| CVE-2026-26366 |
JUNG eNet SMART HOME server 2.2.1/2.3.1 Use of Default Credentials |
15.02.2026 |
9.3 |
| CVE-2026-26369 |
JUNG eNet SMART HOME server 2.2.1/2.3.1 Privilege Escalation via setUserGroup |
15.02.2026 |
9.3 |
| CVE-2025-32058 |
Stack Overflow in processing requests over INC interface on RH850 side of Infotainment ECU |
15.02.2026 |
9.3 |
| CVE-2026-1490 |
Spam protection, Honeypot, Anti-Spam by CleanTalk <= 6.71 - Authorization Bypass via Reverse DNS (PTR record) Spoofing to Unauthenticated Arbitrary Plugin Installation |
15.02.2026 |
9.8 |
| CVE-2025-8572 |
Truelysell Core <= 1.8.7 - Unauthenticated Privilege Escalation via Registration |
14.02.2026 |
9.8 |
| CVE-2026-1306 |
midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload via 'export' AJAX Action |
14.02.2026 |
9.8 |
| CVE-2026-26273 |
Known affected by Account Takeover via Password Reset Token Leakage |
13.02.2026 |
9.8 |
| CVE-2026-26333 |
Calero VeraSMART < 2022 R1 .NET Remoting Arbitrary File Read Leading to ViewState RCE |
13.02.2026 |
10 |
| CVE-2026-26335 |
Calero VeraSMART < 2022 R1 Static IIS Machine Keys Enable ViewState RCE |
13.02.2026 |
9.3 |
| CVE-2026-26190 |
Milvus Allows Unauthenticated Access to Restful API on Metrics Port (9091) Leads to Critical System Compromise |
13.02.2026 |
9.8 |
| CVE-2026-26221 |
Hyland OnBase Timer Services Unauthenticated .NET Remoting RCE |
13.02.2026 |
10 |
| CVE-2019-25322 |
Heatmiser Netmonitor 3.03 - Hardcoded Credentials |
13.02.2026 |
9.3 |
| CVE-2026-26068 |
emp3r0r Agent-Controlled Metadata to Operator RCE (tmux Command Injection) |
13.02.2026 |
9.3 |
| CVE-2026-1358 |
Airleader Master Unrestricted Upload of File with Dangerous Type |
13.02.2026 |
9.8 |
| CVE-2026-26069 |
Scraparr Readarr Integration exposes sensitive values as metric labels. |
13.02.2026 |
9.1 |
| CVE-2026-26011 |
Critical Heap Out-of-bounds Access in `pf_cluster_stats()` via Malicious /initialpose Covariance -- Potential Remote Code Execution |
13.02.2026 |
9.3 |
| CVE-2026-26020 |
AutoGPT Affected by Remote Code Execution via Dynamic Module Import in Block Loading (__import__) |
12.02.2026 |
9.4 |
| CVE-2026-25227 |
authentik affected by Remote Code Execution via Context Key Injection in PropertyMapping Test Endpoint |
12.02.2026 |
9.1 |
| CVE-2026-24044 |
ESS Community Helm Chart has a weak server key generation method |
12.02.2026 |
9.2 |
| CVE-2026-26218 |
newbee-mall Default Seeded Administrator Credentials Allow Account Takeover |
12.02.2026 |
9.3 |
| CVE-2026-26219 |
newbee-mall Unsalted MD5 Password Hashing Enables Offline Credential Cracking |
12.02.2026 |
9.3 |
| CVE-2026-26216 |
Crawl4AI < 0.8.0 Docker API Unauthenticated Remote Code Execution via Hooks Parameter |
12.02.2026 |
10 |
| CVE-2026-26217 |
Crawl4AI < 0.8.0 Docker API Local File Inclusion via file URL Handling |
12.02.2026 |
9.2 |
| CVE-2026-26214 |
Xiaomi Galaxy FDS Android SDK <= 3.0.8 TLS Hostname Verification Disabled Enables MITM |
12.02.2026 |
9.1 |
| CVE-2025-14014 |
Insecure File Upload in NTN Informatics' Smart Panel |
12.02.2026 |
9.8 |
| CVE-2025-10969 |
SQLi in Farktor Software's E-Commerce Package |
12.02.2026 |
9.8 |
| CVE-2026-1729 |
AdForest <= 6.0.12 - Authentication Bypass |
12.02.2026 |
9.8 |
| CVE-2026-26215 |
manga-image-translator Shared API Unsafe Deserialization RCE |
12.02.2026 |
9.3 |
| CVE-2026-26021 |
Prototype pollution in set-in |
12.02.2026 |
9.4 |
| CVE-2020-37186 |
Chevereto 3.13.4 Core - Remote Code Execution |
12.02.2026 |
9.3 |
| CVE-2026-24789 |
ZLAN Information Technology ZLAN5143D Missing Authentication for Critical Function |
11.02.2026 |
9.3 |
| CVE-2026-25084 |
