CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-22208 OpenS100 Portrayal Engine Unrestricted Lua Standard Library Access 17.02.2026 9.4
CVE-2026-26220 LightLLM <= 1.1.0 PD Mode Unsafe Deserialization RCE 17.02.2026 9.3
CVE-2026-2564 Intelbras VIP 3260 Z IA OutsideCmd password recovery 17.02.2026 9.2
CVE-2026-2550 EFM iptime A6004MX timepro.cgi commit_vpncli_file_upload unrestricted upload 17.02.2026 9.3
CVE-2026-2577 Nanobot Unauthenticated WhatsApp Session Hijack via WebSocket Bridge 16.02.2026 10
CVE-2026-26366 JUNG eNet SMART HOME server 2.2.1/2.3.1 Use of Default Credentials 15.02.2026 9.3
CVE-2026-26369 JUNG eNet SMART HOME server 2.2.1/2.3.1 Privilege Escalation via setUserGroup 15.02.2026 9.3
CVE-2025-32058 Stack Overflow in processing requests over INC interface on RH850 side of Infotainment ECU 15.02.2026 9.3
CVE-2026-1490 Spam protection, Honeypot, Anti-Spam by CleanTalk <= 6.71 - Authorization Bypass via Reverse DNS (PTR record) Spoofing to Unauthenticated Arbitrary Plugin Installation 15.02.2026 9.8
CVE-2025-8572 Truelysell Core <= 1.8.7 - Unauthenticated Privilege Escalation via Registration 14.02.2026 9.8
CVE-2026-1306 midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload via 'export' AJAX Action 14.02.2026 9.8
CVE-2026-26273 Known affected by Account Takeover via Password Reset Token Leakage 13.02.2026 9.8
CVE-2026-26333 Calero VeraSMART < 2022 R1 .NET Remoting Arbitrary File Read Leading to ViewState RCE 13.02.2026 10
CVE-2026-26335 Calero VeraSMART < 2022 R1 Static IIS Machine Keys Enable ViewState RCE 13.02.2026 9.3
CVE-2026-26190 Milvus Allows Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise 13.02.2026 9.8
CVE-2026-26221 Hyland OnBase Timer Services Unauthenticated .NET Remoting RCE 13.02.2026 10
CVE-2019-25322 Heatmiser Netmonitor 3.03 - Hardcoded Credentials 13.02.2026 9.3
CVE-2026-26068 emp3r0r Agent-Controlled Metadata to Operator RCE (tmux Command Injection) 13.02.2026 9.3
CVE-2026-1358 Airleader Master Unrestricted Upload of File with Dangerous Type 13.02.2026 9.8
CVE-2026-26069 Scraparr Readarr Integration exposes sensitive values as metric labels. 13.02.2026 9.1
CVE-2026-26011 Critical Heap Out-of-bounds Access in `pf_cluster_stats()` via Malicious /initialpose Covariance -- Potential Remote Code Execution 13.02.2026 9.3
CVE-2026-26020 AutoGPT Affected by Remote Code Execution via Dynamic Module Import in Block Loading (__import__) 12.02.2026 9.4
CVE-2026-25227 authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint 12.02.2026 9.1
CVE-2026-24044 ESS Community Helm Chart has a weak server key generation method 12.02.2026 9.2
CVE-2026-26218 newbee-mall Default Seeded Administrator Credentials Allow Account Takeover 12.02.2026 9.3
CVE-2026-26219 newbee-mall Unsalted MD5 Password Hashing Enables Offline Credential Cracking 12.02.2026 9.3
CVE-2026-26216 Crawl4AI < 0.8.0 Docker API Unauthenticated Remote Code Execution via Hooks Parameter 12.02.2026 10
CVE-2026-26217 Crawl4AI < 0.8.0 Docker API Local File Inclusion via file URL Handling 12.02.2026 9.2
CVE-2026-26214 Xiaomi Galaxy FDS Android SDK <= 3.0.8 TLS Hostname Verification Disabled Enables MITM 12.02.2026 9.1
CVE-2025-14014 Insecure File Upload in NTN Informatics' Smart Panel 12.02.2026 9.8
CVE-2025-10969 SQLi in Farktor Software's E-Commerce Package 12.02.2026 9.8
CVE-2026-1729 AdForest <= 6.0.12 - Authentication Bypass 12.02.2026 9.8
CVE-2026-26215 manga-image-translator Shared API Unsafe Deserialization RCE 12.02.2026 9.3
CVE-2026-26021 Prototype pollution in set-in 12.02.2026 9.4
