CVE-2008-4128
Cisco IOS is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability that is currently being actively exploited in the wild.
Critical vulnerabilities, curated daily for security professionals
Sunday's disclosures concentrate on network infrastructure and application-delivery software, led by a maximum-severity flaw in the @fastify http-proxy module (CVE-2026-16117, CVSS 10) and a critical weakness in VMware's Avi Load Balancer (CVE-2026-47865, CVSS 9.8). The set includes 4 critical CVEs, down 87% from 30 the prior day, alongside 61 high-priority CVEs, up 9% from 56. Additional critical issues affect the OpenHTJ2K image codec (CVE-2026-51807, CVSS 9.8) and SurrealDB (CVE-2025-71392, CVSS 9.4). Attack patterns skew toward remote code execution and request-routing abuse in proxy and load-balancer components, with SonicWall SMA1000 appliances and Microsoft SharePoint among products showing confirmed exploitation. Patches are not yet reflected as available for the tracked critical issues (0%), so teams should prioritize mitigations and vendor advisory monitoring.
Immediate action: Prioritize the @fastify http-proxy module, VMware Avi Load Balancer, and SonicWall SMA1000 appliances, which represent the highest-impact and actively exploited exposures. With no vendor patches yet confirmed for the tracked critical issues, apply available mitigations, restrict exposed management interfaces, and monitor vendor advisories for fixes.
CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).
Exploitability — how hard the flaw is to attack, read from the CVSS vector:
The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.
🔴 Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.
EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.
Cisco IOS is susceptible to a Cross-Site Request Forgery (CSRF) vulnerability that is currently being actively exploited in the wild.
Microsoft SharePoint Server contains a vulnerability involving missing authentication for critical functions, allowing unauthenticated remote access.
A Server-side request forgery (SSRF) vulnerability in the SonicWall SMA1000 Work Place interface allows remote unauthenticated attackers to force the appliance to make unauthorized network requests.
SonicWall SMA1000 appliances are vulnerable to code injection, which can be exploited by an authenticated administrator to execute arbitrary code.
An unauthenticated, easily exploitable vulnerability in the Oracle Payments product of E-Business Suite allows remote attackers to compromise the service via HTTP.
A deserialization of untrusted data vulnerability in Microsoft SharePoint allows an unauthenticated, remote attacker to execute arbitrary code.
An OS command injection vulnerability in FortiSandbox allows unauthenticated attackers to execute unauthorized commands via specifically crafted HTTP requests.
Fortinet FortiSandbox is vulnerable to OS command injection, allowing unauthenticated attackers to execute unauthorized code on the appliance.
Microsoft Active Directory Federation Services is affected by a vulnerability involving insufficient granularity of access control.
The KNX Protocol Connection Authorization Option 1 contains an overly restrictive account lockout mechanism vulnerability that is currently being exploited in the wild.
VMware Avi Load Balancer is vulnerable to an authentication bypass, allowing unauthenticated attackers with network access to compromise the Avi Control plane.
A buffer overflow vulnerability in OpenHTJ2K up to version 0.18.4 allows unauthenticated attackers to execute arbitrary code via a malicious JPEG 2000 file.
The @fastify/http-proxy package fails to correctly rewrite request prefixes when URL-encoded, allowing attackers to bypass configured path restrictions and access sensitive internal endpoints.
SurrealDB is vulnerable to a second-order command injection via the export command, where malicious table or field names can lead to arbitrary code execution during database import.
OpenPLC_v3 is vulnerable to a heap-based buffer overflow in the getData() function within the Modbus master implementation, potentially allowing memory corruption.
A vulnerability in Microsoft Remote Desktop Web Client and Windows Admin Center allows an unauthenticated attacker to disclose sensitive personal information over the network.
VMware Avi Load Balancer is vulnerable to a remote code execution flaw that allows an authenticated attacker with high privileges to inject and execute arbitrary code.
