CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2020-37135 AMSS++ 4.7 - Backdoor Admin Account 06.02.2026 9.3
CVE-2026-25803 3DP-MANAGER Uses Hard-coded Credentials 06.02.2026 9.8
CVE-2026-25763 Command Injection on OpenProject repositories leads to Remote Code Execution 06.02.2026 9.4
CVE-2026-1731 Remote code execution vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) 06.02.2026 9.9
CVE-2026-1727 Information Disclosure via Bucket Squatting in Google Cloud Agentspace. 06.02.2026 9.1
CVE-2026-25544 Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters 06.02.2026 9.8
CVE-2026-25592 Semantic Kernel has an Arbitrary File Write via AI Agent Function Calling in .NET SDK 06.02.2026 10
CVE-2026-25632 EPyT-Flow has unsafe JSON deserialization (__type__) 06.02.2026 10
CVE-2026-25520 SandboxJS has a Sandbox Escape 06.02.2026 10
CVE-2026-25586 SandboxJS has a Sandbox Escape via Prototype Whitelist Bypass and Host Prototype Pollution 06.02.2026 10
CVE-2026-25587 SandboxJS has a Sandbox Escape 06.02.2026 10
CVE-2026-25641 SandboxJS has a sandbox escape via TOCTOU bug on keys in property accesses 06.02.2026 10
CVE-2026-1709 Keylime: keylime: authentication bypass allows unauthorized administrative operations due to missing client-side tls authentication 06.02.2026 9.4
CVE-2026-25643 Frigate Affected by Authenticated Remote Command Execution (RCE) and Container Escape 06.02.2026 9.1
CVE-2026-25751 FUXA Unauthenticated Exposure of Plaintext Database Credentials 06.02.2026 9.1
CVE-2026-25752 FUXA Unauthenticated Remote Arbitrary Device Tag Write 06.02.2026 9.3
CVE-2026-25753 PlaciPy has a Hard-Coded Default Password for All Student Accounts (Account Takeover) 06.02.2026 9.3
CVE-2025-69212 OpenSTAManager has an OS Command Injection in P7M File Processing 06.02.2026 9.4
CVE-2025-64111 Gogs's update .git/config file allows remote command execution 07.02.2026 9.3
CVE-2026-2017 IP-COM W30AP POST Request wx3auth R7WebsSecurityHandler stack-based overflow 06.02.2026 9.3
CVE-2026-1499 WP Duplicate <= 1.1.8 - Authenticated (Subscriber+) Arbitrary File Upload via 'process_add_site' AJAX Action 06.02.2026 9.8
CVE-2026-21643 07.02.2026 9.1
CVE-2026-21626 Extension - stackideas.com - Information disclosure in post custom fields in EasyDiscuss 1.0.0-5.0.15 for Joomla 06.02.2026 9.2
CVE-2026-24300 Azure Front Door Elevation of Privilege Vulnerability 07.02.2026 9.8
CVE-2020-37123 Pinger 1.0 - Remote Code Execution 06.02.2026 9.3
CVE-2020-37125 Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution 05.02.2026 9.3
CVE-2025-62615 AutoGPT has SSRF vulnerability in ReadRSSFeedBlock 05.02.2026 9.3
CVE-2025-62616 AutoGPT has SSRF vulnerability in SendDiscordFileBlock 05.02.2026 9.3
CVE-2026-25579 Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/<token>` endpoints 05.02.2026 9.2
CVE-2026-25539 SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE 05.02.2026 9.1
CVE-2026-25547 Uncontrolled Resource Consumption in @isaacs/brace-expansion 05.02.2026 9.2
CVE-2026-25526 JinJava Bypass through ForTag leads to Arbitrary Java Execution 05.02.2026 9.8
CVE-2026-25521 Locutus is vulnerable to Prototype Pollution 05.02.2026 9.4
CVE-2025-13375 IBM Common Cryptographic Architecture Arbitrary Command Execution 06.02.2026 9.8
CVE-2026-25512 Group-Office is vulnerable to RCE due to Command Injection via TNEF Attachment Handler 05.02.2026 9.4
CVE-2026-25481 Langroid has WAF Bypass Leading to RCE in TableChatAgent 04.02.2026 9.4
CVE-2026-25505 Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication 06.02.2026 9.8
CVE-2026-25160 Alist has Insecure TLS Config 05.02.2026 9.1
CVE-2025-64712 Unstructured has Path Traversal via Malicious MSG Attachment that Allows Arbitrary File Write 04.02.2026 9.8
CVE-2026-21893 n8n Vulnerable to Command Injection in Community Package Installation 04.02.2026 9.4
