Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
Yesterday's disclosures included 2 critical CVEs, a 92% decrease from the prior day's 26 critical vulnerabilities. High-priority vulnerabilities also declined significantly, with 39 CVEs compared to 100 the previous day, representing a 61% reduction. Ten actively exploited vulnerabilities remain on CISA's KEV catalog, affecting Microsoft Windows, Microsoft Office, Cisco Unified Communications Manager, HPE OneView, VMware vCenter Server, and Zimbra Collaboration Suite. Notable critical disclosures include CVE-2025-13374 (CVSS 9.8), an arbitrary file upload vulnerability in the Kalrav AI Agent WordPress plugin, and CVE-2026-24399 (CVSS 9.3) affecting ChatterMate. Patch availability stands at 0%, requiring organizations to implement compensating controls until vendor fixes are released.
2 critical CVEs disclosed, down 92% from 26 the prior day
39 high-priority CVEs, representing a 61% decrease from 100
10 actively exploited vulnerabilities affecting Microsoft, Cisco, HPE, VMware, Gogs, Zimbra, Versa, and Vite
0% patch availability for newly disclosed vulnerabilities
WordPress plugin (Kalrav AI Agent) and ChatterMate identified in critical severity disclosures
Immediate action: Organizations running Microsoft Windows, Cisco Unified Communications Manager, HPE OneView, VMware vCenter Server, or Zimbra should prioritize reviewing the actively exploited CVEs and implement available mitigations. With no patches currently available for newly disclosed critical vulnerabilities, focus on network segmentation and monitoring for exploitation attempts.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2009-0556
9.5
MicrosoftOffice
â° Federal Deadline:January 27, 2026(3 days remaining)
Microsoft Office PowerPoint Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-37164
9.5đ
Hewlett Packard Enterprise (HPE)OneView
â° Federal Deadline:January 27, 2026(3 days remaining)
Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-8110
9.5
GogsGogs
â° Federal Deadline:February 1, 2026(8 days remaining)
Gogs Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-20805
9.5
MicrosoftWindows
â° Federal Deadline:February 2, 2026(9 days remaining)
Microsoft Windows Information Disclosure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-20045
9.5đ
CiscoUnified Communications Manager
â° Federal Deadline:February 10, 2026(17 days remaining)
Cisco Unified Communications Products Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-68645
9.5đ
Synacor Zimbra Collaboration Suite (ZCS)
â° Federal Deadline:February 11, 2026(18 days remaining)
Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-34026
9.5
VersaConcerto
â° Federal Deadline:February 11, 2026(18 days remaining)
Versa Concerto Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-31125
9.5
ViteVitejs
â° Federal Deadline:February 11, 2026(18 days remaining)
Vite Vitejs Improper Access Control Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-54313
9.5
Prettiereslint-config-prettier
â° Federal Deadline:February 11, 2026(18 days remaining)
Prettier eslint-config-prettier Embedded Malicious Code Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2024-37079
9.5
BroadcomVMware vCenter Server
â° Federal Deadline:February 12, 2026(19 days remaining)
Broadcom VMware vCenter Server Out-of-bounds Write Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2025-13374
9.8đ
The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in theMultiple Products
The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the kalrav_upload_file AJAX action in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS Base9.8
â
CRSSelect profile
CVE-2026-24399
9.3đ
ChatterMate is aMultiple Products
ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an <iframe> payload containing a javascript: URI can be processed and executed in the browser context. This allows access to sensitive client-side data such as localStorage tokens and cookies, resulting in client-side injection. This issue has been fixed in version 1.0.9.
CVSS Base9.3
â
CRSSelect profile
â ī¸
High Priority Updates
CVE-2026-24608
7.5đ
ImproperMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent Core laurent-core allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2026-24635
7.5đ
DevsBlink EduBlinkMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DevsBlink EduBlink Core edublink-core allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2025-14866
8.8đ
WordPressMultiple Products
The Melapress Role Editor plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1
CVSS Base8.8
â
CRSSelect profile
CVE-2026-24609
7.5đ
ImproperMultiple Products
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent laurent allows PHP Local File Inclusion
CVSS Base7.5
â
CRSSelect profile
CVE-2026-0800
7.2đ
WordPressMultiple Products
The User Submitted Posts â Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom fields in all versions up to, and including, 20251210 due to insufficient input sanitization and output escaping
CVSS Base7.2
â
CRSSelect profile
CVE-2025-69908
7.5đ
accessibleMultiple Products
An unauthenticated information disclosure vulnerability in Newgen OmniApp allows attackers to enumerate valid privileged usernames via a publicly accessible client-side JavaScript resource
CVSS Base7.5
â
CRSSelect profile
CVE-2026-1257
7.5đ
WordPressMultiple Products
The Administrative Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0
CVSS Base7.5
â
CRSSelect profile
CVE-2026-0911
7.5đ
WordPressMultiple Products
The Hustle â Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function in all versions up to, and including, 7
CVSS Base7.5
â
CRSSelect profile
CVE-2026-0807
7.2đ
WordPressMultiple Products
The Frontis Blocks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1
CVSS Base7.2
â
CRSSelect profile
CVE-2026-22273
8.8đ
DellMultiple Products
Dell ECS, versions 3
CVSS Base8.8
â
CRSSelect profile
CVE-2021-47903
8.8đ
WebMultiple Products
LiteSpeed Web Server Enterprise 5
CVSS Base8.8
â
CRSSelect profile
CVE-2026-24572
8.8đ
Nelio Software NelioMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nelio Software Nelio Content nelio-content allows Blind SQL Injection
CVSS Base8.8
â
CRSSelect profile
CVE-2025-69907
7.5đ
unauthenticatedMultiple Products
An unauthenticated information disclosure vulnerability exists in Newgen OmniDocs due to missing authentication and access control on the /omnidocs/GetListofCabinet API endpoint
CVSS Base7.5
â
CRSSelect profile
CVE-2021-47888
8.8đ
priorMultiple Products
Textpattern versions prior to 4
CVSS Base8.8
â
CRSSelect profile
CVE-2021-47904
8.8đ
PhreeBooksMultiple Products
PhreeBooks 5
CVSS Base8.8
â
CRSSelect profile
CVE-2026-24405
8.8
iccDEVMultiple Products
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles
CVSS Base8.8
â
CRSSelect profile
CVE-2026-24406
8.8
iccDEVMultiple Products
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles
CVSS Base8.8
â
CRSSelect profile
CVE-2026-24412
8.8
iccDEVMultiple Products
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles
CVSS Base8.8
â
CRSSelect profile
CVE-2026-24624
7.2
ImproperMultiple Products
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in saeros1984 Neoforum neoforum allows Blind SQL Injection
CVSS Base7.2
â
CRSSelect profile
CVE-2021-47881
8.4
AvionicsMultiple Products
dataSIMS Avionics ARINC 664-1 version 4
CVSS Base8.4
â
CRSSelect profile
CVE-2021-47889
7.8
LANMultiple Products
Softros LAN Messenger 9
CVSS Base7.8
â
CRSSelect profile
CVE-2021-47890
7.8
LogonExpertMultiple Products
LogonExpert 8
CVSS Base7.8
â
CRSSelect profile
CVE-2021-47896
7.8
CorporateMultiple Products
PDF Complete Corporate Edition 4
CVSS Base7.8
â
CRSSelect profile
CVE-2021-47898
7.8
USBMultiple Products
Epson USB Display 1
CVSS Base7.8
â
CRSSelect profile
CVE-2025-66720
7.5
NullMultiple Products
Null pointer dereference in free5gc pcf 1
CVSS Base7.5
â
CRSSelect profile
CVE-2021-47893
7.5
PingMasterMultiple Products
AgataSoft PingMaster Pro 2
CVSS Base7.5
â
CRSSelect profile
CVE-2021-47894
7.5
MappingMultiple Products
Managed Switch Port Mapping Tool 2
CVSS Base7.5
â
CRSSelect profile
CVE-2021-47895
7.5
NsauditorMultiple Products
Nsauditor 3
CVSS Base7.5
â
CRSSelect profile
CVE-2025-70986
7.5
IncorrectMultiple Products
Incorrect access control in the selectDept function of RuoYi v4
CVSS Base7.5
â
CRSSelect profile
CVE-2026-24469
7.5
HTTPMultiple Products
C++ HTTP Server is an HTTP/1
CVSS Base7.5
â
CRSSelect profile
CVE-2021-47892
7.2
PEELMultiple Products
PEEL Shopping 9
CVSS Base7.2
â
CRSSelect profile
CVE-2021-47897
7.2
PEELMultiple Products
PEEL Shopping 9
CVSS Base7.2
â
CRSSelect profile
CVE-2025-67230
7.1
ImproperMultiple Products
Improper permissions in the handler for the Custom URL Scheme in ToDesktop Builder v0
CVSS Base7.1
â
CRSSelect profile
CVE-2026-24403
7.1
iccDEVMultiple Products
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles
CVSS Base7.1
â
CRSSelect profile
CVE-2026-24404
7.1
iccDEVMultiple Products
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles
CVSS Base7.1
â
CRSSelect profile
CVE-2026-24407
7.1
iccDEVMultiple Products
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles
CVSS Base7.1
â
CRSSelect profile
CVE-2026-24409
7.1
iccDEVMultiple Products
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles
CVSS Base7.1
â
CRSSelect profile
CVE-2026-24410
7.1
iccDEVMultiple Products
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles
CVSS Base7.1
â
CRSSelect profile
CVE-2026-24411
7.1
iccDEVMultiple Products
iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles