CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-26221 Hyland OnBase Timer Services Unauthenticated .NET Remoting RCE 13.02.2026 10
CVE-2019-25322 Heatmiser Netmonitor 3.03 - Hardcoded Credentials 12.02.2026 9.3
CVE-2026-26068 emp3r0r Agent-Controlled Metadata to Operator RCE (tmux Command Injection) 12.02.2026 9.3
CVE-2026-1358 Airleader Master Unrestricted Upload of File with Dangerous Type 12.02.2026 9.8
CVE-2026-26069 Scraparr Readarr Integration exposes sensitive values as metric labels. 12.02.2026 9.1
CVE-2026-26011 Critical Heap Out-of-bounds Access in `pf_cluster_stats()` via Malicious /initialpose Covariance -- Potential Remote Code Execution 12.02.2026 9.3
CVE-2026-26020 AutoGPT Affected by Remote Code Execution via Dynamic Module Import in Block Loading (__import__) 12.02.2026 9.4
CVE-2026-25227 authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint 12.02.2026 9.1
CVE-2026-24044 ESS Community Helm Chart has a weak server key generation method 12.02.2026 9.2
CVE-2026-26218 newbee-mall Default Seeded Administrator Credentials Allow Account Takeover 12.02.2026 9.3
CVE-2026-26219 newbee-mall Unsalted MD5 Password Hashing Enables Offline Credential Cracking 12.02.2026 9.3
CVE-2026-26216 Crawl4AI < 0.8.0 Docker API Unauthenticated Remote Code Execution via Hooks Parameter 12.02.2026 10
CVE-2026-26217 Crawl4AI < 0.8.0 Docker API Local File Inclusion via file URL Handling 12.02.2026 9.2
CVE-2026-26214 Xiaomi Galaxy FDS Android SDK <= 3.0.8 TLS Hostname Verification Disabled Enables MITM 12.02.2026 9.1
CVE-2025-14014 Insecure File Upload in NTN Informatics' Smart Panel 12.02.2026 9.8
CVE-2025-10969 SQLi in Farktor Software's E-Commerce Package 12.02.2026 9.8
CVE-2026-1729 AdForest <= 6.0.12 - Authentication Bypass 12.02.2026 9.8
CVE-2026-26215 manga-image-translator Shared API Unsafe Deserialization RCE 12.02.2026 9.3
CVE-2026-26021 Prototype pollution in set-in 12.02.2026 9.4
CVE-2020-37186 Chevereto 3.13.4 Core - Remote Code Execution 12.02.2026 9.3
CVE-2026-24789 ZLAN Information Technology ZLAN5143D Missing Authentication for Critical Function 11.02.2026 9.3
CVE-2026-25084 ZLAN Information Technology ZLAN5143D Missing Authentication for Critical Function 11.02.2026 9.3
CVE-2025-12059 Improper Access Control in Logo Software's Logo j-Platform 12.02.2026 9.8
CVE-2026-2248 Unauthenticated Remote Root Shell Access via Web Console in METIS WIC 12.02.2026 9.8
CVE-2026-2249 Unauthenticated Remote Command Execution via Web Console in METIS DFS 12.02.2026 9.8
CVE-2025-8668 Reflected XSS in E-Kalite Software Hardware Engineering's Turboard 11.02.2026 9.4
CVE-2025-66277 QTS, QuTS hero 12.02.2026 9.2
CVE-2025-8025 Improper Access Control in Dinosoft Business Solutions' Dinosoft ERP 11.02.2026 9.8
CVE-2026-1357 Migration, Backup, Staging <= 0.9.123 - Unauthenticated Arbitrary File Upload 11.02.2026 9.8
CVE-2026-26009 Catalyst Affected by Remote Code Execution as Root via Containerized Install Script Execution 10.02.2026 10
CVE-2026-21531 Azure SDK for Python Remote Code Execution Vulnerability 12.02.2026 9.8
CVE-2026-25993 EverShop has a Second-Order SQL Injection in URL Rewrite Processing Derived from Category URL Keys 10.02.2026 9.3
