Critical vulnerabilities, curated daily for security professionals
π― SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Risk scores will be adjusted based on your selected environment
π
Archived Security Brief
Yesterday's disclosures reveal 33 critical vulnerabilities spanning Docker, WordPress, Juniper Networks, and multiple enterprise collaboration platforms. Critical CVE volume increased 74% from the prior day while high-priority disclosures held steady at 100. CVE-2026-40089 (CVSS 9.9) targets Docker Compose stacks, CVE-2026-33784 (CVSS 9.8) affects Juniper Networks infrastructure, and CVE-2026-34424 (CVSS 9.8) impacts both WordPress and Joomla installations. Remote code execution and authentication bypass patterns are prominent across CMS platforms and container orchestration tooling, with three vulnerabilities under active exploitation targeting Ivanti EPMM, Google Dawn, and TrueConf Client. No vendor patches are currently available for these disclosures, requiring defenders to prioritize compensating controls and network-level mitigations.
CVE-2026-40089 (CVSS 9.9) in Docker Compose represents the highest-severity disclosure, threatening containerized deployment pipelines
33 critical vulnerabilities disclosed, a 74% increase from the prior day's 19 critical CVEs
100 high-priority vulnerabilities disclosed, unchanged from the prior day
Remote code execution and authentication bypass flaws dominate, affecting WordPress, Joomla, Juniper Networks, and Teams-based collaboration systems
Patch availability stands at 0% across all disclosed CVEs β compensating controls are essential
3 vulnerabilities are confirmed actively exploited, targeting Ivanti EPMM, Google Dawn, and TrueConf Client
Immediate action: Prioritize reviewing exposure to Docker Compose, Juniper Networks, WordPress, and Ivanti EPMM environments, as these carry the highest severity scores and broadest attack surface. With no patches currently available, apply network segmentation, restrict access to affected services, and monitor for indicators of exploitation until vendor fixes are released.
π‘ Tip: Swipe CVE cards left to β star, right to β remove
Section Navigation
β οΈ
CISA Known Exploited Vulnerabilities
β οΈ CISA KEVURGENT
CVE-2026-1340
9.5π
IvantiEndpoint Manager Mobile (EPMM)
β° Federal Deadline:April 10, 2026(1 days remaining)
Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-5281
9.5π
GoogleDawn
β° Federal Deadline:April 14, 2026(5 days remaining)
A use-after-free vulnerability exists in the Dawn component of Google Chrome. This flaw allows attackers to potentially execute arbitrary code or cause a denial-of-service via a crafted HTML page.
CVSS Base9.5
β
CRSSelect profile
β οΈ CISA KEVURGENT
CVE-2026-3502
9.5
TrueConfClient
β° Federal Deadline:April 15, 2026(6 days remaining)
TrueConf Client Download of Code Without Integrity Check Vulnerability - Active in CISA KEV catalog.
CVSS Base9.5
β
CRSSelect profile
π¨
Critical Vulnerabilities
CVE-2026-40089
9.9
DockerCompose stack
Sonicverse is a Self-hosted Docker Compose stack for live radio streaming. The Sonicverse Radio Audio Streaming Stack dashboard contains a Server-Side Request Forgery (SSRF) vulnerability in its API client (apps/dashboard/lib/api.ts). Installations created using the provided install.sh script (including the oneβliner bash <(curl -fsSL https://sonicverse.short.gy/install-audiostack)) are affected. In these deployments, the dashboard accepts user-controlled URLs and passes them directly to a server-side HTTP client without sufficient validation. An authenticated operator can abuse this to make arbitrary HTTP requests from the dashboard backend to internal or external systems. This vulnerability is fixed with commit cb1ddbacafcb441549fe87d3eeabdb6a085325e4.
CVSS Base9.9
β
CRSSelect profile
CVE-2026-34424
9.8π
WordPressand Joomla
Smart Slider 3 Pro 3.5.1.35 contains a critical remote access toolkit vulnerability that allows unauthenticated attackers to execute arbitrary code and commands via a compromised update system.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-1830
9.8π
WordPressis vulnerable
The Quick Playground plugin for WordPress contains an RCE vulnerability due to insufficient authorization on REST API endpoints, allowing unauthenticated file uploads.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-40154
9.3
Teamssystem
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI treats remotely fetched template files as trusted executable code without integrity verification, origin validation, or user confirmation, enabling supply chain attacks through malicious templates. This vulnerability is fixed in 4.5.128.
