CVE Field Guide

Critical CVEs

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-27574 | OneUptime: node:vm sandbox escape in probe allows any project member to achieve RCE | 21.02.2026 | 10 |
| CVE-2026-27452 | ASN.1 TypeScript Library: Decoding an INTEGER could leak the underlying ArrayBuffer | 21.02.2026 | 9.2 |
| CVE-2026-27471 | ERP: Document access through endpoints due to missing validation | 21.02.2026 | 9.3 |
| CVE-2026-27211 | Cloud Hypervisor: Host File Exfiltration via QCOW Backing File Abuse | 21.02.2026 | 9.1 |
| CVE-2026-27212 | Swiper has a Prototype Pollution Vulnerability | 21.02.2026 | 9.4 |
| CVE-2026-27197 | Sentry: Improper Authentication on SAML SSO process allows user identity linking | 21.02.2026 | 9.1 |
| CVE-2019-25441 | thesystem 1.0 Command Injection via run_command endpoint | 20.02.2026 | 9.3 |
| CVE-2026-2635 | MLflow Use of Default Password Authentication Bypass Vulnerability | 20.02.2026 | 9.8 |
| CVE-2026-27112 | Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints | 20.02.2026 | 9.4 |
| CVE-2026-25896 | fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names | 20.02.2026 | 9.3 |
| CVE-2021-35402 | | 20.02.2026 | 10 |
| CVE-2026-2333 | Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds | 20.02.2026 | 9.2 |
| CVE-2026-25715 | Jinan USR IOT Technology Limited (PUSR) USR-W610 Weak Password Requirements | 20.02.2026 | 9.8 |
| CVE-2026-21627 | Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 – v6.0.37 for Joomla | 21.02.2026 | 9.5 |
| CVE-2025-10970 | SQLi in Kolay Software's Talentics | 20.02.2026 | 9.8 |
| CVE-2026-26064 | calibre: Path Traversal Vulnerability Enables Arbitrary File Write and Remote Code Execution | 20.02.2026 | 9.3 |
| CVE-2026-26065 | calibre: Path Traversal can Lead to Arbitrary File Write and Potential Code Execution | 20.02.2026 | 9.3 |
| CVE-2026-26980 | Ghost has a SQL Injection in its Content API | 20.02.2026 | 9.4 |
| CVE-2026-26988 | LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream | 20.02.2026 | 9.3 |
| CVE-2025-30410 | | 21.02.2026 | 9.8 |
| CVE-2025-30411 | | 21.02.2026 | 10 |
| CVE-2025-30412 | | 21.02.2026 | 10 |
| CVE-2025-30416 | | 21.02.2026 | 10 |
| CVE-2026-27476 | RustFly 2.0.0 Command Injection via UDP Remote Control | 20.02.2026 | 9.3 |
| CVE-2026-27475 | SPIP < 4.4.9 Insecure Deserialization | 20.02.2026 | 9.2 |
| CVE-2026-2409 | | 20.02.2026 | 9.3 |
| CVE-2026-26339 | Hyland Alfresco Transformation Service Argument Injection RCE | 20.02.2026 | 9.3 |
| CVE-2026-24834 | Kata Container to Guest micro VM privilege escalation | 21.02.2026 | 9.4 |
| CVE-2026-26016 | Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization | 20.02.2026 | 9.2 |
| CVE-2026-26030 | Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable to remote code execution | 20.02.2026 | 10 |
| CVE-2025-71243 | SPIP Saisies Plugin < 5.11.1 Remote Code Execution | 19.02.2026 | 9.3 |
| CVE-2025-9953 | SQLi in Database Software's Databank Accreditation Software | 20.02.2026 | 9.8 |
| CVE-2025-8350 | Authentication Bypass with Redirect in BiEticaret Software's BiEticaret CMS | 20.02.2026 | 9.8 |
