Critical vulnerabilities, curated daily for security professionals
๐ฏ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
๐
Archived Security Brief
Yesterday's disclosures included 11 critical-severity CVEs, a 74% decrease from the prior day's 43 critical vulnerabilities. High-priority vulnerabilities also declined 29% to 71 issues. Four actively exploited vulnerabilities require attention, including CVE-2023-52163 affecting Digiever DS-2105 Pro, CVE-2025-14847 targeting MongoDB Server, a legacy Microsoft Office flaw (CVE-2009-0556), and CVE-2025-37164 impacting HPE OneView. Notable critical disclosures include CVE-2025-65091 and CVE-2025-70974 (both CVSS 10.0) affecting XWiki and Fastjson respectively, plus CVE-2025-64093 enabling unauthenticated remote code execution. No patches are currently available for yesterday's disclosed vulnerabilities, requiring compensating controls for affected systems.
11 critical CVEs disclosed (74% decrease from prior day's 43)
71 high-priority CVEs disclosed (29% decrease from 100)
4 actively exploited vulnerabilities affecting Digiever, MongoDB, Microsoft Office, and HPE OneView
0% patch availability for newly disclosed vulnerabilities
Critical RCE vulnerabilities in XWiki, Fastjson, Sangfor management systems, and WordPress plugins
Immediate action: Organizations using Digiever surveillance systems, MongoDB Server, HPE OneView, or Microsoft Office should prioritize reviewing exposure to actively exploited CVEs. With no patches available for yesterday's critical disclosures, implement network segmentation, enhanced monitoring, and access restrictions for affected WordPress plugins, XWiki, Fastjson, and Sangfor systems.
๐ก Tip: Swipe CVE cards left to โญ star, right to โ remove
Section Navigation
โ ๏ธ
CISA Known Exploited Vulnerabilities
โ ๏ธ CISA KEVURGENT
CVE-2023-52163 (reserved 2023, disclosed 2025)
9.5
DigieverDS-2105 Pro
โฐ Federal Deadline:January 11, 2026(2 days remaining)
Digiever DS-2105 Pro Missing Authorization Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2025-14847
9.5
MongoDBMongoDB and MongoDB Server
โฐ Federal Deadline:January 18, 2026(9 days remaining)
MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2009-0556 (reserved 2009, disclosed 2026)
9.5
MicrosoftOffice
โฐ Federal Deadline:January 27, 2026(18 days remaining)
Microsoft Office PowerPoint Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2025-37164 (reserved 2025, disclosed 2026)
9.5๐
Hewlett Packard Enterprise (HPE)OneView
โฐ Federal Deadline:January 27, 2026(18 days remaining)
Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
๐จ
Critical Vulnerabilities
CVE-2025-65091 (reserved 2025, disclosed 2026)
10๐
XWiki Full Calendar Macro displays objects from the wiki on theMultiple Products
XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5.
CVSS Base10
โ
CRSSelect profile
CVE-2025-14736 (reserved 2025, disclosed 2026)
9.8๐
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions upMultiple Products
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.25. This is due to insufficient validation of user-supplied role values in the 'validate_value', 'pre_update_value', and 'get_fields_display' functions. This makes it possible for unauthenticated attackers to register as administrators and gain complete control of the site, granted they can access a user registration form containing a Role field.
CVSS Base9.8
โ
CRSSelect profile
CVE-2025-14598 (reserved 2025, disclosed 2026)
9.8๐
BeeS Software Solutions BET Portal contains an SQL injection vulnerability in the login functionality of affectedMultiple Products
BeeS Software Solutions BET Portal contains an SQL injection vulnerability in the login functionality of affected sites. The vulnerability enables arbitrary SQL commands to be executed on the backend database.
CVSS Base9.8
โ
CRSSelect profile
CVE-2025-70974 (reserved 2025, disclosed 2026)
10๐
Fastjson beforeMultiple Products
Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.
CVSS Base10
โ
CRSSelect profile
CVE-2025-14741 (reserved 2025, disclosed 2026)
9.1๐
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on theMultiple Products
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts.
