CVE Field Guide

Critical CVEs

CVE Title Updated (dd.mm.yyyy) Score (CVSS base score, 0-10; blank where none is listed)
CVE-2026-2550 EFM iptime A6004MX timepro.cgi commit_vpncli_file_upload unrestricted upload 16.02.2026 9.3
CVE-2026-2577 Nanobot Unauthenticated WhatsApp Session Hijack via WebSocket Bridge 16.02.2026 10
CVE-2026-26366 JUNG eNet SMART HOME server 2.2.1/2.3.1 Use of Default Credentials 15.02.2026 9.3
CVE-2026-26369 JUNG eNet SMART HOME server 2.2.1/2.3.1 Privilege Escalation via setUserGroup 15.02.2026 9.3
CVE-2025-32058 Stack Overflow in processing requests over INC interface on RH850 side of Infotainment ECU 15.02.2026 9.3
CVE-2026-1490 Spam protection, Honeypot, Anti-Spam by CleanTalk <= 6.71 - Authorization Bypass via Reverse DNS (PTR record) Spoofing to Unauthenticated Arbitrary Plugin Installation 15.02.2026 9.8
CVE-2025-8572 Truelysell Core <= 1.8.7 - Unauthenticated Privilege Escalation via Registration 14.02.2026 9.8
CVE-2026-1306 midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload via 'export' AJAX Action 14.02.2026 9.8
CVE-2026-26273 Known affected by Account Takeover via Password Reset Token Leakage 13.02.2026 9.8
CVE-2026-26333 Calero VeraSMART < 2022 R1 .NET Remoting Arbitrary File Read Leading to ViewState RCE 13.02.2026 10
CVE-2026-26335 Calero VeraSMART < 2022 R1 Static IIS Machine Keys Enable ViewState RCE 13.02.2026 9.3
CVE-2026-26190 Milvus Allows Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise 13.02.2026 9.8
CVE-2026-26221 Hyland OnBase Timer Services Unauthenticated .NET Remoting RCE 13.02.2026 10
CVE-2019-25322 Heatmiser Netmonitor 3.03 - Hardcoded Credentials 13.02.2026 9.3
CVE-2026-26068 emp3r0r Agent-Controlled Metadata to Operator RCE (tmux Command Injection) 13.02.2026 9.3
CVE-2026-1358 Airleader Master Unrestricted Upload of File with Dangerous Type 13.02.2026 9.8
CVE-2026-26069 Scraparr Readarr Integration exposes sensitive values as metric labels 13.02.2026 9.1
CVE-2026-26011 Critical Heap Out-of-bounds Access in `pf_cluster_stats()` via Malicious /initialpose Covariance -- Potential Remote Code Execution 13.02.2026 9.3
CVE-2026-26020 AutoGPT Affected by Remote Code Execution via Dynamic Module Import in Block Loading (__import__) 12.02.2026 9.4
CVE-2026-25227 authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint 12.02.2026 9.1
CVE-2026-24044 ESS Community Helm Chart has a weak server key generation method 12.02.2026 9.2
CVE-2026-26218 newbee-mall Default Seeded Administrator Credentials Allow Account Takeover 12.02.2026 9.3
CVE-2026-26219 newbee-mall Unsalted MD5 Password Hashing Enables Offline Credential Cracking 12.02.2026 9.3
CVE-2026-26216 Crawl4AI < 0.8.0 Docker API Unauthenticated Remote Code Execution via Hooks Parameter 12.02.2026 10
CVE-2026-26217 Crawl4AI < 0.8.0 Docker API Local File Inclusion via file URL Handling 12.02.2026 9.2
CVE-2026-26214 Xiaomi Galaxy FDS Android SDK <= 3.0.8 TLS Hostname Verification Disabled Enables MITM 12.02.2026 9.1
CVE-2025-14014 Insecure File Upload in NTN Informatics' Smart Panel 12.02.2026 9.8
CVE-2025-10969 SQLi in Farktor Software's E-Commerce Package 12.02.2026 9.8
CVE-2026-1729 AdForest <= 6.0.12 - Authentication Bypass 12.02.2026 9.8
CVE-2026-26215 manga-image-translator Shared API Unsafe Deserialization RCE 12.02.2026 9.3
CVE-2026-26021 Prototype pollution in set-in 12.02.2026 9.4
CVE-2020-37186 Chevereto 3.13.4 Core - Remote Code Execution 12.02.2026 9.3
CVE-2026-24789 ZLAN Information Technology ZLAN5143D Missing Authentication for Critical Function 11.02.2026 9.3
CVE-2026-25084 ZLAN Information Technology ZLAN5143D Missing Authentication for Critical Function 11.02.2026 9.3
CVE-2025-12059 Improper Access Control in Logo Software's Logo j-Platform 12.02.2026 9.8
CVE-2026-2248 Unauthenticated Remote Root Shell Access via Web Console in METIS WIC 12.02.2026 9.8
CVE-2026-2249 Unauthenticated Remote Command Execution via Web Console in METIS DFS 12.02.2026 9.8
CVE-2025-8668 Reflected XSS in E-Kalite Software Hardware Engineering's Turboard 11.02.2026 9.4
CVE-2025-66277 QTS, QuTS hero 12.02.2026 9.2
CVE-2025-8025 Improper Access Control in Dinosoft Business Solutions' Dinosoft ERP 11.02.2026 9.8
CVE-2026-1357 Migration, Backup, Staging <= 0.9.123 - Unauthenticated Arbitrary File Upload 11.02.2026 9.8
CVE-2026-26009 Catalyst Affected by Remote Code Execution as Root via Containerized Install Script Execution 10.02.2026 10
CVE-2026-21531 Azure SDK for Python Remote Code Execution Vulnerability 13.02.2026 9.8
CVE-2026-25993 EverShop has a Second-Order SQL Injection in URL Rewrite Processing Derived from Category URL Keys 10.02.2026 9.3
CVE-2026-25728 ClipBucket v5 Affected by Remote Code Execution via Avatar/Background File Upload Race Condition 11.02.2026 9.3
CVE-2025-11242 SSRF in Teknolist Computer's Okulistik 10.02.2026 9.8
CVE-2026-2095 Flowring|Agentflow - Authentication Bypass 10.02.2026 9.3
CVE-2026-2096 Flowring|Agentflow - Missing Authentication 10.02.2026 9.3
CVE-2026-0488 Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor) 11.02.2026 9.9
CVE-2026-0509 Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform 10.02.2026 9.6
CVE-2026-25893 FUXA Unauthenticated Remote Code Execution via Admin JWT Minting 11.02.2026 10
CVE-2026-25894 FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration 11.02.2026 9.5
CVE-2026-25895 FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API 11.02.2026 9.5
CVE-2026-25938 FUXA Unauthenticated Remote Code Execution in Node-RED Integration 11.02.2026 9.5
CVE-2026-25939 FUXA Unauthenticated Remote Arbitrary Scheduler Write 11.02.2026 9.3
CVE-2026-25812 PlaciPy is Missing CSRF Protection on State-Changing Endpoints 10.02.2026 9.3
CVE-2026-25814 NoSQL Injection Risk via Unsanitized Query Parameters 10.02.2026 9.3
CVE-2026-25875 PlaciPy Admin Privilege Escalation via Trusted JWT Claims 10.02.2026 9.3
CVE-2026-25881 @nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape) 10.02.2026 9.1
CVE-2026-25885 PolarLearn allows Unauthenticated WebSocket access allows subscribing to and posting in arbitrary group chats 10.02.2026 10

Latest Updates

CVE Title Updated (dd.mm.yyyy) Score (CVSS base score, 0-10; blank where none is listed)
CVE-2026-2563 JingDong JD Cloud Box AX6600 jdcapp_rpc controlDevice get_status privilege escalation 16.02.2026
CVE-2025-65715 16.02.2026
CVE-2025-65716 16.02.2026
CVE-2025-65717 16.02.2026
CVE-2026-2562 JingDong JD Cloud Box AX6600 jdcweb_rpc jdcapi cast_streen privilege escalation 16.02.2026
CVE-2026-2561 JingDong JD Cloud Box AX6600 jdcweb_rpc jdcapi web_get_ddns_uptime privilege escalation 16.02.2026
CVE-2026-2032 Interrupted page loads in new tabs could allow website spoofing under trusted domains in Firefox iOS 16.02.2026
CVE-2026-2447 Heap buffer overflow in libvpx 16.02.2026
CVE-2026-2560 kalcaddle kodbox Media File Preview Plugin VideoResize.class.php run os command injection 16.02.2026
CVE-2026-1333 Use of Uninitialized Variable vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS Desktop 2025 through Release SOLIDWORKS Desktop 2026 16.02.2026 7.8
CVE-2026-1334 Out-Of-Bounds Read vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS Desktop 2025 through Release SOLIDWORKS Desktop 2026 16.02.2026 7.8
CVE-2026-1335 Out-Of-Bounds Write vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS Desktop 2025 through Release SOLIDWORKS Desktop 2026 16.02.2026 7.8
CVE-2026-2558 GeekAI net_handler.go Download server-side request forgery 16.02.2026
CVE-2026-2557 cskefu File Upload MediaController.java upload cross site scripting 16.02.2026
CVE-2026-2556 cskefu Endpoint MediaController.java server-side request forgery 16.02.2026
CVE-2025-14350 Information disclosure via channel mentions in posts 16.02.2026 4.3
CVE-2025-14573 Team Admin Bypass of Invite Permissions via allow_open_invite Field 16.02.2026 3.8
CVE-2026-1046 Arbitrary application execution via unvalidated server-controlled URLs in Help menu 16.02.2026 7.6
CVE-2025-13821 User profile update exposes password hash and MFA secrets 16.02.2026 5.7
CVE-2026-2555 JeecgBoot Retrieval-Augmented Generation AiragKnowledgeController.java importDocumentFromZip deserialization 16.02.2026
CVE-2025-2418 Open Redirect in TR7's Web Application Firewall 16.02.2026 4.3
CVE-2026-2553 tushar-2223 Hotel-Management-System HTTP POST Request home.php sql injection 16.02.2026
CVE-2026-2552 ZenTao Editor control.php delete path traversal 16.02.2026
CVE-2026-2415 Unsafe variable evaluation in email templates 16.02.2026
CVE-2026-2451 Unsafe variable evaluation in email templates 16.02.2026
CVE-2026-2452 Unsafe variable evaluation in email templates 16.02.2026
CVE-2026-2551 ZenTao Backup control.php delete path traversal 16.02.2026
CVE-2025-59903 Multiple vulnerabilities in Kubysoft 16.02.2026
CVE-2025-59904 Multiple vulnerabilities in Kubysoft 16.02.2026
CVE-2026-0997 Mattermost Zoom Plugin channel preference API lacks authorization checks 16.02.2026 4.3
CVE-2026-0998 Mattermost Zoom Plugin allows unauthorized meeting creation and post modification via insufficient API access controls 16.02.2026 4.3
CVE-2026-2550 EFM iptime A6004MX timepro.cgi commit_vpncli_file_upload unrestricted upload 16.02.2026
CVE-2026-2577 Nanobot Unauthenticated WhatsApp Session Hijack via WebSocket Bridge 16.02.2026 10
CVE-2025-59905 Reflected Cross-Site Scripting (XSS) in Kubysoft 16.02.2026
CVE-2026-0999 Authentication bypass via userID login when email and username login are disabled 16.02.2026 5.4
CVE-2026-2549 zhanghuanhao LibrarySystem 图书馆管理系统 (Library Management System) BookController.java access control 16.02.2026
CVE-2026-2548 WAYOS FBM-220G rc sub_40F820 command injection 16.02.2026
CVE-2026-2547 LigeroSmart index.pl AgentDashboard cross site scripting 16.02.2026
CVE-2026-2546 LigeroSmart index.pl cross site scripting 16.02.2026
CVE-2026-2544 yued-fe LuLu UI run.js child_process.exec os command injection 16.02.2026
CVE-2026-2545 LigeroSmart index.pl cross site scripting 16.02.2026
CVE-2026-2543 vichan-devel vichan Password Change pages.php unverified password change 16.02.2026
CVE-2026-2542 Total VPN win-service.exe unquoted search path 16.02.2026
CVE-2026-0929 RegistrationMagic < 6.0.7.2 - Subscriber+ Form Creation 16.02.2026
CVE-2026-2538 Flos Freeware Notepad2 Msimg32.dll uncontrolled search path 16.02.2026
CVE-2026-2537 Comfast CF-E4 HTTP POST Request mbox-config command injection 16.02.2026
CVE-2026-2536 opencc JFlow Workflow WF_Admin_AttrFlow.java Imp_Done xml external entity reference 16.02.2026
CVE-2026-2535 Comfast CF-N1 V2 mbox-config sub_44AB9C command injection 16.02.2026
CVE-2026-2533 Tosei Self-service Washing Machine tosei_datasend.php command injection 16.02.2026
CVE-2026-2534 Comfast CF-N1 V2 mbox-config sub_44AC4C command injection 16.02.2026
CVE-2026-2530 Wavlink WL-WN579A3 wireless.cgi AddMac command injection 16.02.2026
CVE-2026-2531 MindsDB File Upload security.py clear_filename server-side request forgery 16.02.2026
CVE-2026-2532 lintsinghua DeepAudit IP Address embedding_config.py server-side request forgery 16.02.2026
CVE-2026-2527 Wavlink WL-WN579A3 login.cgi command injection 16.02.2026
CVE-2026-2528 Wavlink WL-WN579A3 wireless.cgi Delete_Mac_list command injection 16.02.2026
CVE-2026-2529 Wavlink WL-WN579A3 wireless.cgi DeleteMac command injection 16.02.2026
CVE-2026-2525 Free5GC PFCP UDP Endpoint denial of service 16.02.2026
CVE-2026-2526 Wavlink WL-WN579A3 wireless.cgi multi_ssid command injection 16.02.2026
CVE-2026-2523 Open5GS SMF gn-handler.c smf_gn_handle_create_pdp_context_request assertion 16.02.2026
CVE-2026-2524 Open5GS MME mme_s11_handle_create_session_response denial of service 16.02.2026
CVE-2026-2522 Open5GS MME esm-build.c memory corruption 15.02.2026
CVE-2026-2521 Open5GS SGW-C sgwc_s5c_handle_create_session_response memory corruption 15.02.2026
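As an added example, not part of this listing or of any project named in it: a small Python parser for rows in the format both tables above use (CVE ID, free-text title, update date, optional score), followed by the checks a practitioner would want before triaging from such a feed: IDs whose score differs between the Critical CVEs and Latest Updates sections (CVE-2026-2550 is listed with 9.3 in one and with no score in the other), rows that carry no score yet, and a threshold filter. The pattern anchors on the date field because the title can be empty (CVE-2025-65715) and the score can be absent. The sample rows are copied from the tables above; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One row of the listing: "<CVE-ID> <title> <dd.mm.yyyy> [<score>]".
# The date is the only field guaranteed to follow the ID, so the pattern anchors
# on it: the title may be empty (CVE-2025-65715 above) and the score may be
# absent (most rows under "Latest Updates").
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})"
    r"\s*(?P<title>.*?)\s*"
    r"(?P<date>\d{2}\.\d{2}\.\d{4})"
    r"(?:\s+(?P<score>\d+(?:\.\d+)?))?$"
)


@dataclass(frozen=True)
class Row:
    cve: str
    title: str
    updated: str            # dd.mm.yyyy, as printed on the page
    score: Optional[float]  # None where the listing shows no score


def parse_row(line: str) -> Optional[Row]:
    """Parse one listing row; return None for headings and column headers."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    score = m.group("score")
    return Row(m.group("cve"), m.group("title"), m.group("date"),
               float(score) if score is not None else None)


def parse_listing(text: str) -> dict:
    """Split the page into {section heading: [Row, ...]}.

    A line that is neither a CVE row nor the 'CVE Title ...' column header is
    treated as a section heading; rows attach to the most recent heading.
    """
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("CVE Title"):
            continue
        row = parse_row(line)
        if row is None:
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(row)
    return sections


def score_discrepancies(sections: dict) -> dict:
    """CVE IDs listed in more than one section with differing scores.

    A blank score in one section and a number in another counts; that is the
    case for CVE-2026-2550 on this page, and it is the kind of inconsistency
    worth resolving against the CNA record before triaging on the number.
    """
    seen = {}
    for rows in sections.values():
        for r in rows:
            seen.setdefault(r.cve, set()).add(r.score)
    return {cve: scores for cve, scores in seen.items() if len(scores) > 1}


def unscored(sections: dict, section: str) -> list:
    """CVE IDs in one section that carry no score yet."""
    return [r.cve for r in sections.get(section, []) if r.score is None]


def at_or_above(sections: dict, threshold: float = 9.0) -> list:
    """Unique CVE IDs whose listed score meets the threshold, in page order."""
    out = []
    for rows in sections.values():
        for r in rows:
            if r.score is not None and r.score >= threshold and r.cve not in out:
                out.append(r.cve)
    return out


# Constructed sample: a handful of rows copied from the two tables above,
# chosen to cover a duplicated ID, an empty title and a missing score.
SAMPLE = """\
Critical CVEs

CVE Title Updated Score
CVE-2026-2550 EFM iptime A6004MX timepro.cgi commit_vpncli_file_upload unrestricted upload 16.02.2026 9.3
CVE-2026-26333 Calero VeraSMART < 2022 R1 .NET Remoting Arbitrary File Read Leading to ViewState RCE 13.02.2026 10
CVE-2019-25322 Heatmiser Netmonitor 3.03 - Hardcoded Credentials 13.02.2026 9.3

Latest Updates

CVE Title Updated Score
CVE-2026-2550 EFM iptime A6004MX timepro.cgi commit_vpncli_file_upload unrestricted upload 16.02.2026
CVE-2025-65715 16.02.2026
CVE-2025-14350 Information disclosure via channel mentions in posts 16.02.2026 4.3
"""

if __name__ == "__main__":
    s = parse_listing(SAMPLE)
    print("discrepancies:", score_discrepancies(s))
    print("unscored in Latest Updates:", unscored(s, "Latest Updates"))
    print("score >= 9.0:", at_or_above(s))
```

Feed the whole page to parse_listing to run the same checks over every row; anything returned by score_discrepancies or unscored is a row whose number should not be trusted until the underlying advisory has been read.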