| CVE-2026-26216 | Crawl4AI < 0.8.0 Docker API Unauthenticated Remote Code Execution via Hooks Parameter | 12.02.2026 | 10 |
| CVE-2026-26217 | Crawl4AI < 0.8.0 Docker API Local File Inclusion via file URL Handling | 12.02.2026 | 9.2 |
| CVE-2026-26214 | Xiaomi Galaxy FDS Android SDK <= 3.0.8 TLS Hostname Verification Disabled Enables MITM | 12.02.2026 | 9.1 |
| CVE-2025-14014 | Insecure File Upload in NTN Informatics' Smart Panel | 12.02.2026 | 9.8 |
| CVE-2025-10969 | SQLi in Farktor Software's E-Commerce Package | 12.02.2026 | 9.8 |
| CVE-2026-1729 | AdForest <= 6.0.12 - Authentication Bypass | 12.02.2026 | 9.8 |
| CVE-2026-26215 | manga-image-translator Shared API Unsafe Deserialization RCE | 12.02.2026 | 9.3 |
| CVE-2026-26021 | Prototype pollution in set-in | 11.02.2026 | 9.4 |
| CVE-2020-37186 | Chevereto 3.13.4 Core - Remote Code Execution | 11.02.2026 | 9.3 |
| CVE-2026-24789 | ZLAN Information Technology ZLAN5143D Missing Authentication for Critical Function | 11.02.2026 | 9.3 |
| CVE-2026-25084 | ZLAN Information Technology ZLAN5143D Missing Authentication for Critical Function | 11.02.2026 | 9.3 |
| CVE-2025-12059 | Improper Access Control in Logo Software's Logo j-Platform | 12.02.2026 | 9.8 |
| CVE-2026-2248 | Unauthenticated Remote Root Shell Access via Web Console in METIS WIC | 12.02.2026 | 9.8 |
| CVE-2026-2249 | Unauthenticated Remote Command Execution via Web Console in METIS DFS | 12.02.2026 | 9.8 |
| CVE-2025-8668 | Reflected XSS in E-Kalite Software Hardware Engineering's Turboard | 11.02.2026 | 9.4 |
| CVE-2025-66277 | QTS, QuTS hero | 12.02.2026 | 9.2 |
| CVE-2025-8025 | Improper Access Control in Dinosoft Business Solutions' Dinosoft ERP | 11.02.2026 | 9.8 |
| CVE-2026-1357 | Migration, Backup, Staging <= 0.9.123 - Unauthenticated Arbitrary File Upload | 11.02.2026 | 9.8 |
| CVE-2026-26009 | Catalyst Affected by Remote Code Execution as Root via Containerized Install Script Execution | 10.02.2026 | 10 |
| CVE-2026-21531 | Azure SDK for Python Remote Code Execution Vulnerability | 11.02.2026 | 9.8 |
| CVE-2026-25993 | EverShop has a Second-Order SQL Injection in URL Rewrite Processing Derived from Category URL Keys | 10.02.2026 | 9.3 |
| CVE-2026-25728 | ClipBucket v5 Affected by Remote Code Execution via Avatar/Background File Upload Race Condition | 11.02.2026 | 9.3 |
| CVE-2025-11242 | SSRF in Teknolist Computer's Okulistik | 10.02.2026 | 9.8 |
| CVE-2026-2095 | Flowring\|Agentflow - Authentication Bypass | 10.02.2026 | 9.3 |
| CVE-2026-2096 | Flowring\|Agentflow - Missing Authentication | 10.02.2026 | 9.3 |
| CVE-2026-0488 | Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor) | 11.02.2026 | 9.9 |
| CVE-2026-0509 | Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform | 10.02.2026 | 9.6 |
| CVE-2026-25893 | FUXA Unauthenticated Remote Code Execution via Admin JWT Minting | 11.02.2026 | 10 |
| CVE-2026-25894 | FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration | 11.02.2026 | 9.5 |
| CVE-2026-25895 | FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API | 11.02.2026 | 9.5 |
| CVE-2026-25938 | FUXA Unauthenticated Remote Code Execution in Node-RED Integration | 11.02.2026 | 9.5 |
| CVE-2026-25939 | FUXA Unauthenticated Remote Arbitrary Scheduler Write | 11.02.2026 | 9.3 |
| CVE-2026-25812 | PlaciPy is Missing CSRF Protection on State-Changing Endpoints | 10.02.2026 | 9.3 |
| CVE-2026-25814 | NoSQL Injection Risk via Unsanitized Query Parameters | 10.02.2026 | 9.3 |
| CVE-2026-25875 | PlaciPy Admin Privilege Escalation via Trusted JWT Claims | 10.02.2026 | 9.3 |
| CVE-2026-25881 | @nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape) | 10.02.2026 | 9.1 |
| CVE-2026-25885 | PolarLearn allows Unauthenticated WebSocket access allows subscribing to and posting in arbitrary group chats | 10.02.2026 | 10 |
