CVE Field Guide

Critical CVEs

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-26216 | Crawl4AI < 0.8.0 Docker API Unauthenticated Remote Code Execution via Hooks Parameter | 12.02.2026 | 10 |
| CVE-2026-26217 | Crawl4AI < 0.8.0 Docker API Local File Inclusion via file URL Handling | 12.02.2026 | 9.2 |
| CVE-2026-26214 | Xiaomi Galaxy FDS Android SDK <= 3.0.8 TLS Hostname Verification Disabled Enables MITM | 12.02.2026 | 9.1 |
| CVE-2025-14014 | Insecure File Upload in NTN Informatics' Smart Panel | 12.02.2026 | 9.8 |
| CVE-2025-10969 | SQLi in Farktor Software's E-Commerce Package | 12.02.2026 | 9.8 |
| CVE-2026-1729 | AdForest <= 6.0.12 - Authentication Bypass | 12.02.2026 | 9.8 |
| CVE-2026-26215 | manga-image-translator Shared API Unsafe Deserialization RCE | 12.02.2026 | 9.3 |
| CVE-2026-26021 | Prototype pollution in set-in | 11.02.2026 | 9.4 |
| CVE-2020-37186 | Chevereto 3.13.4 Core - Remote Code Execution | 11.02.2026 | 9.3 |
| CVE-2026-24789 | ZLAN Information Technology ZLAN5143D Missing Authentication for Critical Function | 11.02.2026 | 9.3 |
| CVE-2026-25084 | ZLAN Information Technology ZLAN5143D Missing Authentication for Critical Function | 11.02.2026 | 9.3 |
| CVE-2025-12059 | Improper Access Control in Logo Software's Logo j-Platform | 12.02.2026 | 9.8 |
| CVE-2026-2248 | Unauthenticated Remote Root Shell Access via Web Console in METIS WIC | 12.02.2026 | 9.8 |
| CVE-2026-2249 | Unauthenticated Remote Command Execution via Web Console in METIS DFS | 12.02.2026 | 9.8 |
| CVE-2025-8668 | Reflected XSS in E-Kalite Software Hardware Engineering's Turboard | 11.02.2026 | 9.4 |
| CVE-2025-66277 | QTS, QuTS hero | 12.02.2026 | 9.2 |
| CVE-2025-8025 | Improper Access Control in Dinosoft Business Solutions' Dinosoft ERP | 11.02.2026 | 9.8 |
| CVE-2026-1357 | Migration, Backup, Staging <= 0.9.123 - Unauthenticated Arbitrary File Upload | 11.02.2026 | 9.8 |
| CVE-2026-26009 | Catalyst Affected by Remote Code Execution as Root via Containerized Install Script Execution | 10.02.2026 | 10 |
| CVE-2026-21531 | Azure SDK for Python Remote Code Execution Vulnerability | 11.02.2026 | 9.8 |
| CVE-2026-25993 | EverShop has a Second-Order SQL Injection in URL Rewrite Processing Derived from Category URL Keys | 10.02.2026 | 9.3 |
| CVE-2026-25728 | ClipBucket v5 Affected by Remote Code Execution via Avatar/Background File Upload Race Condition | 11.02.2026 | 9.3 |
| CVE-2025-11242 | SSRF in Teknolist Computer's Okulistik | 10.02.2026 | 9.8 |
| CVE-2026-2095 | Flowring\|Agentflow - Authentication Bypass | 10.02.2026 | 9.3 |
| CVE-2026-2096 | Flowring\|Agentflow - Missing Authentication | 10.02.2026 | 9.3 |
| CVE-2026-0488 | Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor) | 11.02.2026 | 9.9 |
| CVE-2026-0509 | Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform | 10.02.2026 | 9.6 |
| CVE-2026-25893 | FUXA Unauthenticated Remote Code Execution via Admin JWT Minting | 11.02.2026 | 10 |
| CVE-2026-25894 | FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration | 11.02.2026 | 9.5 |
| CVE-2026-25895 | FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API | 11.02.2026 | 9.5 |
