CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2025-8572 Truelysell Core <= 1.8.7 - Unauthenticated Privilege Escalation via Registration 14.02.2026 9.8
CVE-2026-1306 midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload via 'export' AJAX Action 14.02.2026 9.8
CVE-2026-26273 Known affected by Account Takeover via Password Reset Token Leakage 13.02.2026 9.8
CVE-2026-26333 Calero VeraSMART < 2022 R1 .NET Remoting Arbitrary File Read Leading to ViewState RCE 13.02.2026 10
CVE-2026-26335 Calero VeraSMART < 2022 R1 Static IIS Machine Keys Enable ViewState RCE 13.02.2026 9.3
CVE-2026-26190 Milvus Allows Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise 13.02.2026 9.8
CVE-2026-26221 Hyland OnBase Timer Services Unauthenticated .NET Remoting RCE 13.02.2026 10
CVE-2019-25322 Heatmiser Netmonitor 3.03 - Hardcoded Credentials 13.02.2026 9.3
CVE-2026-26068 emp3r0r Agent-Controlled Metadata to Operator RCE (tmux Command Injection) 13.02.2026 9.3
CVE-2026-1358 Airleader Master Unrestricted Upload of File with Dangerous Type 13.02.2026 9.8
CVE-2026-26069 Scraparr Readarr Integration exposes sensitive values as metric labels 13.02.2026 9.1
CVE-2026-26011 Critical Heap Out-of-bounds Access in `pf_cluster_stats()` via Malicious /initialpose Covariance -- Potential Remote Code Execution 13.02.2026 9.3
CVE-2026-26020 AutoGPT Affected by Remote Code Execution via Dynamic Module Import in Block Loading (__import__) 12.02.2026 9.4
CVE-2026-25227 authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint 12.02.2026 9.1
CVE-2026-24044 ESS Community Helm Chart has a weak server key generation method 12.02.2026 9.2
CVE-2026-26218 newbee-mall Default Seeded Administrator Credentials Allow Account Takeover 12.02.2026 9.3
CVE-2026-26219 newbee-mall Unsalted MD5 Password Hashing Enables Offline Credential Cracking 12.02.2026 9.3
CVE-2026-26216 Crawl4AI < 0.8.0 Docker API Unauthenticated Remote Code Execution via Hooks Parameter 12.02.2026 10
CVE-2026-26217 Crawl4AI < 0.8.0 Docker API Local File Inclusion via file URL Handling 12.02.2026 9.2
CVE-2026-26214 Xiaomi Galaxy FDS Android SDK <= 3.0.8 TLS Hostname Verification Disabled Enables MITM 12.02.2026 9.1
CVE-2025-14014 Insecure File Upload in NTN Informatics' Smart Panel 12.02.2026 9.8
CVE-2025-10969 SQLi in Farktor Software's E-Commerce Package 12.02.2026 9.8
CVE-2026-1729 AdForest <= 6.0.12 - Authentication Bypass 12.02.2026 9.8
CVE-2026-26215 manga-image-translator Shared API Unsafe Deserialization RCE 12.02.2026 9.3
CVE-2026-26021 Prototype pollution in set-in 12.02.2026 9.4
CVE-2020-37186 Chevereto 3.13.4 Core - Remote Code Execution 12.02.2026 9.3
CVE-2026-24789 ZLAN Information Technology ZLAN5143D Missing Authentication for Critical Function 11.02.2026 9.3
CVE-2026-25084 ZLAN Information Technology ZLAN5143D Missing Authentication for Critical Function 11.02.2026 9.3
CVE-2025-12059 Improper Access Control in Logo Software's Logo j-Platform 12.02.2026 9.8
CVE-2026-2248 Unauthenticated Remote Root Shell Access via Web Console in METIS WIC 12.02.2026 9.8
CVE-2026-2249 Unauthenticated Remote Command Execution via Web Console in METIS DFS 12.02.2026 9.8
CVE-2025-8668 Reflected XSS in E-Kalite Software Hardware Engineering's Turboard 11.02.2026 9.4
CVE-2025-66277 QTS, QuTS hero 12.02.2026 9.2
CVE-2025-8025 Improper Access Control in Dinosoft Business Solutions' Dinosoft ERP 11.02.2026 9.8
CVE-2026-1357 Migration, Backup, Staging <= 0.9.123 - Unauthenticated Arbitrary File Upload 11.02.2026 9.8
CVE-2026-26009 Catalyst Affected by Remote Code Execution as Root via Containerized Install Script Execution 10.02.2026 10
CVE-2026-21531 Azure SDK for Python Remote Code Execution Vulnerability 13.02.2026 9.8
CVE-2026-25993 EverShop has a Second-Order SQL Injection in URL Rewrite Processing Derived from Category URL Keys 10.02.2026 9.3
CVE-2026-25728 ClipBucket v5 Affected by Remote Code Execution via Avatar/Background File Upload Race Condition 11.02.2026 9.3
CVE-2025-11242 SSRF in Teknolist Computer's Okulistik 10.02.2026 9.8
CVE-2026-2095 Flowring|Agentflow - Authentication Bypass 10.02.2026 9.3
CVE-2026-2096 Flowring|Agentflow - Missing Authentication 10.02.2026 9.3
CVE-2026-0488 Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor) 11.02.2026 9.9
CVE-2026-0509 Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform 10.02.2026 9.6
CVE-2026-25893 FUXA Unauthenticated Remote Code Execution via Admin JWT Minting 11.02.2026 10
CVE-2026-25894 FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration 11.02.2026 9.5
CVE-2026-25895 FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API 11.02.2026 9.5
CVE-2026-25938 FUXA Unauthenticated Remote Code Execution in Node-RED Integration 11.02.2026 9.5
CVE-2026-25939 FUXA Unauthenticated Remote Arbitrary Scheduler Write 11.02.2026 9.3
CVE-2026-25812 PlaciPy is Missing CSRF Protection on State-Changing Endpoints 10.02.2026 9.3
CVE-2026-25814 NoSQL Injection Risk via Unsanitized Query Parameters 10.02.2026 9.3
CVE-2026-25875 PlaciPy Admin Privilege Escalation via Trusted JWT Claims 10.02.2026 9.3
CVE-2026-25881 @nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape) 10.02.2026 9.1
CVE-2026-25885 PolarLearn allows unauthenticated WebSocket access, enabling subscribing to and posting in arbitrary group chats 10.02.2026 10
CVE-2026-25057 Zip Slip in MarkUs config upload allowing RCE 10.02.2026 9.1
CVE-2025-66630 Fiber insecurely falls back in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure 10.02.2026 9.2
CVE-2025-6830 SQLi in Xpoda Türkiye Information Technology's Password Module 11.02.2026 9.8
CVE-2026-25848 10.02.2026 9.1
CVE-2026-22903 Stack Overflow via SESSIONID Cookie in lighttpd 09.02.2026 9.8
CVE-2026-22904 Stack Overflow via Oversized Cookie Fields in lighttpd 09.02.2026 9.8
CVE-2026-22906 Hardcoded Key Allows Credential Disclosure 09.02.2026 9.8
CVE-2026-2234 HGiga|C&Cm@il - Missing Authentication 09.02.2026 9.3
CVE-2026-1868 Improper Neutralization of Special Elements Used in a Template Engine in GitLab AI Gateway 09.02.2026 9.9
CVE-2026-1615 09.02.2026 9.2
CVE-2025-15027 JAY Login & Register <= 2.6.03 - Unauthenticated Privilege Escalation via jay_login_register_ajax_create_final_user 09.02.2026 9.8

Latest Updates

CVE Title Updated Score
CVE-2025-71202 iommu/sva: invalidate stale IOTLB entries for kernel address space 14.02.2026
CVE-2026-23141 btrfs: send: check for inline extents in range_is_hole_in_parent() 14.02.2026
CVE-2026-23142 mm/damon/sysfs-scheme: cleanup access_pattern subdirs on scheme dir setup failure 14.02.2026
CVE-2026-23143 virtio_net: Fix misalignment bug in struct virtnet_info 14.02.2026
CVE-2026-23144 mm/damon/sysfs: cleanup attrs subdirs on context dir setup failure 14.02.2026
CVE-2026-23145 ext4: fix iloc.bh leak in ext4_xattr_inode_update_ref 14.02.2026
CVE-2025-71201 netfs: Fix early read unlock of page with EOF in middle 14.02.2026
CVE-2026-23132 drm/bridge: synopsys: dw-dp: fix error paths of dw_dp_bind 14.02.2026
CVE-2026-23133 wifi: ath10k: fix dma_free_coherent() pointer 14.02.2026
CVE-2026-23134 slab: fix kmalloc_nolock() context check for PREEMPT_RT 14.02.2026
CVE-2026-23135 wifi: ath12k: fix dma_free_coherent() pointer 14.02.2026
CVE-2026-23136 libceph: reset sparse-read state in osd_fault() 14.02.2026
CVE-2026-23137 of: unittest: Fix memory leak in unittest_data_add() 14.02.2026
CVE-2026-23138 tracing: Add recursion protection in kernel stack trace recording 14.02.2026
CVE-2026-23139 netfilter: nf_conncount: update last_gc only when GC has been performed 14.02.2026
CVE-2026-23140 bpf, test_run: Subtract size of xdp_frame from allowed metadata size 14.02.2026
CVE-2025-71200 mmc: sdhci-of-dwcmshc: Prevent illegal clock reduction in HS200/HS400 mode 14.02.2026
CVE-2026-23113 io_uring/io-wq: check IO_WQ_BIT_EXIT inside work run loop 14.02.2026
CVE-2026-23114 arm64/fpsimd: ptrace: Fix SVE writes on !SME systems 14.02.2026
CVE-2026-23115 serial: Fix not set tty->port race condition 14.02.2026
CVE-2026-23116 pmdomain: imx8m-blk-ctrl: Remove separate rst and clk mask for 8mq vpu 14.02.2026
CVE-2026-23117 ice: add missing ice_deinit_hw() in devlink reinit path 14.02.2026
CVE-2026-23118 rxrpc: Fix data-race warning and potential load/store tearing 14.02.2026
CVE-2026-23119 bonding: provide a net pointer to __skb_flow_dissect() 14.02.2026
CVE-2026-23120 l2tp: avoid one data-race in l2tp_tunnel_del_work() 14.02.2026
CVE-2026-23121 mISDN: annotate data-race around dev->work 14.02.2026
CVE-2026-23122 igc: Reduce TSN TX packet buffer from 7KB to 5KB per queue 14.02.2026
CVE-2026-23123 interconnect: debugfs: initialize src_node and dst_node to empty strings 14.02.2026
CVE-2026-23124 ipv6: annotate data-race in ndisc_router_discovery() 14.02.2026
CVE-2026-23125 sctp: move SCTP_CMD_ASSOC_SHKEY right after SCTP_CMD_PEER_INIT 14.02.2026
CVE-2026-23126 netdevsim: fix a race issue related to the operation on bpf_bound_progs list 14.02.2026
CVE-2026-23127 perf: Fix refcount warning on event->mmap_count increment 14.02.2026
CVE-2026-23128 arm64: Set __nocfi on swsusp_arch_resume() 14.02.2026
CVE-2026-23129 dpll: Prevent duplicate registrations 14.02.2026
CVE-2026-23130 wifi: ath12k: fix dead lock while flushing management frames 14.02.2026
CVE-2026-23131 platform/x86: hp-bioscfg: Fix kobject warnings for empty attribute names 14.02.2026
CVE-2026-2312 Media Library Folders <= 8.3.6 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Attachment Deletion and Rename 14.02.2026 4.3
CVE-2026-1512 Essential Addons for Elementor <= 6.5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Info Box Widget 14.02.2026 6.4
CVE-2025-8572 Truelysell Core <= 1.8.7 - Unauthenticated Privilege Escalation via Registration 14.02.2026 9.8
CVE-2026-0550 myCred <= 2.9.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'mycred_load_coupon' Shortcode 14.02.2026 6.4
CVE-2026-1249 MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 5.3 - 5.10 - Authenticated (Author+) Server-Side Request Forgery 14.02.2026 5
CVE-2026-1254 Modula Image Gallery – Photo Grid & Video Gallery <= 2.13.6 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post/Page Editing 14.02.2026 4.3
CVE-2026-1258 Mail Mint <= 1.19.2 - Authenticated (Administrator+) SQL Injection via Multiple API Endpoints 14.02.2026 4.9
CVE-2026-1843 Super Page Cache <= 5.2.2 - Unauthenticated Stored Cross-Site Scripting via Activity Log 14.02.2026 7.2
CVE-2025-14852 MDirector Newsletter <= 4.5.8 - Cross-Site Request Forgery to Plugin Settings Update 14.02.2026 4.3
CVE-2025-14873 LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Cross-Site Request Forgery 14.02.2026 4.3
CVE-2025-15483 Link Hopper <= 2.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'hop_name' Parameter 14.02.2026 4.4
CVE-2025-6792 One to one user Chat by WPGuppy <= 1.1.4 - Unauthenticated Information Disclosure via Chat Message Interception 14.02.2026 5.3
CVE-2026-0557 WP Data Access <= 5.5.63 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpda_app' Shortcode 14.02.2026 6.4
CVE-2026-0559 MasterStudy LMS WordPress Plugin – for Online Courses and Education <= 3.7.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'stm_lms_courses_grid_display' Shortcode 14.02.2026 6.4
CVE-2026-0693 Allow HTML in Category Descriptions <= 1.2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Category Descriptions 14.02.2026 4.4
CVE-2026-0727 Accordion and Accordion Slider <= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Attachment Metadata Modification 14.02.2026 5.4
CVE-2026-0735 User Language Switch <= 1.6.10 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'tab_color_picker_language_switch' Parameter 14.02.2026 4.4
CVE-2026-0736 Chatbot for WordPress by Collect.chat ⚡️ <= 2.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta Field 14.02.2026 6.4
CVE-2026-0745 User Language Switch <= 1.6.10 - Authenticated (Administrator+) Server-Side Request Forgery via 'info_language' Parameter 14.02.2026 7.2
CVE-2026-0751 Payment Page | Payment Form for Stripe <= 1.4.6 - Authenticated (Author+) Stored Cross-Site Scripting via 'pricing_plan_select_text_font_family' Parameter 14.02.2026 6.4
CVE-2026-0753 Super Simple Contact Form <= 1.6.2 - Reflected Cross-Site Scripting via 'sscf_name' Parameter 14.02.2026 7.2
CVE-2026-1096 Best-wp-google-map <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'latitude' Shortcode Attribute 14.02.2026 6.4
CVE-2026-1187 ZoomifyWP Free <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'filename' Shortcode Attribute 14.02.2026 6.4
CVE-2026-1303 MailChimp Campaigns <= 3.2.4 - Missing Authorization to Authenticated (Subscriber+) MailChimp App Disconnection 14.02.2026 5.3
CVE-2026-1306 midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload via 'export' AJAX Action 14.02.2026 9.8
CVE-2026-1394 WP Quick Contact Us <= 1.0 - Cross-Site Request Forgery to Settings Update 14.02.2026 4.3
CVE-2026-1792 Geo Widet <= 1.0 - Reflected Cross-Site Scripting 14.02.2026 6.1
CVE-2026-1795 Address Bar Ads <= 1.0.0 - Reflected Cross-Site Scripting 14.02.2026 6.1
CVE-2026-1796 StyleBidet <= 1.0.0 - Reflected Cross-Site Scripting 14.02.2026 6.1
CVE-2026-1901 QuestionPro Surveys <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 14.02.2026 6.4
CVE-2026-1903 Ravelry Designs Widget <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sb_ravelry_designs' Shortcode 'layout' Attribute 14.02.2026 6.4