| CVE-2025-12107 | Potential authenticated Server-Side Template Injection (SSTI) vulnerability. | 20.02.2026 | 10 |
| CVE-2025-13590 | Authenticated arbitrary file upload via a System REST API requiring administrator permission. | 20.02.2026 | 9.1 |
| CVE-2026-1994 | s2Member <= 260127 - Unauthenticated Privilege Escalation via Account Takeover | 19.02.2026 | 9.8 |
| CVE-2026-2731 | Unauthenticated RCE in Dynamicweb 9 and Dynamicweb 8 | 19.02.2026 | 10 |
| CVE-2025-13563 | Lizza LMS Pro <= 1.0.3 - Unauthenticated Privilege Escalation | 19.02.2026 | 9.8 |
| CVE-2025-13851 | Buyent Theme (with Buyent Classified Plugin) <= 1.0.7 - Unauthenticated Privilege Escalation via User Registration | 19.02.2026 | 9.8 |
| CVE-2026-0926 | Prodigy Commerce <= 3.2.9 - Unauthenticated Local File Inclusion via parameters[template_name] | 19.02.2026 | 9.8 |
| CVE-2026-1405 | Slider Future <= 1.0.5 - Unauthenticated Arbitrary File Upload | 19.02.2026 | 9.8 |
| CVE-2025-12882 | Clasifico Listing <= 2.0 - Unauthenticated Privilege Escalation | 19.02.2026 | 9.8 |
| CVE-2025-15586 | | 19.02.2026 | 10 |
| CVE-2026-2686 | SECCN Dingcheng G10 session_login.cgi qq os command injection | 19.02.2026 | 9.3 |
| CVE-2026-25548 | InvoicePlane Vulnerable to Remote Code Execution via Local File Inclusion and Log Poisoning | 19.02.2026 | 9.1 |
| CVE-2019-25362 | WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Buffer OverFlow | 19.02.2026 | 9.3 |
| CVE-2019-25364 | Win10 MailCarrier 2.51 - 'POP3 User' Remote Buffer Overflow | 19.02.2026 | 9.3 |
| CVE-2026-27174 | MajorDoMo Unauthenticated Remote Code Execution via Admin Console Eval | 18.02.2026 | 9.3 |
| CVE-2026-27175 | MajorDoMo Command Injection in rc/index.php via Race Condition | 18.02.2026 | 9.2 |
| CVE-2026-27180 | MajorDoMo Supply Chain Remote Code Execution via Update URL Poisoning | 20.02.2026 | 9.3 |
| CVE-2026-23491 | InvoicePlane has Unauthenticated Path Traversal in Guest Controller | 18.02.2026 | 9.3 |
| CVE-2025-14009 | Zip Slip Vulnerability in nltk/nltk Leading to Remote Code Execution | 19.02.2026 | 10 |
| CVE-2025-70152 | | 18.02.2026 | 9.8 |
| CVE-2025-70150 | | 18.02.2026 | 9.8 |
| CVE-2025-15579 | An Insecure Deserialization vulnerability has been discovered in OpenText™ Directory Services. | 18.02.2026 | 9.5 |
| CVE-2026-2329 | Grandstream GXP1600 VoIP Phones - Unauthenticated stack buffer overflow | 18.02.2026 | 9.3 |
| CVE-2026-1435 | Incorrect management of session invalidation vulnerability in Graylog Web Interface | 18.02.2026 | 9.3 |
| CVE-2026-1937 | YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Options Update via 'yaymail_import_state' AJAX Action | 18.02.2026 | 9.8 |
| CVE-2026-1670 | Honeywell CCTV Products Missing Authentication for Critical Function | 18.02.2026 | 9.3 |
| CVE-2026-22769 | | 19.02.2026 | 10 |
| CVE-2026-23647 | Glory RBG-100 Recycler System Hard-coded OS Credentials | 18.02.2026 | 9.3 |
| CVE-2026-22208 | OpenS100 Portrayal Engine Unrestricted Lua Standard Library Access | 17.02.2026 | 9.4 |
| CVE-2026-26220 | LightLLM <= 1.1.0 PD Mode Unsafe Deserialization RCE | 17.02.2026 | 9.3 |
| CVE-2026-2564 | Intelbras VIP 3260 Z IA OutsideCmd password recovery | 17.02.2026 | 9.2 |