CVSS Base9.3
β
CRSSelect profile
CVE-2026-40088
9.6
Teamssystem
PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters. This vulnerability is fixed in 4.5.121.
CVSS Base9.6
β
CRSSelect profile
CVE-2026-1115
9.6π
parisneolollms
A stored Cross-Site Scripting (XSS) vulnerability in the lollms social feature allows unauthenticated attackers to inject malicious JavaScript, leading to potential account takeover.
CVSS Base9.6
β
CRSSelect profile
CVE-2026-39980
9.1π
IntelOpenCTI
OpenCTI prior to 6.9.5 contains an EJS template injection vulnerability allowing authenticated users with Manage customization capabilities to execute arbitrary JavaScript on the platform.
CVSS Base9.1
β
CRSSelect profile
CVE-2026-39912
9.1
V2BoardMultiple Products
V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the login_with_mail_link_enable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receive the full authentication URL in the response, then exchange the token at the token2Login endpoint to obtain a valid bearer token with complete account access including admin privileges.
CVSS Base9.1
β
CRSSelect profile
CVE-2026-33784
9.8
JuniperNetworks
Support
A Use of Default Password vulnerability in the Juniper Networks
Support Insights (JSI)
Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device.
vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible.This issue affects all versions of vLWC before 3.0.94.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-34179
9.1π
CanonLXD
Canonical LXD versions 4.12 through 6.7 contain a privilege escalation vulnerability where restricted TLS certificate users can elevate to cluster admin.
CVSS Base9.1
β
CRSSelect profile
CVE-2026-34177
9.1π
CanonLXD
An incomplete denylist in Canonical LXD allows a restricted project user to inject AppArmor and QEMU configurations, facilitating privilege escalation to host root.
CVSS Base9.1
β
CRSSelect profile
CVE-2026-5850
9.8π
TotolinkA7100RU
The Totolink A7100RU contains an OS command injection vulnerability in the setVpnPassCfg function, allowing remote attackers to execute arbitrary system commands via the pptpPassThru parameter.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5851
9.8π
TotolinkA7100RU
The Totolink A7100RU is susceptible to remote OS command injection via the setUPnPCfg function, specifically through the enable parameter in the CGI handler.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5852
9.8π
TotolinkA7100RU
The Totolink A7100RU allows remote OS command injection via the setIptvCfg function by manipulating the igmpVer argument in the CGI handler.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5853
9.8π
TotolinkA7100RU
The Totolink A7100RU is vulnerable to remote OS command injection via the setIpv6LanCfg function, exploitable through the addrPrefixLen argument in the CGI handler.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5854
9.8π
TotolinkA7100RU
The Totolink A7100RU is susceptible to remote OS command injection via the setWiFiEasyCfg function, specifically through the merge argument in the CGI handler.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5975
9.8π
TotolinkA7100RU
The Totolink A7100RU CGI Handler contains an OS command injection vulnerability in the setDmzCfg function, allowing remote attackers to execute arbitrary commands.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5976
9.8π
TotolinkA7100RU
The Totolink A7100RU CGI Handler contains an OS command injection vulnerability in the setStorageCfg function, allowing remote attackers to execute arbitrary commands.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5977
9.8π
TotolinkA7100RU
The Totolink A7100RU CGI Handler contains an OS command injection vulnerability in the setWiFiBasicCfg function, allowing remote attackers to execute arbitrary commands.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5978
9.8π
TotolinkA7100RU
The Totolink A7100RU CGI Handler contains an OS command injection vulnerability in the setWiFiAclRules function, allowing remote attackers to execute arbitrary commands.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5993
9.8π
TotolinkA7100RU
