Critical vulnerabilities, curated daily for security professionals
π― SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
π
Archived Security Brief
Yesterday's vulnerability disclosures included 14 critical-severity CVEs, a 17% increase from the prior day's 12 critical issues. High-priority vulnerabilities rose significantly to 100, representing a 45% increase from 69 the previous day. Five actively exploited vulnerabilities were added to the KEV catalog, including CVE-2026-20805 affecting Microsoft Windows, CVE-2025-37164 in HPE OneView, and CVE-2025-8110 targeting Gogs. Critical vulnerabilities of note include CVE-2026-23524 (CVSS 9.8) in Laravel Reverb, CVE-2026-24061 (CVSS 9.8) in GNU Inetutils telnetd, and CVE-2021-47748 (CVSS 9.8) in Hasura GraphQL. Patch availability currently stands at 0%, requiring organizations to prioritize compensating controls and monitoring.
14 critical CVEs disclosed, up 17% from prior day
100 high-priority vulnerabilities, a 45% increase
5 actively exploited: Microsoft Windows, HPE OneView, Gogs, Microsoft Office
0% patch availability for newly disclosed vulnerabilities
Affected products include Laravel Reverb, GNU Inetutils, Hasura GraphQL, Academy LMS
Immediate action: Organizations using Microsoft Windows, HPE OneView, Gogs, and Microsoft Office should implement compensating controls immediately given confirmed active exploitation. With no patches currently available for yesterday's disclosures, focus on network segmentation, enhanced monitoring, and vendor advisory tracking for affected critical systems.
π‘ Tip: Swipe CVE cards left to β star, right to β remove
Section Navigation
β οΈ
CISA Known Exploited Vulnerabilities
β οΈ CISA KEVURGENT
CVE-2009-0556
9.5
MicrosoftOffice
β° Federal Deadline:January 27, 2026(6 days remaining)
Microsoft Office PowerPoint Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2025-37164
9.5π
Hewlett Packard Enterprise (HPE)OneView
β° Federal Deadline:January 27, 2026(6 days remaining)
Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2025-8110
9.5
GogsGogs
β° Federal Deadline:February 1, 2026(11 days remaining)
Gogs Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEV
CVE-2026-20805
9.5
MicrosoftWindows
β° Federal Deadline:February 2, 2026(12 days remaining)
Microsoft Windows Information Disclosure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
π¨
Critical Vulnerabilities
CVE-2026-23524
9.8π
Laravel Reverb provides aMultiple Products
Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHPβs unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node).
CVSS Base9.8
β
CRSSelect profile
CVE-2026-22793
9.6π
UnknownMultiple Products
5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe option parsing vulnerability in the ECharts Markdown plugin allows any user able to submit ECharts code blocks to execute arbitrary JavaScript code in the renderer context. This can lead to Remote Code Execution (RCE) in environments where privileged APIs (such as Electronβs electron.mcp) are exposed, resulting in full compromise of the host system. Version 0.15.3 patches the issue.
CVSS Base9.6
β
CRSSelect profile
CVE-2026-0920
9.8π
TheMultiple Products
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-22792
9.6π
UnknownMultiple Products
5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe HTML rendering permits untrusted HTML (including on* event attributes) to execute in the renderer context. An attacker can inject an `<img onerror=...>` payload to run arbitrary JavaScript in the renderer, which can call exposed bridge APIs such as `window.bridge.mcpServersManager.createServer`. This enables unauthorized creation of MCP servers and lead to remote command execution. Version 0.15.3 fixes the issue.
CVSS Base9.6
β
CRSSelect profile
CVE-2025-15521
9.8π
The Academy LMSMultiple Products
The Academy LMS β WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and gain access to their account.
CVSS Base9.8
β
CRSSelect profile
CVE-2021-47748
9.8π
Hasura GraphQLMultiple Products
Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the run_sql endpoint by crafting malicious GraphQL queries that execute system commands through PostgreSQL's COPY FROM PROGRAM functionality.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-23966
9.1π
UnknownMultiple Products
sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A private key recovery vulnerability exists in the SM2 decryption logic of sm-crypto prior to version 0.3.14. By interacting with the SM2 decryption interface multiple times, an attacker can fully recover the private key within approximately several hundred interactions. Version 0.3.14 patches the issue.
CVSS Base9.1
β
CRSSelect profile
CVE-2026-24061
9.8π
telnetd in GNU Inetutils throughMultiple Products
telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.