| CVE-2026-2550 | EFM iptime A6004MX timepro.cgi commit_vpncli_file_upload unrestricted upload | 17.02.2026 | 9.3 |
| CVE-2026-2577 | Nanobot Unauthenticated WhatsApp Session Hijack via WebSocket Bridge | 17.02.2026 | 10 |
| CVE-2026-26366 | JUNG eNet SMART HOME server 2.2.1/2.3.1 Use of Default Credentials | 17.02.2026 | 9.3 |
| CVE-2026-26369 | JUNG eNet SMART HOME server 2.2.1/2.3.1 Privilege Escalation via setUserGroup | 17.02.2026 | 9.3 |
| CVE-2025-32058 | Stack Overflow in processing requests over INC interface on RH850 side of Infotainment ECU | 17.02.2026 | 9.3 |
| CVE-2026-1490 | Spam protection, Honeypot, Anti-Spam by CleanTalk <= 6.71 - Authorization Bypass via Reverse DNS (PTR record) Spoofing to Unauthenticated Arbitrary Plugin Installation | 17.02.2026 | 9.8 |

Latest Updates

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-2871 | Tenda A21 SetIpMacBind fromSetIpMacBind stack-based overflow | 21.02.2026 | |
| CVE-2026-2869 | janet-lang janet handleattr specials.c janetc_varset out-of-bounds | 21.02.2026 | |
| CVE-2026-2870 | Tenda A21 formSetQosBand set_qosMib_list stack-based overflow | 21.02.2026 | |
| CVE-2026-2867 | itsourcecode Vehicle Management System billaction.php sql injection | 21.02.2026 | |
| CVE-2026-1787 | LearnPress Export Import <= 4.1.0 - Missing Authentication to Unauthenticated Migrated Course Deletion | 21.02.2026 | 4.8 |
| CVE-2026-27492 | Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused | 21.02.2026 | 4.7 |
| CVE-2026-27574 | OneUptime: node:vm sandbox escape in probe allows any project member to achieve RCE | 21.02.2026 | 10 |
| CVE-2026-27579 | CollabPlatform: CORS Misconfiguration Allows Arbitrary Origin With Credentials Leading to Authenticated Account Data Exposure | 21.02.2026 | 7.4 |
| CVE-2026-27576 | OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs | 21.02.2026 | |
| CVE-2026-27488 | OpenClaw hardened cron webhook delivery against SSRF | 21.02.2026 | |
| CVE-2026-27486 | OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup | 21.02.2026 | |
| CVE-2026-27487 | OpenClaw: Prevent shell injection in macOS keychain credential write | 21.02.2026 | 7.6 |
| CVE-2025-14339 | weMail <= 2.0.7 - Missing Authorization to Unauthenticated Form Deletion | 21.02.2026 | 6.5 |
| CVE-2026-27482 | Ray: Dashboard DELETE endpoints allow unauthenticated browser-triggered DoS (Serve shutdown / job deletion) | 21.02.2026 | 5.9 |
| CVE-2026-27484 | OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows | 21.02.2026 | |
| CVE-2026-27485 | OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection | 21.02.2026 | |
| CVE-2026-27480 | Static Web Server: Timing-Based Username Enumeration in Basic Authentication | 21.02.2026 | 5.3 |
| CVE-2026-27479 | Wallos: SSRF via Redirect Bypass in Logo/Icon URL Fetch | 21.02.2026 | 7.7 |
| CVE-2026-27464 | Metabase: Server-Side Template Injection via Notifications Endpoint Leads to RCE | 21.02.2026 | 7.7 |
| CVE-2026-27470 | ZoneMinder: Second-Order SQL Injection in `getNearEvents()` via Stored Event Name and Cause Fields | 21.02.2026 | 8.8 |
| CVE-2026-27469 | Isso: Stored XSS via comment website field | 21.02.2026 | 6.1 |
