CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-26288 Everon api.everon.io Missing Authentication for Critical Function 06.03.2026 9.3
CVE-2026-26051 Mobiliti e-mobi.hu Missing Authentication for Critical Function 06.03.2026 9.3
CVE-2026-2330 CVE-2026-2330 06.03.2026 9.4
CVE-2026-2331 CVE-2026-2331 06.03.2026 9.8
CVE-2026-29183 SiYuan: Unauthenticated reflected SVG XSS in `/api/icon/getDynamicIcon` (`type=8`) enables arbitrary JavaScript execution 06.03.2026 9.3
CVE-2026-29058 AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php 06.03.2026 9.8
CVE-2026-28794 oRPC: Prototype Pollution in `@orpc/client` via `StandardRPCJsonSerializer` Deserialization 06.03.2026 9.3
CVE-2026-28508 Idno: Unauthenticated SSRF via URL Unfurl Endpoint 06.03.2026 9.2
CVE-2026-28680 Ghostfolio: Full-Read SSRF in Manual Asset Import 06.03.2026 9.3
CVE-2026-28785 Ghostfolio: Time-Based Blind SQL Injection in Manual Asset Import 06.03.2026 9.3
CVE-2025-59542 Chamilo: Account Takeover via Stored XSS in Course Learning Paths 06.03.2026 9.1
CVE-2025-59543 Chamilo: Account Takeover via Stored XSS in Course Description 06.03.2026 9.1
CVE-2026-28497 TinyWeb: Integer Overflow in `_Val` (HTTP Request Smuggling) 06.03.2026 9.3
CVE-2026-28501 WWBN AVideo: Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php 06.03.2026 9.8
CVE-2026-28502 WWBN AVideo: Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction 06.03.2026 9.3
CVE-2026-29046 TinyWeb: HTTP Header Control Character Injection into CGI Environment 06.03.2026 9.2
CVE-2026-22552 ePower epower.ie Missing Authentication for Critical Function 05.03.2026 9.3
CVE-2026-21536 Microsoft Devices Pricing Program Remote Code Execution Vulnerability 05.03.2026 9.8
CVE-2026-28391 OpenClaw < 2026.2.2 - Command Injection via cmd.exe Parsing Bypass in Allowlist Enforcement 05.03.2026 9.2
CVE-2026-28446 OpenClaw < 2026.2.1 - Inbound Allowlist Policy Bypass in voice-call Extension via Empty Caller ID and Suffix Matching 05.03.2026 9.2
CVE-2026-28466 OpenClaw < 2026.2.14 - Remote Code Execution via Node Invoke Approval Bypass 05.03.2026 9.4
CVE-2026-28470 OpenClaw < 2026.2.2 - Exec Allowlist Bypass via Command Substitution in Double Quotes 05.03.2026 9.2
CVE-2026-28472 OpenClaw < 2026.2.2 - Device Identity Check Bypass in Gateway WebSocket Connect Handshake 05.03.2026 9.2
CVE-2026-28474 OpenClaw Nextcloud Talk < 2026.2.6 - Allowlist Bypass via actor.name Display Name Spoofing 05.03.2026 9.3
CVE-2026-28484 OpenClaw 2026.2.15 - Option Injection in pre-commit Hook via Malicious Filenames 05.03.2026 9.3
CVE-2026-21622 Password Reset Tokens Do Not Expire 05.03.2026 9.5
CVE-2025-55208 Chamilo LMS has Stored Cross Site Scripting on Social Networks Uploaded Files 06.03.2026 9.1
CVE-2026-29188 File Browser: TUS Delete Endpoint Bypasses Delete Permission Check 06.03.2026 9.1
CVE-2026-0848 Arbitrary Code Execution in NLTK StanfordSegmenter via Untrusted JAR Loading 05.03.2026 10
CVE-2026-28353 Trivy Vulnerability Scanner: Unauthorized AI Agent Execution Code Included in OpenVSX Extension Release 05.03.2026 10
CVE-2026-25921 Gogs: Cross-repository LFS object overwrite via missing content hash verification 05.03.2026 9.3
CVE-2026-24457 05.03.2026 9.1
CVE-2026-27944 Nginx UI: Unauthenticated Backup Download with Encryption Key Disclosure 05.03.2026 9.8