ZLAN Information Technology ZLAN5143D Missing Authentication for Critical Function |
11.02.2026 |
9.3 |
| CVE-2025-12059 |
Improper Access Control in Logo Software's Logo j-Platform |
12.02.2026 |
9.8 |
| CVE-2026-2248 |
Unauthenticated Remote Root Shell Access via Web Console in METIS WIC |
12.02.2026 |
9.8 |
| CVE-2026-2249 |
Unauthenticated Remote Command Execution via Web Console in METIS DFS |
12.02.2026 |
9.8 |
| CVE-2025-8668 |
Reflected XSS in E-Kalite Software Hardware Engineering's Turboard |
11.02.2026 |
9.4 |
| CVE-2025-66277 |
QTS, QuTS hero |
12.02.2026 |
9.2 |
| CVE-2025-8025 |
Improper Access Control in Dinosoft Business Solutions' Dinosoft ERP |
11.02.2026 |
9.8 |
| CVE-2026-1357 |
Migration, Backup, Staging <= 0.9.123 - Unauthenticated Arbitrary File Upload |
11.02.2026 |
9.8 |
| CVE-2026-26009 |
Catalyst Affected by Remote Code Execution as Root via Containerized Install Script Execution |
10.02.2026 |
10 |
| CVE-2026-21531 |
Azure SDK for Python Remote Code Execution Vulnerability |
13.02.2026 |
9.8 |
| CVE-2026-25993 |
EverShop has a Second-Order SQL Injection in URL Rewrite Processing Derived from Category URL Keys |
10.02.2026 |
9.3 |
| CVE-2026-25728 |
ClipBucket v5 Affected by Remote Code Execution via Avatar/Background File Upload Race Condition |
11.02.2026 |
9.3 |
| CVE-2025-11242 |
SSRF in Teknolist Computer's Okulistik |
10.02.2026 |
9.8 |
| CVE-2026-2095 |
Flowring|Agentflow - Authentication Bypass |
10.02.2026 |
9.3 |
| CVE-2026-2096 |
Flowring|Agentflow - Missing Authenticaton |
10.02.2026 |
9.3 |
| CVE-2026-0488 |
Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor) |
11.02.2026 |
9.9 |
| CVE-2026-0509 |
Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform |
10.02.2026 |
9.6 |
| CVE-2026-25893 |
FUXA Unauthenticated Remote Code Execution via Admin JWT Minting |
11.02.2026 |
10 |
| CVE-2026-25894 |
FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration |
11.02.2026 |
9.5 |
| CVE-2026-25895 |
FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API |
11.02.2026 |
9.5 |
| CVE-2026-25938 |
FUXA Unauthenticated Remote Code Execution in Node-RED Integration |
11.02.2026 |
9.5 |
| CVE-2026-25939 |
FUXA Unauthenticated Remote Arbitrary Scheduler Write |
11.02.2026 |
9.3 |
| CVE-2026-25812 |
PlaciPy is Missing CSRF Protection on State-Changing Endpoints |
10.02.2026 |
9.3 |
| CVE-2026-25814 |
NoSQL Injection Risk via Unsanitized Query Parameters |
10.02.2026 |
9.3 |
| CVE-2026-25875 |
PlaciPy Admin Privilege Escalation via Trusted JWT Claims |
10.02.2026 |
9.3 |
| CVE-2026-25881 |
@nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape) |
10.02.2026 |
9.1 |
| CVE-2026-25885 |
PolarLearn allows Unauthenticated WebSocket access allows subscribing to and posting in arbitrary group chats |
10.02.2026 |
10 |
| CVE-2026-25057 |
Zip Slip in MarkUs config upload allowing RCE |
10.02.2026 |
9.1 |
| CVE-2025-66630 |
Fiber insecurely fallsback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure |
10.02.2026 |
9.2 |
| CVE-2025-6830 |
SQLi in Xpoda Türkiye Information Technology's Password Module |
11.02.2026 |
9.8 |
| CVE-2026-25848 |
|
10.02.2026 |
9.1 |
| CVE-2026-22903 |
Stack Overflow via SESSIONID Cookie in lighttpd |
09.02.2026 |
9.8 |
| CVE-2026-22904 |
Stack Overflow via Oversized Cookie Fields in lighttpd |
09.02.2026 |
9.8 |
| CVE-2026-22906 |
Hardcoded Key Allows Credential Disclosure |
09.02.2026 |
9.8 |
| CVE-2026-2234 |
HGiga|C&Cm@il - Missing Authentication |
09.02.2026 |
9.3 |
| CVE-2026-1868 |
Improper Neutralization of Special Elements Used in a Template Engine in GitLab AI Gateway |
09.02.2026 |
9.9 |
| CVE-2026-1615 |
|
09.02.2026 |
9.2 |