| CVE-2026-2864 | feng_ha_ha/megagao ssm-erp/production_ssm PictureController.java pictureDelete path traversal | 21.02.2026 | |
| CVE-2026-2865 | itsourcecode Agri-Trading Online Shopping System HTTP POST Request productcontroller.php sql injection | 21.02.2026 | |
| CVE-2026-27466 | BigBlueButton: Exposed ClamAV port enables Denial of Service | 21.02.2026 | 7.2 |
| CVE-2026-27467 | BigBlueButton: Audio from participants to the server initially unmuted | 21.02.2026 | 2 |
| CVE-2026-27206 | Zumba Json Serializer has a potential PHP Object Injection via Unrestricted @type in unserialize() | 21.02.2026 | 8.1 |
| CVE-2026-27452 | ASN.1 TypeScript Library: Decoding an INTEGER could leak the underlying ArrayBuffer | 21.02.2026 | |
| CVE-2026-27458 | LinkAce: Stored XSS in Atom Feed via CDATA Escape in List Description | 21.02.2026 | |
| CVE-2026-27471 | ERP: Document access through endpoints due to missing validation | 21.02.2026 | |
| CVE-2026-2861 | Foswiki Changes/Viewfile/Oops information disclosure | 21.02.2026 | |
| CVE-2026-2863 | feng_ha_ha/megagao ssm-erp/production_ssm FileServiceImpl.java deleteFile path traversal | 21.02.2026 | |
| CVE-2026-26045 | Moodle: moodle: improper validation in file restore functionality leading to remote code execution | 21.02.2026 | |
| CVE-2026-26046 | Moodle: moodle: improper input sanitization in tex filter administration setting | 21.02.2026 | |
| CVE-2026-26047 | Moodle: moodle: uncontrolled resource consumption in tex formula editor leading to denial of service | 21.02.2026 | |
| CVE-2026-27211 | Cloud Hypervisor: Host File Exfiltration via QCOW Backing File Abuse | 21.02.2026 | |
| CVE-2026-27212 | Swiper has a Prototype Pollution Vulnerability | 21.02.2026 | |
| CVE-2026-27205 | Flask session does not add `Vary: Cookie` header when accessed in some ways | 21.02.2026 | |
| CVE-2026-27210 | Pannellum has a XSS vulnerability in hot spot attributes | 21.02.2026 | |
| CVE-2026-27198 | Formwork Improperly Manages Privileges During User Creation | 21.02.2026 | 8.8 |
| CVE-2026-27199 | Werkzeug safe_join() allows Windows special device names | 21.02.2026 | |
| CVE-2026-27196 | Statamic affected by privilege escalation via stored Cross-site Scripting | 21.02.2026 | 8.1 |
| CVE-2026-27197 | Sentry: Improper Authentication on SAML SSO process allows user identity linking | 21.02.2026 | 9.1 |
| CVE-2026-2860 | feng_ha_ha/megagao ssm-erp/production_ssm EmployeeController.java improper authorization | 21.02.2026 | |
| CVE-2026-27193 | Feathers exposes internal headers via unencrypted session cookie | 21.02.2026 | |
| CVE-2026-27194 | D-Tale affected by Remote Code Execution through the /save-column-filter endpoint | 21.02.2026 | |
| CVE-2026-27527 | | 21.02.2026 | |
| CVE-2026-27528 | | 21.02.2026 | |
| CVE-2026-27529 | | 21.02.2026 | |
| CVE-2026-27530 | | 21.02.2026 | |
| CVE-2026-27531 | | 21.02.2026 | |
| CVE-2026-27532 | | 21.02.2026 | |
| CVE-2026-27533 | | 21.02.2026 | |
| CVE-2026-27534 | | 21.02.2026 | |
| CVE-2026-27191 | Feathers: Open Redirect in OAuth callback enables account takeover | 21.02.2026 | |
