Critical vulnerabilities, curated daily for security professionals
๐ฏ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
๐
Archived Security Brief
Yesterday's disclosures included 12 critical vulnerabilities, a 20% increase from the prior day's 10. High-priority CVEs saw significant growth at 69 disclosures, up 50% from 46. Four actively exploited vulnerabilities require attention, including CVE-2026-20805 affecting Microsoft Windows and CVE-2025-37164 targeting HPE OneView. Notable critical issues include CVE-2026-21962 (CVSS 10.0) in Oracle HTTP Server, CVE-2026-22844 (CVSS 9.9) affecting Zoom Node Multimedia Routers, and multiple Google Chrome security UI flaws rated at CVSS 9.8. With 0% patch availability reported, organizations should prioritize compensating controls and monitoring.
12 critical CVEs disclosed, 20% increase from prior day
69 high-priority CVEs, up 50% from 46 previously
4 actively exploited vulnerabilities including Microsoft Windows and HPE OneView
Affected vendors include Oracle, Google Chrome, Microsoft, Zoom, and HPE
Immediate action: Prioritize Microsoft Windows, HPE OneView, Oracle HTTP Server, and Google Chrome environments for exposure assessment given active exploitation and critical severity ratings. With no patches currently available, implement network segmentation, access restrictions, and enhanced monitoring for affected systems.
๐ก Tip: Swipe CVE cards left to โญ star, right to โ remove
Section Navigation
โ ๏ธ
CISA Known Exploited Vulnerabilities
โ ๏ธ CISA KEVURGENT
CVE-2009-0556
9.5
MicrosoftOffice
โฐ Federal Deadline:January 27, 2026(7 days remaining)
Microsoft Office PowerPoint Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEVURGENT
CVE-2025-37164
9.5๐
Hewlett Packard Enterprise (HPE)OneView
โฐ Federal Deadline:January 27, 2026(7 days remaining)
Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2025-8110
9.5
GogsGogs
โฐ Federal Deadline:February 1, 2026(12 days remaining)
Gogs Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
โ ๏ธ CISA KEV
CVE-2026-20805
9.5
MicrosoftWindows
โฐ Federal Deadline:February 2, 2026(13 days remaining)
Microsoft Windows Information Disclosure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
โ
CRSSelect profile
๐จ
Critical Vulnerabilities
CVE-2026-21962
10
Vulnerability in the Oracle HTTPMultiple Products
Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).
CVSS Base10
โ
CRSSelect profile
CVE-2026-0906
9.8๐
Incorrect security UI in Google Chrome on Android prior toMultiple Products
Incorrect security UI in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low)
CVSS Base9.8
โ
CRSSelect profile
CVE-2026-0907
9.8๐
Incorrect security UI in Split View in Google Chrome prior toMultiple Products
Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)
CVSS Base9.8
โ
CRSSelect profile
CVE-2026-1221
9.8๐
PrismXMultiple Products
PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to the database using hardcoded database credentials stored in the firmware.
CVSS Base9.8
โ
CRSSelect profile
CVE-2025-14533
9.8๐
The Advanced CustomMultiple Products
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field.
CVSS Base9.8
โ
CRSSelect profile
CVE-2025-15521
9.8๐
The Academy LMSMultiple Products
The Academy LMS โ WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and gain access to their account.
CVSS Base9.8
โ
CRSSelect profile
CVE-2026-0905
9.8๐
Insufficient policy enforcement in Network in Google Chrome prior toMultiple Products
Insufficient policy enforcement in Network in Google Chrome prior to 144.0.7559.59 allowed an attack who obtained a network log file to potentially obtain potentially sensitive information via a network log file. (Chromium security severity: Medium)
CVSS Base9.8
โ
CRSSelect profile
CVE-2026-21969
9.8๐
Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply ChainMultiple Products
Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Supplier Portal). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in takeover of Oracle Agile Product Lifecycle Management for Process. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVSS Base9.8
โ
CRSSelect profile
CVE-2025-56005
9.8๐
An undocumented and unsafe feature in the PLYMultiple Products
An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk.
CVSS Base9.8
โ
CRSSelect profile
CVE-2026-22844
9.9๐
A Command Injection vulnerability in Zoom Node Multimedia RoutersMultiple Products
A Command Injection vulnerability in Zoom Node Multimedia Routers (MMRs) before version 5.2.1716.0 may allow a meeting participant to conduct remote code execution of the MMR via network access.
CVSS Base9.9
โ
CRSSelect profile
CVE-2026-24061
9.8๐
telnetd in GNU Inetutils throughMultiple Products
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.
CVSS Base9.8
โ
CRSSelect profile
CVE-2025-53912
9.6๐
An arbitrary file read vulnerability exists in the encapsulatedDoc functionality of MedDream PACS PremiumMultiple Products
An arbitrary file read vulnerability exists in the encapsulatedDoc functionality of MedDream PACS Premium 7.3.6.870. A specially crafted HTTP request can lead to an arbitrary file read. An attacker can send http request to trigger this vulnerability.