| CVE-2026-25938 | FUXA Unauthenticated Remote Code Execution in Node-RED Integration | 11.02.2026 | 9.5 |
| CVE-2026-25939 | FUXA Unauthenticated Remote Arbitrary Scheduler Write | 11.02.2026 | 9.3 |
| CVE-2026-25812 | PlaciPy is Missing CSRF Protection on State-Changing Endpoints | 10.02.2026 | 9.3 |
| CVE-2026-25814 | NoSQL Injection Risk via Unsanitized Query Parameters | 10.02.2026 | 9.3 |
| CVE-2026-25875 | PlaciPy Admin Privilege Escalation via Trusted JWT Claims | 10.02.2026 | 9.3 |
| CVE-2026-25881 | @nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape) | 10.02.2026 | 9.1 |
| CVE-2026-25885 | PolarLearn Unauthenticated WebSocket access allows subscribing to and posting in arbitrary group chats | 10.02.2026 | 10 |
| CVE-2026-25057 | Zip Slip in MarkUs config upload allowing RCE | 10.02.2026 | 9.1 |
| CVE-2025-66630 | Fiber insecurely falls back in utils.UUIDv4() / utils.UUID() — predictable / zero-UUID on crypto/rand failure | 10.02.2026 | 9.2 |
| CVE-2025-6830 | SQLi in Xpoda Türkiye Information Technology's Password Module | 11.02.2026 | 9.8 |
| CVE-2026-25848 | | 10.02.2026 | 9.1 |
| CVE-2026-22903 | Stack Overflow via SESSIONID Cookie in lighttpd | 09.02.2026 | 9.8 |
| CVE-2026-22904 | Stack Overflow via Oversized Cookie Fields in lighttpd | 09.02.2026 | 9.8 |
| CVE-2026-22906 | Hardcoded Key Allows Credential Disclosure | 09.02.2026 | 9.8 |
| CVE-2026-2234 | HGiga\|C&Cm@il - Missing Authentication | 09.02.2026 | 9.3 |
| CVE-2026-1868 | Improper Neutralization of Special Elements Used in a Template Engine in GitLab AI Gateway | 09.02.2026 | 9.9 |
| CVE-2026-1615 | | 09.02.2026 | 9.2 |
| CVE-2025-15027 | JAY Login & Register <= 2.6.03 - Unauthenticated Privilege Escalation via jay_login_register_ajax_create_final_user | 09.02.2026 | 9.8 |
| CVE-2026-25858 | macrozheng mall <= 1.0.3 Unauthenticated Password Reset via OTP Disclosure | 10.02.2026 | 9.3 |
| CVE-2020-37135 | AMSS++ 4.7 - Backdoor Admin Account | 10.02.2026 | 9.3 |
| CVE-2026-25803 | 3DP-MANAGER Uses Hard-coded Credentials | 09.02.2026 | 9.8 |
| CVE-2026-25763 | Command Injection on OpenProject repositories leads to Remote Code Execution | 09.02.2026 | 9.4 |
| CVE-2026-1731 | Remote code execution vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) | 10.02.2026 | 9.9 |
| CVE-2026-1727 | Information Disclosure via Bucket Squatting in Google Cloud Agentspace | 09.02.2026 | 9.1 |
| CVE-2026-25544 | Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters | 09.02.2026 | 9.8 |
| CVE-2026-25592 | Semantic Kernel has an Arbitrary File Write via AI Agent Function Calling in .NET SDK | 09.02.2026 | 10 |
| CVE-2026-25632 | EPyT-Flow has unsafe JSON deserialization (`__type__`) | 06.02.2026 | 10 |
| CVE-2026-25520 | SandboxJS has a Sandbox Escape | 06.02.2026 | 10 |
| CVE-2026-25586 | SandboxJS has a Sandbox Escape via Prototype Whitelist Bypass and Host Prototype Pollution | 06.02.2026 | 10 |
| CVE-2026-25587 | SandboxJS has a Sandbox Escape | 06.02.2026 | 10 |
| CVE-2026-25641 | SandboxJS has a sandbox escape via TOCTOU bug on keys in property accesses | 06.02.2026 | 10 |