| CVE-2026-27192 | Feathers has an origin validation bypass via prefix matching | 21.02.2026 | |
| CVE-2025-65995 | Apache Airflow: Disclosure of secrets to UI via kwargs | 21.02.2026 | |
| CVE-2026-27170 | OpenSift: SSRF risk in URL ingestion endpoint | 20.02.2026 | 7.1 |
| CVE-2026-27189 | OpenSift: Race-prone local persistence could cause state corruption/loss | 21.02.2026 | 6.6 |
| CVE-2026-27169 | OpenSift: Persistent XSS Chat Tool Rendering | 20.02.2026 | 8.9 |
| CVE-2026-27168 | SAIL: Heap-based Buffer Overflow in Sail-codecs-xwd | 20.02.2026 | 8.8 |
| CVE-2026-27203 | eBay API MCP Server Affected by Environment Variable Injection | 20.02.2026 | 8.3 |
| CVE-2026-27161 | Unauthenticated Information Disclosure via .htaccess Reliance in Sensitive Directories | 20.02.2026 | |
| CVE-2026-27202 | GetSimple CMS: Uploaded Files (feature) Arbitrary File Read Vulnerability | 20.02.2026 | |
| CVE-2026-27134 | Strimzi: All CAs from a custom CA chain consisting of multiple CAs are trusted for mTLS user authentication | 20.02.2026 | 8.1 |
| CVE-2026-27146 | GetSimple CMS: Cross-Site Request Forgery (CSRF) in File Upload Allows Arbitrary Uploads | 20.02.2026 | |
| CVE-2026-27147 | GetSimple CMS: Stored Cross-Site Scripting (XSS) via SVG File Upload (Authenticated) | 20.02.2026 | |
| CVE-2018-25158 | Chamilo LMS 1.11.8 Arbitrary File Upload via elfinder | 20.02.2026 | |
| CVE-2019-25431 | delpino73 Blue-Smiley-Organizer 1.32 SQL Injection via datetime | 20.02.2026 | |
| CVE-2019-25432 | Part-DB 0.4 Authentication Bypass via login.php | 20.02.2026 | |
| CVE-2019-25434 | SpotAuditor 5.3.1.0 Denial of Service via Registration Name Field | 20.02.2026 | |
| CVE-2019-25435 | Sricam DeviceViewer 3.12.0.1 Local Buffer Overflow DEP Bypass | 20.02.2026 | |
| CVE-2019-25436 | Sricam DeviceViewer 3.12.0.1 Password Change Security Bypass | 20.02.2026 | |
| CVE-2019-25437 | Foscam Video Management System 1.1.6.6 Buffer Overflow Denial of Service | 20.02.2026 | |
| CVE-2019-25438 | LabCollector 5.423 SQL Injection via login.php | 20.02.2026 | |
| CVE-2019-25441 | thesystem 1.0 Command Injection via run_command endpoint | 20.02.2026 | |
| CVE-2019-25447 | OrientDB 3.0.17 Cross-Site Request Forgery | 20.02.2026 | |
| CVE-2019-25448 | OrientDB 3.0.17 Stored Cross-Site Scripting via User Creation | 20.02.2026 | |
| CVE-2019-25449 | OrientDB 3.0.17 Reflected Cross-Site Scripting via document endpoint | 20.02.2026 | |
| CVE-2019-25451 | phpMoAdmin 1.1.5 Cross-Site Request Forgery via moadmin.php | 20.02.2026 | |
| CVE-2019-25453 | phpMoAdmin 1.1.5 Reflected Cross-Site Scripting via moadmin.php | 20.02.2026 | |
| CVE-2019-25454 | phpMoAdmin 1.1.5 Stored Cross-Site Scripting via collection Parameter | 20.02.2026 | |
| CVE-2026-27119 | Svelte affected by XSS in SSR `<option>` element | 20.02.2026 | |
| CVE-2026-27121 | Svelte affected by cross-site scripting via spread attributes in Svelte SSR | 20.02.2026 | |
| CVE-2026-27122 | Svelte SSR does not validate dynamic element tag names in `<svelte:element>` | 20.02.2026 | |
| CVE-2026-27125 | Svelte SSR attribute spreading includes inherited properties from prototype chain | 20.02.2026 | |