| CVE-2026-25057 | Zip Slip in MarkUs config upload allowing RCE | 10.02.2026 | 9.1 |
| CVE-2025-66630 | Fiber insecurely falls back in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure | 10.02.2026 | 9.2 |
| CVE-2025-6830 | SQLi in Xpoda Türkiye Information Technology's Password Module | 11.02.2026 | 9.8 |
| CVE-2026-25848 | | 10.02.2026 | 9.1 |
| CVE-2026-22903 | Stack Overflow via SESSIONID Cookie in lighttpd | 09.02.2026 | 9.8 |
| CVE-2026-22904 | Stack Overflow via Oversized Cookie Fields in lighttpd | 09.02.2026 | 9.8 |
| CVE-2026-22906 | Hardcoded Key Allows Credential Disclosure | 09.02.2026 | 9.8 |
| CVE-2026-2234 | HGiga\|C&Cm@il - Missing Authentication | 09.02.2026 | 9.3 |
| CVE-2026-1868 | Improper Neutralization of Special Elements Used in a Template Engine in GitLab AI Gateway | 09.02.2026 | 9.9 |
| CVE-2026-1615 | | 09.02.2026 | 9.2 |
| CVE-2025-15027 | JAY Login & Register <= 2.6.03 - Unauthenticated Privilege Escalation via jay_login_register_ajax_create_final_user | 09.02.2026 | 9.8 |
| CVE-2026-25858 | macrozheng mall <= 1.0.3 Unauthenticated Password Reset via OTP Disclosure | 10.02.2026 | 9.3 |
| CVE-2020-37135 | AMSS++ 4.7 - Backdoor Admin Account | 10.02.2026 | 9.3 |
| CVE-2026-25803 | 3DP-MANAGER Uses Hard-coded Credentials | 09.02.2026 | 9.8 |
| CVE-2026-25763 | Command Injection on OpenProject repositories leads to Remote Code Execution | 09.02.2026 | 9.4 |
| CVE-2026-1731 | Remote code execution vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) | 10.02.2026 | 9.9 |
| CVE-2026-1727 | Information Disclosure via Bucket Squatting in Google Cloud Agentspace. | 09.02.2026 | 9.1 |
| CVE-2026-25544 | Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters | 09.02.2026 | 9.8 |
| CVE-2026-25592 | Semantic Kernel has an Arbitrary File Write via AI Agent Function Calling in .NET SDK | 09.02.2026 | 10 |
| CVE-2026-25632 | EPyT-Flow has unsafe JSON deserialization (__type__) | 06.02.2026 | 10 |
| CVE-2026-25520 | SandboxJS has a Sandbox Escape | 06.02.2026 | 10 |
| CVE-2026-25586 | SandboxJS has a Sandbox Escape via Prototype Whitelist Bypass and Host Prototype Pollution | 06.02.2026 | 10 |
| CVE-2026-25587 | SandboxJS has a Sandbox Escape | 06.02.2026 | 10 |
| CVE-2026-25641 | SandboxJS has a sandbox escape via TOCTOU bug on keys in property accesses | 06.02.2026 | 10 |
| CVE-2026-1709 | Keylime: keylime: authentication bypass allows unauthorized administrative operations due to missing client-side tls authentication | 09.02.2026 | 9.4 |
| CVE-2026-25643 | Frigate Affected by Authenticated Remote Command Execution (RCE) and Container Escape | 06.02.2026 | 9.1 |
| CVE-2026-25751 | FUXA Unauthenticated Exposure of Plaintext Database Credentials | 09.02.2026 | 9.1 |
| CVE-2026-25752 | FUXA Unauthenticated Remote Arbitrary Device Tag Write | 09.02.2026 | 9.3 |
| CVE-2026-25753 | PlaciPy has a Hard-Coded Default Password for All Student Accounts (Account Takeover) | 09.02.2026 | 9.3 |
| CVE-2025-69212 | OpenSTAManager has an OS Command Injection in P7M File Processing | 09.02.2026 | 9.4 |
| CVE-2025-64111 | Gogs's update .git/config file allows remote command execution | 07.02.2026 | 9.3 |
| CVE-2026-2017 | IP-COM W30AP POST Request wx3auth R7WebsSecurityHandler stack-based overflow | 06.02.2026 | 9.3 |
| CVE-2026-1499 | WP Duplicate <= 1.1.8 - Authenticated (Subscriber+) Arbitrary File Upload via 'process_add_site' AJAX Action | 06.02.2026 | 9.8 |
| CVE-2026-21643 | | 11.02.2026 | 9.1 |
| CVE-2026-21626 | Extension - stackideas.com - Information disclosure in post custom fields in EasyDiscuss 1.0.0-5.0.15 for Joomla | 06.02.2026 | 9.2 |
| CVE-2026-24300 | Azure Front Door Elevation of Privilege Vulnerability | 11.02.2026 | 9.8 |