| CVE-2026-1709 | Keylime: authentication bypass allows unauthorized administrative operations due to missing client-side TLS authentication | 09.02.2026 | 9.4 |
| CVE-2026-25643 | Frigate Affected by Authenticated Remote Command Execution (RCE) and Container Escape | 06.02.2026 | 9.1 |
| CVE-2026-25751 | FUXA Unauthenticated Exposure of Plaintext Database Credentials | 09.02.2026 | 9.1 |
| CVE-2026-25752 | FUXA Unauthenticated Remote Arbitrary Device Tag Write | 09.02.2026 | 9.3 |
| CVE-2026-25753 | PlaciPy has a Hard-Coded Default Password for All Student Accounts (Account Takeover) | 09.02.2026 | 9.3 |
| CVE-2025-69212 | OpenSTAManager has an OS Command Injection in P7M File Processing | 09.02.2026 | 9.4 |
| CVE-2025-64111 | Gogs's update .git/config file allows remote command execution | 07.02.2026 | 9.3 |
| CVE-2026-2017 | IP-COM W30AP POST Request wx3auth R7WebsSecurityHandler stack-based overflow | 06.02.2026 | 9.3 |
| CVE-2026-1499 | WP Duplicate <= 1.1.8 - Authenticated (Subscriber+) Arbitrary File Upload via 'process_add_site' AJAX Action | 06.02.2026 | 9.8 |
| CVE-2026-21643 | | 11.02.2026 | 9.1 |
| CVE-2026-21626 | Extension - stackideas.com - Information disclosure in post custom fields in EasyDiscuss 1.0.0-5.0.15 for Joomla | 06.02.2026 | 9.2 |
| CVE-2026-24300 | Azure Front Door Elevation of Privilege Vulnerability | 11.02.2026 | 9.8 |

Latest Updates

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2025-70886 | | 12.02.2026 | |
| CVE-2026-26216 | Crawl4AI < 0.8.0 Docker API Unauthenticated Remote Code Execution via Hooks Parameter | 12.02.2026 | |
| CVE-2026-26217 | Crawl4AI < 0.8.0 Docker API Local File Inclusion via file URL Handling | 12.02.2026 | |
| CVE-2025-69634 | | 12.02.2026 | |
| CVE-2026-26214 | Xiaomi Galaxy FDS Android SDK <= 3.0.8 TLS Hostname Verification Disabled Enables MITM | 12.02.2026 | |
| CVE-2023-31313 | | 12.02.2026 | 7.2 |
| CVE-2026-1104 | FastDup – Fastest WordPress Migration & Duplicator <= 2.7.1 - Missing Authorization to Authenticated (Contributor+) Backup Creation and Download | 12.02.2026 | 8.8 |
| CVE-2025-14014 | Insecure File Upload in NTN Informatics' Smart Panel | 12.02.2026 | 9.8 |
| CVE-2026-1320 | Secure Copy Content Protection and Content Locking <= 4.9.8 - Unauthenticated Stored Cross-Site Scripting via X-Forwarded-For Header | 12.02.2026 | 7.2 |
| CVE-2025-10969 | SQLi in Farktor Software's E-Commerce Package | 12.02.2026 | 9.8 |
| CVE-2025-13002 | XSS in Farktor Software's E-Commerce Package | 12.02.2026 | 8.2 |
| CVE-2025-13004 | IDOR in Farktor Software's E-Commerce Package | 12.02.2026 | 6.3 |
| CVE-2026-2003 | PostgreSQL oidvector discloses a few bytes of memory | 12.02.2026 | 4.3 |
| CVE-2026-2004 | PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code | 12.02.2026 | 8.8 |
| CVE-2026-2005 | PostgreSQL pgcrypto heap buffer overflow executes arbitrary code | 12.02.2026 | 8.8 |
| CVE-2026-2006 | PostgreSQL missing validation of multibyte character length executes arbitrary code | 12.02.2026 | 8.8 |
| CVE-2026-2007 | PostgreSQL pg_trgm heap buffer overflow writes pattern onto server memory | 12.02.2026 | 8.2 |