CVSS Base9.1
โ
CRSSelect profile
CVE-2025-64093 (reserved 2025, disclosed 2026)
10๐
Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of theMultiple Products
Remote Code Execution vulnerability that allows unauthenticated attackers to inject arbitrary commands into the hostname of the device.
CVSS Base10
โ
CRSSelect profile
CVE-2025-15500 (reserved 2025, disclosed 2026)
9.8๐
A vulnerability was found in Sangfor Operation and Maintenance Management System up toMultiple Products
A vulnerability was found in Sangfor Operation and Maintenance Management System up to 3.0.8. This issue affects some unknown processing of the file /isomp-protocol/protocol/getHis of the component HTTP POST Request Handler. The manipulation of the argument sessionPath results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Base9.8
โ
CRSSelect profile
CVE-2025-15501 (reserved 2025, disclosed 2026)
9.8๐
A vulnerability was determined in Sangfor Operation and Maintenance Management System up toMultiple Products
A vulnerability was determined in Sangfor Operation and Maintenance Management System up to 3.0.8. Impacted is the function WriterHandle.getCmd of the file /isomp-protocol/protocol/getCmd. This manipulation of the argument sessionPath causes os command injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Base9.8
โ
CRSSelect profile
CVE-2025-64090 (reserved 2025, disclosed 2026)
10๐
This vulnerability allows authenticated attackers to execute commands via the hostname of theMultiple Products
This vulnerability allows authenticated attackers to execute commands via the hostname of the device.
CVSS Base10
โ
CRSSelect profile
CVE-2026-22688
9.9๐
WeKnora is anMultiple Products
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval. Prior to version 0.2.5, there is a command injection vulnerability that allows authenticated users to inject stdio_config.command/args into MCP stdio settings, causing the server to execute subprocesses using these injected values. This issue has been patched in version 0.2.5.
CVSS Base9.9
โ
CRSSelect profile
CVE-2026-22600
9.1๐
OpenProject is anMultiple Products
OpenProject is an open-source, web-based project management software. A Local File Read (LFR) vulnerability exists in the work package PDF export functionality of OpenProject prior to version 16.6.4. By uploading a specially crafted SVG file (disguised as a PNG) as a work package attachment, an attacker can exploit the backend image processing engine (ImageMagick). When the work package is exported to PDF, the backend attempts to resize the image, triggering the ImageMagick text: coder. This allows an attacker to read arbitrary local files that the application user has permissions to access (e.g., /etc/passwd, all project configuration files, private project data, etc.). The attack requires permissions to upload attachments to a container that can be exported to PDF, such as a work package. The issue has been patched in version 16.6.4. Those who are unable to upgrade may apply the patch manually.
CVSS Base9.1
โ
CRSSelect profile
โ ๏ธ
High Priority Updates
CVE-2025-67925 (reserved 2025, disclosed 2026)
8.1๐
zozothemes CorpkitMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Corpkit corpkit allows PHP Local File Inclusion
CVSS Base8.1
โ
CRSSelect profile
CVE-2025-67934 (reserved 2025, disclosed 2026)
8.1๐
ImproperMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wellspring wellspring allows PHP Local File Inclusion
CVSS Base8.1
โ
CRSSelect profile
CVE-2025-67935 (reserved 2025, disclosed 2026)
8.1๐
ImproperMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Optimize optimizewp allows PHP Local File Inclusion
CVSS Base8.1
โ
CRSSelect profile
CVE-2025-67936 (reserved 2025, disclosed 2026)
8.1๐
ImproperMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion
CVSS Base8.1
โ
CRSSelect profile
CVE-2025-67937 (reserved 2025, disclosed 2026)
8.1๐
ImproperMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Hendon hendon allows PHP Local File Inclusion
CVSS Base8.1
โ
CRSSelect profile
CVE-2025-13457 (reserved 2025, disclosed 2026)
7.5๐
WordPressMultiple Products
The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5
CVSS Base7.5
โ
CRSSelect profile
CVE-2025-14436 (reserved 2025, disclosed 2026)
7.2๐
WordPressMultiple Products
The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the โuser_connection_idโ parameter in all versions up to, and including, 4
CVSS Base7.2
โ
CRSSelect profile
CVE-2026-22521
7.5๐
ImproperMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in G5Theme Handmade Framework allows PHP Local File Inclusion
CVSS Base7.5
โ
CRSSelect profile
CVE-2025-63611 (reserved 2025, disclosed 2026)
8.7๐
UnknownMultiple Products
Cross-Site Scripting in phpgurukul Hostel Management System v2
CVSS Base8.7
โ
CRSSelect profile
CVE-2026-21898
8.2๐
CryptoLibMultiple Products
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station
CVSS Base8.2
โ
CRSSelect profile
CVE-2025-67919 (reserved 2025, disclosed 2026)
8.1๐
WofficeIO WofficeMultiple Products
Authorization Bypass Through User-Controlled Key vulnerability in WofficeIO Woffice Core woffice-core allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base8.1
โ
CRSSelect profile
CVE-2026-22704
8๐
HAXMultiple Products
HAX CMS helps manage microsite universe with PHP or NodeJs backends
CVSS Base8
โ
CRSSelect profile
CVE-2026-0830
7.8๐
beforeMultiple Products
Processing specially crafted workspace folder names could allow for arbitrary command injection in the Kiro GitLab Merge-Request helper in Kiro IDE before version 0
CVSS Base7.8
โ
CRSSelect profile
CVE-2026-22230
7.6๐
modifyMultiple Products
OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator
CVSS Base7.6
โ
CRSSelect profile
CVE-2025-15464 (reserved 2025, disclosed 2026)
7.5๐
ExportedMultiple Products
Exported Activity allows external applications to gain application context and directly launch Gmail with inbox access, bypassing security controls
CVSS Base7.5
โ
CRSSelect profile
CVE-2025-64092 (reserved 2025, disclosed 2026)
7.5
ThisMultiple Products
This vulnerability allows unauthenticated attackers to inject an SQL request into GET request parameters and directly query the underlying database
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-22697
7.5
CryptoLibMultiple Products
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-21897
7.3
CryptoLibMultiple Products
CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station
CVSS Base7.3
โ
CRSSelect profile
CVE-2025-15055 (reserved 2025, disclosed 2026)
7.2
WordPressMultiple Products
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5
CVSS Base7.2
โ
CRSSelect profile
CVE-2025-15057 (reserved 2025, disclosed 2026)
7.2
WordPressMultiple Products
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5
CVSS Base7.2
โ
CRSSelect profile
CVE-2025-14657 (reserved 2025, disclosed 2026)
7.2
WordPressMultiple Products
The Eventin โ Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4
CVSS Base7.2
โ
CRSSelect profile
CVE-2025-14937 (reserved 2025, disclosed 2026)
7.2
WordPressMultiple Products
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3
CVSS Base7.2
โ
CRSSelect profile
CVE-2025-68887 (reserved 2025, disclosed 2026)
7.1
WordPressMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-businessdirectory allows Reflected XSS
CVSS Base7.1
โ
CRSSelect profile
CVE-2026-21638
8.8
airMAX WirelessMultiple Products
A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product
CVSS Base8.8
โ
CRSSelect profile
CVE-2025-55125 (reserved 2025, disclosed 2026)
7.8
ThisMultiple Products
This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as root by creating a malicious
backup configuration file
CVSS Base7.8
โ
CRSSelect profile
CVE-2025-50334 (reserved 2025, disclosed 2026)
7.5
DNSMultiple Products
An issue in Technitium DNS Server v
