CVE Field Guide

Critical CVEs

CVE	Title	Updated	Score
CVE-2026-22240	Plaintext Passwords Vulnerability in BLUVOYIX	14.01.2026	10
CVE-2026-22236	Improper Authentication Vulnerability in BLUVOYIX	14.01.2026	10
CVE-2026-22237	Exposed Internal API Documentation Vulnerability in BLUVOYIX	14.01.2026	10
CVE-2026-22238	Administrator Account Creation Vulnerability in BLUVOYIX	14.01.2026	10
CVE-2026-22239	Email Sending Vulnerability in BLUVOYIX	14.01.2026	10
CVE-2026-23550	WordPress Modular DS plugin <= 2.5.1 - Privilege Escalation vulnerability	14.01.2026	10
CVE-2025-14301	Integration Opvius AI for WooCommerce <= 1.3.0 - Unauthenticated Arbitrary File Deletion/Read via Path Traversal	14.01.2026	9.8
CVE-2025-14502	News and Blog Designer Bundle <= 1.1 - Unauthenticated Local File Inclusion	14.01.2026	9.8
CVE-2026-22686	Sandbox Escape via Host Error Prototype Chain in enclave-vm	14.01.2026	10
CVE-2022-50893	VIAVIWEB Wallpaper Admin 1.0 - Code Execution via Image Upload	14.01.2026	9.3
CVE-2020-36911	Covenant 0.5 - Remote Code Execution (RCE)	14.01.2026	9.3
CVE-2022-50912	ImpressCMS 1.4.4 - Unrestricted File Upload	14.01.2026	9.3
CVE-2022-50919	Tdarr 2.00.15 - Command Injection	14.01.2026	9.3
CVE-2023-54329	Inbit Messenger 4.9.0 - Unauthenticated Remote Command Execution (RCE)	14.01.2026	9.3
CVE-2023-54330	Inbit Messenger 4.9.0 - Unauthenticated Remote SEH Overflow	14.01.2026	9.3
CVE-2023-54335	eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE)	14.01.2026	9.3
CVE-2023-54339	Webgrind 1.1 - Remote Command Execution (RCE) via dataFile Parameter	14.01.2026	9.3
CVE-2026-23478	Cal.com has an Authentication Bypass via Unvalidated Email in Custom JWT Callback	14.01.2026	10
CVE-2025-68271	Unauthenticated Remote Code Execution in openc3-api	13.01.2026	10
CVE-2025-47855		14.01.2026	9.3
CVE-2025-64155		14.01.2026	9.4
CVE-2025-12548	Github.com/che-incubator/che-code: eclipse che — unauthenticated rce and secret exfiltration via tcp/3333	13.01.2026	9
CVE-2026-22755	Remote code injection via upload_map.cgi in Legacy Vivotek Devices	13.01.2026	9.3
CVE-2025-11250	Authentication Bypass	13.01.2026	9.1
CVE-2025-40805		13.01.2026	10
CVE-2026-0491	Code Injection vulnerability in SAP Landscape Transformation	14.01.2026	9.1
CVE-2026-0498	Code Injection vulnerability in SAP S/4HANA (Private Cloud and On-Premise)	14.01.2026	9.1
CVE-2026-0500	Remote code execution in SAP Wily Introscope Enterprise Manager (WorkStation)	13.01.2026	9.6
CVE-2026-0501	SQL Injection Vulnerability in SAP S/4HANA Private Cloud and On-Premise (Financials � General Ledger)	14.01.2026	9.9
CVE-2026-22813	Malicious website can execute commands on the local system through XSS in the OpenCode web UI	13.01.2026	9.4
CVE-2026-22799	emlog Arbitrary File Upload Vulnerability	13.01.2026	9.3
CVE-2026-22794	Account Takeover Vulnerability in Appsmith	13.01.2026	9.7
CVE-2025-12420	Unauthenticated Privilege Escalation in ServiceNow AI Platform	14.01.2026	9.3
CVE-2026-22785	orval MCP client is vulnerable to a code injection attack.	12.01.2026	9.3
CVE-2026-22781	TinyWeb CGI Command Injection	12.01.2026	10
CVE-2026-22783	Iris Allows Arbitrary File Deletion via Mass Assignment in Datastore File Management	12.01.2026	9.6
CVE-2026-22252	LibreChat MCP Stdio Remote Command Execution	12.01.2026	9.1
CVE-2025-41006	Multiple vulnerabilities in Imaster products Open configuration options	12.01.2026	9.3