| CVE-2026-1316 | Customer Reviews for WooCommerce <= 5.97.0 - Unauthenticated Stored Cross-Site Scripting via media[].href Parameter | 12.02.2026 | 7.2 |
| CVE-2026-1671 | Activity Log for WordPress <= 1.2.8 - Missing Authorization to Sensitive Information Exposure via Log File | 12.02.2026 | 6.5 |
| CVE-2025-15574 | Insecure Credential Generation for Solax Power Pocket WiFi models MQTT Cloud Connection | 12.02.2026 | |
| CVE-2025-15575 | Missing Firmware Authenticity Checks in Solax Power Pocket WiFi models | 12.02.2026 | |
| CVE-2025-15573 | Missing Certificate Validation for Solax Power Pocket WiFi models MQTT Cloud Connection | 12.02.2026 | |
| CVE-2026-2276 | Reflected Cross-Site Scripting in the Wix web application | 12.02.2026 | |
| CVE-2026-1356 | Converter for Media – Optimize images \| Convert WebP & AVIF <= 6.5.1 - Unauthenticated Server-Side Request Forgery via src | 12.02.2026 | 4.8 |
| CVE-2025-41117 | XSS in Grafana Explore stack trace | 12.02.2026 | 6.8 |
| CVE-2026-21722 | Public Dashboards time range restriction on annotations can be bypassed | 12.02.2026 | 5.3 |
| CVE-2025-15577 | Valmet DNA Web server arbitrary file read access | 12.02.2026 | |
| CVE-2025-14892 | Prime Listing Manager <= 1.1 - Unauthenticated Privilege Escalation | 12.02.2026 | |
| CVE-2026-2327 | | 12.02.2026 | 5.3 |
| CVE-2026-25676 | | 12.02.2026 | |
| CVE-2026-2391 | qs's arrayLimit bypass in comma parsing allows denial of service | 12.02.2026 | |
| CVE-2026-26085 | | 12.02.2026 | |
| CVE-2026-26086 | | 12.02.2026 | |
| CVE-2026-26087 | | 12.02.2026 | |
| CVE-2026-26088 | | 12.02.2026 | |
| CVE-2026-26089 | | 12.02.2026 | |
| CVE-2026-26090 | | 12.02.2026 | |
| CVE-2026-26091 | | 12.02.2026 | |
| CVE-2026-26092 | | 12.02.2026 | |
| CVE-2026-1537 | LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.6 - Missing Authorization to Booking Details Exposure | 12.02.2026 | 5.3 |
| CVE-2026-26234 | JUNG Smart Visu Server - Improper Neutralization of HTTP Headers for Scripting Syntax | 12.02.2026 | |
| CVE-2026-26235 | JUNG Smart Visu Server 1.1.1050 - 'JUNG Smart Visu Server' Missing Authentication | 12.02.2026 | |
| CVE-2026-0969 | Arbitrary code execution in React server-side rendering of untrusted MDX content | 12.02.2026 | 8.8 |
| CVE-2026-23856 | | 12.02.2026 | 7.8 |
| CVE-2026-23857 | | 12.02.2026 | 8.2 |
| CVE-2026-1729 | AdForest <= 6.0.12 - Authentication Bypass | 12.02.2026 | 9.8 |
| CVE-2025-43403 | | 11.02.2026 | |
| CVE-2025-43417 | | 11.02.2026 | |
| CVE-2025-43537 | | 11.02.2026 | |
| CVE-2025-46290 | | 11.02.2026 | |
| CVE-2025-46300 | | 11.02.2026 | |
| CVE-2025-46301 | | 11.02.2026 | |
| CVE-2025-46302 | | 11.02.2026 | |
| CVE-2025-46303 | | 11.02.2026 | |
| CVE-2025-46304 | | 12.02.2026 | |
| CVE-2025-46305 | | 11.02.2026 | |
| CVE-2025-46310 | | 11.02.2026 | |
| CVE-2026-20601 | | 11.02.2026 | |
| CVE-2026-20602 | | 11.02.2026 | |
| CVE-2026-20603 | | 11.02.2026 | |
| CVE-2026-20605 | | 11.02.2026 | |
| CVE-2026-20606 | | 11.02.2026 | |
| CVE-2026-20608 | | 11.02.2026 | |
| CVE-2026-20609 | | 11.02.2026 | |
| CVE-2026-20610 | | 12.02.2026 | |
| CVE-2026-20611 | | 11.02.2026 | |