CVSS Base9.8
β
CRSSelect profile
CVE-2021-47851
9.8π
Mini MouseMultiple Products
Mini Mouse 9.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary commands through an unauthenticated HTTP endpoint. Attackers can leverage the /op=command endpoint to download and execute payloads by sending crafted JSON requests with malicious script commands.
CVSS Base9.8
β
CRSSelect profile
CVE-2021-47854
9.8π
UnknownMultiple Products
DD-WRT version 45723 contains a buffer overflow vulnerability in the UPNP network discovery service that allows remote attackers to potentially execute arbitrary code. Attackers can send crafted M-SEARCH packets with oversized UUID payloads to trigger buffer overflow conditions on the target device.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-24002
9π
Grist is spreadsheet software using Python as its formulaMultiple Products
Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox barrier. If a user of Grist sets `GRIST_SANDBOX_FLAVOR` to `pyodide` and opens a malicious document, that document could run arbitrary processes on the server hosting Grist. The problem has been addressed in Grist version 1.7.9 and up, by running pyodide under deno. As a workaround, a user can use the gvisor-based sandbox by setting `GRIST_SANDBOX_FLAVOR` to `gvisor`.
CVSS Base9
β
CRSSelect profile
CVE-2026-1331
9.8π
MeetingHub developed by HAMASTAR Technology has an Arbitrary File UploadMultiple Products
MeetingHub developed by HAMASTAR Technology has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-24042
9.4π
Appsmith is a platform to build adminMultiple Products
Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should only execute published actions, not edit-mode versions. An attack can result in sensitive data exposure, execution of editβmode queries and APIs, development data access, and the ability to trigger side effect behavior. This issue does not have a released fix at the time of publication.
CVSS Base9.4
β
CRSSelect profile
CVE-2021-47875
9.8π
GeoGebra CAS CalculatorMultiple Products
GeoGebra CAS Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the application by generating a large buffer overflow. Attackers can create a payload with 8000 repeated characters and paste it into the calculator's input field to trigger an application crash.
CVSS Base9.8
β
CRSSelect profile
β οΈ
High Priority Updates
β οΈ CISA KEV
CVE-2026-20045
8.2π
CiscoMultiple Products
β° Federal Deadline:February 10, 2026(20 days remaining)
A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device
CVSS Base8.2
β
CRSSelect profile
CVE-2026-0726
8.1π
WordPressMultiple Products
The Nexter Extension β Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4
CVSS Base8.1
β
CRSSelect profile
CVE-2025-15347
8.8π
WordPressMultiple Products
The Creator LMS β The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1
CVSS Base8.8
β
CRSSelect profile
CVE-2025-15380
7.2π
WordPressMultiple Products
The NotificationX β FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3
CVSS Base7.2
β
CRSSelect profile
CVE-2021-47853
8.8π
phpPgAdminMultiple Products
phpPgAdmin 7
CVSS Base8.8
β
CRSSelect profile
CVE-2026-21967
8.6π
OracleMultiple Products
Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Opera Servlet)
CVSS Base8.6
β
CRSSelect profile
CVE-2026-21955
8.2π
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base8.2
β
CRSSelect profile
CVE-2026-21956
8.2π
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base8.2
β
CRSSelect profile
CVE-2026-21987
8.2π
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base8.2
β
CRSSelect profile
CVE-2026-21988
8.2π
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base8.2
β
CRSSelect profile
CVE-2026-21990
8.2π
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base8.2
β
CRSSelect profile
CVE-2026-21973
8.1π
OracleMultiple Products
Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Oracle Financial Services Applications (component: Security Management System)
CVSS Base8.1
β
CRSSelect profile
CVE-2026-21989
8.1π
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base8.1
β
CRSSelect profile
CVE-2026-24016
7.8π
installerMultiple Products
The installer of ServerView Agents for Windows provided by Fsas Technologies Inc
CVSS Base7.8
β
CRSSelect profile
CVE-2021-47862
7.8π
RezMultiple Products
Hi-Rez Studios 5
CVSS Base7.8
β
CRSSelect profile
CVE-2025-66692
7.5
beforeMultiple Products
A buffer over-read in the PublicKey::verify() method of Binance - Trust Wallet Core before commit 5668c67 allows attackers to cause a Denial of Service (DoS) via a crafted input
CVSS Base7.5
β
CRSSelect profile
CVE-2026-21926
7.5
OracleMultiple Products
Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Server Infrastructure)
CVSS Base7.5
β
CRSSelect profile
CVE-2026-21940
7.5
OracleMultiple Products
Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: User and User Group)
CVSS Base7.5
β
CRSSelect profile
CVE-2026-21945
7.5
OracleMultiple Products
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security)
CVSS Base7.5
β
CRSSelect profile
CVE-2026-21957
7.5
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base7.5
β
CRSSelect profile
CVE-2026-21982
7.5
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base7.5
β
CRSSelect profile
CVE-2026-21983
7.5
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base7.5
β
CRSSelect profile
CVE-2026-21984
7.5
OracleMultiple Products
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core)
CVSS Base7.5
β
CRSSelect profile
CVE-2026-23965
7.5
UnknownMultiple Products
sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4
CVSS Base7.5
β
CRSSelect profile
CVE-2026-23967
7.5
UnknownMultiple Products
sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4
CVSS Base7.5
β
CRSSelect profile
CVE-2026-21932
7.4
OracleMultiple Products
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX)
CVSS Base7.4
β
CRSSelect profile
CVE-2025-33229
7.3
NVIDIAMultiple Products
NVIDIA Nsight Visual Studio for Windows contains a vulnerability in Nsight Monitor where an attacker can execute arbitrary code with the same privileges as the NVIDIA Nsight Visual Studio Edition Monitor application
CVSS Base7.3
β
CRSSelect profile
CVE-2026-21976
7.1
OracleMultiple Products
Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Oracle Analytics Cloud)
CVSS Base7.1
β
CRSSelect profile
CVE-2026-22022
8.2
ApacheMultiple Products
Deployments of Apache Solr 5
CVSS Base8.2
β
CRSSelect profile
CVE-2025-59465
7.5
malformedMultiple Products
A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node
CVSS Base7.5
β
CRSSelect profile
CVE-2021-47770
8.8
OpenPLCMultiple Products
OpenPLC v3 contains an authenticated remote code execution vulnerability that allows attackers with valid credentials to inject malicious code through the hardware configuration interface
CVSS Base8.8
β
CRSSelect profile
CVE-2025-27378
8.6
AESMultiple Products
AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied
CVSS Base8.6
β
CRSSelect profile
CVE-2021-47802
7.5
TendaMultiple Products
Tenda D151 and D301 routers contain an unauthenticated configuration download vulnerability that allows remote attackers to retrieve router configuration files
CVSS Base7.5
β
CRSSelect profile
CVE-2026-1330
7.5
MeetingHubMultiple Products
MeetingHub developed by HAMASTAR Technology has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files
CVSS Base7.5
β
CRSSelect profile
CVE-2025-33015
8.8
IBMMultiple Products
IBM Concert 1
CVSS Base8.8
β
CRSSelect profile
CVE-2021-47852
8.8
GamesMultiple Products
Rockstar Games Launcher 1
CVSS Base8.8
β
CRSSelect profile
CVE-2021-47871
8.8
ControlMultiple Products
Hestia Control Panel 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-22807
8.8
servingMultiple Products
vLLM is an inference and serving engine for large language models (LLMs)
CVSS Base8.8
β
CRSSelect profile
CVE-2026-24010
8.8
HorillaMultiple Products
Horilla is a free and open source Human Resource Management System (HRMS)
CVSS Base8.8
β
CRSSelect profile
CVE-2025-12985
8.4
IBMMultiple Products
IBM Licensing Operator incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Licensing Operator image
CVSS Base8.4
β
CRSSelect profile
CVE-2025-14115
8.4
IBMMultiple Products
IBM Sterling Connect:Direct for UNIX Container 6
CVSS Base8.4
β
CRSSelect profile
CVE-2025-68137
8.3
EVerestMultiple Products
EVerest is an EV charging software stack
CVSS Base8.3
β
CRSSelect profile
CVE-2021-47846
8.2
ManagementMultiple Products
Digital Crime Report Management System 1
CVSS Base8.2
β
CRSSelect profile
CVE-2021-47848
8.2
BlitarMultiple Products
Blitar Tourism 1
CVSS Base8.2
β
CRSSelect profile
CVE-2026-24038
8.1
HorillaMultiple Products
Horilla is a free and open source Human Resource Management System (HRMS)
CVSS Base8.1
β
CRSSelect profile
CVE-2025-33233
7.8
NVIDIAMultiple Products
NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection
CVSS Base7.8
β
CRSSelect profile
CVE-2021-47859
7.8
ActivIdentityMultiple Products
ActivIdentity 8
CVSS Base7.8
β
CRSSelect profile
CVE-2021-47861
7.8
LogMultiple Products
Event Log Explorer 4
CVSS Base7.8
β
CRSSelect profile
CVE-2021-47863
7.8
MacPawMultiple Products
MacPaw Encrypto 1
CVSS Base7.8
β
CRSSelect profile
CVE-2021-47864
7.8
TraverseMultiple Products
OSAS Traverse Extension 11 contains an unquoted service path vulnerability in the TravExtensionHostSvc service running with LocalSystem privileges
CVSS Base7.8
β
CRSSelect profile
CVE-2021-47866
7.8
PACKMultiple Products
WIN-PACK PRO 4
CVSS Base7.8
β
CRSSelect profile
CVE-2021-47867
7.8
UnknownMultiple Products
WIN-PACK PRO4
CVSS Base7.8
β
CRSSelect profile
CVE-2021-47868
7.8
PACKMultiple Products
WIN-PACK PRO 4
CVSS Base7.8
β
CRSSelect profile
CVE-2021-47869
7.8
BRAdminMultiple Products
Brother BRAdmin Professional 3
CVSS Base7.8
β
CRSSelect profile
CVE-2021-47874
7.8
forMultiple Products
VFS for Git 1
CVSS Base7.8
β
CRSSelect profile
CVE-2021-47878
7.8
EducationMultiple Products
eBeam Education Suite 2
CVSS Base7.8
β
CRSSelect profile
CVE-2021-47879
7.8
InteractiveMultiple Products
eBeam Interactive Suite 3
CVSS Base7.8
β
CRSSelect profile
CVE-2021-47880
7.8
LANMultiple Products
Realtek Wireless LAN Utility 700
CVSS Base7.8
β
CRSSelect profile
CVE-2021-47882
7.8
FreeLANMultiple Products
FreeLAN 2
CVSS Base7.8
β
CRSSelect profile
CVE-2021-47883
7.8
SandboxieMultiple Products
Sandboxie Plus 0
CVSS Base7.8
β
CRSSelect profile
CVE-2021-47884
7.8
ConfigurationMultiple Products
OKI Configuration Tool 1
CVSS Base7.8
β
CRSSelect profile
CVE-2021-47886
7.8
PingzapperMultiple Products
Pingzapper 2
CVSS Base7.8
β
CRSSelect profile
CVE-2021-47887
7.8
JobMultiple Products
OKI Print Job Accounting 4
CVSS Base7.8
β
CRSSelect profile
CVE-2025-27380
7.6
EnterpriseMultiple Products
HTML injection in Project Release in Altium Enterprise Server (AES) 7
CVSS Base7.6
β
CRSSelect profile
CVE-2025-56353
7.5
tinyMQTTMultiple Products
In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), a memory leak occurs due to the broker's failure to validate or reject malformed UTF-8 strings in topic filters
CVSS Base7.5
β
CRSSelect profile
CVE-2025-57155
7.5
NULLMultiple Products
NULL pointer dereference in the daap_reply_groups function in src/httpd_daap
CVSS Base7.5
β
CRSSelect profile
CVE-2025-57156
7.5
NULLMultiple Products
NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp
CVSS Base7.5
β
CRSSelect profile
CVE-2025-63647
7.5
NULLMultiple Products
A NULL pointer dereference in the parse_meta function (src/httpd_daap
CVSS Base7.5
β
CRSSelect profile
CVE-2025-63648
7.5
NULLMultiple Products
A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp
CVSS Base7.5
β
CRSSelect profile
CVE-2025-66902
7.5
inputMultiple Products
An input validation issue in in Pithikos websocket-server v
CVSS Base7.5
β
CRSSelect profile
CVE-2025-13878
7.5
MalformedMultiple Products
Malformed BRID/HHIT records can cause `named` to terminate unexpectedly
CVSS Base7.5
β
CRSSelect profile
CVE-2025-70645
7.5
TendaMultiple Products
Tenda AX-1806 v1
CVSS Base7.5
β
CRSSelect profile
CVE-2025-70650
7.5
TendaMultiple Products
Tenda AX-1806 v1
CVSS Base7.5
β
CRSSelect profile
CVE-2025-70651
7.5
TendaMultiple Products
Tenda AX-1803 v1
CVSS Base7.5
β
CRSSelect profile
CVE-2021-47746
7.5
PluginMultiple Products
NodeBB Plugin Emoji 3
CVSS Base7.5
β
CRSSelect profile
CVE-2021-47850
7.5
MiniMultiple Products
Mini Mouse 9
CVSS Base7.5
β
CRSSelect profile
CVE-2021-47865
7.5
ProFTPDMultiple Products
ProFTPD 1
CVSS Base7.5
β
CRSSelect profile
CVE-2021-47876
7.5
GeoGebraMultiple Products
GeoGebra Classic 5
CVSS Base7.5
β
CRSSelect profile
CVE-2021-47877
7.5
GraphingMultiple Products
GeoGebra Graphing Calculator 6
CVSS Base7.5
β
CRSSelect profile
CVE-2026-23737
7.5
serovalMultiple Products
seroval facilitates JS value stringification, including complex structures beyond JSON
CVSS Base7.5
β
CRSSelect profile
CVE-2026-23956
7.5
serovalMultiple Products
seroval facilitates JS value stringification, including complex structures beyond JSON
CVSS Base7.5
β
CRSSelect profile
CVE-2026-23957
7.5
serovalMultiple Products
seroval facilitates JS value stringification, including complex structures beyond JSON
CVSS Base7.5
β
CRSSelect profile
CVE-2026-23962
7.5
networkMultiple Products
Mastodon is a free, open-source social network server based on ActivityPub
CVSS Base7.5
β
CRSSelect profile
CVE-2026-24006
7.5
SerovalMultiple Products
Seroval facilitates JS value stringification, including complex structures beyond JSON
CVSS Base7.5
β
CRSSelect profile
CVE-2025-68133
7.4
EVerestMultiple Products
EVerest is an EV charging software stack
CVSS Base7.4
β
CRSSelect profile
CVE-2025-68134
7.4
EVerestMultiple Products
EVerest is an EV charging software stack
CVSS Base7.4
β
CRSSelect profile
CVE-2025-68136
7.4
EVerestMultiple Products
EVerest is an EV charging software stack
CVSS Base7.4
β
CRSSelect profile
CVE-2025-68141
7.4
EVerestMultiple Products
EVerest is an EV charging software stack
CVSS Base7.4
β
CRSSelect profile
CVE-2025-36418
7.3
IBMMultiple Products
IBM ApplinX 11
CVSS Base7.3
β
CRSSelect profile
CVE-2025-33228
7.3
NVIDIAMultiple Products
NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli
CVSS Base7.3
β
CRSSelect profile
CVE-2025-33230
7.3
NVIDIAMultiple Products
NVIDIA Nsight Systems for Linux contains a vulnerability in the
CVSS Base7.3
β
CRSSelect profile
CVE-2026-23736
7.3
serovalMultiple Products
seroval facilitates JS value stringification, including complex structures beyond JSON
CVSS Base7.3
β
CRSSelect profile
CVE-2021-47855
7.2
OpenlitespeedMultiple Products
Openlitespeed 1
CVSS Base7.2
β
CRSSelect profile
CVE-2021-47857
7.2
MoodleMultiple Products
Moodle 3
CVSS Base7.2
β
CRSSelect profile
CVE-2021-47858
7.2
GenexisMultiple Products
Genexis Platinum-4410 P4410-V2-1
CVSS Base7.2
β
CRSSelect profile
CVE-2021-47873
7.2
priorMultiple Products
VestaCP versions prior to 0
CVSS Base7.2
β
CRSSelect profile
CVE-2026-23699
7.2
UnknownMultiple Products
AP180 series with firmware versions prior to AP_RGOS 11
CVSS Base7.2
β
CRSSelect profile
CVE-2025-55130
7.1
flawMultiple Products
A flaw in Node
CVSS Base7.1
β
CRSSelect profile
CVE-2025-55131
7.1
flawMultiple Products
A flaw in Node
CVSS Base7.1
β
CRSSelect profile
CVE-2026-21641
7.1
HackerOneMultiple Products
HackerOne community member Jad Ghamloush (0xjad) has reported an authorization bypass vulnerability in the `tracker-delete