CVSS Base9.6
โ
CRSSelect profile
โ ๏ธ
High Priority Updates
CVE-2026-0726
8.1๐
WordPressMultiple Products
The Nexter Extension โ Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4
CVSS Base8.1
โ
CRSSelect profile
CVE-2025-14977
8.1๐
WordPressMultiple Products
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution โ Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4
CVSS Base8.1
โ
CRSSelect profile
CVE-2026-0908
8.8๐
GoogleMultiple Products
Use after free in ANGLE in Google Chrome prior to 144
CVSS Base8.8
โ
CRSSelect profile
CVE-2025-15347
8.8๐
WordPressMultiple Products
The Creator LMS โ The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1
CVSS Base8.8
โ
CRSSelect profile
CVE-2025-15380
7.2๐
WordPressMultiple Products
The NotificationX โ FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3
CVSS Base7.2
โ
CRSSelect profile
CVE-2026-0899
8.8๐
GoogleMultiple Products
Out of bounds memory access in V8 in Google Chrome prior to 144
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-0900
8.8๐
GoogleMultiple Products
Inappropriate implementation in V8 in Google Chrome prior to 144
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-0902
8.8๐
GoogleMultiple Products
Inappropriate implementation in V8 in Google Chrome prior to 144
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-21967
8.6๐
OracleMultiple Products
Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Opera Servlet)
CVSS Base8.6
โ
CRSSelect profile
CVE-2026-22850
8.3๐
WordPressMultiple Products
Koko Analytics is an open-source analytics plugin for WordPress
CVSS Base8.3
โ
CRSSelect profile
CVE-2026-21955
8.2๐
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base8.2
โ
CRSSelect profile
CVE-2026-21956
8.2๐
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base8.2
โ
CRSSelect profile
CVE-2026-21987
8.2๐
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base8.2
โ
CRSSelect profile
CVE-2026-21988
8.2๐
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base8.2
โ
CRSSelect profile
CVE-2026-21990
8.2๐
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base8.2
โ
CRSSelect profile
CVE-2026-21973
8.1
OracleMultiple Products
Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Oracle Financial Services Applications (component: Security Management System)
CVSS Base8.1
โ
CRSSelect profile
CVE-2026-21989
8.1
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base8.1
โ
CRSSelect profile
CVE-2026-24016
7.8
installerMultiple Products
The installer of ServerView Agents for Windows provided by Fsas Technologies Inc
CVSS Base7.8
โ
CRSSelect profile
CVE-2026-21926
7.5
OracleMultiple Products
Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Server Infrastructure)
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-21940
7.5
OracleMultiple Products
Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: User and User Group)
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-21945
7.5
OracleMultiple Products
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security)
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-21957
7.5
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-21982
7.5
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-21983
7.5
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-21984
7.5
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-21932
7.4
OracleMultiple Products
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX)
CVSS Base7.4
โ
CRSSelect profile
CVE-2026-1160
7.3๐
ManagementMultiple Products
A security vulnerability has been detected in PHPGurukul Directory Management System 1
CVSS Base7.3
โ
CRSSelect profile
CVE-2025-33229
7.3
NVIDIAMultiple Products
NVIDIA Nsight Visual Studio for Windows contains a vulnerability in Nsight Monitor where an attacker can execute arbitrary code with the same privileges as the NVIDIA Nsight Visual Studio Edition Monitor application
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-23843
7.1๐
theirMultiple Products
teklifolustur_app is a web-based PHP application that allows users to create, manage, and track quotes for their clients
CVSS Base7.1
โ
CRSSelect profile
CVE-2026-21976
7.1
OracleMultiple Products
Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Oracle Analytics Cloud)
CVSS Base7.1
โ
CRSSelect profile
CVE-2026-21986
7.1
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base7.1
โ
CRSSelect profile
CVE-2026-21939
7
OracleMultiple Products
Vulnerability in the SQLcl component of Oracle Database Server
CVSS Base7
โ
CRSSelect profile
CVE-2026-23846
8.1๐
DockerMultiple Products
Tugtainer is a self-hosted app for automating updates of Docker containers
CVSS Base8.1
โ
CRSSelect profile
CVE-2025-59465
7.5
malformedMultiple Products
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node
CVSS Base7.5
โ
CRSSelect profile
CVE-2025-11043
7.4๐
TLSMultiple Products
An Improper Certificate Validation vulnerability in the OPC-UA client and ANSL over TLS client used in Automation Studio versions before 6
CVSS Base7.4
โ
CRSSelect profile
CVE-2026-1007
7.6
virtualMultiple Products
Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules
CVSS Base7.6
โ
CRSSelect profile
CVE-2026-1222
7.2๐
theMultiple Products
PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server
CVSS Base7.2
โ
CRSSelect profile
CVE-2026-1155
8.8๐
TotolinkMultiple Products
A vulnerability was found in Totolink LR350 9
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-1156
8.8๐
TotolinkMultiple Products
A vulnerability was determined in Totolink LR350 9
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-1157
8.8๐
TotolinkMultiple Products
A high-severity security vulnerability has been identified in Totolink LR350 devices, potentially allowing for unauthorized system access or control.