CVE-2026-30789 RustDesk Client Generates Auth Proof Without Client-Side Nonce, Enabling Replay Attacks 05.03.2026 9.3
CVE-2026-30790 RustDesk Server Controls All Handshake Entropy (Salt/Challenge), Enabling Offline Brute-Force 05.03.2026 9.3
CVE-2026-30797 RustDesk rustdesk://config/ URI Silently Re-homes Client to Attacker-Controlled Server 05.03.2026 9.3
CVE-2026-30792 RustDesk Client Blindly Merges Unauthenticated Strategy Payloads, Bypassing Local Security Settings 06.03.2026 9.1
CVE-2026-30793 RustDesk Flutter URI Handler Sets Permanent Password Without Privilege Check or User Confirmation 05.03.2026 9.3
CVE-2026-30794 RustDesk HTTP Client Silently Accepts Invalid TLS Certificates After Handshake Failure 05.03.2026 9.1
CVE-2026-2599 Database for Contact Form 7, WPforms, Elementor forms <= 1.4.7 - Unauthenticated PHP Object Injection via 'download_csv' 05.03.2026 9.8
CVE-2026-21628 Extension - astroidframe.work - Unauthenticated Remote Code Execution in Astroid Framework 2.0.0 - 3.3.10 for Joomla 05.03.2026 10
CVE-2026-28536 05.03.2026 9.6
CVE-2026-2743 SEPPmail User Web Interface Arbitrary File Write to RCE 05.03.2026 10
CVE-2026-1678 dns: memory‑safety issue in the DNS name parser 05.03.2026 9.4
CVE-2026-29127 Incorrect Permission Assignment(777) on `monitor` Users Home Directory Containing SUID Root Binaries in IDC SFX2100 05.03.2026 9.2
CVE-2026-2835 HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing 04.03.2026 9.3
CVE-2026-2833 HTTP Request Smuggling via Premature Upgrade 04.03.2026 9.3
CVE-2026-29000 pac4j-jwt JwtAuthenticator Authentication Bypass 05.03.2026 10
CVE-2026-20079 05.03.2026 10
CVE-2026-20131 05.03.2026 10
CVE-2026-28783 Craft has a Twig Function Blocklist Bypass 06.03.2026 9.4
CVE-2026-28697 Craft Affected by Authenticated RCE via "craft.app.fs.write()" in Twig Templates 06.03.2026 9.4
CVE-2026-27441 PDF Password CMDi 04.03.2026 9.5
CVE-2026-27442 zip_attachments Path Traversal 04.03.2026 9.3
CVE-2026-27446 Apache Artemis, Apache ActiveMQ Artemis: Auth bypass for Core downstream federation 05.03.2026 9.3
CVE-2026-29120 Insecure, Hardcoded Root Password Stored in Anaconda Configuration File On IDC SFX2100 Satellite Receiver 05.03.2026 9.2
CVE-2026-28777 Hardcoded and Insecure Credentials for "User" Local Account with SSH Access On IDC SFX2100 Satellite Receiver 05.03.2026 9.2
CVE-2026-28773 Authenticated OS Command Injection via Ping Utility Leading to RCE as Root 05.03.2026 9.3
CVE-2026-28774 Authenticated OS Command Injection via Traceroute Utility leads to Root RCE 05.03.2026 9.3
CVE-2026-28775 Unauthenticated RCE via SNMP Default Writable Community String 05.03.2026 10
CVE-2026-27971 Qwik affected by unauthenticated RCE via server$ Deserialization 04.03.2026 9.2
CVE-2026-28289 FreeScout 1.8.206 Patch Bypass for CVE-2026-27636 via Zero-Width Space Character Leads to Remote Code Execution 05.03.2026 10
CVE-2026-26279 Froxlor Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection 04.03.2026 9.1
CVE-2026-26266 AliasVault affected by Cross-Site Scripting (XSS) via Email HTML Rendering 04.03.2026 9.3
CVE-2026-24898 OpenEMR has an Unauthenticated MedEx Token Disclosure 04.03.2026 10
CVE-2026-25146 OpenEMR's payments gateway_api_key secret rendered into client JS code 04.03.2026 9.6
CVE-2026-27012 Unauthenticated privilege escalation in OpenSTAManager via modules/utenti/actions.php 04.03.2026 9.8