| CVE-2026-20612 | | 11.02.2026 | |
| CVE-2026-20614 | | 11.02.2026 | |
| CVE-2026-20615 | | 11.02.2026 | |
| CVE-2026-20616 | | 11.02.2026 | |
| CVE-2026-20617 | | 11.02.2026 | |
| CVE-2026-20618 | | 11.02.2026 | |
| CVE-2026-20619 | | 11.02.2026 | |
| CVE-2026-20620 | | 11.02.2026 | |
| CVE-2026-20621 | | 11.02.2026 | |
| CVE-2026-20623 | | 11.02.2026 | |
| CVE-2026-20624 | | 11.02.2026 | |
| CVE-2026-20625 | | 11.02.2026 | |
| CVE-2026-20626 | | 11.02.2026 | |
| CVE-2026-20627 | | 11.02.2026 | |
| CVE-2026-20628 | | 11.02.2026 | |
| CVE-2026-20629 | | 11.02.2026 | |
| CVE-2026-20630 | | 11.02.2026 | |
| CVE-2026-20634 | | 11.02.2026 | |
| CVE-2026-20635 | | 11.02.2026 | |
| CVE-2026-20636 | | 11.02.2026 | |
| CVE-2026-20638 | | 11.02.2026 | |
| CVE-2026-20640 | | 11.02.2026 | |
| CVE-2026-20641 | | 11.02.2026 | |
| CVE-2026-20642 | | 11.02.2026 | |
| CVE-2026-20644 | | 11.02.2026 | |
| CVE-2026-20645 | | 11.02.2026 | |
| CVE-2026-20646 | | 11.02.2026 | |
| CVE-2026-20647 | | 11.02.2026 | |
| CVE-2026-20648 | | 11.02.2026 | |
| CVE-2026-20649 | | 11.02.2026 | |
| CVE-2026-20650 | | 11.02.2026 | |
| CVE-2026-20652 | | 11.02.2026 | |
| CVE-2026-20653 | | 11.02.2026 | |
| CVE-2026-20654 | | 11.02.2026 | |
| CVE-2026-20655 | | 11.02.2026 | |
| CVE-2026-20656 | | 11.02.2026 | |
| CVE-2026-20658 | | 11.02.2026 | |
| CVE-2026-20660 | | 11.02.2026 | |
| CVE-2026-20661 | | 11.02.2026 | |
| CVE-2026-20662 | | 11.02.2026 | |
| CVE-2026-20663 | | 11.02.2026 | |
| CVE-2026-20666 | | 11.02.2026 | |
| CVE-2026-20667 | | 11.02.2026 | |
| CVE-2026-20669 | | 11.02.2026 | |
| CVE-2026-20671 | | 11.02.2026 | |
| CVE-2026-20673 | | 11.02.2026 | |
| CVE-2026-20674 | | 11.02.2026 | |
| CVE-2026-20675 | | 11.02.2026 | |
| CVE-2026-20676 | | 11.02.2026 | |
| CVE-2026-20677 | | 11.02.2026 | |
| CVE-2026-20678 | | 11.02.2026 | |
| CVE-2026-20680 | | 11.02.2026 | |
| CVE-2026-20681 | | 11.02.2026 | |
| CVE-2026-20682 | | 11.02.2026 | |
| CVE-2026-20700 | | 12.02.2026 | |
| CVE-2025-64074 | | 11.02.2026 | |
| CVE-2025-67135 | | 12.02.2026 | |
| CVE-2026-26215 | manga-image-translator Shared API Unsafe Deserialization RCE | 12.02.2026 | |
| CVE-2026-1669 | Arbitrary File Read in Keras via HDF5 External Datasets | 12.02.2026 | |
| CVE-2024-50619 | | 12.02.2026 | |
| CVE-2024-50617 | | 12.02.2026 | |
| CVE-2026-26029 | sf-mcp-server has a Command Injection in query_records tool due to unsafe use of child_process.exec | 12.02.2026 | 7.5 |
| CVE-2026-26031 | Frappe LMS affected by unauthorised user was able to access the full list of batch enrolled students | 12.02.2026 | |
| CVE-2026-26012 | vaultwarden has Full Cipher Enumeration Ignoring Organization Collection Permissions | 11.02.2026 | 6.5 |
| CVE-2026-26019 | @langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation | 11.02.2026 | 4.1 |
| CVE-2026-26021 | Prototype pollution in set-in | 11.02.2026 | |
| CVE-2026-26023 | Client-side DOM XSS in the web chat app of Dify when using echarts | 11.02.2026 | |
| CVE-2026-26014 | Pion DTLS uses random nonce generation with AES GCM ciphers risks leaking the authentication key | 11.02.2026 | 5.9 |