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-1158
8.8๐
TotolinkMultiple Products
A security flaw discovered in Totolink LR350 9 hardware could allow attackers to bypass security measures and impact device stability.
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-23950
8.8๐
UnknownMultiple Products
node-tar,a Tar for Node
CVSS Base8.8
โ
CRSSelect profile
CVE-2025-33015
8.8
IBMMultiple Products
IBM Concert 1
CVSS Base8.8
โ
CRSSelect profile
CVE-2026-23625
8.7๐
OpenProjectMultiple Products
OpenProject is an open-source, web-based project management software
CVSS Base8.7
โ
CRSSelect profile
CVE-2026-23949
8.6๐
UnknownMultiple Products
jaraco
CVSS Base8.6
โ
CRSSelect profile
CVE-2026-22031
8.4๐
UnknownMultiple Products
@fastify/middie is the plugin that adds middleware support on steroids to Fastify
CVSS Base8.4
โ
CRSSelect profile
CVE-2026-22037
8.4๐
TheMultiple Products
The @fastify/express plugin adds full Express compatibility to Fastify
CVSS Base8.4
โ
CRSSelect profile
CVE-2025-12985
8.4
IBMMultiple Products
IBM Licensing Operator incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Licensing Operator image
CVSS Base8.4
โ
CRSSelect profile
CVE-2025-14115
8.4
IBMMultiple Products
IBM Sterling Connect:Direct for UNIX Container 6
CVSS Base8.4
โ
CRSSelect profile
CVE-2026-23876
8.1๐
ImageMagickMultiple Products
ImageMagick is free and open-source software used for editing and manipulating digital images
CVSS Base8.1
โ
CRSSelect profile
CVE-2025-33233
7.8
NVIDIAMultiple Products
NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection
CVSS Base7.8
โ
CRSSelect profile
CVE-2025-61684
7.5๐
UnknownMultiple Products
Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e
CVSS Base7.5
โ
CRSSelect profile
CVE-2025-68616
7.5๐
WeasyPrintMultiple Products
WeasyPrint helps web developers to create PDF documents
CVSS Base7.5
โ
CRSSelect profile
CVE-2026-23842
7.5๐
dialogMultiple Products
ChatterBot is a machine learning, conversational dialog engine for creating chat bots
CVSS Base7.5
โ
CRSSelect profile
CVE-2025-68133
7.4
EVerestMultiple Products
EVerest is an EV charging software stack
CVSS Base7.4
โ
CRSSelect profile
CVE-2026-1159
7.3๐
OrderingMultiple Products
A security weakness has been identified in the itsourcecode Online Frozen Foods Ordering System 1. This high-severity flaw could allow for unauthorized data access.
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-1176
7.3๐
ManagementMultiple Products
A security flaw has been discovered in itsourcecode School Management System 1, which could allow unauthorized access to sensitive educational records.
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-23880
7.3๐
OnboardLiteMultiple Products
A vulnerability has been identified in the OnboardLite platform, a membership lifecycle tool used by student organizations. This flaw could lead to unauthorized access to member data.
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-1177
7.3๐
YonyouMultiple Products
A security weakness has been identified in Yonyou KSOA 9 that could compromise system integrity. This high-severity flaw requires immediate remediation.
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-1178
7.3๐
YonyouMultiple Products
A security vulnerability has been detected in Yonyou KSOA 9, posing a high risk to enterprise data security. Immediate patching is required.
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-1179
7.3๐
YonyouMultiple Products
A vulnerability was detected in Yonyou KSOA 9
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-1192
7.3๐
wasMultiple Products
A vulnerability was determined in Tosei Online Store Management System ใใใๅบ่็ฎก็ใทในใใ 1
CVSS Base7.3
โ
CRSSelect profile
CVE-2026-1202
7.3๐
securityMultiple Products
A security flaw has been discovered in CRMEB up to 5
CVSS Base7.3
โ
CRSSelect profile
CVE-2025-36418
7.3
IBMMultiple Products
IBM ApplinX 11
CVSS Base7.3
โ
CRSSelect profile
CVE-2025-33228
7.3
NVIDIAMultiple Products
NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli
CVSS Base7.3
โ
CRSSelect profile
CVE-2025-33230
7.3
NVIDIAMultiple Products
NVIDIA Nsight Systems for Linux contains a vulnerability in the
CVSS Base7.3
โ
CRSSelect profile
CVE-2025-55130
7.1
flawMultiple Products
A flaw in Node
CVSS Base7.1
โ
CRSSelect profile
CVE-2025-55131
7.1
flawMultiple Products
A flaw in Node
CVSS Base7.1
โ
CRSSelect profile
CVE-2026-21641
7.1
HackerOneMultiple Products
HackerOne community member Jad Ghamloush (0xjad) has reported an authorization bypass vulnerability in the `tracker-delete