CVE-2025-52694	Execution of arbitrary SQL commands	12.01.2026	10
CVE-2026-22688	WeKnora has Command Injection in MCP stdio test	12.01.2026	10
CVE-2025-65091	XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService	12.01.2026	10
CVE-2025-61686	React Router has Path Traversal in File Session Storage	10.01.2026	9.1
CVE-2026-22600	OpenProject is Vulnerable to Arbitrary File Read via ImageMagick SVG Coder	13.01.2026	9.1
CVE-2025-15501	Sangfor Operation and Maintenance Management System getCmd WriterHandle.getCmd os command injection	12.01.2026	9.3
CVE-2025-15500	Sangfor Operation and Maintenance Management System HTTP POST Request getHis os command injection	09.01.2026	9.3
CVE-2020-36875	AccessAlly < 3.3.2 Unauthenticated Arbitrary PHP Code Execution	09.01.2026	9.3
CVE-2025-69425	Ruckus vRIoT IoT Controller < 3.0.0.0 Hardcoded Tokens RCE	09.01.2026	10
CVE-2025-69426	Ruckus vRIoT IoT Controller < 3.0.0.0 Hardcoded SSH Credentials RCE	09.01.2026	10
CVE-2025-66050	No password set for administrative account in Vivotek IP7137 cameras	09.01.2026	9.3
CVE-2025-7072	Hardcoded credentials in KAON CG3000T/CG3000CT routers	09.01.2026	9.3
CVE-2025-64093	Unauthenticated Remote Code Execution via the device hostname	09.01.2026	10
CVE-2025-64090	Authenticated Remote Code Execution in device hostname	09.01.2026	10
CVE-2025-14741	Frontend Admin by DynamiApps <= 3.28.25 - Missing Authorization to Unauthenticated Arbitrary Data Deletion via 'delete post' Form Element	09.01.2026	9.1
CVE-2025-70974		09.01.2026	10
CVE-2025-14736	Frontend Admin by DynamiApps <= 3.28.25 - Unauthenticated Privilege Escalation to Administrator via Role Form Field	09.01.2026	9.8
CVE-2026-22234	OPEXUS eCasePortal unauthenticated IDOR	08.01.2026	9.3
CVE-2025-59468		09.01.2026	9
CVE-2025-59469		09.01.2026	9
CVE-2025-59470		09.01.2026	9

Latest Updates

CVE	Title	Updated	Score
CVE-2025-14457	Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.2 - Missing Authorization to Unauthenticated File Deletion	15.01.2026	3.7
CVE-2025-14448	WP-Members Membership Plugin <= 3.5.4.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Checkbox and Multiple Select User Profile Fields	15.01.2026	5.4
CVE-2026-23574		15.01.2026
CVE-2026-23575		15.01.2026
CVE-2026-23576		15.01.2026
CVE-2026-23577		15.01.2026
CVE-2026-23578		15.01.2026
CVE-2026-23579		15.01.2026
CVE-2026-23580		15.01.2026
CVE-2026-23581		15.01.2026
CVE-2026-23582		15.01.2026
CVE-2025-12166	Simply Schedule Appointments <= 1.6.9.9 - Unauthenticated SQL Injection via `order` and `append_where_sql` Parameters	14.01.2026	7.5
CVE-2025-12533		14.01.2026
CVE-2025-14058		14.01.2026
CVE-2026-0600	Nexus Repository 3 - Server-Side Request Forgery in Proxy Repository Configuration	14.01.2026
CVE-2025-13154		14.01.2026
CVE-2025-13453		14.01.2026
CVE-2025-13454		14.01.2026
CVE-2025-13455		14.01.2026
CVE-2026-0421		14.01.2026
CVE-2026-0601	Nexus Repository 3 - Cross-Site Scripting	14.01.2026
CVE-2026-0861	Integer overflow in memalign leads to heap corruption	14.01.2026
CVE-2026-23512	SumatraPDF has an Untrusted Search Path in sumatrapdf/src/AppTools.cpp	14.01.2026	8.6
CVE-2026-0959	Out-of-bounds Write in Wireshark	14.01.2026	5.3
CVE-2026-0960	Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark	14.01.2026	4.7
CVE-2026-0961	Out-of-bounds Write in Wireshark	14.01.2026	5.5
CVE-2026-0962	Out-of-bounds Write in Wireshark	14.01.2026	5.3
CVE-2026-22036	Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion	14.01.2026	3.7
CVE-2025-11224	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab	15.01.2026	7.7
CVE-2025-14556	XSS in Drupal 7 Flag Module	14.01.2026
CVE-2025-14557	XSS in Drupal 7 Facebook Pixel Module	14.01.2026
CVE-2025-33206		15.01.2026	7.8
CVE-2025-71164	Typesetter CMS Reflected XSS via Editing.php	14.01.2026
CVE-2025-71165	Typesetter CMS Reflected XSS via Status.php	14.01.2026
CVE-2025-71166	Typesetter CMS Reflected XSS via Move Message Handling	14.01.2026
CVE-2026-23492	Pimcore has a Blind SQL Injection in Admin Search Find API due to an incomplete fix for CVE-2023-30848	14.01.2026	8.8
CVE-2026-23497	Frappe LMS has a Stored XSS via Unsanitized Image Filename in Course and Jobs Pages	14.01.2026
CVE-2026-23498	Shopware Improper Control of Generation of Code in Twig rendered views	14.01.2026	7.2
CVE-2026-23477	Rocket.Chat Unauthorized Access to OAuth App Details	14.01.2026	7.7
CVE-2026-22819	Outray has a Race Condition in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts	14.01.2026	5.9
CVE-2026-22855	FreeRDP has a heap-buffer-overflow in smartcard_unpack_set_attrib_call	14.01.2026
CVE-2026-22856	FreeRDP has a heap-use-after-free in create_irp_thread	14.01.2026
CVE-2026-22857	FreeRDP has a heap-use-after-free in irp_thread_func	14.01.2026
CVE-2026-22858	FreeRDP has a global-buffer-overflow in crypto_base64_decode	14.01.2026
CVE-2026-22859	FreeRDP has a heap-buffer-overflow in urb_select_configuration	14.01.2026
CVE-2026-22851	FreeRDP RDPGFX ResetGraphics race leads to use-after-free in SDL client (sdl->primary)	14.01.2026
CVE-2026-22852	FreeRDP has a heap-buffer-overflow in audin_process_formats	14.01.2026
CVE-2026-22853	FreeRDP has a heap-buffer-overflow in ndr_read_uint8Array	14.01.2026
CVE-2026-22854	FreeRDP has a heap-buffer-overflow in drive_process_irp_read	14.01.2026
CVE-2025-63644		14.01.2026
CVE-2025-70747		14.01.2026
CVE-2025-65397		14.01.2026
CVE-2025-71021		14.01.2026
CVE-2025-65396		14.01.2026
CVE-2025-67833		14.01.2026
CVE-2025-67834		14.01.2026
CVE-2025-67835		14.01.2026
CVE-2026-22779	BlackSheep ClientSession is vulnerable to CRLF injection	14.01.2026
CVE-2026-22787	html2pdf.js has a cross-site scripting vulnerability	14.01.2026
CVE-2026-21889	Weblate leaks information via screenshots	14.01.2026
CVE-2026-22694	AliasVault is Missing Origin Validation in Android Passkey Credential Provider	14.01.2026	6.1
CVE-2026-22708	Cursor has a Terminal Tool Allowlist Bypass via Environment Variables	14.01.2026
CVE-2025-37181	Authenticated SQL Injection in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface	14.01.2026	7.2
CVE-2025-37182	Authenticated SQL Injection in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface	14.01.2026	7.2
CVE-2025-37183	Authenticated SQL Injection in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface	14.01.2026	7.2
CVE-2025-37184	Unauthenticated Bypass Allows Multi-Factor Authentication Circumvention	14.01.2026	6.5
CVE-2025-37185	Authenticated Stored Cross-Site Scripting Vulnerabilities (XSS) in EdgeConnect SD-WAN Orchestrator Web Administration Interface	14.01.2026	5.5
CVE-2025-70968		14.01.2026
CVE-2025-67399		14.01.2026
CVE-2025-14242	Vsftpd: vsftpd: denial of service via integer overflow in ls command parameter parsing	14.01.2026