CVE-2026-25049 n8n Has an Expression Escape Vulnerability Leading to RCE 05.02.2026 9.4
CVE-2026-25052 n8n Improper File Access Controls Allow Arbitrary File Read by Authenticated Users 05.02.2026 9.4
CVE-2026-25053 n8n is Vulnerable to OS Command Injection in Git Node 05.02.2026 9.4
CVE-2026-25056 n8n Arbitrary File Write leading to RCE in n8n Merge Node 05.02.2026 9.4
CVE-2026-25115 n8n is vulnerable to Python sandbox escape 05.02.2026 9.4
CVE-2025-5329 SQLi in Martcode Software's Delta Course Automation 04.02.2026 9.8
CVE-2025-59818 Authenticated Remote Code Execution via the file name of an uploaded file 04.02.2026 10
CVE-2026-1633 Synectix LAN 232 TRIO Missing Authentication for Critical Function 04.02.2026 10
CVE-2026-1632 RISS SRL MOMA Seismic Station Missing Authentication for Critical Function 04.02.2026 9.3
CVE-2020-37071 CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution 04.02.2026 9.3
CVE-2020-37092 Netis E1+ 1.2.32533 - Backdoor Account (root) 04.02.2026 9.3
CVE-2026-1341 Missing Authentication for Critical Function in Avation Light Engine Pro 04.02.2026 9.3
CVE-2026-25150 Prototype Pollution via FormData Processing in Qwik City 04.02.2026 9.3
CVE-2026-25510 CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor 04.02.2026 10
CVE-2025-65078 Untrusted search path vulnerability in Embedded Solutions Framework 06.02.2026 9.3
CVE-2026-1803 Ziroom ZHOME A0101 Dropbear SSH Service default credentials 03.02.2026 9.2
CVE-2025-10878 04.02.2026 10
CVE-2026-25237 PEAR is Vulnerable to PHP Code Execution via preg_replace /e in Bug Update Emails 04.02.2026 9.2
CVE-2026-25238 PEAR is Vulnerable to SQL Injection in Bug Subscription Deletion via Weak Email Validation 04.02.2026 9.2
CVE-2026-25241 PEAR is Vulnerable to SQL Injection in /get/<package>/<version> Endpoint 04.02.2026 9.3
CVE-2025-70841 04.02.2026 10
CVE-2026-1568 Rapid7 InsightVM Signature Validation Vulnerability 04.02.2026 9.6
CVE-2025-5319 SQLi in Emit Informatics' DIGITA Efficiency Management System 04.02.2026 9.8
CVE-2026-1432 SQL injection (SQLi) on the Buroweb platform 03.02.2026 9.3
CVE-2026-24465 03.02.2026 9.3
CVE-2026-24936 An improper input validation vulnerability was found in ADM while joining an AD Domain. 04.02.2026 9.5
CVE-2025-66480 Wildfire has Arbitrary File Upload via Directory Traversal in UploadFileAction 03.02.2026 9.8
CVE-2026-22778 vLLM leaks a heap address when PIL throws an error 03.02.2026 9.8
CVE-2026-23515 RCE - Command Injection in Signal K set-system-time plugin 03.02.2026 10
CVE-2026-24471 Improper Validation in Conduit-derived homeservers resulting in Unintended Proxy or Intermediary ('Confused Deputy') 03.02.2026 9.3
CVE-2026-25134 Group-Office Argument Injection in MaintenanceController::actionZipLanguage 04.02.2026 9.4
CVE-2026-25137 NixOs Odoo database and filestore publicly accessible with default odoo configuration 04.02.2026 9.1
CVE-2026-25142 SandboxJS Prototype Pollution -> Sandbox Escape -> RCE 04.02.2026 10
CVE-2022-50981 Multiple Innomic VibroLine VLX HD 5.0 and avibia AVLX weak password requirements 02.02.2026 9.8
CVE-2024-2356 Remote Code Execution due to LFI in '/reinstall_extension' in parisneo/lollms-webui 02.02.2026 9.6
CVE-2024-5386 Account Hijacking via Password Reset Token Leak in lunary-ai/lunary 02.02.2026 9.6
CVE-2024-5986 Remote Arbitrary File Write with Arbitrary Data in h2oai/h2o-3 02.02.2026 9.1
CVE-2026-25200 03.02.2026 9.8
CVE-2026-25202 03.02.2026 9.8
CVE-2026-25069 SunFounder Pironman Dashboard <= 1.3.13 Path Traversal Arbitrary File Read/Deletion 02.02.2026 9.3

Latest Updates

CVE Title Updated Score
CVE-2026-2090 SourceCodester Online Class Record System search.php sql injection 07.02.2026
CVE-2026-2089 SourceCodester Online Class Record System controller.php sql injection 07.02.2026
CVE-2026-2088 PHPGurukul Beauty Parlour Management System accepted-appointment.php sql injection 07.02.2026
CVE-2026-2087 SourceCodester Online Class Record System login.php sql injection 07.02.2026
CVE-2026-2086 UTT HiPER 810G Management formFireWall strcpy buffer overflow 07.02.2026
CVE-2026-2085 D-Link DWR-M921 USSD Configuration Endpoint formUSSDSetup sub_419F20 command injection 07.02.2026
CVE-2026-2084 D-Link DIR-823X set_language os command injection 07.02.2026
CVE-2026-2083 code-projects Social Networking Site delete_post.php sql injection 07.02.2026
CVE-2026-2082 D-Link DIR-823X set_mac_clone os command injection 07.02.2026
CVE-2026-2081 D-Link DIR-823X set_password os command injection 07.02.2026
CVE-2026-2080 UTT HiPER 810 formUser setSysAdm command injection 07.02.2026
CVE-2025-15476 The Bucketlister <= 0.1.5 - Missing Authorization to Authenticated (Subscriber+) Bucket List Modification 07.02.2026 4.3
CVE-2025-15477 The Bucketlister <= 0.1.5 - Authenticated (Contributor+) SQL Injection via `category` and `id` Shortcode Attributes 07.02.2026 6.5
CVE-2026-0555 Premmerce <= 1.3.20 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'premmerce_wizard_actions' AJAX Endpoint 07.02.2026 6.4
CVE-2026-1082 TITLE ANIMATOR <= 1.0 - Cross-Site Request Forgery to Settings Update 07.02.2026 4.3
CVE-2026-1570 Simple Bible Verse via Shortcode <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 07.02.2026 6.4
CVE-2026-1573 OMIGO <= 3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 07.02.2026 6.4
CVE-2026-1608 Video Onclick <= 0.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 07.02.2026 6.4
CVE-2026-1611 Wikiloops Track Player <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 07.02.2026 6.4
CVE-2026-1613 Wonka Slide <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 07.02.2026 6.4
CVE-2026-1634 Subitem AL Slider <= 1.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] 07.02.2026 6.1
CVE-2026-1643 MP-Ukagaka <= 1.5.2 - Reflected Cross-Site Scripting 07.02.2026 6.1
CVE-2026-1675 Advanced Country Blocker <= 2.3.1 - Unauthenticated Authorization Bypass via Insecure Default Secret Key 07.02.2026 5.3
CVE-2026-2079 yeqifu warehouse Menu Management MenuController.java deleteMenu improper authorization 07.02.2026
CVE-2026-2078 yeqifu warehouse Permission Management PermissionController.java deletePermission improper authorization 07.02.2026
CVE-2026-2077 yeqifu warehouse Role Management RoleController.java deleteRole improper authorization 07.02.2026
CVE-2026-2076 yeqifu warehouse User Management Endpoint UserController.java deleteUser improper authorization 07.02.2026
CVE-2025-15491 Post Slides <= 1.0.1 - Contributor+ Local File Inclusion 07.02.2026
CVE-2025-12159 Bold Page Builder <= 5.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 07.02.2026 6.4
CVE-2025-12803 Bold Builder <= 5.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_tabs Shortcode 07.02.2026 6.4
CVE-2025-13463 Bold Page Builder <= 5.5.3 - Authenticated (Author+) Stored DOM-based Cross-Site Scripting in Post Grid 07.02.2026 6.4
CVE-2025-15267 Bold Page Builder <= 5.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_accordion_item Shortcode 07.02.2026 6.4
CVE-2026-2075 yeqifu warehouse Role-Permission Binding RoleController.java saveRolePermission access control 07.02.2026
CVE-2026-2074 O2OA HTTP POST Request check xml external entity reference 07.02.2026
CVE-2025-31990 HCL DevOps Velocity is susceptible to a Denial of Service vulnerability 07.02.2026 6.8
CVE-2026-25837 07.02.2026
CVE-2026-25838 07.02.2026
CVE-2026-25839 07.02.2026
CVE-2026-25840 07.02.2026
CVE-2026-25841 07.02.2026
CVE-2026-25842 07.02.2026
CVE-2026-25843 07.02.2026
CVE-2026-25844 07.02.2026
CVE-2026-25845 07.02.2026
CVE-2026-2073 itsourcecode School Management System index.php sql injection 07.02.2026
CVE-2026-2071 UTT 进取 520W formP2PLimitConfig strcpy buffer overflow 07.02.2026
CVE-2020-37079 Wing FTP Server < 6.2.7 - Cross-site Request Forgery 06.02.2026
