CVE Field Guide

Critical CVEs

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2025-41002 | SQL injection in Infoticketing | 23.02.2026 | 9.3 |
| CVE-2026-24494 | SQL injection vulnerability in Order Up Online Ordering System | 23.02.2026 | 9.8 |
| CVE-2026-27574 | OneUptime: node:vm sandbox escape in probe allows any project member to achieve RCE | 21.02.2026 | 10 |
| CVE-2026-27452 | ASN.1 TypeScript Library: Decoding an INTEGER could leak the underlying ArrayBuffer | 21.02.2026 | 9.2 |
| CVE-2026-27471 | ERP: Document access through endpoints due to missing validation | 21.02.2026 | 9.3 |
| CVE-2026-27211 | Cloud Hypervisor: Host File Exfiltration via QCOW Backing File Abuse | 21.02.2026 | 9.1 |
| CVE-2026-27212 | Swiper has a Prototype Pollution Vulnerability | 21.02.2026 | 9.4 |
| CVE-2026-27197 | Sentry: Improper Authentication on SAML SSO process allows user identity linking | 21.02.2026 | 9.1 |
| CVE-2019-25441 | thesystem 1.0 Command Injection via run_command endpoint | 20.02.2026 | 9.3 |
| CVE-2026-2635 | MLflow Use of Default Password Authentication Bypass Vulnerability | 20.02.2026 | 9.8 |
| CVE-2026-27112 | Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints | 20.02.2026 | 9.4 |
| CVE-2026-25896 | fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names | 20.02.2026 | 9.3 |
| CVE-2021-35402 | | 20.02.2026 | 10 |
| CVE-2026-2333 | Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds | 20.02.2026 | 9.2 |
| CVE-2026-25715 | Jinan USR IOT Technology Limited (PUSR) USR-W610 Weak Password Requirements | 20.02.2026 | 9.8 |
| CVE-2026-21627 | Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 – v6.0.37 for Joomla | 23.02.2026 | 9.5 |
| CVE-2025-10970 | SQLi in Kolay Software's Talentics | 20.02.2026 | 9.8 |
| CVE-2026-26064 | calibre: Path Traversal Vulnerability Enables Arbitrary File Write and Remote Code Execution | 20.02.2026 | 9.3 |
| CVE-2026-26065 | calibre: Path Traversal can Lead to Arbitrary File Write and Potential Code Execution | 20.02.2026 | 9.3 |
| CVE-2026-26980 | Ghost has a SQL Injection in its Content API | 20.02.2026 | 9.4 |
| CVE-2026-26988 | LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream | 20.02.2026 | 9.3 |
| CVE-2025-30410 | | 21.02.2026 | 9.8 |
| CVE-2025-30411 | | 21.02.2026 | 10 |
| CVE-2025-30412 | | 21.02.2026 | 10 |
| CVE-2025-30416 | | 21.02.2026 | 10 |
| CVE-2026-27476 | RustFly 2.0.0 Command Injection via UDP Remote Control | 20.02.2026 | 9.3 |
| CVE-2026-27475 | SPIP < 4.4.9 Insecure Deserialization | 20.02.2026 | 9.2 |
| CVE-2026-2409 | | 20.02.2026 | 9.3 |
| CVE-2026-26339 | Hyland Alfresco Transformation Service Argument Injection RCE | 20.02.2026 | 9.3 |
| CVE-2026-24834 | Kata Container to Guest micro VM privilege escalation | 21.02.2026 | 9.4 |
| CVE-2026-26016 | Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization | 20.02.2026 | 9.2 |
| CVE-2026-26030 | Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable to remote code execution | 20.02.2026 | 10 |
| CVE-2025-71243 | SPIP Saisies Plugin < 5.11.1 Remote Code Execution | 19.02.2026 | 9.3 |
| CVE-2025-9953 | SQLi in Database Software's Databank Accreditation Software | 20.02.2026 | 9.8 |
| CVE-2025-8350 | Authentication Bypass with Redirect in BiEticaret Software's BiEticaret CMS | 20.02.2026 | 9.8 |
| CVE-2025-12107 | Potential authenticated Server-Side Template Injection (SSTI) vulnerability | 20.02.2026 | 10 |
| CVE-2025-13590 | Authenticated arbitrary file upload via a System REST API requiring administrator permission | 20.02.2026 | 9.1 |
| CVE-2026-1994 | s2Member <= 260127 - Unauthenticated Privilege Escalation via Account Takeover | 19.02.2026 | 9.8 |
| CVE-2026-2731 | Unauthenticated RCE in Dynamicweb 9 and Dynamicweb 8 | 19.02.2026 | 10 |
| CVE-2025-13563 | Lizza LMS Pro <= 1.0.3 - Unauthenticated Privilege Escalation | 19.02.2026 | 9.8 |
| CVE-2025-13851 | Buyent Theme (with Buyent Classified Plugin) <= 1.0.7 - Unauthenticated Privilege Escalation via User Registration | 19.02.2026 | 9.8 |
| CVE-2026-0926 | Prodigy Commerce <= 3.2.9 - Unauthenticated Local File Inclusion via parameters[template_name] | 19.02.2026 | 9.8 |
| CVE-2026-1405 | Slider Future <= 1.0.5 - Unauthenticated Arbitrary File Upload | 19.02.2026 | 9.8 |
| CVE-2025-12882 | Clasifico Listing <= 2.0 - Unauthenticated Privilege Escalation | 19.02.2026 | 9.8 |
| CVE-2025-15586 | | 19.02.2026 | 10 |
| CVE-2026-2686 | SECCN Dingcheng G10 session_login.cgi qq os command injection | 23.02.2026 | 9.3 |
| CVE-2026-25548 | InvoicePlane Vulnerable to Remote Code Execution via Local File Inclusion and Log Poisoning | 19.02.2026 | 9.1 |
| CVE-2019-25362 | WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Buffer OverFlow | 19.02.2026 | 9.3 |
| CVE-2019-25364 | Win10 MailCarrier 2.51 - 'POP3 User' Remote Buffer Overflow | 19.02.2026 | 9.3 |
| CVE-2026-27174 | MajorDoMo Unauthenticated Remote Code Execution via Admin Console Eval | 18.02.2026 | 9.3 |
| CVE-2026-27175 | MajorDoMo Command Injection in rc/index.php via Race Condition | 18.02.2026 | 9.2 |
| CVE-2026-27180 | MajorDoMo Supply Chain Remote Code Execution via Update URL Poisoning | 20.02.2026 | 9.3 |
| CVE-2026-23491 | InvoicePlane has Unauthenticated Path Traversal in Guest Controller | 18.02.2026 | 9.3 |
| CVE-2025-14009 | Zip Slip Vulnerability in nltk/nltk Leading to Remote Code Execution | 19.02.2026 | 10 |
| CVE-2025-70152 | | 18.02.2026 | 9.8 |
| CVE-2025-70150 | | 18.02.2026 | 9.8 |
| CVE-2025-15579 | An Insecure Deserialization vulnerability has been discovered in OpenText™ Directory Services | 18.02.2026 | 9.5 |
| CVE-2026-2329 | Grandstream GXP1600 VoIP Phones - Unauthenticated stack buffer overflow | 18.02.2026 | 9.3 |
| CVE-2026-1435 | Incorrect management of session invalidation vulnerability in Graylog Web Interface | 18.02.2026 | 9.3 |
| CVE-2026-1937 | YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Options Update via 'yaymail_import_state' AJAX Action | 18.02.2026 | 9.8 |
| CVE-2026-1670 | Honeywell CCTV Products Missing Authentication for Critical Function | 18.02.2026 | 9.3 |
| CVE-2026-22769 | | 19.02.2026 | 10 |
| CVE-2026-23647 | Glory RBG-100 Recycler System Hard-coded OS Credentials | 18.02.2026 | 9.3 |
| CVE-2026-22208 | OpenS100 Portrayal Engine Unrestricted Lua Standard Library Access | 17.02.2026 | 9.4 |
| CVE-2026-26220 | LightLLM <= 1.1.0 PD Mode Unsafe Deserialization RCE | 17.02.2026 | 9.3 |

Latest Updates

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2025-70045 | | 23.02.2026 | |
| CVE-2026-2697 | Indirect Object Reference (IDOR) in Security Center | 23.02.2026 | 6.3 |
| CVE-2025-70043 | | 23.02.2026 | |
| CVE-2025-70044 | | 23.02.2026 | |
| CVE-2026-3016 | UTT HiPER 810G formP2PLimitConfig strcpy buffer overflow | 23.02.2026 | |
| CVE-2026-3015 | UTT HiPER 810G formPolicyRouteConf strcpy buffer overflow | 23.02.2026 | |
| CVE-2025-69700 | | 23.02.2026 | |
| CVE-2026-21420 | | 23.02.2026 | 7.3 |
| CVE-2025-59873 | Session Token Exposure via URL Query Parameters | 23.02.2026 | 5.9 |
| CVE-2025-40701 | Reflected Cross-Site scripting (XSS) in SOTE's SOTESHOP | 23.02.2026 | |
| CVE-2025-40986 | Reflected Cross-Site Scripting in PideTuCita | 23.02.2026 | |
| CVE-2026-2985 | Tiandy Video Surveillance System 视频监控平台 CLSBODownLoad.java downloadImage server-side request forgery | 23.02.2026 | |
| CVE-2026-2984 | SourceCodester Student Result Management System drop_user.php denial of service | 23.02.2026 | |