The Totolink A7100RU CGI Handler contains an OS command injection vulnerability in the setWiFiGuestCfg function, allowing remote attackers to execute arbitrary commands.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5994
9.8π
TotolinkA7100RU
The Totolink A7100RU CGI Handler contains an OS command injection vulnerability in the setTelnetCfg function, allowing remote attackers to execute arbitrary commands.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5995
9.8π
TotolinkA7100RU
The Totolink A7100RU CGI Handler contains an OS command injection vulnerability in the setMiniuiHomeInfoShow function, allowing remote attackers to execute arbitrary commands.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5996
9.8π
TotolinkA7100RU
A remote OS command injection vulnerability exists in the Totolink A7100RU CGI handler, allowing unauthenticated attackers to execute arbitrary system commands via the tty_server argument.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-5997
9.8π
TotolinkA7100RU
A remote OS command injection vulnerability in the Totolink A7100RU CGI handler allows unauthenticated attackers to execute arbitrary system commands via the admpass argument.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6025
9.8π
TotolinkA7100RU
An OS command injection vulnerability in the Totolink A7100RU CGI handler allows unauthenticated remote attackers to execute arbitrary commands via the enable argument in setSyslogCfg.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6026
9.8π
TotolinkA7100RU
A remote OS command injection vulnerability exists in the Totolink A7100RU CGI handler, allowing unauthenticated attackers to execute commands via the enable argument in setPortalConfWeChat.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6027
9.8π
TotolinkA7100RU
A remote OS command injection vulnerability in the Totolink A7100RU CGI handler allows unauthenticated remote attackers to execute commands via the enable argument in setUrlFilterRules.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6028
9.8
UnknownMultiple Products
A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Impacted is the function setPptpServerCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument enable leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-6029
9.8
UnknownMultiple Products
A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setVpnAccountCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument User results in os command injection. The attack may be launched remotely. The exploit is now public and may be used.
CVSS Base9.8
β
CRSSelect profile
CVE-2026-34178
9.1π
ArchLXD
A backup import validation flaw in Canonical LXD allows authenticated remote attackers to bypass project restrictions and achieve full host compromise.
CVSS Base9.1
β
CRSSelect profile
CVE-2025-13926
9.8
UnknownMultiple Products
An attacker could use data obtained by sniffing the network traffic to
forge packets in order to make arbitrary requests to Contemporary
Controls BASC 20T.
CVSS Base9.8
β
CRSSelect profile
CVE-2025-57735
9.1
WhenMultiple Products
When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at logout. Users who are concerned about the logout scenario and possibility of intercepting the tokens, should upgrade to Airflow 3.2+
Users are recommended to upgrade to version 3.2.0, which fixes this issue.
CVSS Base9.1
β
CRSSelect profile
β οΈ
High Priority Updates
CVE-2025-13914
8.7
SSHNetworks Apstra
A Key Exchange without Entity Authentication vulnerability in the SSH implementation of Juniper Networks Apstra allows a unauthenticated, MITM
attacker to impersonate managed devices
CVSS Base8.7
β
CRSSelect profile
CVE-2026-5866
8.8
GoogleChrome prior
Use after free in Media in Google Chrome prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-39623
7.5
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Biolife biolife allows PHP Local File Inclusion
CVSS Base7.5
β
CRSSelect profile
CVE-2026-39684
7.5
HPProgram
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in UnTheme OrganicFood organicfood allows PHP Local File Inclusion
CVSS Base7.5
β
CRSSelect profile
CVE-2026-39891
8.8
Teamssystem
PraisonAI is a multi-agent teams system