CVE-2026-25728 ClipBucket v5 Affected by Remote Code Execution via Avatar/Background File Upload Race Condition 11.02.2026 9.3
CVE-2025-11242 SSRF in Teknolist Computer's Okulistik 10.02.2026 9.8
CVE-2026-2095 Flowring|Agentflow - Authentication Bypass 10.02.2026 9.3
CVE-2026-2096 Flowring|Agentflow - Missing Authenticaton 10.02.2026 9.3
CVE-2026-0488 Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor) 11.02.2026 9.9
CVE-2026-0509 Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform 10.02.2026 9.6
CVE-2026-25893 FUXA Unauthenticated Remote Code Execution via Admin JWT Minting 11.02.2026 10
CVE-2026-25894 FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration 11.02.2026 9.5
CVE-2026-25895 FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API 11.02.2026 9.5
CVE-2026-25938 FUXA Unauthenticated Remote Code Execution in Node-RED Integration 11.02.2026 9.5
CVE-2026-25939 FUXA Unauthenticated Remote Arbitrary Scheduler Write 11.02.2026 9.3
CVE-2026-25812 PlaciPy is Missing CSRF Protection on State-Changing Endpoints 10.02.2026 9.3
CVE-2026-25814 NoSQL Injection Risk via Unsanitized Query Parameters 10.02.2026 9.3
CVE-2026-25875 PlaciPy Admin Privilege Escalation via Trusted JWT Claims 10.02.2026 9.3
CVE-2026-25881 @nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape) 10.02.2026 9.1
CVE-2026-25885 PolarLearn allows Unauthenticated WebSocket access allows subscribing to and posting in arbitrary group chats 10.02.2026 10
CVE-2026-25057 Zip Slip in MarkUs config upload allowing RCE 10.02.2026 9.1
CVE-2025-66630 Fiber insecurely fallsback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure 10.02.2026 9.2
CVE-2025-6830 SQLi in Xpoda Türkiye Information Technology's Password Module 11.02.2026 9.8
CVE-2026-25848 10.02.2026 9.1
CVE-2026-22903 Stack Overflow via SESSIONID Cookie in lighttpd 09.02.2026 9.8
CVE-2026-22904 Stack Overflow via Oversized Cookie Fields in lighttpd 09.02.2026 9.8
CVE-2026-22906 Hardcoded Key Allows Credential Disclosure 09.02.2026 9.8
CVE-2026-2234 HGiga|C&Cm@il - Missing Authentication 09.02.2026 9.3
CVE-2026-1868 Improper Neutralization of Special Elements Used in a Template Engine in GitLab AI Gateway 09.02.2026 9.9
CVE-2026-1615 09.02.2026 9.2
CVE-2025-15027 JAY Login & Register <= 2.6.03 - Unauthenticated Privilege Escalation via jay_login_register_ajax_create_final_user 09.02.2026 9.8
CVE-2026-25858 macrozheng mall <= 1.0.3 Unauthenticated Password Reset via OTP Disclosure 10.02.2026 9.3
CVE-2020-37135 AMSS++ 4.7 - Backdoor Admin Account 10.02.2026 9.3
CVE-2026-25803 3DP-MANAGER Uses Hard-coded Credentials 09.02.2026 9.8
CVE-2026-25763 Command Injection on OpenProject repositories leads to Remote Code Execution 09.02.2026 9.4
CVE-2026-1731 Remote code execution vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) 13.02.2026 9.9
CVE-2026-1727 Information Disclosure via Bucket Squatting in Google Cloud Agentspace. 09.02.2026 9.1
CVE-2026-25544 Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters 09.02.2026 9.8
CVE-2026-25592 Semantic Kernel has an Arbitrary File Write via AI Agent Function Calling in .NET SDK 09.02.2026 10
CVE-2026-25632 EPyT-Flow has unsafe JSON deserialization (__type__) 06.02.2026 10