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-22589
7.5
SpreeMultiple Products
Spree is an open source e-commerce solution built with Ruby on Rails
CVSS Base7.5
โ
CRSSelect profile
CVE-2025-68719 (reserved 2025, disclosed 2026)
8.8
withMultiple Products
KAYSUS KS-WR3600 routers with firmware 1
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-21873
7.2
NiceGUIMultiple Products
NiceGUI is a Python-based UI framework
CVSS Base7.2
โ
CRSSelect profile
CVE-2025-68716 (reserved 2025, disclosed 2026)
8.4
withMultiple Products
KAYSUS KS-WR3600 routers with firmware 1
CVSS Base8.4
โ
CRSSelect profile
CVE-2026-21884
8.2
ReactMultiple Products
React Router is a router for React
CVSS Base8.2
โ
CRSSelect profile
CVE-2025-67089 (reserved 2025, disclosed 2026)
8.1
commandMultiple Products
A command injection vulnerability exists in the GL-iNet GL-AXT1800 router firmware v4
CVSS Base8.1
โ
CRSSelect profile
CVE-2026-22029
8
ReactMultiple Products
React Router is a router for React
CVSS Base8
โ
CRSSelect profile
CVE-2025-59057 (reserved 2025, disclosed 2026)
7.6
ReactMultiple Products
React Router is a router for React
CVSS Base7.6
โ
CRSSelect profile
CVE-2025-69259 (reserved 2025, disclosed 2026)
7.5
Trend MicroMultiple Products
A message unchecked NULL return value vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations
CVSS Base7.5
โ
CRSSelect profile
CVE-2025-69260 (reserved 2025, disclosed 2026)
7.5
Trend MicroMultiple Products
A message out-of-bounds read vulnerability in Trend Micro Apex Central could allow a remote attacker to create a denial-of-service condition on affected installations
CVSS Base7.5
โ
CRSSelect profile
CVE-2025-56424 (reserved 2025, disclosed 2026)
7.5
beforeMultiple Products
An issue in Insiders Technologies GmbH e-invoice pro before release 1 Service Pack 2 allows a remote attacker to cause a denial of service via a crafted script
CVSS Base7.5
โ
CRSSelect profile
CVE-2025-67926 (reserved 2025, disclosed 2026)
8.8
Shahjahan JewelMultiple Products
Missing Authorization vulnerability in Shahjahan Jewel Fluent Support fluent-support allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base8.8
โ
CRSSelect profile
CVE-2025-66001 (reserved 2025, disclosed 2026)
8.8
NeuVectorMultiple Products
NeuVector supports login authentication through OpenID Connect
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-22255
8.8
iccDEVMultiple Products
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-22256
8.8
SalvoMultiple Products
Salvo is a Rust web backend framework
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-22257
8.8
SalvoMultiple Products
Salvo is a Rust web backend framework
CVSS Base8.8
โ
CRSSelect profile
CVE-2025-69194 (reserved 2025, disclosed 2026)
8.8
securityMultiple Products
A security issue was discovered in GNU Wget2 when handling Metalink documents
CVSS Base8.8
โ
CRSSelect profile
CVE-2025-15499 (reserved 2025, disclosed 2026)
8.8
hasMultiple Products
A vulnerability has been found in Sangfor Operation and Maintenance Management System up to 3
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-22685
8.8
DevToysMultiple Products
DevToys is a desktop app for developers
CVSS Base8.8
โ
CRSSelect profile
CVE-2025-9222 (reserved 2025, disclosed 2026)
8.7
versionsMultiple Products
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18
CVSS Base8.7
โ
CRSSelect profile
CVE-2025-64091 (reserved 2025, disclosed 2026)
8.6
ThisMultiple Products
This vulnerability allows authenticated attackers to execute commands via the NTP-configuration of the device
CVSS Base8.6
โ
CRSSelect profile
CVE-2025-14025 (reserved 2025, disclosed 2026)
8.5
AnsibleMultiple Products
A flaw was found in Ansible Automation Platform (AAP)
CVSS Base8.5
โ
CRSSelect profile
CVE-2025-67070 (reserved 2025, disclosed 2026)
8.2
existsMultiple Products
A vulnerability exists in Intelbras CFTV IP NVD 9032 R Ftd V2
CVSS Base8.2
โ
CRSSelect profile