| CVE-2026-27133 | Strimzi All CAs from CA chain will be trusted in Kafka Connect and Kafka MirrorMaker 2 target clusters | 20.02.2026 | 5.9 |
| CVE-2026-2490 | RustDesk Client for Windows Transfer File Link Following Information Disclosure Vulnerability | 20.02.2026 | |
| CVE-2026-2635 | MLflow Use of Default Password Authentication Bypass Vulnerability | 20.02.2026 | |
| CVE-2026-2033 | MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability | 20.02.2026 | |
| CVE-2026-2034 | Sante DICOM Viewer Pro DCM File Parsing Buffer Overflow Remote Code Execution Vulnerability | 20.02.2026 | |
| CVE-2026-2035 | Deciso OPNsense diag_backup.php filename Command Injection Remote Code Execution Vulnerability | 20.02.2026 | |
| CVE-2026-2036 | GFI Archiver MArc.Store Deserialization of Untrusted Data Remote Code Execution Vulnerability | 20.02.2026 | |
| CVE-2026-2037 | GFI Archiver MArc.Core Deserialization of Untrusted Data Remote Code Execution Vulnerability | 20.02.2026 | |
| CVE-2026-2038 | GFI Archiver MArc.Core Missing Authorization Authentication Bypass Vulnerability | 20.02.2026 | |
| CVE-2026-2039 | GFI Archiver MArc.Store Missing Authorization Authentication Bypass Vulnerability | 20.02.2026 | |
| CVE-2026-2040 | PDF-XChange Editor TrackerUpdate Uncontrolled Search Path Element Local Privilege Escalation Vulnerability | 20.02.2026 | |
| CVE-2026-2041 | Nagios Host zabbixagent_configwizard_func Command Injection Remote Code Execution Vulnerability | 20.02.2026 | |
| CVE-2026-2042 | Nagios Host monitoringwizard Command Injection Remote Code Execution Vulnerability | 20.02.2026 | |
| CVE-2026-2043 | Nagios Host esensors_websensor_configwizard_func Command Injection Remote Code Execution Vulnerability | 20.02.2026 | |
| CVE-2026-2044 | GIMP PGM File Parsing Uninitialized Memory Remote Code Execution Vulnerability | 21.02.2026 | |
| CVE-2026-2045 | GIMP XWD File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability | 21.02.2026 | |
| CVE-2026-2047 | GIMP ICNS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability | 21.02.2026 | |
| CVE-2026-2048 | GIMP XWD File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability | 21.02.2026 | |
| CVE-2026-2492 | TensorFlow HDF5 Library Uncontrolled Search Path Element Local Privilege Escalation Vulnerability | 20.02.2026 | |
| CVE-2026-0777 | Xmind Attachment Insufficient UI Warning Remote Code Execution Vulnerability | 20.02.2026 | |
| CVE-2026-0797 | GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability | 20.02.2026 | |
| CVE-2026-27113 | Liquid Prompt arbitrary command injection via crafted Git branch names in gitstatusd backend | 20.02.2026 | 6.3 |
| CVE-2026-2858 | wren-lang wren Source File wren_compiler.c peekChar out-of-bounds | 20.02.2026 | |
| CVE-2026-27111 | Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints | 20.02.2026 | |
| CVE-2026-27112 | Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints | 20.02.2026 | |
| CVE-2026-27118 | Cache poisoning in @sveltejs/adapter-vercel | 20.02.2026 | |
| CVE-2026-27120 | Leaf-kit html escaping does not work on characters that are part of extended grapheme cluster | 20.02.2026 | 6.1 |