Critical vulnerabilities, curated daily for security professionals
π― SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
π
Today's Security Brief
Yesterday's disclosures included 7 critical-severity CVEs (CVSS 9.0+), a 40% increase from the prior day's 5 critical issues. High-priority vulnerabilities (CVSS 7.0-8.9) totaled 72, reflecting an 8% decrease from the previous 78. Sixteen actively exploited vulnerabilities remain on the CISA KEV catalog, spanning Cisco Unified Communications Manager, Zimbra Collaboration Suite, VMware vCenter Server, Microsoft Office, and multiple SmarterTools SmarterMail instances. Notable critical disclosures include CVE-2026-1868 (CVSS 9.9) affecting GitLab, CVE-2026-22903 (CVSS 9.8) in lighttpd, and CVE-2025-15027 (CVSS 9.8) targeting WordPress installations. Patch availability stands at 0%, requiring organizations to prioritize compensating controls and monitoring until vendor remediations are released.
7 critical CVEs disclosed, up 40% from the prior day's 5 critical vulnerabilities
72 high-priority CVEs (CVSS 7.0-8.9), down 8% from the previous 78
16 actively exploited KEV entries spanning Cisco, Zimbra, VMware, Microsoft Office, SmarterMail, and FreePBX
0% patch availability across disclosed vulnerabilities β compensating controls recommended
GitLab (CVE-2026-1868, CVSS 9.9), lighttpd (CVE-2026-22903, CVSS 9.8), and WordPress (CVE-2025-15027, CVSS 9.8) among top critical issues
Immediate action: Organizations running Cisco Unified Communications Manager, Zimbra, VMware vCenter, Microsoft Office, SmarterMail, GitLab, lighttpd, or WordPress should review exposure to the listed CVEs and apply network-level mitigations. With no patches currently available, implement compensating controls such as access restrictions, enhanced monitoring, and WAF rules for affected systems.
π‘ Tip: Swipe CVE cards left to β star, right to β remove
Section Navigation
β οΈ
CISA Known Exploited Vulnerabilities
β οΈ CISA KEVURGENT
CVE-2026-20045
9.5π
CiscoUnified Communications Manager
β° Federal Deadline:February 10, 2026(2 days remaining)
Cisco Unified Communications Products Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-68645
9.5π
Synacor Zimbra Collaboration Suite (ZCS)
β° Federal Deadline:February 11, 2026(3 days remaining)
Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-34026
9.5
VersaConcerto
β° Federal Deadline:February 11, 2026(3 days remaining)
Versa Concerto Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-31125
9.5
ViteVitejs
β° Federal Deadline:February 11, 2026(3 days remaining)
Vite Vitejs Improper Access Control Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-54313
9.5
Prettiereslint-config-prettier
β° Federal Deadline:February 11, 2026(3 days remaining)
Prettier eslint-config-prettier Embedded Malicious Code Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2024-37079
9.5π Late Disclosure
BroadcomVMware vCenter Server
β° Federal Deadline:February 12, 2026(4 days remaining)
Broadcom VMware vCenter Server Out-of-bounds Write Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2018-14634
9.5π Late Disclosure
LinuxKernal
β° Federal Deadline:February 15, 2026(7 days remaining)
Linux Kernel Integer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-52691
9.5π
SmarterToolsSmarterMail
β° Federal Deadline:February 15, 2026(7 days remaining)
SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-23760
9.5
SmarterToolsSmarterMail
β° Federal Deadline:February 15, 2026(7 days remaining)
SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-24061
9.5π
GNUInetUtils
β° Federal Deadline:February 15, 2026(7 days remaining)
GNU InetUtils Argument Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-21509
9.5π
MicrosoftOffice
β° Federal Deadline:February 15, 2026(7 days remaining)
Microsoft Office Security Feature Bypass Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2021-39935
9.5π Late Disclosure
GitLabCommunity and Enterprise Editions
β° Federal Deadline:February 23, 2026(15 days remaining)
GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-64328
9.5
SangomaFreePBX
β° Federal Deadline:February 23, 2026(15 days remaining)
Sangoma FreePBX OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2019-19006
9.5π Late Disclosure
SangomaFreePBX
β° Federal Deadline:February 23, 2026(15 days remaining)
Sangoma FreePBX Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-11953
9.5π
React Native CommunityCLI
β° Federal Deadline:February 25, 2026(17 days remaining)
React Native Community CLI OS Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-24423
9.5
SmarterToolsSmarterMail
β° Federal Deadline:February 25, 2026(17 days remaining)
SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
π¨
Critical Vulnerabilities
CVE-2026-1615
9.8π
Alljsonpath (Node.js/Browser Package)
All versions of the jsonpath library are vulnerable to arbitrary code injection via unsafe evaluation of user-supplied JSON Path expressions.
CVSS Base9.8
β
CRSSelect profile
CVE-2025-15027
9.8π
WordPressis vulnerable
The JAY Login & Register plugin for WordPress allows unauthenticated privilege escalation to administrator by exploiting the 'jay_login_register_ajax_create_final_user' function.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-1868
9.9π
GitLabhas remediated
Insecure template expansion in GitLab AI Gateway allows attackers to cause a denial-of-service or execute arbitrary code via crafted Duo Agent definitions.
CVSS Base9.9
β
CRSSelect profile
CVE-2026-22903
9.8π
lighttpdlighttpd Server (Modified)
A stack buffer overflow in modified lighttpd servers allows unauthenticated remote code execution via a crafted SESSIONID cookie.
Improper length handling of cookie fields, including TRACKID, allows unauthenticated remote attackers to trigger a stack buffer overflow and execute arbitrary code.
User credentials are stored using weak AES-ECB encryption with a hardcoded key, allowing unauthenticated attackers to recover plaintext passwords.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-2234
9.1π
HGigaC&Cm@il
A missing authentication vulnerability in HGiga C&Cm@il allows unauthenticated attackers to read and modify any user's email content.
CVSS Base9.1
β
CRSSelect profile
β οΈ
High Priority Updates
CVE-2026-2236
7.5π
HGigaC&Cm@il
A SQL Injection vulnerability in HGiga C&Cm@il allows unauthenticated remote attackers to inject arbitrary commands and read database contents.
CVSS Base7.5
β
CRSSelect profile
CVE-2025-15100
8.8π
WordPressis vulnerable
The JAY Login & Register plugin for WordPress is vulnerable to privilege escalation. All versions up to and including version 2 are affected by this flaw.
CVSS Base8.8
β
CRSSelect profile
CVE-2026-2088
7.3π
HPBeauty Parlour Management System
A security vulnerability exists in PHPGurukul Beauty Parlour Management System 1, which could allow attackers to compromise the application's integrity and access sensitive data.
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2113
7.3
HPof the
A security vulnerability has been detected in yuan1994 tpadmin up to 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2165
7.3
HPof the
A weakness has been identified in detronetdip E-commerce 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2166
7.3
HPof the
A security vulnerability has been detected in code-projects Online Reviewer System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2171
7.3
HPof the
A vulnerability was found in code-projects Online Student Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2172
7.3
HPof the
A vulnerability was determined in code-projects Online Application System for Admission 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2221
7.3
HPof the
A security flaw has been discovered in code-projects Online Reviewer System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2225
7.3
HPof the
A flaw has been found in itsourcecode News Portal Project 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2151
7.2
HPof the
A vulnerability has been found in D-Link DIR-615 4
CVSS Base7.2
β
CRSSelect profile
CVE-2026-2152
7.2
HPof the
A vulnerability was found in D-Link DIR-615 4
CVSS Base7.2
β
CRSSelect profile
CVE-2026-2083
7.3π
HPSocial Networking Site
A security flaw has been discovered in code-projects Social Networking Site 1, potentially enabling unauthorized actions or data exposure within the platform.
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2087
7.3π
HPOnline Class Record System
A flaw in SourceCodester Online Class Record System 1 allows for potential exploitation and unauthorized interaction with academic records and system data.