CVE-2020-37186 Chevereto 3.13.4 Core - Remote Code Execution 12.02.2026 9.3
CVE-2026-24789 ZLAN Information Technology ZLAN5143D Missing Authentication for Critical Function 11.02.2026 9.3
CVE-2026-25084 ZLAN Information Technology ZLAN5143D Missing Authentication for Critical Function 11.02.2026 9.3
CVE-2025-12059 Improper Access Control in Logo Software's Logo j-Platform 12.02.2026 9.8
CVE-2026-2248 Unauthenticated Remote Root Shell Access via Web Console in METIS WIC 12.02.2026 9.8
CVE-2026-2249 Unauthenticated Remote Command Execution via Web Console in METIS DFS 12.02.2026 9.8
CVE-2025-8668 Reflected XSS in E-Kalite Software Hardware Engineering's Turboard 11.02.2026 9.4
CVE-2025-66277 QTS, QuTS hero 12.02.2026 9.2
CVE-2025-8025 Improper Access Control in Dinosoft Business Solutions' Dinosoft ERP 11.02.2026 9.8
CVE-2026-1357 Migration, Backup, Staging <= 0.9.123 - Unauthenticated Arbitrary File Upload 11.02.2026 9.8

Latest Updates

CVE Title Updated Score
CVE-2025-70828 17.02.2026
CVE-2025-70830 17.02.2026
CVE-2026-2617 Beetel 777VR1 Telnet Service/SSH Service insecure default initialization of resource 17.02.2026
CVE-2022-41650 WordPress Custom Content by Country plugin <= 3.1.2 - Broken Access Control vulnerability 17.02.2026 6.5
CVE-2024-31118 WordPress SP Project & Document Manager plugin <= 4.70 - Broken Access Control to XSS vulnerability 17.02.2026 6.5
CVE-2025-70829 17.02.2026
CVE-2026-2616 Beetel 777VR1 Web Management hard-coded credentials 17.02.2026
CVE-2026-22208 OpenS100 Portrayal Engine Unrestricted Lua Standard Library Access 17.02.2026
CVE-2026-23861 17.02.2026 5.4
CVE-2025-7706 Improper Access Control in TUBITAK BILGEM's Liderahenk 17.02.2026 6.1
CVE-2026-25087 Apache Arrow: Potential use-after-free when reading IPC file with pre-buffering 17.02.2026
CVE-2026-2615 Wavlink WL-NU516U1 firewall.cgi singlePortForwardDelete command injection 17.02.2026
CVE-2025-8303 XSS in EKA Software's Real Estate Script V5 (With Doping Module – Store Module – New Language System) 17.02.2026 6.5
CVE-2025-7631 Time-Based Blind SQLi in Tumeva Internet Technologies' Tumeva News Software 17.02.2026 8.6
CVE-2026-2247 SQL Injection in Clickedu's SaaS platform 17.02.2026
CVE-2026-2608 Gutenberg Blocks by Kadence Blocks <= 3.5.32 - Missing Authorization 17.02.2026 4.3
CVE-2026-25903 Apache NiFi: Missing Authorization of Restricted Permissions for Component Updates 17.02.2026
CVE-2026-1216 RSS Aggregator <= 5.0.10 - Reflected Cross-Site Scripting via 'template' Parameter 17.02.2026 7.2
CVE-2026-0829 Frontend File Manager Plugin <= 23.5 - Unauthenticated Arbitrary Email Sending 17.02.2026
CVE-2026-1657 EventPrime <= 4.2.8.4 - Missing Authorization to Unauthenticated Image Upload via 'ep_upload_file_media' AJAX Endpoint 17.02.2026 5.3
CVE-2026-2002 Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.50.2 - Authenticated (Administrator+) Stored Cross-Site Scripting 17.02.2026 4.4
CVE-2026-2592 Zarinpal Gateway for WooCommerce <= 5.0.16 - Improper Access Control to Payment Status Update 17.02.2026 7.7
CVE-2026-26220 LightLLM <= 1.1.0 PD Mode Unsafe Deserialization RCE 17.02.2026
CVE-2025-12062 WP Maps <= 4.8.6 - Authenticated (Subscriber+) Limited Local File Inclusion 17.02.2026 8.8
CVE-2026-2439 Concierge::Sessions versions from 0.8.1 before 0.8.5 for Perl generate insecure session ids 17.02.2026
CVE-2025-15578 Maypole versions from 2.10 through 2.13 for Perl generates session ids insecurely 17.02.2026
CVE-2026-2474 Crypt::URandom versions from 0.41 before 0.55 for Perl is vulnerable to a heap buffer overflow in the XS function crypt_urandom_getrandom() 17.02.2026