CVE-2009-0556
Microsoft Office PowerPoint Code Injection Vulnerability - Active in CISA KEV catalog.
This curated brief highlights 10 critical vulnerabilities and 46 high-priority updates requiring immediate attention.
Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability - Active in CISA KEV catalog.
Gogs Path Traversal Vulnerability - Active in CISA KEV catalog.
Microsoft Windows Information Disclosure Vulnerability - Active in CISA KEV catalog.
PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to the database using hardcoded database credentials stored in the firmware.
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field.
HotCRP is conference review software. A problem introduced in April 2024 in version 3.1 led to inadequately sanitized code generation for HotCRP formulas which allowed users to trigger the execution of arbitrary PHP code. The problem is patched in release version 3.2.
A stored cross-site scripting (XSS) vulnerability exists in the Altium Forum due to missing server-side input sanitization in forum post content. An authenticated attacker can inject arbitrary JavaScript into forum posts, which is stored and executed when other users view the affected post. Successful exploitation allows the attacker's payload to execute in the context of the victim's authenticated Altium 365 session, enabling unauthorized access to workspace data, including design files and workspace settings. Exploitation requires user interaction to view a malicious forum post.
MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and potentially earlier versions allows unauthenticated users to bypass the mandatory authentication check in the roleBasedAuthMiddleware. By simply not providing an authentication cookie (making req.user undefined), a request is incorrectly passed through to downstream handlers. All users running MyTube with loginEnabled: true are impacted. This flaw allows an attacker to access and modify application settings via /api/settings, change administrative and visitor passwords, and access other protected routes that rely on this specific middleware. The problem is patched in v1.7.66. MyTube maintainers recommend all users upgrade to at least version v1.7.64 immediately to secure their instances. The fix ensures that the middleware explicitly blocks requests if a user is not authenticated, rather than defaulting to next(). Those who cannot upgrade immediately can mitigate risk by using a firewall or reverse proxy (like Nginx) to limit access to the /api/ endpoints to trusted IP addresses only or, if they are comfortable editing the source code, manually patch by locating roleBasedAuthMiddleware and ensuring that the logic defaults to an error (401 Unauthorized) when req.user is undefined, instead of calling next().
A flaw has been found in UTT HiPER 810 1.7.4-141218. The impacted element is the function strcpy of the file /goform/setSysAdm. Manipulation of the argument passwd1 causes a buffer overflow. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryUpdated=`. Version 0.70.0 fixes the issue.
Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryDeleted=`. Version 0.70.0 fixes the issue.
Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryCreated=`. Version 0.70.0 fixes the issue.
An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users. All deployments using the external_oauth2_token middleware are affected.
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4
Koko Analytics is an open-source analytics plugin for WordPress
A security vulnerability has been detected in PHPGurukul Directory Management System 1
teklifolustur_app is a web-based PHP application that allows users to create, manage, and track quotes for their clients
Tugtainer is a self-hosted app for automating updates of Docker containers
Using string formatting and exception handling, an attacker may bypass n8n's python-task-executor sandbox restrictions and run arbitrary unrestricted Python code in the underlying operating system
An Improper Certificate Validation vulnerability in the OPC-UA client and ANSL over TLS client used in Automation Studio versions before 6
PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server
A vulnerability was detected in UTT 进取 520W 1
A flaw has been found in UTT 进取 520W 1
A vulnerability has been found in UTT 进取 520W 1
A vulnerability was found in UTT 进取 520W 1
A weakness has been identified in TOTOLINK A3700R 9
A vulnerability was found in Totolink LR350 9
A vulnerability was determined in Totolink LR350 9
A high-severity security vulnerability has been identified in Totolink LR350 devices, potentially allowing for unauthorized system access or control.
A security flaw discovered in Totolink LR350 9 hardware could allow attackers to bypass security measures and impact device stability.
node-tar, a Tar for Node
OpenProject is an open-source, web-based project management software
jaraco
@fastify/middie is the plugin that adds middleware support on steroids to Fastify
The @fastify/express plugin adds full Express compatibility to Fastify
ImageMagick is free and open-source software used for editing and manipulating digital images
Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e
WeasyPrint helps web developers to create PDF documents
ChatterBot is a machine learning, conversational dialog engine for creating chat bots
A flaw has been found in itsourcecode Society Management System 1
A vulnerability has been found in Yonyou KSOA 9
A vulnerability was found in Yonyou KSOA 9
A vulnerability was determined in Yonyou KSOA 9
A vulnerability was identified in Yonyou KSOA 9
A security flaw has been discovered in Yonyou KSOA 9
A weakness has been identified in D-Link DIR-823X 250416
A security vulnerability has been identified in Yonyou KSOA 9 that could allow an attacker to compromise system integrity. This flaw represents a significant risk to enterprise data.
A high-severity flaw has been discovered in Yonyou KSOA 9, potentially allowing for unauthorized system manipulation. Technical details suggest a failure in secure processing within the application.
Yonyou KSOA 9 is affected by a security vulnerability that may lead to unauthorized access. This high-severity issue requires immediate attention from security administrators.
A vulnerability has been identified in Yonyou KSOA 9 that could compromise system security. The flaw is rated as high severity due to its potential impact on enterprise data.
Technical analysis has determined a high-severity vulnerability exists in Yonyou KSOA 9. This flaw could lead to significant unauthorized actions within the software environment.
A security weakness has been identified in the itsourcecode Online Frozen Foods Ordering System 1. This high-severity flaw could allow for unauthorized data access.
A security flaw has been discovered in itsourcecode School Management System 1, which could allow unauthorized access to sensitive educational records.
A vulnerability has been identified in the OnboardLite platform, a membership lifecycle tool used by student organizations. This flaw could lead to unauthorized access to member data.
A security weakness has been identified in Yonyou KSOA 9 that could compromise system integrity. This high-severity flaw requires immediate remediation.
A security vulnerability has been detected in Yonyou KSOA 9, posing a high risk to enterprise data security. Immediate patching is required.
A vulnerability was detected in Yonyou KSOA 9
A vulnerability was determined in Tosei Online Store Management System ネット店舗管理システム 1
A security flaw has been discovered in CRMEB up to 5