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5908
8.8
GoogleChrome prior
Integer overflow in Media in Google Chrome prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5909
8.8
GoogleChrome prior
Integer overflow in Media in Google Chrome prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5910
8.8
GoogleChrome prior
Integer overflow in Media in Google Chrome prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5912
8.8
GoogleChrome prior
Integer overflow in WebRTC in Google Chrome prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5914
8.8
GoogleChrome prior
Type Confusion in CSS in Google Chrome prior to 147
CVSS Base8.8
β
CRSSelect profile
CVE-2026-4326
8.8
WordPressis vulnerable
The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-40113
8.4
Teamssystem
PraisonAI is a multi-agent teams system
CVSS Base8.4
β
CRSSelect profile
CVE-2026-30478
8.8
GatewayGeo MapServerMultiple Products
A Dynamic-link Library Injection vulnerability in GatewayGeo MapServer for Windows version 5 allows attackers to escalate privileges via a crafted executable
CVSS Base8.8
β
CRSSelect profile
CVE-2023-54359
8.2π Late Disclosure
WordPressadivaha Travel
WordPress adivaha Travel Plugin 2
CVSS Base8.2
β
CRSSelect profile
CVE-2026-5907
8.1
GoogleChrome prior
Insufficient data validation in Media in Google Chrome prior to 147
CVSS Base8.1
β
CRSSelect profile
CVE-2026-5915
8.1
GoogleChrome prior
Insufficient validation of untrusted input in WebML in Google Chrome prior to 147
CVSS Base8.1
β
CRSSelect profile
CVE-2026-39942
8.5
UnknownMultiple Products
Directus is a real-time API and App dashboard for managing SQL database content
CVSS Base8.5
β
CRSSelect profile
CVE-2026-40149
7.9
Teamssystem
PraisonAI is a multi-agent teams system
CVSS Base7.9
β
CRSSelect profile
CVE-2026-40150
7.7
Teamssystem
PraisonAIAgents is a multi-agent teams system
CVSS Base7.7
β
CRSSelect profile
CVE-2026-39889
7.5
Teamssystem
PraisonAI is a multi-agent teams system
CVSS Base7.5
β
CRSSelect profile
CVE-2026-3243
8.8
WordPressis vulnerable
The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the create_crop function in all versions up to, and including, 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-39974
8.5
OracleMultiple Products
n8n-MCP is a Model Context Protocol (MCP) server that provides AI assistants with comprehensive access to n8n node documentation, properties, and operations
CVSS Base8.5
β
CRSSelect profile
CVE-2026-5436
8.1
WordPressis vulnerable
The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to and including 5
CVSS Base8.1
β
CRSSelect profile
CVE-2026-4351
8.1
WordPressis vulnerable
The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal in all versions up to, and including, 2
CVSS Base8.1
β
CRSSelect profile
CVE-2026-33785
8.8
CLI of JuniperNetworks Junos
A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS on MX Series allows a local, authenticated user with low privileges to execute specific commands which will lead to a complete compromise of managed devices
CVSS Base8.8
β
CRSSelect profile
CVE-2026-39429
8.2
Kubernetesand container
kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads
CVSS Base8.2
β
CRSSelect profile
CVE-2026-28261
7.8
DellElastic Cloud
Dell Elastic Cloud Storage, version 3
CVSS Base7.8
β
CRSSelect profile
CVE-2026-34734
7.8
F5is software
HDF5 is software for managing data
CVSS Base7.8
β
CRSSelect profile
CVE-2026-33788
7.8
Flexible PICNetworks Junos
A Missing Authentication for Critical Function vulnerability in the Flexible PIC Concentrators (FPCs) of Juniper Networks Junos OS Evolved on PTX Series allows a local, authenticated attacker with low privileges to gain direct access to FPCs installed in the device
CVSS Base7.8
β
CRSSelect profile
CVE-2026-33793
7.8
User InterfaceNetworks Junos
An Execution with Unnecessary Privileges vulnerabilityΒ in the User Interface (UI) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker to gain root privileges, thus compromising the system
CVSS Base7.8
β
CRSSelect profile
CVE-2026-4498
7.7
ArchRBAC scope
Execution with Unnecessary Privileges (CWE-250) in Kibanaβs Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse (CAPEC-122)
CVSS Base7.7
β
CRSSelect profile
CVE-2025-62188
7.5
ApacheDolphinScheduler
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler
CVSS Base7.5
β
CRSSelect profile
CVE-2026-35169
8.7
Archand Imaging
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research
CVSS Base8.7
β
CRSSelect profile
CVE-2026-34578
8.2
Archfilter without
OPNsense is a FreeBSD based firewall and routing platform
CVSS Base8.2
β
CRSSelect profile
CVE-2026-35446
7.7
Archand Imaging
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research
CVSS Base7.7
β
CRSSelect profile
CVE-2026-33350
7.5
Archand Imaging
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research
CVSS Base7.5
β
CRSSelect profile
CVE-2026-34392
7.5
Archand Imaging
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research
CVSS Base7.5
β
CRSSelect profile
CVE-2026-25203
7.8
SamsungMagicINFO
Samsung MagicINFO 9 Server Incorrect Default Permissions Local Privilege Escalation Vulnerability
This issue affects MagicINFO 9 Server: less than 21
CVSS Base7.8
β
CRSSelect profile
CVE-2026-33466
8.1
ArchMultiple Products
Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139)
CVSS Base8.1
β
CRSSelect profile
CVE-2026-40070
8.1
UnknownMultiple Products
BSV Ruby SDK is the Ruby SDK for the BSV blockchain
CVSS Base8.1
β
CRSSelect profile
CVE-2026-3396
7.5
InforMultiple Products
WCAPF β WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including, 4
CVSS Base7.5
β
CRSSelect profile
CVE-2026-5815
8.8
D-LinkDIR
A vulnerability was detected in D-Link DIR-645 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5830
8.8
TendaAC15
A vulnerability was identified in Tenda AC15 15
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5979
8.8
D-LinkDIR
A vulnerability was detected in D-Link DIR-605L 2
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5980
8.8
D-LinkDIR
A flaw has been found in D-Link DIR-605L 2
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5981
8.8
D-LinkDIR
A vulnerability has been found in D-Link DIR-605L 2
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5982
8.8
D-LinkDIR
A vulnerability was found in D-Link DIR-605L 2
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5983
8.8
D-LinkDIR
A vulnerability was determined in D-Link DIR-605L 2
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5984
8.8
D-LinkDIR
A vulnerability was identified in D-Link DIR-605L 2
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5988
8.8
TendaF451
A vulnerability was detected in Tenda F451 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5989
8.8
TendaF451
A flaw has been found in Tenda F451 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5990
8.8
TendaF451
A vulnerability has been found in Tenda F451 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5991
8.8
TendaF451
A vulnerability was found in Tenda F451 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-5992
8.8
TendaF451
A vulnerability was determined in Tenda F451 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6012
8.8
D-LinkDIR
A security vulnerability has been detected in D-Link DIR-513 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6013
8.8
D-LinkDIR
A vulnerability was detected in D-Link DIR-513 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6014
8.8
D-LinkDIR
A flaw has been found in D-Link DIR-513 1
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6015
8.8
TendaAC9
A vulnerability has been found in Tenda AC9 15
CVSS Base8.8
β
CRSSelect profile
CVE-2026-6016
8.8
TendaAC9
A vulnerability was found in Tenda AC9 15
CVSS Base8.8
β
CRSSelect profile
CVE-2026-39853
7.8
MSIMultiple Products
osslsigncode is a tool that implements Authenticode signing and timestamping
CVSS Base7.8
β
CRSSelect profile
CVE-2026-5173
8.5
versionshas remediated
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16
CVSS Base8.5
β
CRSSelect profile
CVE-2026-1584
7.5
UnknownMultiple Products
A flaw was found in gnutls
CVSS Base7.5
β
CRSSelect profile
CVE-2026-39621
8.8
WebMultiple Products
Cross-Site Request Forgery (CSRF) vulnerability in spicethemes SpicePress spicepress allows Upload a Web Shell to a Web Server
CVSS Base8.8
β
CRSSelect profile
CVE-2026-4436
8.6
UnknownMultiple Products
A low-privileged remote attacker can send Modbus packets to manipulate
register values that are inputs to the odorant injection logic such that
too much or too little odorant is injected into a gas line
CVSS Base8.6
β
CRSSelect profile
CVE-2026-5329
8.5
priorMultiple Products
Rapid7 Velociraptor versions prior to 0
CVSS Base8.5
β
CRSSelect profile
CVE-2025-45057
7.5
D-LinkDI
D-Link DI-8300 v16
CVSS Base7.5
β
CRSSelect profile
CVE-2025-45058
7.5
D-LinkDI
D-Link DI-8300 v16
CVSS Base7.5
β
CRSSelect profile
CVE-2025-12664
7.5
versionshas remediated
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13
CVSS Base7.5
β
CRSSelect profile
CVE-2026-1092
7.5
versionshas remediated
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12
CVSS Base7.5
β
CRSSelect profile
CVE-2026-39911
8.8
throughMultiple Products
Hashgraph Guardian through version 3
CVSS Base8.8
β
CRSSelect profile
CVE-2026-39981
8.8
UnknownMultiple Products
AGiXT is a dynamic AI Agent Automation Platform
CVSS Base8.8
β
CRSSelect profile
CVE-2026-35638
8.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.8
β
CRSSelect profile
CVE-2026-35639
8.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.8
β
CRSSelect profile
CVE-2026-39983
8.6
FTPMultiple Products
basic-ftp is an FTP client for Node
CVSS Base8.6
β
CRSSelect profile
CVE-2026-35478
8.3
UnknownMultiple Products
InvenTree is an Open Source Inventory Management System
CVSS Base8.3
β
CRSSelect profile
CVE-2026-5208
8.2
UnknownMultiple Products
Command injection in alerts in CoolerControl/coolercontrold <4
CVSS Base8.2
β
CRSSelect profile
CVE-2026-39393
8.1
ArchMultiple Products
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support
CVSS Base8.1
β
CRSSelect profile
CVE-2026-39394
8.1
ArchMultiple Products
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support
CVSS Base8.1
β
CRSSelect profile
CVE-2026-40093
8.1
UnknownMultiple Products
nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation
CVSS Base8.1
β
CRSSelect profile
CVE-2026-34512
8.1
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.1
β
CRSSelect profile
CVE-2026-35645
8.1
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base8.1
β
CRSSelect profile
CVE-2026-27806
7.8
UnknownMultiple Products
Fleet is open source device management software
CVSS Base7.8
β
CRSSelect profile
CVE-2026-40029
7.8
parseusbsMultiple Products
parseusbs before 1
CVSS Base7.8
β
CRSSelect profile
CVE-2026-40030
7.8
parseusbsMultiple Products
parseusbs before 1
CVSS Base7.8
β
CRSSelect profile
CVE-2026-40031
7.8
IBMMultiple Products
MemProcFS before 5
CVSS Base7.8
β
CRSSelect profile
CVE-2026-40032
7.8
placeholderMultiple Products
UAC (Unix-like Artifacts Collector) before 3
CVSS Base7.8
β
CRSSelect profile
CVE-2026-35625
7.8
OpenClawMultiple Products
OpenClaw before 2026
CVSS Base7.8
β
CRSSelect profile
CVE-2026-28704
7.8
UnknownMultiple Products
Emocheck insecurely loads Dynamic Link Libraries (DLLs)
CVSS Base7.8
β
CRSSelect profile
CVE-2026-33461
7.7
InforMultiple Products
Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122)
CVSS Base7.7
β
CRSSelect profile
CVE-2026-39843
7.7
UnknownMultiple Products
Plane is an an open-source project management tool
CVSS Base7.7
β
CRSSelect profile
CVE-2026-5301
7.6
StoredMultiple Products
Stored XSS in log viewer in CoolerControl/coolercontrol-ui <4
CVSS Base7.6
β
CRSSelect profile
CVE-2026-30075
7.5
OpenAirInterfaceMultiple Products
OpenAirInterface Version 2
CVSS Base7.5
β
CRSSelect profile
CVE-2026-30080
7.5
UnknownMultiple Products
OpenAirInterface v2
CVSS Base7.5
β
CRSSelect profile
CVE-2026-33756
7.5
UnknownMultiple Products
Saleor is an e-commerce platform
CVSS Base7.5
β
CRSSelect profile
CVE-2026-35401
7.5
UnknownMultiple Products
Saleor is an e-commerce platform
CVSS Base7.5
β
CRSSelect profile
CVE-2026-23869
7.5
ReactMultiple Products
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack and react-server-dom-webpack (versions 19
CVSS Base7.5
β
CRSSelect profile
CVE-2026-39863
7.5
SignalingMultiple Products
Kamailio is an open source implementation of a SIP Signaling Server
CVSS Base7.5
β
CRSSelect profile
CVE-2026-39885
7.5
UnknownMultiple Products
FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP)