CVE Field Guide

Critical CVEs

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-2844 | TimePictra Authentication Bypass Vulnerability | 28.02.2026 | 9.3 |
| CVE-2026-3010 | TimePictra Stored Cross-Site Scripting | 28.02.2026 | 9.3 |
| CVE-2026-28515 | openDCIM <= 23.04 Missing Authorization in install.php | 27.02.2026 | 9.3 |
| CVE-2026-28516 | openDCIM <= 23.04 SQL Injection in Config::UpdateParameter | 27.02.2026 | 9.3 |
| CVE-2026-28517 | openDCIM <= 23.04 OS Command Injection via dot Configuration Parameter | 27.02.2026 | 9.3 |
| CVE-2026-28408 | WeGIA lacks authentication verification in adicionar_tipo_docs_atendido.php | 27.02.2026 | 9.8 |
| CVE-2026-28409 | WeGIA Vulnerable to Remote Code Execution (RCE) via OS Command Injection | 27.02.2026 | 10 |
| CVE-2026-28411 | WeGIA Vulnerable to Authentication Bypass via `extract($_REQUEST)` | 27.02.2026 | 9.8 |
| CVE-2026-28268 | Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse | 27.02.2026 | 9.8 |
| CVE-2026-27947 | Group-Office Vulnerable to Remote Code Execution (RCE) | 27.02.2026 | 9.4 |
| CVE-2026-27755 | SODOLA SL902-SWTGW124AS <= 200.1.20 Predictable Session ID | 27.02.2026 | 9.3 |
| CVE-2026-27751 | SODOLA SL902-SWTGW124AS <= 200.1.20 Use of Default Credentials | 27.02.2026 | 9.3 |
| CVE-2026-2749 | Path traversal in Centreon Open Tickets | 27.02.2026 | 9.9 |
| CVE-2026-2750 | Command Injection via CLAPI generatetraps | 27.02.2026 | 9.1 |
| CVE-2025-15498 | SQL Injection in Pro3W CMS | 27.02.2026 | 9.3 |
| CVE-2025-11252 | SQLi in Signum Technologies' windesk.fm | 27.02.2026 | 9.8 |
| CVE-2025-11251 | SQLi in Dayneks Software's E-Commerce Platform | 27.02.2026 | 9.8 |
| CVE-2026-2251 | Path Traversal leading to Remote Code Execution (RCE) | 28.02.2026 | 9.8 |
| CVE-2025-12981 | Listee <= 1.1.6 - Unauthenticated Privilege Escalation | 27.02.2026 | 9.8 |
| CVE-2026-3301 | Totolink N300RH Web Management cstecgi.cgi setWebWlanIdx os command injection | 27.02.2026 | 9.3 |
| CVE-2026-28370 | | 27.02.2026 | 9.1 |
| CVE-2026-28363 | | 27.02.2026 | 9.9 |
| CVE-2026-21718 | Copeland XWEB and XWEB Pro Use of a Broken or Risky Cryptographic Algorithm | 27.02.2026 | 10 |
| CVE-2026-24663 | Copeland XWEB and XWEB Pro OS Command Injection | 27.02.2026 | 9 |
| CVE-2026-27028 | Mobility46 mobility46.se Missing Authentication for Critical Function | 27.02.2026 | 9.4 |
| CVE-2026-27767 | SWITCH EV swtchenergy.com Missing Authentication for Critical Function | 27.02.2026 | 9.4 |
| CVE-2026-27772 | EV Energy ev.energy Missing Authentication for Critical Function | 27.02.2026 | 9.4 |
| CVE-2026-24731 | EV2GO ev2go.io Missing Authentication for Critical Function | 26.02.2026 | 9.4 |
| CVE-2026-20781 | CloudCharge cloudcharge.se Missing Authentication for Critical Function | 26.02.2026 | 9.4 |
| CVE-2026-25851 | Chargemap chargemap.com Missing Authentication for Critical Function | 26.02.2026 | 9.4 |
| CVE-2026-28213 | EverShop Vulnerable to Arbitrary Customer Account Takeover via Exposure of Password Reset Token in API Response | 27.02.2026 | 9.8 |
| CVE-2026-28215 | hoppscotch Vulnerable to Unauthenticated Onboarding Config Takeover | 26.02.2026 | 9.1 |
| CVE-2026-22207 | OpenViking Missing root_api_key Allows Anonymous ROOT Access | 27.02.2026 | 9.3 |
| CVE-2026-27966 | Langflow has Remote Code Execution in CSV Agent | 28.02.2026 | 9.8 |
| CVE-2026-27969 | Vitess users with backup storage access can write to arbitrary file paths on restore | 26.02.2026 | 9.3 |
| CVE-2026-27941 | OpenLIT Vulnerable to Remote Code Execution and Secret Exposure via Misuse of `pull_request_target` in GitHub Actions Workflows | 26.02.2026 | 10 |
| CVE-2026-27804 | Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter | 26.02.2026 | 9.3 |
| CVE-2026-27613 | CGI Parameter Injection (Bypass of STRICT_CGI_PARAMS and EscapeShellParam) | 26.02.2026 | 10 |
| CVE-2026-27498 | n8n has Arbitrary Command Execution via File Write and Git Operations | 26.02.2026 | 9 |
| CVE-2026-27497 | n8n has Potential Remote Code Execution via Merge Node | 26.02.2026 | 9.4 |
| CVE-2026-27577 | n8n: Expression Sandbox Escape Leads to RCE | 26.02.2026 | 9.4 |
| CVE-2026-27493 | n8n has Unauthenticated Expression Evaluation via Form Node | 26.02.2026 | 9.5 |
| CVE-2026-27495 | n8n has a Sandbox Escape in its JavaScript Task Runner | 26.02.2026 | 9.4 |
| CVE-2026-27575 | Vikunja has Weak Password Policy Combined with Persistent Sessions After Password Change | 26.02.2026 | 9.1 |
| CVE-2026-0542 | Remote Code Execution in ServiceNow AI Platform | 26.02.2026 | 9.2 |
| CVE-2026-24908 | OpenEMR has SQL Injection in Patient API Sort Parameter | 26.02.2026 | 10 |
| CVE-2026-21902 | Junos OS Evolved: PTX Series: A vulnerability allows an unauthenticated, network-based attacker to execute code as root | 26.02.2026 | 9.3 |
| CVE-2026-27739 | Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline | 27.02.2026 | 9.2 |
| CVE-2026-20127 | Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability | 26.02.2026 | 10 |
| CVE-2026-20129 | Cisco Catalyst SD-WAN Authentication Bypass Vulnerability | 26.02.2026 | 9.8 |
| CVE-2026-27728 | OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec() | 25.02.2026 | 10 |
| CVE-2025-1242 | Administrative Credentials Can Be Extracted Through Gardyn API Responses | 25.02.2026 | 9.3 |
| CVE-2026-27702 | Budibase Vulnerable to Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud) | 25.02.2026 | 9.9 |
| CVE-2026-27699 | Basic FTP has Path Traversal Vulnerability in its downloadToDir() method | 27.02.2026 | 9.1 |
| CVE-2026-2624 | Authentication Bypass in ePati's Antikor NGFW | 25.02.2026 | 9.8 |
| CVE-2025-62878 | Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern | 26.02.2026 | 9.9 |
| CVE-2026-25785 | | 25.02.2026 | 9.3 |
| CVE-2026-3179 | A path traversal vulnerability was found in the FTP Backup on the ADM. | 25.02.2026 | 9.2 |
| CVE-2026-27597 | @enclave-vm/core is vulnerable to Sandbox Escape | 25.02.2026 | 10 |
| CVE-2026-27637 | FreeScout's Predictable Authentication Token Enables Account Takeover | 25.02.2026 | 9.8 |
| CVE-2026-27641 | Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection | 25.02.2026 | 9.8 |
| CVE-2026-27743 | SPIP referer_spam <= 1.2.1 Unauthenticated SQL Injection | 26.02.2026 | 9.3 |
| CVE-2026-27744 | SPIP tickets < 4.3.3 Unauthenticated RCE | 26.02.2026 | 9.3 |
| CVE-2026-27595 | Parse Dashboard has incomplete authentication on AI Agent endpoint | 27.02.2026 | 9.9 |
| CVE-2026-27608 | Parse Dashboard Missing Authorization on Agent Endpoint | 25.02.2026 | 9.3 |
| CVE-2026-27614 | Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering | 25.02.2026 | 9.3 |
| CVE-2026-27626 | OliveTin vulnerable to OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks | 27.02.2026 | 10 |
| CVE-2026-27822 | Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover | 25.02.2026 | 9.1 |
| CVE-2026-24849 | OpenEMR Arbitrary File Read Vulnerability | 25.02.2026 | 10 |
| CVE-2026-27593 | Statamic is vulnerable to account takeover via password reset link injection | 27.02.2026 | 9.3 |
| CVE-2026-21410 | InSAT MasterSCADA BUK-TS SQL Injection | 26.02.2026 | 9.3 |
| CVE-2026-22553 | InSAT MasterSCADA BUK-TS OS Command Injection | 26.02.2026 | 9.3 |
| CVE-2026-26341 | Tattile Smart+ / Vega / Basic <= 1.181.5 Default Credentials | 24.02.2026 | 9.3 |
| CVE-2026-26222 | DocLink .NET Remoting Unauthenticated Arbitrary File Read/Write RCE | 27.02.2026 | 10 |
| CVE-2026-27507 | Binardat 10G08-0800GSM Network Switch Hard-coded Credentials | 27.02.2026 | 9.3 |
| CVE-2026-27515 | Binardat 10G08-0800GSM Network Switch Predictable Session Identifiers | 27.02.2026 | 9.3 |
| CVE-2026-27584 | ActualBudget server is Missing Authentication for SimpleFIN and Pluggy AI bank sync endpoints | 27.02.2026 | 9.2 |
| CVE-2026-27208 | api-gateway-deploy Affected by Exploitable Command Injection via Unprivileged Root Execution | 27.02.2026 | 9.2 |
| CVE-2025-14577 | PHP Function Injection in Slican NPC/IPL/IPM/IPU | 24.02.2026 | 9.3 |
| CVE-2025-11165 | | 24.02.2026 | 9.4 |
| CVE-2025-40541 | SolarWinds Serv-U Insecure Direct Object Reference (IDOR) Remote Code Execution Vulnerability | 26.02.2026 | 9.1 |
| CVE-2025-40538 | SolarWinds Serv-U Broken Access Control Remote Code Execution Vulnerability | 26.02.2026 | 9.1 |
| CVE-2025-40539 | SolarWinds Serv-U Type Confusion Remote Code Execution Vulnerability | 26.02.2026 | 9.1 |
| CVE-2025-40540 | SolarWinds Serv-U Type Confusion Remote Code Execution Vulnerability | 26.02.2026 | 9.1 |
| CVE-2025-13942 | | 26.02.2026 | 9.8 |
| CVE-2026-26198 | ormar is vulnerable to SQL Injection through aggregate functions min() and max() | 24.02.2026 | 9.8 |
| CVE-2026-23693 | ElementsKit Elementor Addons < 3.7.9 Unauthenticated Mailchimp REST Endpoint | 25.02.2026 | 9.3 |
| CVE-2025-41002 | SQL injection in Infoticketing | 24.02.2026 | 9.3 |
| CVE-2026-24494 | SQL injection vulnerability in Order Up Online Ordering System | 23.02.2026 | 9.8 |

Latest Updates

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-2844 | TimePictra Authentication Bypass Vulnerability | 28.02.2026 | |
| CVE-2026-3010 | TimePictra Stored Cross-Site Scripting | 28.02.2026 | |
| CVE-2025-13673 | Tutor LMS <= 3.9.6 - Unauthenticated SQL Injection via coupon_code | 28.02.2026 | 7.5 |
| CVE-2026-2471 | WP Mail Logging <= 1.15.0 - Unauthenticated PHP Object Injection via Email Log Message Field | 28.02.2026 | 7.5 |
| CVE-2026-1542 | Super Stage WP <= 1.0.1 - Unauthenticated PHP Object Injection | 28.02.2026 | |
| CVE-2026-28426 | Statamic vulnerable to privilege escalation via stored cross-site scripting | 27.02.2026 | 8.7 |
| CVE-2026-27759 | Featured Image from Content < 1.7 Authenticated SSRF via save_post | 27.02.2026 | |
| CVE-2026-28423 | Statamic Vulnerable to Server-Side Request Forgery via Glide | 27.02.2026 | 6.8 |
| CVE-2026-28424 | Statamic's missing authorization allows access to email addresses | 27.02.2026 | 6.5 |
| CVE-2026-28425 | Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs | 27.02.2026 | 8 |
| CVE-2026-28515 | openDCIM <= 23.04 Missing Authorization in install.php | 27.02.2026 | |
| CVE-2026-28516 | openDCIM <= 23.04 SQL Injection in Config::UpdateParameter | 27.02.2026 | |
| CVE-2026-28517 | openDCIM <= 23.04 OS Command Injection via dot Configuration Parameter | 27.02.2026 | |
| CVE-2026-2647 | | 27.02.2026 | |
| CVE-2026-28419 | Vim has Heap-based Buffer Underflow in Emacs tags parsing | 28.02.2026 | 5.3 |
| CVE-2026-28420 | Vim has Heap-based Buffer Overflow and OOB Read in :terminal | 28.02.2026 | 4.4 |
| CVE-2026-28421 | Vim has a heap-buffer-overflow and a segmentation fault | 28.02.2026 | 5.3 |
| CVE-2026-28422 | Vim has stack-buffer-overflow in build_stl_str_hl() | 28.02.2026 | 2.2 |
| CVE-2026-28418 | Vim has Heap-based Buffer Overflow in Emacs tags parsing | 28.02.2026 | 4.4 |
| CVE-2026-28408 | WeGIA lacks authentication verification in adicionar_tipo_docs_atendido.php | 27.02.2026 | 9.8 |
| CVE-2026-28409 | WeGIA Vulnerable to Remote Code Execution (RCE) via OS Command Injection | 27.02.2026 | 10 |
| CVE-2026-28411 | WeGIA Vulnerable to Authentication Bypass via `extract($_REQUEST)` | 27.02.2026 | 9.8 |
| CVE-2026-28415 | Gradio has Open Redirect in OAuth Flow | 27.02.2026 | 4.3 |
| CVE-2026-28416 | Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing | 27.02.2026 | 8.2 |
| CVE-2026-28417 | Vim has OS Command Injection in netrw | 28.02.2026 | 4.4 |
| CVE-2026-27167 | Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret | 27.02.2026 | 0 |
| CVE-2026-27939 | Statamic allows Authenticated Control Panel users to escalate privileges via elevated session bypass | 27.02.2026 | 8.8 |
| CVE-2026-28414 | Gradio has Absolute Path Traversal on Windows with Python 3.13+ | 27.02.2026 | 7.5 |
| CVE-2026-28406 | kaniko has tar archive path traversal in build context extraction allows writing files outside destination directory | 27.02.2026 | 8.2 |
| CVE-2026-28407 | malcontent's nested archive extraction failure can drop content from scan inputs | 27.02.2026 | |