VMware Avi Load Balancer contains a remote code execution vulnerability that allows an authenticated attacker with high privileges to inject and execute arbitrary code.
The Wire library for gRPC and protocol buffers contains an improper validation of array index vulnerability, which may lead to denial of service conditions.
Pimcore is susceptible to a missing authorization vulnerability that allows authenticated users to perform unauthorized actions within the data management platform.
SimpleSAMLphp is vulnerable to an insufficient verification of data authenticity, allowing authenticated users to potentially bypass security controls.
The Quotes llama WordPress plugin contains a SQL injection vulnerability that allows unauthenticated attackers to read sensitive database information, including password hashes.
VMware Avi Load Balancer is affected by a local privilege escalation vulnerability due to improper privilege management.
VMware Avi Load Balancer is vulnerable to directory traversal, which may allow an authenticated user to access sensitive files outside of the intended directory structure.
VMware Avi Load Balancer is subject to a privilege escalation vulnerability that allows authenticated users to gain unauthorized access to sensitive functions.
VMware Avi Load Balancer is affected by an authorization bypass vulnerability that allows authenticated users to perform unauthorized actions.
A code injection vulnerability in uproot allows malicious ROOT files to execute arbitrary code during runtime by exploiting the dynamic generation of Python classes from TStreamerInfo records.
A stored cross-site scripting (XSS) vulnerability in the parisneo lollms API allows attackers to inject malicious scripts that execute in the context of other users, including administrators.
A path traversal vulnerability in @fastify/http-proxy allows unauthenticated remote attackers to access restricted directory structures on the host system.
SEPPmail Secure Email Gateway improperly uses the GET method for sensitive operations, leading to the potential exposure of session tokens within logs or browser history.
QueryWeaver contains an authentication bypass vulnerability allowing unauthenticated attackers to obtain valid session tokens by submitting signup requests with known victim email addresses.
ProFTPD mod_sftp is susceptible to a heap-based buffer overflow that can be triggered by an authenticated user, potentially leading to memory corruption or arbitrary code execution.
SurrealDB versions prior to 1.0.1 contain a vulnerability related to incorrect default permissions, which may allow unauthorized data access or modification.
SurrealDB is vulnerable to a query injection attack via the RPC API, allowing authenticated users to execute unauthorized commands.
A stack-based buffer overflow in the Scheduler Name Handler component of Shibby Tomato 1.28 allows for remote exploitation.
A stack-based buffer overflow in the web monitoring module of Shibby Tomato 1.28 RT-N5x MIPSR2 Build 124 allows remote attackers to trigger memory corruption.
An out-of-bounds write flaw in the setup_conntrack function of Shibby Tomato 1.28 RT-N5x MIPSR2 Build 124 allows unauthenticated remote attackers to trigger memory corruption.
The @fastify/reply-from package contains a vulnerability that allows for unintended proxy interactions, functioning as a confused deputy.
SurrealDB is affected by a format string vulnerability that allows authenticated users to execute arbitrary code via scripting functions.
The urwid web display backend uses a cryptographically weak pseudo-random number generator, leading to potential information exposure.
The OpenShift incluster-checks tool contains a privilege escalation flaw allowing authenticated users to gain root access on cluster nodes via privileged debug pods.
SurrealDB versions prior to 1.1.0 are susceptible to a denial of service vulnerability caused by an uncaught exception during HTTP header processing.
IBM Engineering AI Hub is vulnerable to the improper use of sensitive information in HTTP query strings, which could lead to unauthorized data exposure.
The oras-go Go library for managing OCI artifacts is vulnerable to server-side request forgery (SSRF) due to improper input validation.
IBM Langflow OSS contains a path traversal vulnerability that could allow an unauthenticated attacker to access restricted files on the system.
The JSONata library is vulnerable to a denial of service attack through inefficient regular expression complexity, which can be triggered by specifically crafted input.
IBM PowerVM Novalink is vulnerable to a denial of service attack via a specially-crafted request that causes uncontrolled resource consumption.
