Critical vulnerabilities, curated daily for security professionals
đ¯ SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
đ
Archived Security Brief
Tuesday's brief covers 3 critical CVEs (CVSS 9.0+), a notable increase from zero critical disclosures the prior day. High-priority vulnerabilities rose 218% to 35 CVEs compared to 11 previously. The CISA KEV catalog added 15 actively exploited vulnerabilities, including CVE-2026-20805 affecting Microsoft Windows, CVE-2025-37164 in HPE OneView, and CVE-2026-20045 targeting Cisco Unified Communications Manager. Critical disclosures include CVE-2016-15057 and CVE-2025-70982 (both CVSS 9.9), with the latter involving incorrect access control in SpringBlade's importUser function. Patch availability stands at 0%, requiring organizations to prioritize compensating controls and monitoring until fixes become available.
3 critical CVEs disclosed, up from 0 the prior day (100% increase)
35 high-priority CVEs, up from 11 previously (218% increase)
15 actively exploited vulnerabilities including Microsoft Windows, HPE OneView, Cisco UCM, and Zimbra Collaboration Suite
0% patch availability across disclosed vulnerabilities
Critical access control vulnerability in SpringBlade (CVE-2025-70982) rated CVSS 9.9
Immediate action: Organizations running Microsoft Windows, HPE OneView, Cisco Unified Communications Manager, Zimbra Collaboration Suite, or VMware vCenter Server should assess exposure to the 15 actively exploited vulnerabilities. With no patches currently available, implement network segmentation, enhanced monitoring, and access restrictions for affected systems.
đĄ Tip: Swipe CVE cards left to â star, right to â remove
Section Navigation
â ī¸
CISA Known Exploited Vulnerabilities
â ī¸ CISA KEVURGENT
CVE-2009-0556
9.5
MicrosoftOffice
â° Federal Deadline:January 27, 2026(1 days remaining)
Microsoft Office PowerPoint Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-37164
9.5đ
Hewlett Packard Enterprise (HPE)OneView
â° Federal Deadline:January 27, 2026(1 days remaining)
Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2025-8110
9.5
GogsGogs
â° Federal Deadline:February 1, 2026(6 days remaining)
Gogs Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEVURGENT
CVE-2026-20805
9.5
MicrosoftWindows
â° Federal Deadline:February 2, 2026(7 days remaining)
Microsoft Windows Information Disclosure Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-20045
9.5đ
CiscoUnified Communications Manager
â° Federal Deadline:February 10, 2026(15 days remaining)
Cisco Unified Communications Products Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-68645
9.5đ
Synacor Zimbra Collaboration Suite (ZCS)
â° Federal Deadline:February 11, 2026(16 days remaining)
Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-34026
9.5
VersaConcerto
â° Federal Deadline:February 11, 2026(16 days remaining)
Versa Concerto Improper Authentication Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-31125
9.5
ViteVitejs
â° Federal Deadline:February 11, 2026(16 days remaining)
Vite Vitejs Improper Access Control Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-54313
9.5
Prettiereslint-config-prettier
â° Federal Deadline:February 11, 2026(16 days remaining)
Prettier eslint-config-prettier Embedded Malicious Code Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2024-37079
9.5
BroadcomVMware vCenter Server
â° Federal Deadline:February 12, 2026(17 days remaining)
Broadcom VMware vCenter Server Out-of-bounds Write Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2018-14634
9.5
LinuxKernal
â° Federal Deadline:February 15, 2026(20 days remaining)
Linux Kernel Integer Overflow Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2025-52691
9.5đ
SmarterToolsSmarterMail
â° Federal Deadline:February 15, 2026(20 days remaining)
SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-23760
9.5
SmarterToolsSmarterMail
â° Federal Deadline:February 15, 2026(20 days remaining)
SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
â ī¸ CISA KEV
CVE-2026-24061
9.5đ
GNUInetUtils
â° Federal Deadline:February 15, 2026(20 days remaining)
GNU InetUtils Argument Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
â
CRSSelect profile
đ¨
Critical Vulnerabilities
CVE-2016-15057
9.9đ
UnknownMultiple Products
** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Continuum.
This issue affects Apache Continuum: all versions.
Attackers with access to the installations REST API can use this to invoke arbitrary commands on the server.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVSS Base9.9
â
CRSSelect profile
CVE-2025-70982
9.9đ
Incorrect access control in the importUser function of SpringBladeMultiple Products
Incorrect access control in the importUser function of SpringBlade v4.5.0 allows attackers with low-level privileges to arbitrarily import sensitive user data.
CVSS Base9.9
â
CRSSelect profile
CVE-2026-22709
9.8đ
UnknownMultiple Products
vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.prototype.then` is not sanitized. The return value of async functions is `globalPromise` object. Version 3.10.2 fixes the issue.