CVE-2026-3485 D-Link DIR-868L SSDP Service sub_1BF84 os command injection 03.03.2026 9.3
CVE-2026-3437 Improper Restriction of Operations within the Bounds of a Memory Buffer in Portwell Engineering Toolkits 03.03.2026 9.3
CVE-2026-22891 03.03.2026 9.8
CVE-2026-22886 03.03.2026 9.8
CVE-2026-1492 User Registration & Membership <= 5.1.2 - Unauthenticated Privilege Escalation via Membership Registration 03.03.2026 9.8
CVE-2026-2628 All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login <= 2.2.5 - Authentication Bypass 03.03.2026 9.8
CVE-2025-50187 Chamilo: Evaluation of untrusted user input leads to Remote Code Execution 02.03.2026 9.8
CVE-2026-23600 03.03.2026 10
CVE-2025-12462 Blind SQL Injection in DobryCMS 02.03.2026 9.3
CVE-2025-14532 Remote Code Execution via Unrestricted File Upload in DobryCMS 02.03.2026 9.3
CVE-2026-3431 Sim Studio AI - MongoDB SSRF and Arbitrary Document Deletion 02.03.2026 9.8
CVE-2026-3432 Sim Studio AI - Unauthenticated OAuth Token Theft 02.03.2026 9.3
CVE-2025-30035 Lack of API authentication allowing session generation for any user 02.03.2026 9
CVE-2025-30042 Session generation possible with certificate number only 02.03.2026 9
CVE-2025-30044 RCE on uhcapache user permissions 02.03.2026 9.4
CVE-2026-2584 SQL Injection in Ciser System SL firmware 02.03.2026 9.3
CVE-2026-2999 Changing|IDExpert Windows Logon Agent - Remote Code Execution 02.03.2026 9.3
CVE-2026-3000 Changing|IDExpert Windows Logon Agent - Remote Code Execution 02.03.2026 9.3
CVE-2026-3422 e-Excellence|U-Office Force - Insecure Deserialization 02.03.2026 9.3
CVE-2026-2844 TimePictra Authentication Bypass Vulnerability 02.03.2026 9.3
CVE-2026-3010 TimePictra Stored Cross-Site Scripting 02.03.2026 9.3

Latest Updates

CVE Title Updated Score
CVE-2026-26017 CoreDNS ACL Bypass 06.03.2026 7.7
CVE-2026-26018 CoreDNS Loop Detection Denial of Service Vulnerability 06.03.2026 7.5
CVE-2026-27123 06.03.2026
CVE-2026-20748 Everon api.everon.io Insufficient Session Expiration 06.03.2026 7.3
CVE-2026-20882 Mobiliti e-mobi.hu Improper Restriction of Excessive Authentication Attempts 06.03.2026 7.5
CVE-2026-24696 Everon api.everon.io Improper Restriction of Excessive Authentication Attempts 06.03.2026 7.5
CVE-2026-26288 Everon api.everon.io Missing Authentication for Critical Function 06.03.2026 9.4
CVE-2026-27027 Everon api.everon.io Insufficiently Protected Credentials 06.03.2026 6.5
CVE-2026-27764 Mobiliti e-mobi.hu Insufficient Session Expiration 06.03.2026 7.3
CVE-2026-27777 Mobiliti e-mobi.hu Insufficiently Protected Credentials 06.03.2026 6.5
CVE-2026-26051 Mobiliti e-mobi.hu Missing Authentication for Critical Function 06.03.2026 9.4
CVE-2026-2752 06.03.2026 5.3
CVE-2026-2753 06.03.2026 7.5
CVE-2026-2754 06.03.2026 7.5
CVE-2026-1799 06.03.2026
CVE-2022-4947 06.03.2026
CVE-2018-25161 Warranty Tracking System 11.06.3 SQL Injection via SearchCustomer.php 06.03.2026
CVE-2018-25162 2-Plan Team 1.0.4 Arbitrary File Upload via managefile.php 06.03.2026
CVE-2018-25163 BitZoom 1.0 SQL Injection via rollno Parameter 06.03.2026
CVE-2018-25164 EverSync 0.5 Arbitrary File Download via files Directory 06.03.2026
CVE-2018-25165 Galaxy Forces MMORPG 0.5.8 SQL Injection via ads.php 06.03.2026
CVE-2018-25166 Meneame English Pligg 5.8 SQL Injection via search Parameter 06.03.2026
CVE-2018-25167 Net-Billetterie 2.9 SQL Injection via login.inc.php 06.03.2026
CVE-2018-25168 Precurio Intranet Portal 2.0 Cross-Site Request Forgery Add Admin 06.03.2026
CVE-2018-25169 AMPPS 2.7 Denial of Service via Malformed Socket Connection 06.03.2026
CVE-2018-25170 DoceboLMS 1.2 SQL Injection via lesson.php 06.03.2026
CVE-2018-25171 EdTv 2 SQL Injection via id Parameter 06.03.2026
CVE-2018-25172 Pedidos 1.0 SQL Injection via load_proveedores.php 06.03.2026
CVE-2018-25173 Rmedia SMS 1.0 SQL Injection via editgrp.php 06.03.2026
CVE-2018-25174 ABC ERP 0.6.4 Cross-Site Request Forgery via _configurar_perfil.php 06.03.2026
CVE-2018-25175 Alienor Web Libre 2.0 SQL Injection via index.php 06.03.2026
CVE-2018-25176 Alive Parish 2.0.4 SQL Injection and Arbitrary File Upload 06.03.2026
CVE-2018-25177 Data Center Audit 2.6.2 Cross-Site Request Forgery via dca_resetpw.php 06.03.2026
CVE-2018-25178 Easyndexer 1.0 Arbitrary File Download via showtif.php 06.03.2026
CVE-2018-25179 Gumbo CMS 0.99 SQL Injection via settings endpoint 06.03.2026
CVE-2018-25180 Maitra 1.7.2 SQL Injection and Database File Download 06.03.2026
CVE-2018-25181 Musicco 2.0.0 Arbitrary Directory Download via Path Traversal 06.03.2026
CVE-2018-25182 Silurus Classifieds Script 2.0 SQL Injection via wcategory.php 06.03.2026
CVE-2018-25184 Surreal ToDo 0.6.1.2 Local File Inclusion via index.php 06.03.2026
CVE-2018-25186 Tina4 Stack 1.0.3 Cross-Site Request Forgery via profile 06.03.2026
CVE-2018-25187 Tina4 Stack 1.0.3 SQL Injection and Database File Download 06.03.2026
CVE-2018-25188 Webiness Inventory 2.3 SQL Injection via WsModelGrid.php 06.03.2026
CVE-2018-25189 Data Center Audit 2.6.2 SQL Injection via username Parameter 06.03.2026
CVE-2018-25190 Easyndexer 1.0 Cross-Site Request Forgery via createuser.php 06.03.2026
CVE-2018-25191 Facturation System 1.0 SQL Injection via editar_producto.php 06.03.2026
CVE-2018-25192 GPS Tracking System 2.12 SQL Injection via username Parameter 06.03.2026
CVE-2018-25193 Mongoose Web Server 6.9 Denial of Service via Socket Connection 06.03.2026
CVE-2018-25194 Nominas 0.27 SQL Injection via username Parameter 06.03.2026
CVE-2018-25196 ServerZilla 1.0 SQL Injection via email Parameter 06.03.2026
CVE-2018-25197 PlayJoom 0.10.1 SQL Injection via catid Parameter 06.03.2026
CVE-2018-25198 eToolz 3.4.8.0 Denial of Service via Buffer Overflow 06.03.2026
CVE-2018-25199 OOP CMS BLOG 1.0 SQL Injection via search parameter 06.03.2026
CVE-2018-25200 OOP CMS BLOG 1.0 Cross-Site Request Forgery via addUser.php 06.03.2026
CVE-2026-28080 WordPress Rank Math SEO PRO plugin <= 3.0.95 - Broken Access Control vulnerability 06.03.2026 4.3
CVE-2026-28106 WordPress B2BKing Premium plugin <= 5.3.80 - Open Redirection vulnerability 06.03.2026 4.7
CVE-2024-35644 WordPress Preferred Languages plugin <= 2.2.2 - Cross Site Scripting (XSS) vulnerability 06.03.2026 5.9
CVE-2026-1468 Cross-Site Request Forgery in QuickCMS 06.03.2026
CVE-2026-3589 WooCommerce < 10.5.3 - Arbitrary Admin User Creation via CSRF 06.03.2026
CVE-2026-23925 Unauthorized host creation via configuration.import API by low-privilege user with write permissions 06.03.2026
CVE-2026-2330 CVE-2026-2330 06.03.2026 9.4
CVE-2026-2331 CVE-2026-2331 06.03.2026 9.8
CVE-2026-29059 Windmill: SUPERADMIN_SECRET (rarely used) can be accessed publicly 06.03.2026
CVE-2026-29062 jackson-core: Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially allowing Resource Exhaustion 06.03.2026
CVE-2026-29073 SiYuan: Direct SQL Query API accessible to Reader-level users enables unauthorized database access 06.03.2026
CVE-2026-29074 SVGO: DoS through entity expansion in DOCTYPE (Billion Laughs) 06.03.2026 7.5
CVE-2026-29183 SiYuan: Unauthenticated reflected SVG XSS in `/api/icon/getDynamicIcon` (`type=8`) enables arbitrary JavaScript execution 06.03.2026 9.3
CVE-2026-2830 WP All Import <= 4.0.0 - Reflected Cross-Site Scripting via 'filepath' 06.03.2026 6.1
CVE-2026-29038 changedetection.io: Reflected XSS in RSS Tag Error Response 06.03.2026 6.1
CVE-2026-29039 changedetection.io: XPath - Arbitrary File Read via unparsed-text() 06.03.2026
CVE-2026-29042 Nuclio Shell Runtime Command Injection Leading to Privilege Escalation 06.03.2026
CVE-2026-29048 HumHub: XSS in Button component 06.03.2026
CVE-2026-29049 melange: unbounded HTTP download in `melange update-cache` can exhaust disk in CI 06.03.2026 4.3
CVE-2026-29058 AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php 06.03.2026 9.8
CVE-2026-29065 changedetection.io: Zip Slip vulnerability in the backup restore functionality 06.03.2026
CVE-2026-28438 CocoIndex Doris target connector didn't verify table name when constructing ALTER TABLE statements 06.03.2026
CVE-2026-28799 PJSIP: Heap use-after-free in PJSIP presence subscription termination handler 06.03.2026
CVE-2026-28800 Natro Macro: Malicious actions allowed through Discord RC Commands by any user 06.03.2026 6.4
CVE-2026-28801 Natro Macro: Code Injection through Pattern/Path files 06.03.2026 6.6
CVE-2026-28802 Authlib: Setting `alg: none` and a blank signature appears to bypass signature verification 06.03.2026
CVE-2026-28804 pypdf: Inefficient decoding of ASCIIHexDecode streams 06.03.2026
CVE-2026-29068 PJSIP: Stack buffer overflow in Opus codec parser 06.03.2026
CVE-2026-28795 OpenChatBI: Critical Path Traversal Vulnerability in save_report Tool of OpenChatBI 06.03.2026
CVE-2026-1128 WP eCommerce <= 3.15.1 - Coupon Deletion via CSRF 06.03.2026
CVE-2026-2446 Powerpack for LearnDash < 1.3.0 - Unauthenticated Arbitrary Option Update 06.03.2026
CVE-2026-28428 Talishar: Authentication Bypass via Empty authKey Parameter Allows Unauthenticated Game Actions 06.03.2026 5.3
CVE-2026-28429 Talishar: Critical Path Traversal in gameName Parameter 06.03.2026 7.5
CVE-2026-28682 Gokapi: Data Leak in Upload Status Stream 06.03.2026 6.4
CVE-2026-28683 Gokapi: Stored XSS in SVG Hotlinks 06.03.2026 8.7
CVE-2026-28685 Kimai: API invoice endpoint missing customer-level access control (IDOR) 06.03.2026 6.5
CVE-2026-28787 OneUptime has WebAuthn 2FA bypass: server accepts client-supplied challenge instead of server-stored value, allowing credential replay 06.03.2026 8.2
CVE-2026-28794 oRPC: Prototype Pollution in `@orpc/client` via `StandardRPCJsonSerializer` Deserialization 06.03.2026
CVE-2026-29060 Gokapi: Privilege escalation with auth token 06.03.2026 5
CVE-2026-29061 Gokapi: Privilege escalation via incomplete API-key permission revocation on user rank demotion 06.03.2026 5.4
CVE-2026-29084 Gokapi: CSRF in Login Endpoint 06.03.2026 4.6
CVE-2026-25877 Chartbrew: Insecure Direct Object Reference (IDOR) in Chart Operations 06.03.2026 6.5
CVE-2026-25887 Chartbrew: Remote Code Execution (RCE) via MongoDB Dataset Query 06.03.2026 7.2
CVE-2026-25888 Chartbrew: Remote Code Execution (RCE) via Vulnerable API 06.03.2026 8.8
CVE-2026-27005 Chartbrew: SQL injection in date-type variable handling (applyMysqlOrPostgresVariables) 06.03.2026
CVE-2026-27603 Chartbrew: Unauthenticated Chart Filter Endpoint: POST /project/:project_id/chart/:chart_id/filter missing verifyToken + checkPermissions 06.03.2026
CVE-2026-27605 Chartbrew: Stored Cross-Site Scripting (XSS) via File Upload API 06.03.2026 6.3
CVE-2026-28507 Idno: Remote Code Execution via Chained Import File Write and Template Path Traversal 06.03.2026
CVE-2026-28508 Idno: Unauthenticated SSRF via URL Unfurl Endpoint 06.03.2026
CVE-2026-28509 LangBot has a Cross Site Scripting(XSS) Vulnerability 06.03.2026 6.3
CVE-2026-28675 OpenSift: Sensitive implementation details exposed via raw exception messages and token-returning endpoints 06.03.2026 5.3
CVE-2026-28676 OpenSift: Insufficient path containment checks in storage helpers could allow path traversal-style file operations 06.03.2026 8.8
CVE-2026-28677 OpenSift: Insufficient URL destination restrictions in ingest flow could enable SSRF-style internal access 06.03.2026 8.2
CVE-2026-28679 HomeGallery: Path Traversal (Arbitrary File Read) 06.03.2026 8.6
CVE-2026-28680 Ghostfolio: Full-Read SSRF in Manual Asset Import 06.03.2026 9.3
CVE-2026-28681 IRRd: web UI host header injection allows password reset poisoning via attacker-controlled email links 06.03.2026 8.1
CVE-2026-28785 Ghostfolio: Time-Based Blind SQL Injection in Manual Asset Import 06.03.2026
CVE-2025-55289 Chamilo: Stored Cross Site Scripting in Skills Argumentation 06.03.2026 8.8
CVE-2025-59540 Chamilo: Stored Cross-Site Scripting (XSS) in Chamilo LMS Exercise Feedback 06.03.2026
CVE-2025-59541 Chamilo: CSRF Vulnerability in Project Deletion 06.03.2026 8.1
CVE-2025-59542 Chamilo: Account Takeover via Stored XSS in Course Learning Paths 06.03.2026 9.1
CVE-2025-59543 Chamilo: Account Takeover via Stored XSS in Course Description 06.03.2026 9.1
CVE-2025-59544 Chamilo: Unauthorized access to update category of any user 06.03.2026
CVE-2026-29041 Chamilo: Authenticated Remote Code Execution via Unrestricted File Upload 06.03.2026 8.8
CVE-2026-25962 MarkUs: Zip bomb in config upload enables DoS 06.03.2026 6.5
CVE-2026-27807 MarkUs: YAML alias (‘billion laughs’) DoS in config upload 06.03.2026 4.9
CVE-2026-28497 TinyWeb: Integer Overflow in `_Val` (HTTP Request Smuggling) 06.03.2026
CVE-2026-28501 WWBN AVideo: Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php 06.03.2026 9.8
CVE-2026-28502 WWBN AVideo: Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction 06.03.2026
CVE-2026-29046 TinyWeb: HTTP Header Control Character Injection into CGI Environment 06.03.2026
CVE-2026-29093 WWBN AVideo: Unauthenticated PHP session store exposed to host network via published memcached port 06.03.2026 8.1
CVE-2026-3616 DefaultFuction Jeson Customer Relationship Management System edit.php sql injection 06.03.2026
CVE-2026-3613 Wavlink WL-NU516U1 login.cgi sub_401A0C stack-based overflow 06.03.2026
CVE-2026-3610 HSC Cybersecurity Mailinspector URL mliUserValidation.php cross site scripting 06.03.2026
CVE-2026-3612 Wavlink WL-NU516U1 OTA Online Upgrade adm.cgi sub_405AF4 command injection 06.03.2026