CVE-2026-1905 Sphere Manager <= 1.0.2 - Authenticated (Contributor+) Cross-Site Scripting via 'width' Shortcode Attribute 14.02.2026 6.4
CVE-2026-1910 UpMenu <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'upmenu-menu' Shortcode 'lang' Attribute 14.02.2026 6.4
CVE-2026-1915 Simple Plyr <= 0.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'poster' Shortcode Attribute 14.02.2026 6.4
CVE-2026-1939 Percent to Infograph <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 14.02.2026 6.4
CVE-2026-1944 CallbackKiller service widget <= 1.2 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Update 14.02.2026 5.3
CVE-2026-1985 Press3D <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Link URL Parameter in 3D Model Block 14.02.2026 6.4
CVE-2026-1987 Scheduler Widget <= 0.1.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Event Modification 14.02.2026 5.4
CVE-2026-1988 Flexi Product Slider and Grid for WooCommerce <= 1.0.5 - Authenticated (Contributor+) Local File Inclusion via 'theme' Shortcode Attribute 14.02.2026 7.5
CVE-2026-2022 Smart Forms <= 2.6.99 - Missing Authorization to Authenticated (Subscriber+) Campaign Data Exposure 14.02.2026 4.3
CVE-2026-2024 PhotoStack Gallery <= 0.4.1 - Unauthenticated SQL Injection via 'postid' Parameter 14.02.2026 7.5
CVE-2026-1932 Appointment Booking Calendar Plugin <= 1.0.2 - Missing Authorization to Unauthenticated Arbitrary Appointment Status Modification 14.02.2026 5.3
CVE-2026-2469 14.02.2026 7.6
CVE-2026-0692 BlueSnap Payment Gateway for WooCommerce <= 3.3.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Manipulation 14.02.2026 7.5
CVE-2026-1164 Easy Voice Mail <= 1.2.5 - Unauthenticated Stored Cross-Site Scripting via 'message' 14.02.2026 6.1
CVE-2026-1754 personal-authors-category <= 0.3 - Reflected Cross-Site Scripting 14.02.2026 6.1
CVE-2026-1904 Simple Wp colorfull Accordion <= 1.0 - Authenticated (Contributor+) Cross-Site Scripting via 'title' Shortcode Attribute 14.02.2026 6.4
CVE-2026-1912 Citations tools <= 0.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'code' Shortcode Attribute 14.02.2026 6.4
CVE-2026-1983 SEATT: Simple Event Attendance <= 1.5.0 - Cross-Site Request Forgery to Arbitrary Event Deletion 14.02.2026 4.3
CVE-2026-2027 AMP Enhancer <= 1.0.49 - Authenticated (Administrator+) Stored Cross-Site Scripting via AMP Custom CSS Setting 14.02.2026 4.4
CVE-2026-2144 Magic Login Mail or QR Code <= 2.05 - Unauthenticated Privilege Escalation via Insecure QR Code File Storage 14.02.2026 8.1
CVE-2025-13681 BFG Tools – Extension Zipper <= 1.0.7 - Authenticated (Administrator+) Path Traversal via 'first_file' Parameter 14.02.2026 4.9
CVE-2025-13973 StickEasy Protected Contact Form <= 1.0.1 - Unauthenticated Information Disclosure 14.02.2026 5.3
CVE-2025-14067 Easy Form Builder <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Response Data Exposure 14.02.2026 5.3
CVE-2025-14608 WP Last Modified Info <= 1.9.5 - Insecure Direct Object Reference to Authenticated (Author+) Post Metadata Modification 14.02.2026 5.3
CVE-2026-26295 14.02.2026
CVE-2026-26296 14.02.2026
CVE-2026-26297 14.02.2026
CVE-2026-26298 14.02.2026
CVE-2026-26299 14.02.2026
CVE-2026-26300 14.02.2026
CVE-2026-26301 14.02.2026
CVE-2026-26302 14.02.2026
CVE-2026-26303 14.02.2026
CVE-2026-24853 Caido has an insufficient patch for DNS rebind leading to RCE 13.02.2026 8.1