A resource allocation vulnerability in DataDog dd-trace-dotnet allows for uncontrolled resource consumption due to the lack of proper limits or throttling.
Vimesoft Enterprise Video Platform contains a missing authentication vulnerability for critical functions, allowing unauthenticated remote attackers to potentially access sensitive information.
FOSSASIA open-event-server suffers from a missing authentication vulnerability, specifically affecting the member roster export via the CSV export endpoint.
IKAS Technology E-Commerce software contains a vulnerability involving the improper insertion of sensitive information into sent data.
Proliz's OBS contains a vulnerability that leads to the unauthorized insertion of sensitive information into outgoing data streams.
NetGIS contains an XML external entity (XXE) vulnerability that permits unauthorized information disclosure via improper restriction of XML references.
Gerapy is susceptible to authentication bypass and missing authentication vulnerabilities, allowing unauthorized access to application functions.
The simpleui package by newpanjing contains a critical authentication vulnerability that allows unauthorized access to application functions.
An improper authorization vulnerability in the zevorn rt-claw RPC handler allows unauthenticated remote attackers to manipulate system tools and gain elevated privileges.
A SQL injection vulnerability in the SourceCodester Class and Exam Timetabling System allows remote, unauthenticated attackers to execute arbitrary database queries via the edit_rooma.php file.
An unauthenticated SQL injection vulnerability in SourceCodester Class and Exam Timetabling System allows remote attackers to execute arbitrary SQL commands via the edit_room1.php script.
A Server-Side Request Forgery (SSRF) vulnerability exists in zevorn rt-claw versions 0.1 and 0.2.0, allowing unauthenticated remote attackers to trigger unauthorized network requests.
An authorization bypass vulnerability exists in zevorn rt-claw versions 0.1 and 0.2.0, which may allow unauthenticated remote attackers to perform actions restricted to authorized users.
A Server-Side Request Forgery (SSRF) vulnerability has been identified in zevorn rt-claw versions 0.1 and 0.2.0, enabling unauthenticated remote attackers to perform unauthorized network requests.
A Server-Side Request Forgery vulnerability exists in zevorn rt-claw, allowing unauthenticated attackers to potentially perform unauthorized requests.
A Server-Side Request Forgery vulnerability in Sipeed PicoClaw allows unauthenticated attackers to manipulate server-side requests.
A Server-Side Request Forgery vulnerability in poco-ai poco-claw allows unauthenticated attackers to manipulate server-side requests.
The Hospital Bed Management System contains a SQL injection vulnerability that allows unauthenticated attackers to potentially access or manipulate database information.
SurrealDB contains an improper authorization vulnerability that allows authenticated users with low privileges to access sensitive data through improper select permissions.
SurrealDB is susceptible to a denial-of-service vulnerability via the SQL endpoint due to an uncaught exception, which can be triggered by authenticated users.
SurrealDB is susceptible to a memory exhaustion vulnerability caused by improper handling of excessive size values in string operations.
SurrealDB is vulnerable to a CPU exhaustion attack due to an infinite loop flaw triggered by improper handling of nested for loops.
A heap-based buffer overflow vulnerability in the xdgmime library within Red Hat Enterprise Linux may allow for arbitrary code execution or service disruption via malicious file processing.
The oras-go library is affected by path traversal and improper link resolution vulnerabilities, potentially allowing unauthorized file access.
Sangoma Switchvox SMB Edition contains an authenticated local file inclusion vulnerability that allows attackers to access sensitive files on the server.
osTicket suffers from an incorrect authorization vulnerability that may allow authenticated users to perform unauthorized actions.
Hashtopolis server contains an authorization bypass vulnerability in the web interface chunk activity component, allowing authenticated users to access unauthorized data.
A stored cross-site scripting (XSS) vulnerability in Sangoma Switchvox SMB Edition allows authenticated users to inject malicious scripts into the web interface.