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2089
7.3π
HPOnline Class Record System
A secondary vulnerability has been discovered in SourceCodester Online Class Record System 1, further increasing the potential for unauthorized system access and data manipulation.
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2114
7.3π
HPSociety Management System
A security vulnerability in itsourcecode Society Management System 1 could allow for unauthorized access or the compromise of sensitive organizational data.
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2115
7.3
HPMultiple Products
A flaw has been found in itsourcecode Society Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2116
7.3
HPMultiple Products
A vulnerability has been found in itsourcecode Society Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2117
7.3
HPMultiple Products
A vulnerability was found in itsourcecode Society Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2132
7.3
HPMultiple Products
A security flaw has been discovered in code-projects Online Music Site 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2133
7.3
HPMultiple Products
A weakness has been identified in code-projects Online Music Site 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2136
7.3
HPMultiple Products
A flaw has been found in projectworlds Online Food Ordering System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2158
7.3
HPMultiple Products
A vulnerability was detected in code-projects Student Web Portal 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2161
7.3
HPMultiple Products
A vulnerability was found in itsourcecode Directory Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2164
7.3
HPMultiple Products
A security flaw has been discovered in detronetdip E-commerce 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2173
7.3
HPMultiple Products
A vulnerability was identified in code-projects Online Examination System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2184
7.3
HPMultiple Products
A vulnerability was detected in Great Developers Certificate Generation System up to 97171bb0e5e22e52eacf4e4fa81773e5f3cffb73
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2189
7.3
HPMultiple Products
A vulnerability was identified in itsourcecode School Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2190
7.3
HPMultiple Products
A security flaw has been discovered in itsourcecode School Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2195
7.3
HPMultiple Products
A vulnerability has been found in code-projects Online Reviewer System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2196
7.3
HPMultiple Products
A vulnerability was found in code-projects Online Reviewer System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2197
7.3
HPMultiple Products
A vulnerability was determined in code-projects Online Reviewer System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2198
7.3
HPMultiple Products
A vulnerability was identified in code-projects Online Reviewer System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2199
7.3
HPMultiple Products
A security flaw has been discovered in code-projects Online Reviewer System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2211
7.3
HPMultiple Products
A vulnerability was determined in code-projects Online Music Site 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2212
7.3
HPMultiple Products
A vulnerability was identified in code-projects Online Music Site 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2217
7.3
HPMultiple Products
A vulnerability was found in itsourcecode Event Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2220
7.3
HPMultiple Products
A vulnerability was identified in code-projects Online Reviewer System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2223
7.3
HPMultiple Products
A security vulnerability has been detected in code-projects Online Reviewer System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-0870
7.8
Gigabytehas
MacroHub developed by GIGABYTE has a Local Privilege Escalation vulnerability
CVSS Base7.8
β
CRSSelect profile
CVE-2026-2137
8.8
TendaTX3 up
A vulnerability has been found in Tenda TX3 up to 16
CVSS Base8.8
β
CRSSelect profile
CVE-2026-2138
8.8
TendaTX9 up
A vulnerability was found in Tenda TX9 up to 22
CVSS Base8.8
β
CRSSelect profile
CVE-2026-2139
8.8
TendaTX9 up
A vulnerability was determined in Tenda TX9 up to 22
CVSS Base8.8
β
CRSSelect profile
CVE-2026-2140
8.8
TendaTX9 up
A vulnerability was identified in Tenda TX9 up to 22
CVSS Base8.8
β
CRSSelect profile
CVE-2026-2180
8.8
TendaRX3
A vulnerability was identified in Tenda RX3 16
CVSS Base8.8
β
CRSSelect profile
CVE-2026-2181
8.8
TendaRX3
A security flaw has been discovered in Tenda RX3 16
CVSS Base8.8
β
CRSSelect profile
CVE-2026-2185
8.8
TendaRX3
A flaw has been found in Tenda RX3 16
CVSS Base8.8
β
CRSSelect profile
CVE-2026-2186
8.8
TendaRX3
A vulnerability has been found in Tenda RX3 16
CVSS Base8.8
β
CRSSelect profile
CVE-2026-2187
8.8
TendaRX3
A vulnerability was found in Tenda RX3 16
CVSS Base8.8
β
CRSSelect profile
CVE-2026-2202
8.8
TendaAC8
A vulnerability was detected in Tenda AC8 16
CVSS Base8.8
β
CRSSelect profile
CVE-2026-2203
8.8
TendaAC8
A flaw has been found in Tenda AC8 16
CVSS Base8.8
β
CRSSelect profile
CVE-2026-2084
7.2
D-LinkDIR
A weakness has been identified in D-Link DIR-823X 250416
CVSS Base7.2
β
CRSSelect profile
CVE-2026-2085
7.2
D-LinkDWR
A security vulnerability has been detected in D-Link DWR-M921 1
CVSS Base7.2
β
CRSSelect profile
CVE-2026-2120
7.2
D-LinkDIR
A vulnerability was identified in D-Link DIR-823X 250416
CVSS Base7.2
β
CRSSelect profile
CVE-2026-2129
7.2
D-LinkDIR
A vulnerability was found in D-Link DIR-823X 250416
CVSS Base7.2
β
CRSSelect profile
CVE-2026-2142
7.2
D-LinkDIR
A weakness has been identified in D-Link DIR-823X 250416
CVSS Base7.2
β
CRSSelect profile
CVE-2026-2155
7.2
D-LinkDIR
A security flaw has been discovered in D-Link DIR-823X 250416
CVSS Base7.2
β
CRSSelect profile
CVE-2026-2157
7.2
D-LinkDIR
A security vulnerability has been detected in D-Link DIR-823X 250416
CVSS Base7.2
β
CRSSelect profile
CVE-2026-2175
7.2
D-LinkDIR
A weakness has been identified in D-Link DIR-823X 250416
CVSS Base7.2
β
CRSSelect profile
CVE-2026-2191
7.2
TendaAC9
A weakness has been identified in Tenda AC9 15
CVSS Base7.2
β
CRSSelect profile
CVE-2026-2192
7.2
TendaAC9
A security vulnerability has been detected in Tenda AC9 15
CVSS Base7.2
β
CRSSelect profile
CVE-2026-2210
7.2
D-LinkDIR
A vulnerability has been found in D-Link DIR-823X 250416
CVSS Base7.2
β
CRSSelect profile
CVE-2026-22905
7.5π
UnknownUnspecified Product (Web Interface)
Insufficient URI validation and path traversal sequences allow unauthenticated remote attackers to bypass authentication on the affected system.
CVSS Base7.5
β
CRSSelect profile
CVE-2026-2086
8.8
UTTMultiple Products
A vulnerability was detected in UTT HiPER 810G up to 1
CVSS Base8.8
β
CRSSelect profile
CVE-2025-7799
8.6
Zirve InformationMultiple Products
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zirve Information Technologies Inc
CVSS Base8.6
β
CRSSelect profile
CVE-2026-2090
7.3
RecordMultiple Products
A vulnerability was determined in SourceCodester Online Class Record System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2174
7.3
ManagementMultiple Products
A security flaw has been discovered in code-projects Contact Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2177
7.3
ManagementMultiple Products
A vulnerability has been found in SourceCodester Prison Management System 1
CVSS Base7.3
β
CRSSelect profile
CVE-2026-2118
7.2
UTTMultiple Products
A vulnerability was determined in UTT HiPER 810 1
CVSS Base7.2
β
CRSSelect profile
CVE-2026-2143
7.2
D-LinkMultiple Products
A security vulnerability has been detected in D-Link DIR-823X 250416
CVSS Base7.2
β
CRSSelect profile
CVE-2026-2182
7.2π
UTTθΏε 521G 3
A security weakness has been identified in the UTT θΏε 521G 3 router that could compromise the device's security posture.
CVSS Base7.2
β
CRSSelect profile
CVE-2026-2188
7.2π
UTTθΏε 521G 3
A vulnerability in the UTT θΏε 521G 3 router allows for potential compromise of the device by remote attackers.