CVE Field Guide

Critical CVEs

CVE	Title	Updated	Score
CVE-2026-32865	OPEXUS eComplaint and eCase insecure password reset	19.03.2026	9.2
CVE-2026-22557		19.03.2026	10
CVE-2026-27065	WordPress BuilderPress plugin <= 2.0.1 - Local File Inclusion vulnerability	19.03.2026	9.8
CVE-2026-27067	WordPress Mobile App Editor plugin <= 1.3.1 - Arbitrary File Upload vulnerability	19.03.2026	9.1
CVE-2025-60233	WordPress Zuut theme <= 1.4.2 - PHP Object Injection vulnerability	19.03.2026	9.8
CVE-2025-60237	WordPress Finag theme <= 1.5.0 - PHP Object Injection vulnerability	19.03.2026	9.8
CVE-2026-27413	WordPress Profile Builder Pro plugin <= 3.13.9 - SQL Injection vulnerability	19.03.2026	9.3
CVE-2026-27540	WordPress Woocommerce Wholesale Lead Capture plugin <= 2.0.3.1 - Arbitrary File Upload vulnerability	19.03.2026	9
CVE-2026-27542	WordPress Woocommerce Wholesale Lead Capture plugin <= 2.0.3.1 - Privilege Escalation vulnerability	19.03.2026	9.8
CVE-2026-32731	ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction	18.03.2026	10
CVE-2026-32698	OpenProject has a SQL Injection via Custom Field Name that can be chained to Remote Code Execution	19.03.2026	9.1
CVE-2026-32703	OpenProject's repository files are served with the MIME type allowing them to be used to bypass Content Security Policy	18.03.2026	9.1
CVE-2026-25873	OmniGen2-RL Reward Server Unsafe Deserialization RCE	19.03.2026	9.3
CVE-2026-32633	Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist`	18.03.2026	9.1
CVE-2026-2991	KiviCare – Clinic & Patient Management System (EHR) <= 4.1.2 - Unauthenticated Authentication Bypass via Social Login Token	18.03.2026	9.8
CVE-2026-25449	WordPress Traveler theme < 3.2.8.1 - PHP Object Injection vulnerability	18.03.2026	9.8
CVE-2026-30884	mdjnelson/moodle-mod_customcert Vulnerable to Authorization Bypass Through User-Controlled Key	18.03.2026	9.6
CVE-2026-31938	jsPDF has HTML Injection in New Window paths	18.03.2026	9.6
CVE-2026-21994		18.03.2026	9.8
CVE-2026-32841	Edimax GS-5008PL <= 1.00.54 Global Authentication State Across All Clients	18.03.2026	9.2
CVE-2026-25769	Wazuh Cluster vulnerable to Remote Code Execution via Insecure Deserialization	18.03.2026	9.1
CVE-2026-25770	Wazuh has Privilege Escalation to Root via Cluster Protocol File Write	18.03.2026	9.1
CVE-2026-25534	Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames	17.03.2026	9.1
CVE-2026-32292	GL-iNet Comet (GL-RM1) KVM insufficient login rate-limiting	17.03.2026	9.3
CVE-2026-32295	JetKVM insufficient login rate limiting	17.03.2026	9.3
CVE-2026-32297	Angeet ES3 KVM unauthenticated arbitrary file write	17.03.2026	9.3
CVE-2026-3564	ScreenConnect Instance Level Cryptographic Material Exposure	18.03.2026	9
CVE-2026-4312	DrangSoft｜GCB/FCB Audit Software - Missing Authentication	17.03.2026	9.3
CVE-2026-28430	Chamilo LMS Vulnerable to Unauthenticated SQL Injection in chamiko-lms model.ajax.php	17.03.2026	9.3
CVE-2026-27962	Authlib JWS JWK Header Injection: Signature Verification Bypass	18.03.2026	9.1
CVE-2026-4254	Tenda AC8 HTTP Endpoint SysToolChangePwd doSystemCmd stack-based overflow	16.03.2026	9.3
CVE-2026-23489	Fields GLPI plugin vulnerable to RCE in dropdown generation	16.03.2026	9.1
CVE-2026-4252	Tenda AC8 IPv6 check_is_ipv6 ip address for authentication	16.03.2026	9.3
CVE-2025-62319	Boolean-Based SQL Injection in Multiple Unica Components	17.03.2026	9.8
CVE-2017-20223	Telesquare SKT LTE Router SDT-CS3B1 Insecure Direct Object Reference	16.03.2026	9.3
CVE-2017-20224	Telesquare SKT LTE Router SDT-CS3B1 WebDAV Arbitrary File Upload	16.03.2026	9.3
CVE-2026-4184	D-Link DIR-816 goahead form2Wl5BasicSetup.cgi stack-based overflow	16.03.2026	9.3
CVE-2026-4183	D-Link DIR-816 goahead form2WlanBasicSetup.cgi stack-based overflow	16.03.2026	9.3
CVE-2026-4181	D-Link DIR-816 goahead form2RepeaterStep2.cgi stack-based overflow	16.03.2026	9.3
CVE-2026-4182	D-Link DIR-816 goahead form2Wl5RepeaterStep2.cgi stack-based overflow	16.03.2026	9.3
CVE-2016-20024	ZKTeco ZKTime.Net 3.0.1.6 Insecure File Permissions Privilege Escalation	16.03.2026	9.3
CVE-2016-20026	ZKTeco ZKBioSecurity 3.0 Hardcoded Credentials Remote Code Execution	16.03.2026	9.3
CVE-2016-20030	ZKTeco ZKBioSecurity 3.0 User Enumeration via authLoginAction	16.03.2026	9.3
CVE-2026-4170	Topsec TopACM HTTP Request nmc_sync.php os command injection	16.03.2026	9.3
CVE-2026-4164	Wavlink WL-WN578W2 POST Request wireless.cgi GuestWifi command injection	17.03.2026	9.3
CVE-2026-4163	Wavlink WL-WN579A3 POST Request wireless.cgi GuestWifi command injection	17.03.2026	9.3
CVE-2025-15060	claude-hovercraft executeClaudeCode Command Injection Remote Code Execution Vulnerability	16.03.2026	9.8
CVE-2026-32621	Apollo Federation has prototype pollution via incomplete key sanitization	16.03.2026	9.9
CVE-2026-32626	AnythingLLM has a Streaming Phase XSS to RCE via LLM Response Injection	16.03.2026	9.7
CVE-2026-31886	Dagu has a Path Traversal via `dagRunId` in Inline DAG Execution	13.03.2026	9.1
CVE-2026-31806	FreeRDP has a Heap Buffer Overflow in nsc_process_message() via Unchecked SURFACE_BITS_COMMAND Bitmap Dimensions	15.03.2026	9.3
CVE-2026-32746		19.03.2026	9.8
CVE-2026-26954	SandboxJS has a Sandbox Escape	16.03.2026	10
CVE-2026-3891	Pix for WooCommerce <= 1.5.0 - Unauthenticated Arbitrary File Upload	13.03.2026	9.8
CVE-2026-22193	wpDiscuz before 7.6.47 - SQL Injection in getAllSubscriptions()	13.03.2026	9.2
CVE-2026-32301	Centrifugo: SSRF via unverified JWT claims interpolated into dynamic JWKS endpoint URL	13.03.2026	9.3
CVE-2026-32304	Locutus: RCE via unsanitized input in create_function()	13.03.2026	9.8
CVE-2026-32306	OneUptime ClickHouse SQL Injection via Aggregate Query Parameters	14.03.2026	10
CVE-2026-3611	Honeywell IQ4x BMS Controller Missing authentication for critical function	13.03.2026	10
CVE-2026-32248	Parse Server: Account takeover via operator injection in authentication data identifier	13.03.2026	9.3
CVE-2026-32251	Tolgee has an XXE Injection in Translation Import	13.03.2026	9.3
CVE-2026-32242	Parse Server OAuth2 adapter shares mutable state across providers via singleton instance	12.03.2026	9.1

Latest Updates

CVE	Title	Updated	Score
CVE-2026-30404		19.03.2026
CVE-2026-32865	OPEXUS eComplaint and eCase insecure password reset	19.03.2026
CVE-2026-32866	OPEXUS eComplaint and eCase stored XSS via profile first and last name	19.03.2026
CVE-2026-32867	OPEXUS eComplaint unauthenticated file upload	19.03.2026	5.4
CVE-2026-32868	OPEXUS eComplaint and eCASE XSS via my information	19.03.2026
CVE-2026-32869	OPEXUS eComplaint and eCASE XSS via Name of Organization field	19.03.2026
CVE-2026-3029	CVE-2026-3029	19.03.2026
CVE-2026-30402		19.03.2026
CVE-2025-69720		19.03.2026
CVE-2026-27043	WordPress Photography theme <= 7.7.5 - Arbitrary File Upload vulnerability	19.03.2026	7.2
CVE-2026-32843	Linkit ONE Location Aware Sensor System (LASS) Reflected XSS via PM25.php	19.03.2026
CVE-2026-22557		19.03.2026	10
CVE-2026-22558		19.03.2026	7.7
CVE-2026-2369	Libsoup: libsoup: buffer overread due to integer underflow when handling zero-length resources	19.03.2026
CVE-2026-30711		19.03.2026
CVE-2026-4427	Github.com/jackc/pgproto3: pgproto3: denial of service via negative field length in datarow message	19.03.2026
CVE-2026-4424	Libarchive: libarchive: information disclosure via heap out-of-bounds read in rar archive processing	19.03.2026
CVE-2026-4426	Libarchive: libarchive: denial of service via malformed iso file processing	19.03.2026
CVE-2025-71257	BMC 20.20.02 <= 20.24.01.001 FootPrints ITSM Authentication Bypass	19.03.2026
CVE-2025-71258	BMC 20.20.02 <= 20.24.01.001 FootPrints ITSM Blind SSRF in searchWeb	19.03.2026
CVE-2025-71259	BMC 20.20.02 <= 20.24.01.001 FootPrints ITSM Blind SSRF in externalfeed/RSS	19.03.2026
CVE-2025-71260	BMC 20.20.02 <= 20.24.01.001 FootPrints ITSM VIEWSTATE Deserialization RCE	19.03.2026
CVE-2026-3511		19.03.2026	8.6
CVE-2006-10002	XML::Parser versions through 2.47 for Perl could overflow the pre-allocated buffer size cause a heap corruption (double free or corruption) and crashes	19.03.2026
CVE-2006-10003	XML::Parser versions through 2.47 for Perl has an off-by-one heap buffer overflow in st_serial_stack	19.03.2026
CVE-2026-3658	Appointment Booking Calendar <= 1.6.10.0 - Unauthenticated SQL Injection via 'fields' Parameter	19.03.2026	7.5
CVE-2025-14716	Unauthorized access to information	19.03.2026	6.5
CVE-2026-21788	HCL Connections is vulnerable to cross-site scripting (XSS)	19.03.2026	5.4
CVE-2026-27068	WordPress Website LLMs.txt plugin <= 8.2.6 - Reflected Cross Site Scripting (XSS) vulnerability	19.03.2026	7.1
CVE-2026-27070	WordPress Everest Forms Pro plugin <= 1.9.10 - Cross Site Scripting (XSS) vulnerability	19.03.2026	7.1
CVE-2025-62043	WordPress WPCasa plugin <= 1.4.1 - Cross Site Scripting (XSS) vulnerability	19.03.2026	6.5
CVE-2025-67618	WordPress Brookside theme <= 1.4 - Reflected Cross Site Scripting (XSS) vulnerability	19.03.2026	7.1
CVE-2025-68836	WordPress Table of Contents Creator plugin <= 1.6.4.1 - Reflected Cross Site Scripting (XSS) vulnerability	19.03.2026	7.1
CVE-2026-25438	WordPress Gutenberg Blocks – Unlimited blocks For Gutenberg plugin <= 1.2.8 - Reflected Cross Site Scripting (XSS) vulnerability	19.03.2026	7.1
CVE-2026-25442	WordPress Kentha theme <= 4.7.2 - Reflected Cross Site Scripting (XSS) vulnerability	19.03.2026	7.1
CVE-2026-25443	WordPress Fraud Prevention For Woocommerce plugin <= 2.3.3 - Arbitrary Content Deletion vulnerability	19.03.2026	7.5
CVE-2026-25445	WordPress WishList Member X plugin <= 3.29.0 - PHP Object Injection vulnerability	19.03.2026	8.8
CVE-2026-27065	WordPress BuilderPress plugin <= 2.0.1 - Local File Inclusion vulnerability	19.03.2026	9.8
CVE-2026-27067	WordPress Mobile App Editor plugin <= 1.3.1 - Arbitrary File Upload vulnerability	19.03.2026	9.1
CVE-2025-32223	WordPress Tutor LMS plugin <= 3.9.4 - Insecure Direct Object References (IDOR) vulnerability	19.03.2026	6.5
CVE-2025-50001	WordPress tagDiv Composer plugin <= 5.4.2 - Reflected Cross Site Scripting (XSS) vulnerability	19.03.2026	7.1
CVE-2025-53222	WordPress tagDiv Opt-In Builder plugin <= 1.7.3 - Reflected Cross Site Scripting (XSS) vulnerability	19.03.2026	7.1
CVE-2025-60233	WordPress Zuut theme <= 1.4.2 - PHP Object Injection vulnerability	19.03.2026	9.8
CVE-2025-60237	WordPress Finag theme <= 1.5.0 - PHP Object Injection vulnerability	19.03.2026	9.8
CVE-2024-42210	HCL Unica Marketing Operations v12.1.8 and lower is affected by a Stored cross-site scripting (XSS) vulnerability	19.03.2026	7.6
CVE-2026-3475	Instant Popup Builder <= 1.1.7 - Unauthenticated Arbitrary Shortcode Execution via 'token' Parameter	19.03.2026	5.3
CVE-2026-25312	WordPress EventPrime plugin <= 4.2.8.3 - Payment Bypass vulnerability	19.03.2026	7.5
CVE-2026-25471	WordPress Admin Safety Guard plugin <= 1.2.6 - Broken Authentication vulnerability	19.03.2026	8.1
CVE-2026-27091	WordPress UiPress lite plugin <= 3.5.09 - Broken Access Control vulnerability	19.03.2026	6.3
CVE-2026-27093	WordPress Tripgo theme < 1.5.6 - Local File Inclusion vulnerability	19.03.2026	8.1
CVE-2026-2571	Download Manager <= 3.3.49 - Missing Authorization to Authenticated (Subscriber+) User Email Enumeration via 'user' Parameter	19.03.2026	4.3
CVE-2026-4006	Draft List <= 2.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'display_name' Parameter	19.03.2026	6.4
CVE-2026-4068	Add Custom Fields to Media <= 2.0.3 - Cross-Site Request Forgery to Custom Field Deletion via 'delete' Parameter	19.03.2026	4.3
CVE-2026-4120	Info Cards <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Attributes	19.03.2026	6.4
CVE-2026-27096	WordPress ColorFolio - Freelance Designer WordPress Theme theme <= 1.3 - Deserialization of untrusted data vulnerability	19.03.2026	8.1
CVE-2026-27397	WordPress Really Simple Security Pro plugin <= 9.5.4.0 - Insecure Direct Object References (IDOR) vulnerability	19.03.2026	6.5
CVE-2026-27413	WordPress Profile Builder Pro plugin <= 3.13.9 - SQL Injection vulnerability	19.03.2026	9.3
CVE-2026-27540	WordPress Woocommerce Wholesale Lead Capture plugin <= 2.0.3.1 - Arbitrary File Upload vulnerability	19.03.2026	9
CVE-2026-27542	WordPress Woocommerce Wholesale Lead Capture plugin <= 2.0.3.1 - Privilege Escalation vulnerability	19.03.2026	9.8
CVE-2026-28044	WordPress WP Rocket plugin <= 3.19.4 - Cross Site Scripting (XSS) vulnerability	19.03.2026	5.9
CVE-2026-28070	WordPress WP eMember plugin <= v10.2.2 - Broken Access Control vulnerability	19.03.2026	5.3
CVE-2026-28073	WordPress WP eMember theme <= v10.2.2 - Reflected Cross Site Scripting (XSS) vulnerability	19.03.2026	7.1
CVE-2026-1238	SlimStat Analytics <= 5.3.5 - Unauthenticated Stored Cross-Site Scripting via 'fh'	19.03.2026	7.2
CVE-2025-13995	IBM QRadar SIEM Information Disclosure	19.03.2026	5
CVE-2025-15051	IBM QRadar SIEM Cross-Site Scripting	19.03.2026	5.4
CVE-2025-36051	IBM QRadar SIEM Information Disclosure	19.03.2026	6.2
CVE-2026-1276	IBM QRadar SIEM Cross-Site Scripting	19.03.2026	5.4
CVE-2026-22176	OpenClaw < 2026.2.19 - Command Injection via Unescaped Environment Variables in Windows Scheduled Task Script Generation	19.03.2026
CVE-2026-27566	OpenClaw < 2026.2.22 - Allowlist Bypass via Wrapper Binary Unwrapping in system.run	19.03.2026
CVE-2026-27670	OpenClaw < 2026.3.2 - Arbitrary File Write via ZIP Extraction Parent Symlink Race Condition	19.03.2026
CVE-2026-28449	OpenClaw < 2026.2.25 - Webhook Replay Attack via Missing Durable Replay Suppression	19.03.2026
CVE-2026-28460	OpenClaw < 2026.2.22 - Allowlist Bypass via Shell Line-Continuation Command Substitution in system.run	19.03.2026
CVE-2026-28461	OpenClaw < 2026.3.1 - Unbounded Memory Growth in Zalo Webhook via Query String Key Churn	19.03.2026
CVE-2026-29607	OpenClaw < 2026.2.22 - Authorization Bypass via allow-always Wrapper Persistence	19.03.2026
CVE-2026-29608	OpenClaw 2026.3.1 < 2026.3.2 - Approval Integrity Bypass via system.run argv Rewriting	19.03.2026
CVE-2026-31989	OpenClaw < 2026.3.1 - Server-Side Request Forgery via web_search Citation Redirect	19.03.2026
CVE-2026-31990	OpenClaw < 2026.3.2 - Symlink Traversal in stageSandboxMedia Destination	19.03.2026
CVE-2026-31991	OpenClaw < 2026.2.26 - Authorization Bypass via DM Pairing-Store Leakage in Signal Group Allowlist	19.03.2026
CVE-2026-31992	OpenClaw < 2026.2.23 - Allowlist Exec-Guard Bypass via env -S	19.03.2026
CVE-2026-31993	OpenClaw < 2026.2.22 - Allowlist Parsing Mismatch in system.run Shell Chains	19.03.2026
CVE-2026-31994	OpenClaw < 2026.2.19 - Local Command Injection via Unsafe cmd Argument Handling in Windows Scheduled Task Script Generation	19.03.2026
CVE-2026-31995	OpenClaw 2026.1.21 < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Extension	19.03.2026
CVE-2026-31996	OpenClaw < 2026.2.19 - safeBins stdin-only bypass via sort output and recursive grep flags	19.03.2026
CVE-2026-31997	OpenClaw < 2026.3.1 - Executable Rebind via Unbound PATH-token in system.run Approvals	19.03.2026
CVE-2026-31998	OpenClaw 2026.2.22 < 2026.2.24 - Authorization Bypass in Synology Chat Plugin via Empty allowedUserIds	19.03.2026
CVE-2026-31999	OpenClaw 2026.2.26 < 2026.3.1 - Current Working Directory Injection via Windows Wrapper Resolution Fallback	19.03.2026
CVE-2026-32000	OpenClaw < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Tool Execution	19.03.2026
CVE-2026-32743	PX4 Autopilot: Stack-based Buffer Overflow via Oversized Path Input in MAVLink Log Request Handling	19.03.2026	6.5
CVE-2026-32255	Kan is Vulnerable to Unauthenticated SSRF via Attachment Download Endpoint	18.03.2026	8.6
CVE-2026-32737	Romeo's invalid NetworkPolicy enables a malicious actor to pivot into another namespace	18.03.2026
CVE-2026-32805	Romeo is vulnerable to Archive Slip due to missing checks in sanitization	19.03.2026
CVE-2026-3181		18.03.2026
CVE-2025-15031	Path Traversal Vulnerability in mlflow/mlflow	19.03.2026
CVE-2026-32730	ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware	18.03.2026	8.1
CVE-2026-32731	ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction	18.03.2026	10
CVE-2026-32735	Unpacking Arbitrary Mustache Template Files via `maven-dependency-plugin`	19.03.2026
CVE-2026-32736	Hytale Modding Wiki has Insecure Direct Object Reference / GDPR PII Exposure	18.03.2026	4.3
CVE-2026-32944	Parse Server crash via deeply nested query condition operators	18.03.2026
CVE-2026-33042	Parse Server affected by empty authData bypassing credential requirement on signup	18.03.2026
CVE-2026-33163	Parse Server leaks protected fields via LiveQuery afterEvent trigger	19.03.2026
CVE-2026-32728	Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries	19.03.2026
CVE-2026-32742	Parse Server session creation endpoint allows overwriting server-generated session fields	18.03.2026	4.3
CVE-2026-32770	Parse Server: LiveQuery subscription with invalid regular expression crashes server	19.03.2026	5.9
CVE-2026-32878	Parse Server vulnerable to schema poisoning via prototype pollution in deep copy	18.03.2026
CVE-2026-32886	Parse Server's Cloud function dispatch crashes server via prototype chain traversal	18.03.2026
CVE-2026-32943	Parse Server has a password reset token single-use bypass via concurrent requests	19.03.2026
CVE-2026-4407	Out-of-bounds array write in Xpdf 4.06 due to missing validation	19.03.2026
CVE-2026-32722	Memray-generated HTML reports vulnerable to Stored XSS via unescaped command-line metadata	18.03.2026	3.6
CVE-2026-32723	SandboxJS timers have an execution-quota bypass (cross-sandbox currentTicks race)	19.03.2026
CVE-2026-32698	OpenProject has a SQL Injection via Custom Field Name that can be chained to Remote Code Execution	19.03.2026	9.1
CVE-2026-32703	OpenProject's repository files are served with the MIME type allowing them to be used to bypass Content Security Policy	18.03.2026	9.1
CVE-2026-32700	Devise has a confirmable "change email" race condition that permits user to confirm email they have no access to	18.03.2026
CVE-2026-25745	OpenEMR's Message Update Ignores Patient id	18.03.2026	6.5
CVE-2026-25873	OmniGen2-RL Reward Server Unsafe Deserialization RCE	19.03.2026
CVE-2026-31972	samtools mpileup has use-after-free leading to an invalid read	19.03.2026
CVE-2026-31973	NULL pointer dereference in samtools cram-size	18.03.2026
CVE-2026-32321	ClipBucket v5 has time-based Blind SQL Injection in ajax.php that leads to Data Exfiltration	18.03.2026	8.8
CVE-2026-32636	ImageMagick has a heap-buffer-overflow in NewXMLTree which could result in crash	19.03.2026	5.3
CVE-2026-32638	StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens	19.03.2026	2.7
CVE-2026-0866		18.03.2026
CVE-2026-31969	HTSlib CRAM decoder has a heap buffer overflow	18.03.2026
CVE-2026-31970	HTSlib BGZF index file reader has a heap buffer overflow	18.03.2026
CVE-2026-31971	HTSlib CRAM decoder vulnerable to buffer overflow	18.03.2026
CVE-2026-4396		18.03.2026
CVE-2026-31968	HTSlib CRAM decoder vulnerable to buffer overflow	18.03.2026
CVE-2026-31966	HTSlib CRAM reader has out-of-bounds read due to improper validation of input	18.03.2026
CVE-2026-31967	HTSlib CRAM reader has out-of-bounds read due to improper validation of input	18.03.2026
CVE-2025-58112		19.03.2026
CVE-2026-31965	HTSlib CRAM reader has out-of-bounds reads due to improper validation of input	19.03.2026
CVE-2026-31963	HTSlib CRAM reader has heap buffer overflow due to improper validation of input	18.03.2026
CVE-2026-31964	HTSlib CRAM decoder has a NULL Pointer Dereference	18.03.2026