CVE-2026-25520 SandboxJS has a Sandbox Escape 06.02.2026 10
CVE-2026-25586 SandboxJS has a Sandbox Escape via Prototype Whitelist Bypass and Host Prototype Pollution 06.02.2026 10
CVE-2026-25587 SandboxJS has a Sandbox Escape 06.02.2026 10
CVE-2026-25641 SandboxJS has a sandbox escape via TOCTOU bug on keys in property accesses 06.02.2026 10
CVE-2026-1709 Keylime: keylime: authentication bypass allows unauthorized administrative operations due to missing client-side tls authentication 09.02.2026 9.4
CVE-2026-25643 Frigate Affected by Authenticated Remote Command Execution (RCE) and Container Escape 06.02.2026 9.1
CVE-2026-25751 FUXA Unauthenticated Exposure of Plaintext Database Credentials 09.02.2026 9.1
CVE-2026-25752 FUXA Unauthenticated Remote Arbitrary Device Tag Write 09.02.2026 9.3
CVE-2026-25753 PlaciPy has a Hard-Coded Default Password for All Student Accounts (Account Takeover) 09.02.2026 9.3
CVE-2025-69212 OpenSTAManager has an OS Command Injection in P7M File Processing 09.02.2026 9.4
CVE-2025-64111 Gogs's update .git/config file allows remote command execution 07.02.2026 9.3

Latest Updates

CVE Title Updated Score
CVE-2025-70094 13.02.2026
CVE-2026-26221 Hyland OnBase Timer Services Unauthenticated .NET Remoting RCE 13.02.2026
CVE-2026-1578 HP App – Potential Cross-Site Scripting 13.02.2026
CVE-2026-25531 Kanboard TaskCreationController::duplicateProjects() endpoint does not validate user permissions for target projects 13.02.2026 4.3
CVE-2026-23111 netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate() 13.02.2026
CVE-2026-23112 nvmet-tcp: add bounds checks in nvmet_tcp_build_pdu_iovec 13.02.2026
CVE-2025-14349 Business Logic Error in Universal Software's FlexCity/Kiosk 13.02.2026 8.8
CVE-2026-1618 Admin Account Takeover in Universal Sotware's FlexCity/Kiosk 13.02.2026 8.8
CVE-2026-1619 IDOR in Universal Sotware's FlexCity/Kiosk 13.02.2026 8.3
CVE-2026-2443 Libsoup: out-of-bounds read in libsoup handle_partial_get() leading to heap information disclosure 13.02.2026
CVE-2025-33042 Apache Avro Java SDK: Code injection on Java generated code 13.02.2026
CVE-2026-20796 Time-of-check time-of-use vulnerability in common teams API 13.02.2026 3.1
CVE-2026-22892 Insufficient Authorization in Mattermost Jira Plugin Allows Unauthorized Access to Post Attachments 13.02.2026 4.3
CVE-2026-0872 Improper Certificate Validation vulnerability in Thales SafeNet Agent for Windows Logon 13.02.2026
CVE-2025-15520 RegistrationMagic <= 6.0.7.2 - Subscriber+ Sensitive Data Disclosure 13.02.2026
CVE-2025-48021 13.02.2026
CVE-2025-48022 13.02.2026
CVE-2025-48023 13.02.2026
CVE-2025-1924 13.02.2026
CVE-2025-48019 13.02.2026
CVE-2025-48020 13.02.2026
CVE-2026-25108 13.02.2026
CVE-2026-26249 13.02.2026
CVE-2026-26250 13.02.2026
CVE-2026-26251 13.02.2026
CVE-2026-26252 13.02.2026
CVE-2026-26253 13.02.2026
CVE-2026-26254 13.02.2026
CVE-2026-26255 13.02.2026
CVE-2026-26256 13.02.2026
CVE-2026-26257 13.02.2026
CVE-2026-1721 Reflected Cross-Site Scripting (XSS) vulnerability in AI Playground site 13.02.2026
CVE-2025-9292 Permissive Web Security Policy Allows Cross-Origin Access Control Bypass on Omada Cloud Controllers 13.02.2026