CVE-2020-37095 Cyberoam Authentication Client 2.1.2.7 - Buffer Overflow (SEH) 06.02.2026
CVE-2020-37106 Business Live Chat Software 1.0 - Cross-Site Request Forgery (Add Admin) 06.02.2026
CVE-2020-37107 Core FTP LE 2.2 - Denial of Service 06.02.2026
CVE-2020-37109 aSc TimeTables 2020.11.4 - Denial of Service 06.02.2026
CVE-2020-37122 SpotFTP-FTP Password Recover 2.4.8 - Denial of Service 06.02.2026
CVE-2020-37135 AMSS++ 4.7 - Backdoor Admin Account 06.02.2026
CVE-2020-37141 AMSS++ v 4.31 - 'id' SQL Injection 06.02.2026
CVE-2020-37146 Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure 06.02.2026
CVE-2020-37147 ATutor 2.2.4 - 'id' SQL Injection 06.02.2026
CVE-2020-37154 eLection 2.0 - 'id' SQL Injection 06.02.2026
CVE-2020-37155 Core FTP Lite 1.3 - Denial of Service (PoC) 06.02.2026
CVE-2020-37157 DBPower C300 HD Camera - Remote Configuration Disclosure 06.02.2026
CVE-2020-37159 Cuckoo Clock 5.0 - Buffer Overflow 06.02.2026
CVE-2020-37160 SprintWork 2.3.1 - Local Privilege Escalation 06.02.2026
CVE-2020-37161 Wedding Slideshow Studio 1.36 - 'Name' Buffer Overflow 06.02.2026
CVE-2020-37162 Wedding Slideshow Studio 1.36 - 'Key' Buffer Overflow 06.02.2026
CVE-2020-37163 QuickDate 1.3.2 - SQL Injection 06.02.2026
CVE-2020-37164 AbsoluteTelnet 11.12 - "license entry" Denial of Service 06.02.2026
CVE-2020-37165 AbsoluteTelnet 11.12 - "license name" Denial of Service 06.02.2026
CVE-2020-37166 AbsoluteTelnet 11.12 - 'SSH2/username' Denial of Service 06.02.2026
CVE-2020-37170 TapinRadio 2.12.3 - 'address' Denial of Service 06.02.2026
CVE-2020-37171 TapinRadio 2.12.3 - 'username' Denial of Service 06.02.2026
CVE-2026-25793 Nebula Has Possible Blocklist Bypass via ECDSA Signature Malleability 06.02.2026
CVE-2026-25803 3DP-MANAGER Uses Hard-coded Credentials 06.02.2026 9.8
CVE-2026-25804 Antrea has invalid enforcement order for network policy rules caused by integer overflow 06.02.2026
CVE-2026-25644 DataHub's LDAP Ingestion Source vulnerable to MITM attack through TLS downgrade 06.02.2026 7.5
CVE-2026-25749 Heap Overflow in Vim 06.02.2026 6.6
CVE-2026-25754 AdonisJS multipart body parsing has Prototype Pollution issue 06.02.2026 7.2
CVE-2026-25762 AdonisJS vulnerable to Denial of Service (DoS) via Unrestricted Memory Buffering in PartHandler during File Type Detection 06.02.2026 7.5
CVE-2026-25757 Unauthenticated Spree Commerce users can view completed guest orders by Order ID 06.02.2026
CVE-2026-2070 UTT 进取 520W formPolicyRouteConf strcpy buffer overflow 06.02.2026
CVE-2023-6763 06.02.2026
CVE-2026-25763 Command Injection on OpenProject repositories leads to Remote Code Execution 06.02.2026
CVE-2026-25764 OpenProject vulnerable to Stored HTML injection 06.02.2026 3.5
CVE-2026-2069 ggml-org llama.cpp GBNF Grammar llama-grammar.cpp llama_grammar_advance_stack stack-based overflow 06.02.2026
CVE-2026-1731 Remote code execution vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) 06.02.2026
CVE-2026-1727 Information Disclosure via Bucket Squatting in Google Cloud Agentspace. 06.02.2026
CVE-2026-25760 Website Path Traversal / Arbitrary File Read (Authenticated) in Sliver 06.02.2026 6.5
CVE-2026-2068 UTT 进取 520W formSyslogConf strcpy buffer overflow 06.02.2026
CVE-2025-68621 Trilium Notes has a Timing Attack Vulnerability in /api/login/sync 06.02.2026 7.4
CVE-2026-25123 Homarr affected by Unauthenticated SSRF / Port-Scan Primitive via widget.app.ping 06.02.2026 5.3
CVE-2026-25533 Enclave has a sandbox escape via infinite recursion and error objects 06.02.2026
CVE-2026-25758 Spree allows unauthenticated users to access all guest addresses 06.02.2026
CVE-2026-25516 NiceGUI's XSS vulnerability in ui.markdown() allows arbitrary JavaScript execution through unsanitized HTML content 06.02.2026 6.1
CVE-2026-25732 NiceGUI's Path Traversal via Unsanitized FileUpload.name Enables Arbitrary File Write 06.02.2026 7.5