| CVE-2025-41002 | SQL injection in Infoticketing | 23.02.2026 | |
| CVE-2026-2983 | SourceCodester Student Result Management System Bulk Import import_users.php access control | 23.02.2026 | |
| CVE-2026-23552 | Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy | 23.02.2026 | |
| CVE-2026-25747 | Apache Camel: Deserialization of Untrusted Data in Camel LevelDB | 23.02.2026 | |
| CVE-2026-2981 | UTT HiPER 810G formTaskEdit_ap strcpy buffer overflow | 23.02.2026 | |
| CVE-2026-2980 | UTT HiPER 810G setSysAdm strcpy buffer overflow | 23.02.2026 | |
| CVE-2026-26365 | | 23.02.2026 | 4 |
| CVE-2026-2979 | FastApiAdmin Scheduled Task API controller.py user_avatar_upload_controller unrestricted upload | 23.02.2026 | |
| CVE-2026-2978 | FastApiAdmin Scheduled Task API controller.py upload_file_controller unrestricted upload | 23.02.2026 | |
| CVE-2026-1367 | SQL Injection | 23.02.2026 | 8.3 |
| CVE-2026-2977 | FastApiAdmin Scheduled Task API controller.py upload_controller unrestricted upload | 23.02.2026 | |
| CVE-2026-2976 | FastApiAdmin Download Endpoint controller.py download_controller information disclosure | 23.02.2026 | |
| CVE-2026-2975 | FastApiAdmin Custom Documentation Endpoint init_app.py reset_api_docs information disclosure | 23.02.2026 | |
| CVE-2026-2974 | AliasVault App Backup aliasvault.xml backup | 23.02.2026 | |
| CVE-2026-2972 | a466350665 Smart-SSO Role Edit UserController.java save cross site scripting | 23.02.2026 | |
| CVE-2026-2971 | a466350665 Smart-SSO Login login.html cross site scripting | 23.02.2026 | |
| CVE-2026-2969 | datapizza-labs datapizza-ai Jinja2 Template prompt.py ChatPromptTemplate special elements used in a template engine | 23.02.2026 | |
| CVE-2026-2970 | datapizza-labs datapizza-ai cache.py RedisCache deserialization | 23.02.2026 | |
| CVE-2026-2967 | Cesanta Mongoose TCP Sequence Number net_builtin.c getpeer verification of source | 23.02.2026 | |
| CVE-2026-2968 | Cesanta Mongoose Poly1305 Authentication Tag tls_chacha20.c mg_chacha20_poly1305_decrypt signature verification | 23.02.2026 | |
| CVE-2026-2998 | eAI Technologies\|ERP - DLL Hijacking | 23.02.2026 | |
| CVE-2026-2965 | 07FLYCMS/07FLY-CMS/07FlyCRM System Extension edit.html cross site scripting | 23.02.2026 | |
| CVE-2026-2966 | Cesanta Mongoose DNS Transaction ID dns.c mg_sendnsreq random values | 23.02.2026 | |
| CVE-2026-2997 | WisdomGarden\|Tronclass - Insecure Direct Object Reference | 23.02.2026 | 5.4 |
| CVE-2026-24494 | SQL injection vulnerability in Order Up Online Ordering System | 23.02.2026 | 9.8 |
| CVE-2026-2964 | higuma web-audio-recorder-js Dynamic Config Handling WebAudioRecorder.js extend prototype pollution | 23.02.2026 | |
| CVE-2026-2962 | D-Link DWR-M960 Scheduled Reboot Configuration Endpoint formDateReboot sub_460F30 stack-based overflow | 23.02.2026 | |
| CVE-2026-2963 | Jinher OA C6 OfficeSupplyTypeRight.aspx sql injection | 23.02.2026 | |
| CVE-2026-2960 | D-Link DWR-M960 formDhcpv6s sub_468D64 stack-based overflow | 23.02.2026 | |
| CVE-2026-2961 | D-Link DWR-M960 VPN Configuration Endpoint formVpnConfigSetup sub_4196C4 stack-based overflow | 23.02.2026 | |
| CVE-2026-2588 | Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer overflow flaw on 32-bit systems | 22.02.2026 | |
| CVE-2026-2958 | D-Link DWR-M960 formWsc sub_457C5C stack-based overflow | 22.02.2026 | |
| CVE-2026-2959 | D-Link DWR-M960 formNewSchedule sub_44E0F8 stack-based overflow | 22.02.2026 | |
| CVE-2026-2957 | qinming99 dst-admin File BackupController.java deleteBackup denial of service | 23.02.2026 | |
| CVE-2026-2956 | qinming99 dst-admin restore revertBackup command injection | 22.02.2026 | |