CVE-2025-22715 (reserved 2025, disclosed 2026)
8.1
loopus WP AttractiveMultiple Products
Missing Authorization vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base8.1
โ
CRSSelect profile
CVE-2025-67917 (reserved 2025, disclosed 2026)
8.1
shinetheme TravelerMultiple Products
Missing Authorization vulnerability in shinetheme Traveler traveler allows Exploiting Incorrectly Configured Access Control Security Levels
CVSS Base8.1
โ
CRSSelect profile
CVE-2026-22594
8.1
GhostMultiple Products
Ghost is a Node
CVSS Base8.1
โ
CRSSelect profile
CVE-2026-22595
8.1
GhostMultiple Products
Ghost is a Node
CVSS Base8.1
โ
CRSSelect profile
CVE-2026-22687
8.1
WeKnoraMultiple Products
WeKnora is an LLM-powered framework designed for deep document understanding and semantic retrieval
CVSS Base8.1
โ
CRSSelect profile
CVE-2025-13761 (reserved 2025, disclosed 2026)
8
versionsMultiple Products
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18
CVSS Base8
โ
CRSSelect profile
CVE-2025-69195 (reserved 2025, disclosed 2026)
7.6
flawMultiple Products
A flaw was found in GNU Wget2
CVSS Base7.6
โ
CRSSelect profile
CVE-2025-67914 (reserved 2025, disclosed 2026)
7.5
PathMultiple Products
Path Traversal: '
CVSS Base7.5
โ
CRSSelect profile
CVE-2025-67931 (reserved 2025, disclosed 2026)
7.5
AITpro BulletProofMultiple Products
Insertion of Sensitive Information Into Sent Data vulnerability in AITpro BulletProof Security bulletproof-security allows Retrieve Embedded Sensitive Data
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-0719
7.5
flawMultiple Products
A flaw was identified in the NTLM authentication handling of the libsoup HTTP library, used by GNOME and other applications for network communication
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-22235
7.5
beforeMultiple Products
OPEXUS eComplaint before version 9
CVSS Base7.5
โ
CRSSelect profile
CVE-2025-65518 (reserved 2025, disclosed 2026)
7.5
ObsidianMultiple Products
Plesk Obsidian versions 8
CVSS Base7.5
โ
CRSSelect profile
CVE-2025-67133 (reserved 2025, disclosed 2026)
7.5
issueMultiple Products
An issue in Hero Motocorp Vida V1 Pro 2
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-22699
7.5
UnknownMultiple Products
RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-22700
7.5
UnknownMultiple Products
RustCrypto: Elliptic Curves is general purpose Elliptic Curve Cryptography (ECC) support, including types and traits for representing various elliptic curve forms, scalars, points, and public/secret keys composed thereof
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-22777
7.5
UnknownMultiple Products
ComfyUI-Manager is an extension designed to enhance the usability of ComfyUI
CVSS Base7.5
โ
CRSSelect profile
CVE-2025-15502 (reserved 2025, disclosed 2026)
7.3
wasMultiple Products
A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3
CVSS Base7.3
โ
CRSSelect profile
CVE-2025-15503 (reserved 2025, disclosed 2026)
7.3
securityMultiple Products
A security flaw has been discovered in Sangfor Operation and Maintenance Management System up to 3
CVSS Base7.3
โ
CRSSelect profile
CVE-2025-68873 (reserved 2025, disclosed 2026)
7.1
ImproperMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in chloรฉdigital PRIMER by chloรฉdigital primer-by-chloedigital allows Reflected XSS
CVSS Base7.1
โ
CRSSelect profile
CVE-2025-68874 (reserved 2025, disclosed 2026)
7.1
Shahjada VisitorMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shahjada Visitor Stats Widget visitor-stats-widget allows Reflected XSS
CVSS Base7.1
โ
CRSSelect profile
CVE-2025-68889 (reserved 2025, disclosed 2026)
7.1
Pinpoll PinpollMultiple Products
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pinpoll Pinpoll pinpoll allows Reflected XSS
CVSS Base7.1
โ
CRSSelect profile
CVE-2025-13772 (reserved 2025, disclosed 2026)
7.1
versionsMultiple Products
GitLab has remediated an issue in GitLab EE affecting all versions from 18