CVE-2025-9293 Insufficient Certificate Validation in Multiple Mobile Applications Allows Man in the Middle Interception 13.02.2026
CVE-2024-21961 13.02.2026
CVE-2025-40905 WWW::OAuth 1.000 and earlier for Perl uses insecure rand() function for cryptographic functions 12.02.2026
CVE-2019-25318 AVS Audio Converter 9.1.2.600 - Stack Overflow 12.02.2026
CVE-2019-25319 Domain Quester Pro 6.02 - Stack Overflow (SEH) 12.02.2026
CVE-2019-25320 elearning-script 1.0 - Authentication Bypass 12.02.2026
CVE-2019-25321 FTP Navigator 8.03 - Stack Overflow (SEH) 12.02.2026
CVE-2019-25322 Heatmiser Netmonitor 3.03 - Hardcoded Credentials 12.02.2026
CVE-2019-25323 Heatmiser Netmonitor 3.03 - HTML Injection 12.02.2026
CVE-2019-25324 RICOH Web Image Monitor 1.09 - HTML Injection 13.02.2026
CVE-2019-25325 Thrive Smart Home 1.1 - 'Smart Home' Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 13.02.2026
CVE-2019-25327 Prime95 Version 29.8 build 6 - Buffer Overflow (SEH) 13.02.2026
CVE-2019-25328 XnConvert 1.82 - Denial of Service 13.02.2026
CVE-2019-25329 FTP Navigator 8.03 - 'Custom Command' Denial of Service (SEH) 12.02.2026
CVE-2019-25330 SurfOffline Professional 2.2.0.103 - 'Project Name' Denial of Service (SEH) 12.02.2026
CVE-2019-25331 AVS Audio Converter 9.1 - 'Exit folder' Buffer Overflow 12.02.2026
CVE-2019-25332 FTP Commander Pro 8.03 - Local Stack Overflow 12.02.2026
CVE-2019-25333 Bullwark Momentum Series JAWS 1.0 - 'Momentum Series JAWS' Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 12.02.2026
CVE-2019-25334 Product Key Explorer 4.2.0.0 - 'Name' Denial of Service 12.02.2026
CVE-2019-25335 PRO-7070 Hazır Profesyonel Web Sitesi 1.0 - Authentication Bypass 12.02.2026
CVE-2019-25336 SpotAuditor 5.3.2 - 'Base64' Local Buffer Overflow (SEH) 12.02.2026
CVE-2019-25337 OwnCloud 8.1.8 - Username Disclosure 12.02.2026
CVE-2019-25338 Dokuwiki 2018-04-22b - Username Enumeration 12.02.2026
CVE-2019-25339 GHIA CamIP 1.2 for iOS - 'Password' Denial of Service 12.02.2026
CVE-2019-25340 SpotAuditor 5.3.2 - 'Base64' Denial Of Service 12.02.2026
CVE-2019-25341 iNetTools for iOS 8.20 - 'Whois' Denial of Service 12.02.2026
CVE-2019-25342 Centova Cast 3.2.12 - Denial of Service 12.02.2026
CVE-2020-37167 ClamAV ClamBC <= 0.102.0 - 'ClamBC' Executable Regular Expression Error 12.02.2026
CVE-2026-26188 Solspace Freeform plugin affected by Stored Cross-Site Scripting (XSS) in Freeform Craft Plugin CP UI (builder/integrations) 13.02.2026
CVE-2025-70092 12.02.2026
CVE-2026-26068 emp3r0r Agent-Controlled Metadata to Operator RCE (tmux Command Injection) 12.02.2026
CVE-2026-26185 Directus Affected by User Enumeration via Password Reset Timing Attack 12.02.2026 5.3
CVE-2026-26224 Intego Log Reporter TOCTOU Local Privilege Escalation 13.02.2026
CVE-2026-26225 Intego Personal Backup Task File Privilege Escalation 12.02.2026
CVE-2025-14282 privilege escalation via unix domain socket forwardings 12.02.2026 5.4
CVE-2025-70845 12.02.2026
CVE-2026-26075 Cross-Site Request Forgery (CSRF) in FastGPT 12.02.2026
CVE-2026-26076 ntpd-rs affected by excessive CPU load from malformed packets 12.02.2026
CVE-2026-1358 Airleader Master Unrestricted Upload of File with Dangerous Type 12.02.2026 9.8
CVE-2026-25828 12.02.2026
CVE-2026-26069 Scraparr Readarr Integration exposes sensitive values as metric labels. 12.02.2026
CVE-2026-26055 Unauthenticated Admission Webhook Endpoints in Yoke ATC 12.02.2026 7.5
CVE-2026-26056 Arbitrary WASM Code Execution via AnnotationOverrideFlight Injection in Yoke ATC 12.02.2026 8.8
CVE-2026-26011 Critical Heap Out-of-bounds Access in `pf_cluster_stats()` via Malicious /initialpose Covariance -- Potential Remote Code Execution 12.02.2026
CVE-2026-26020 AutoGPT Affected by Remote Code Execution via Dynamic Module Import in Block Loading (__import__) 12.02.2026
CVE-2026-26000 XWiki Platform affected by click-jacking through CSS injection in comments 12.02.2026
CVE-2026-26005 ClipBucket v5 enables internal network scans via an SSRF vulnerability 12.02.2026 5
CVE-2026-0619 Integer Wraparound DoS in Silicon Labs Matter Implementation 12.02.2026
CVE-2026-25996 Inspektor Gadget uses unsanitized ANSI Escape Sequences In `columns` Output Mode 12.02.2026
CVE-2026-25933 Arduino App Lab has Improper Data Validation in Internal Terminal Interface 12.02.2026 6.9
CVE-2026-25949 Traefik: TCP readTimeout bypass via STARTTLS on Postgres 12.02.2026 7.5
CVE-2026-25767 LavinMQ has incomplete shovel configuration validation 12.02.2026
CVE-2026-25768 LavinMQ is missing vhost access control 12.02.2026
CVE-2025-67432 12.02.2026
CVE-2025-67433 12.02.2026
CVE-2025-70314 12.02.2026
CVE-2026-25227 authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint 12.02.2026 9.1
CVE-2026-25748 authentik has a forward authentication bypass with broken cookie 12.02.2026 8.6
CVE-2026-25922 authentik has a Signature Verification Bypass via SAML Assertion Wrapping 12.02.2026 8.8
CVE-2019-25343 NextVPN 4.10 - Insecure File Permissions 12.02.2026
CVE-2019-25344 MobileGo 8.5.0 - Insecure File Permissions 12.02.2026
CVE-2019-25345 RTK IIS Codec Service 6.4.10041.133 - 'RtkI2SCodec' Unquote Service Path 12.02.2026
CVE-2019-25346 thesystem 1.0 - 'server_name' SQL Injection 12.02.2026
CVE-2019-25347 thesystem App 1.0 - 'username' SQL Injection 12.02.2026
CVE-2019-25348 13.02.2026
CVE-2026-24044 ESS Community Helm Chart has a weak server key generation method 12.02.2026
CVE-2026-24894 FrankenPHP leaks session data between requests in worker mode 12.02.2026
CVE-2026-24895 FrankenPHP affected by Path Confusion via Unicode casing in CGI path splitting allows execution of arbitrary files 12.02.2026
CVE-2026-22821 mreporting affected by a SQLI on date change 12.02.2026 4.9
CVE-2026-26218 newbee-mall Default Seeded Administrator Credentials Allow Account Takeover 12.02.2026
CVE-2026-26219 newbee-mall Unsalted MD5 Password Hashing Enables Offline Credential Cracking 12.02.2026
CVE-2026-21434 webtransport-go affected by Memory Exhaustion Attack due to Missing Length Check in WT_CLOSE_SESSION Capsule 12.02.2026 5.3
CVE-2026-21435 webtransport-go CloseWithError can block indefinitely 12.02.2026 5.3
CVE-2026-21438 webtransport-go affected by a Memory Exhaustion Attack due to Missing Cleanup of Streams Map 12.02.2026 5.3
CVE-2023-31323 12.02.2026
CVE-2025-54519 12.02.2026 7.3
CVE-2023-20601 12.02.2026
CVE-2024-36319 13.02.2026
CVE-2025-52533 13.02.2026
CVE-2025-63421 12.02.2026
CVE-2025-69806 12.02.2026
CVE-2025-69807 12.02.2026