CVSS Base9.8
â
CRSSelect profile
â ī¸
High Priority Updates
â ī¸ CISA KEV
CVE-2026-21509
7.8đ
MicrosoftMultiple Products
â° Federal Deadline:February 15, 2026(20 days remaining)
Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally
CVSS Base7.8
â
CRSSelect profile
CVE-2020-36934
7.8đ
WindowsMultiple Products
Deep Instinct Windows Agent 1
CVSS Base7.8
â
CRSSelect profile
CVE-2026-21408
7.3đ
WindowsMultiple Products
beat-access for Windows version 3
CVSS Base7.3
â
CRSSelect profile
CVE-2025-14316
7.1đ
WordPressMultiple Products
The AhaChat Messenger Marketing WordPress plugin through 1
CVSS Base7.1
â
CRSSelect profile
CVE-2025-27821
7.3đ
nativeMultiple Products
Out-of-bounds Write vulnerability in Apache Hadoop HDFS native client
CVSS Base7.3
â
CRSSelect profile
CVE-2026-24486
8.6đ
UnknownMultiple Products
Python-Multipart is a streaming multipart parser for Python
CVSS Base8.6
â
CRSSelect profile
CVE-2026-24123
7.4đ
BentoMLMultiple Products
BentoML is a Python library for building online serving systems optimized for AI apps and model inference
CVSS Base7.4
â
CRSSelect profile
CVE-2026-1427
8.8đ
theMultiple Products
Single Sign-On Portal System developed by WellChoose has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server
CVSS Base8.8
â
CRSSelect profile
CVE-2026-1428
8.8đ
theMultiple Products
Single Sign-On Portal System developed by WellChoose has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server
CVSS Base8.8
â
CRSSelect profile
CVE-2026-24470
8.1đ
SkipperMultiple Products
Skipper is an HTTP router and reverse proxy for service composition
CVSS Base8.1
â
CRSSelect profile
CVE-2026-21721
8.1đ
dashboardMultiple Products
The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards
CVSS Base8.1
â
CRSSelect profile
CVE-2026-1283
7.8đ
ReleaseMultiple Products
A Heap-based Buffer Overflow vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS 2025 through Release SOLIDWORKS 2026 could allow an attacker to execute arbitrary code while opening a specially crafted EPRT file
A flaw was found in KubeVirt Containerized Data Importer (CDI)
CVSS Base8.5
â
CRSSelect profile
CVE-2026-24490
8.1
MobSFMultiple Products
MobSF is a mobile application security testing tool used
CVSS Base8.1
â
CRSSelect profile
CVE-2020-36933
7.8đ
HTCMultiple Products
HTC IPTInstaller 4
CVSS Base7.8
â
CRSSelect profile
CVE-2020-36935
7.8đ
KMSpicoMultiple Products
KMSpico 17
CVSS Base7.8
â
CRSSelect profile
CVE-2020-36936
7.8đ
MagicMultiple Products
Magic Mouse 2 Utilities 2
CVSS Base7.8
â
CRSSelect profile
CVE-2020-36937
7.8đ
MEMUMultiple Products
Microvirt MEMU Play 3
CVSS Base7.8
â
CRSSelect profile
CVE-2026-1284
7.8
ReleaseMultiple Products
An Out-Of-Bounds Write vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS 2025 through Release SOLIDWORKS 2026 could allow an attacker to execute arbitrary code while opening a specially crafted EPRT file
CVSS Base7.8
â
CRSSelect profile
CVE-2020-36952
7.8
IObitMultiple Products
IObit Uninstaller 10 Pro contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges
CVSS Base7.8
â
CRSSelect profile
CVE-2020-36953
7.8
MiniToolMultiple Products
MiniTool ShadowMaker 3
CVSS Base7.8
â
CRSSelect profile
CVE-2020-36957
7.8
PDFMultiple Products
PDF Complete 3
CVSS Base7.8
â
CRSSelect profile
CVE-2020-36958
7.8
KiteMultiple Products
Kite 1
CVSS Base7.8
â
CRSSelect profile
CVE-2020-36959
7.8
IDTMultiple Products
IDT PC Audio 1
CVSS Base7.8
â
CRSSelect profile
CVE-2025-67274
7.5
issueMultiple Products
An issue in continuous
CVSS Base7.5
â
CRSSelect profile
CVE-2026-23864
7.5
ReactMultiple Products
Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack
CVSS Base7.5
â
CRSSelect profile
CVE-2026-21720
7.5
EveryMultiple Products
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image
CVSS Base7.5
â
CRSSelect profile
CVE-2026-1412
7.3đ
hasMultiple Products
A vulnerability has been found in Sangfor Operation and Maintenance Security Management System up to 3
CVSS Base7.3
â
CRSSelect profile
CVE-2026-1422
7.3đ
ExaminationMultiple Products
A vulnerability was found in code-projects Online Examination System 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-1443
7.3
MusicMultiple Products
A flaw has been found in code-projects Online Music Site 1
CVSS Base7.3
â
CRSSelect profile
CVE-2026-1449
7.3
flawMultiple Products
A flaw has been found in Hisense TransTech Smart Bus Management System up to 20260113
CVSS Base7.3
â
CRSSelect profile
CVE-2026-1448
7.2
D-LinkMultiple Products
A vulnerability was detected in D-Link DIR-615 up to 4
CVSS Base7.2
â
CRSSelect profile
CVE-2026-24478
7.2
AnythingLLMMultiple Products
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting