CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2025-11242 SSRF in Teknolist Computer's Okulistik 10.02.2026 9.8
CVE-2026-2095 Flowring|Agentflow - Authentication Bypass 10.02.2026 9.3
CVE-2026-2096 Flowring|Agentflow - Missing Authentication 10.02.2026 9.3
CVE-2026-0488 Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor) 10.02.2026 9.9
CVE-2026-0509 Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform 10.02.2026 9.6
CVE-2026-25893 FUXA Unauthenticated Remote Code Execution via Admin JWT Minting 09.02.2026 10
CVE-2026-25894 FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration 09.02.2026 9.5
CVE-2026-25895 FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API 09.02.2026 9.5
CVE-2026-25938 FUXA Unauthenticated Remote Code Execution in Node-RED Integration 09.02.2026 9.5
CVE-2026-25939 FUXA Unauthenticated Remote Arbitrary Scheduler Write 09.02.2026 9.3
CVE-2026-25812 PlaciPy is Missing CSRF Protection on State-Changing Endpoints 09.02.2026 9.3
CVE-2026-25814 NoSQL Injection Risk via Unsanitized Query Parameters 09.02.2026 9.3
CVE-2026-25875 PlaciPy Admin Privilege Escalation via Trusted JWT Claims 09.02.2026 9.3
CVE-2026-25881 @nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape) 09.02.2026 9.1
CVE-2026-25885 PolarLearn allows Unauthenticated WebSocket access allows subscribing to and posting in arbitrary group chats 09.02.2026 10
CVE-2026-25057 Zip Slip in MarkUs config upload allowing RCE 09.02.2026 9.1
CVE-2025-66630 Fiber insecurely falls back in utils.UUIDv4() / utils.UUID() — predictable / zero-UUID on crypto/rand failure 09.02.2026 9.2
CVE-2025-6830 SQLi in Xpoda Türkiye Information Technology's Xpoda Studio 09.02.2026 9.8
CVE-2026-25848 10.02.2026 9.1
CVE-2026-22903 Stack Overflow via SESSIONID Cookie in lighttpd 09.02.2026 9.8
CVE-2026-22904 Stack Overflow via Oversized Cookie Fields in lighttpd 09.02.2026 9.8
CVE-2026-22906 Hardcoded Key Allows Credential Disclosure 09.02.2026 9.8
CVE-2026-2234 HGiga|C&Cm@il - Missing Authentication 09.02.2026 9.3
CVE-2026-1868 Improper Neutralization of Special Elements Used in a Template Engine in GitLab AI Gateway 09.02.2026 9.9
CVE-2026-1615 09.02.2026 9.2
CVE-2025-15027 JAY Login & Register <= 2.6.03 - Unauthenticated Privilege Escalation via jay_login_register_ajax_create_final_user 09.02.2026 9.8
CVE-2026-25858 macrozheng mall <= 1.0.3 Unauthenticated Password Reset via OTP Disclosure 07.02.2026 9.3
CVE-2020-37135 AMSS++ 4.7 - Backdoor Admin Account 06.02.2026 9.3
CVE-2026-25803 3DP-MANAGER Uses Hard-coded Credentials 09.02.2026 9.8
CVE-2026-25763 Command Injection on OpenProject repositories leads to Remote Code Execution 09.02.2026 9.4
CVE-2026-1731 Remote code execution vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) 10.02.2026 9.9
CVE-2026-1727 Information Disclosure via Bucket Squatting in Google Cloud Agentspace. 09.02.2026 9.1
CVE-2026-25544 Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters 09.02.2026 9.8
CVE-2026-25592 Semantic Kernel has an Arbitrary File Write via AI Agent Function Calling in .NET SDK 09.02.2026 10
CVE-2026-25632 EPyT-Flow has unsafe JSON deserialization (__type__) 06.02.2026 10
CVE-2026-25520 SandboxJS has a Sandbox Escape 06.02.2026 10
CVE-2026-25586 SandboxJS has a Sandbox Escape via Prototype Whitelist Bypass and Host Prototype Pollution 06.02.2026 10
CVE-2026-25587 SandboxJS has a Sandbox Escape 06.02.2026 10
CVE-2026-25641 SandboxJS has a sandbox escape via TOCTOU bug on keys in property accesses 06.02.2026 10
CVE-2026-1709 Keylime: keylime: authentication bypass allows unauthorized administrative operations due to missing client-side tls authentication 09.02.2026 9.4
CVE-2026-25643 Frigate Affected by Authenticated Remote Command Execution (RCE) and Container Escape 06.02.2026 9.1
CVE-2026-25751 FUXA Unauthenticated Exposure of Plaintext Database Credentials 09.02.2026 9.1
CVE-2026-25752 FUXA Unauthenticated Remote Arbitrary Device Tag Write 09.02.2026 9.3
CVE-2026-25753 PlaciPy has a Hard-Coded Default Password for All Student Accounts (Account Takeover) 09.02.2026 9.3
CVE-2025-69212 OpenSTAManager has an OS Command Injection in P7M File Processing 09.02.2026 9.4
CVE-2025-64111 Gogs's update .git/config file allows remote command execution 07.02.2026 9.3
CVE-2026-2017 IP-COM W30AP POST Request wx3auth R7WebsSecurityHandler stack-based overflow 06.02.2026 9.3
CVE-2026-1499 WP Duplicate <= 1.1.8 - Authenticated (Subscriber+) Arbitrary File Upload via 'process_add_site' AJAX Action 06.02.2026 9.8
CVE-2026-21643 10.02.2026 9.1
CVE-2026-21626 Extension - stackideas.com - Information disclosure in post custom fields in EasyDiscuss 1.0.0-5.0.15 for Joomla 06.02.2026 9.2
CVE-2026-24300 Azure Front Door Elevation of Privilege Vulnerability 07.02.2026 9.8
CVE-2020-37123 Pinger 1.0 - Remote Code Execution 06.02.2026 9.3
CVE-2020-37125 Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution 05.02.2026 9.3
CVE-2025-62615 AutoGPT has SSRF vulnerability in ReadRSSFeedBlock 05.02.2026 9.3
CVE-2025-62616 AutoGPT has SSRF vulnerability in SendDiscordFileBlock 05.02.2026 9.3
CVE-2026-25579 Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/<token>` endpoints 05.02.2026 9.2
CVE-2026-25539 SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE 05.02.2026 9.1
CVE-2026-25547 Uncontrolled Resource Consumption in @isaacs/brace-expansion 05.02.2026 9.2
CVE-2026-25526 JinJava Bypass through ForTag leads to Arbitrary Java Execution 05.02.2026 9.8
CVE-2026-25521 Locutus is vulnerable to Prototype Pollution 05.02.2026 9.4
CVE-2025-13375 IBM Common Cryptographic Architecture Arbitrary Command Execution 06.02.2026 9.8
CVE-2026-25512 Group-Office is vulnerable to RCE due to Command Injection via TNEF Attachment Handler 05.02.2026 9.4
CVE-2026-25481 Langroid has WAF Bypass Leading to RCE in TableChatAgent 04.02.2026 9.4
CVE-2026-25505 Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication 06.02.2026 9.8
CVE-2026-25160 Alist has Insecure TLS Config 05.02.2026 9.1
CVE-2025-64712 Unstructured has Path Traversal via Malicious MSG Attachment that Allows Arbitrary File Write 04.02.2026 9.8
CVE-2026-21893 n8n Vulnerable to Command Injection in Community Package Installation 04.02.2026 9.4
CVE-2026-25049 n8n Has an Expression Escape Vulnerability Leading to RCE 05.02.2026 9.4
CVE-2026-25052 n8n Improper File Access Controls Allow Arbitrary File Read by Authenticated Users 05.02.2026 9.4
CVE-2026-25053 n8n is Vulnerable to OS Command Injection in Git Node 05.02.2026 9.4
CVE-2026-25056 n8n Arbitrary File Write leading to RCE in n8n Merge Node 05.02.2026 9.4
CVE-2026-25115 n8n is vulnerable to Python sandbox escape 05.02.2026 9.4
CVE-2025-5329 SQLi in Martcode Software's Delta Course Automation 04.02.2026 9.8
CVE-2025-59818 Authenticated Remote Code Execution via the file name of an uploaded file 04.02.2026 10
CVE-2026-1633 Synectix LAN 232 TRIO Missing Authentication for Critical Function 04.02.2026 10
CVE-2026-1632 RISS SRL MOMA Seismic Station Missing Authentication for Critical Function 04.02.2026 9.3
CVE-2020-37071 CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution 04.02.2026 9.3
CVE-2020-37092 Netis E1+ 1.2.32533 - Backdoor Account (root) 04.02.2026 9.3
CVE-2026-1341 Missing Authentication for Critical Function in Avation Light Engine Pro 04.02.2026 9.3

Latest Updates

CVE Title Updated Score
CVE-2025-11004 Reflected XSS vulnerability in Simplicity Device Manager tool 10.02.2026
CVE-2025-15572 wasm3 NewCodePage memory leak 10.02.2026
CVE-2026-1602 10.02.2026 6.5
CVE-2026-1603 10.02.2026 8.6
CVE-2025-15571 ckolivas lrzip stream.c ucompthread null pointer dereference 10.02.2026
CVE-2025-7347 IDOR in Dinibh Puzzle's Dinibh Patrol Tracking System 10.02.2026 8.8
CVE-2025-7636 SQLi in Ergosis Security Systems' ZEUS PDKS 10.02.2026 8.8
CVE-2025-6967 Authentication Bypass in Sarman Soft's CMS 10.02.2026 8.7
CVE-2025-15570 ckolivas lrzip stream.c lzma_decompress_buf use after free 10.02.2026
CVE-2025-11537 Keycloak-server: sensitive headers shown in the http access logs 10.02.2026
CVE-2025-15569 Artifex MuPDF win_main.c get_system_dpi uncontrolled search path 10.02.2026
CVE-2024-52334 10.02.2026 5.3
CVE-2025-40587 10.02.2026 7.6
CVE-2026-22923 10.02.2026 7.8
CVE-2026-23715 10.02.2026 7.8
CVE-2026-23716 10.02.2026 7.8
CVE-2026-23717 10.02.2026 7.8
CVE-2026-23718 10.02.2026 7.8
CVE-2026-23719 10.02.2026 7.8
CVE-2026-23720 10.02.2026 7.8
CVE-2026-25655 10.02.2026 7.8
CVE-2026-25656 10.02.2026 7.8
CVE-2025-14895 PopupKit <= 2.2.0 - Missing Authorization to Sensitive Information Disclosure and Data Deletion 10.02.2026 5.4
CVE-2026-1866 Name Directory <= 1.32.0 - Unauthenticated Stored Cross-Site Scripting via Double HTML-Entity Encoding in Submission Form 10.02.2026 7.2
CVE-2026-1922 The Events Calendar Shortcode & Block <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 10.02.2026 6.4
CVE-2026-23901 Apache Shiro: Brute force attack possible to determine valid user names 10.02.2026
CVE-2026-23906 Apache Druid: Authentication Bypass via LDAP Anonymous Bind 10.02.2026
CVE-2026-24343 Apache HertzBeat: Uncontrolled Resource Consumption via Crafted XPath Expressions 10.02.2026
CVE-2026-2268 Ninja Forms <= 3.14.0 - Unauthenticated Information Disclosure in nf_ajax_submit AJAX Action 10.02.2026 7.5
CVE-2025-11242 SSRF in Teknolist Computer's Okulistik 10.02.2026 9.8
CVE-2026-1722 WCFM Marketplace <= 3.7.0 - Insecure Direct Object Reference to Unauthenticated Arbitrary Refund Request Creation 10.02.2026 5.3
CVE-2026-2093 Flowring|Docpedia - SQL Injection 10.02.2026
CVE-2026-2094 Flowring|Docpedia - SQL Injection 10.02.2026
CVE-2026-2095 Flowring|Agentflow - Authentication Bypass 10.02.2026
CVE-2026-2096 Flowring|Agentflow - Missing Authentication 10.02.2026
CVE-2026-2097 Flowring|Agentflow - Arbitrary File Upload 10.02.2026
CVE-2026-2098 Flowring|AgentFlow - Reflected Cross-site Scripting 10.02.2026
CVE-2026-2099 Flowring|AgentFlow - Stored Cross-Site Scripting 10.02.2026
CVE-2025-12063 10.02.2026 5.7
CVE-2025-11142 10.02.2026 7.1
CVE-2025-11547 10.02.2026 7.8
CVE-2025-12757 10.02.2026 4.6
CVE-2025-13064 10.02.2026 4.5
CVE-2026-0996 Fluent Forms <= 6.1.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting via AI Form Builder Module 10.02.2026 6.4
CVE-2026-25973 10.02.2026
CVE-2026-25974 10.02.2026
CVE-2026-25975 10.02.2026
CVE-2026-25976 10.02.2026
CVE-2026-25977 10.02.2026
CVE-2026-25978 10.02.2026
CVE-2026-25979 10.02.2026
CVE-2026-25980 10.02.2026
CVE-2026-25981 10.02.2026
CVE-2026-0484 Missing Authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA 10.02.2026 6.5
CVE-2026-0485 Denial of service (DOS) vulnerability in SAP BusinessObjects BI Platform 10.02.2026 7.5
CVE-2026-0486 Missing Authorization Check in ABAP based SAP systems 10.02.2026 5
CVE-2026-0488 Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor) 10.02.2026 9.9
CVE-2026-0490 Denial of service (DOS) in SAP BusinessObjects BI Platform 10.02.2026 7.5
CVE-2026-0505 Multiple vulnerabilities in BSP Applications of SAP Document Management System 10.02.2026 6.1
CVE-2026-0508 Open Redirect vulnerability in SAP BusinessObjects Business Intelligence Platform 10.02.2026 7.3
CVE-2026-0509 Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform 10.02.2026 9.6
CVE-2026-23681 Missing Authorization check in a function module in SAP Support Tools Plug-In 10.02.2026 4.3
CVE-2026-23684 Race condition vulnerability in SAP Commerce Cloud 10.02.2026 5.9
CVE-2026-23685 Insecure Deserialization vulnerability in SAP NetWeaver (JMS service) 10.02.2026 4.4
CVE-2026-23686 CRLF Injection vulnerability in SAP NetWeaver Application Server Java 10.02.2026 3.4
CVE-2026-23687 XML Signature Wrapping in SAP NetWeaver AS ABAP and ABAP Platform 10.02.2026 8.8
CVE-2026-23688 Missing Authorization check in SAP Fiori App (Manage Service Entry Sheets - Lean Services) 10.02.2026 4.3
CVE-2026-23689 Denial of service (DOS) in SAP Supply Chain Management 10.02.2026 7.7
CVE-2026-24312 Missing authorization check in SAP Business Workflow 10.02.2026 5.2
CVE-2026-24319 Information Disclosure Vulnerability in SAP Business One (B1 Client Memory Dump Files) 10.02.2026 5.8
CVE-2026-24320 Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP) 10.02.2026 3.1
CVE-2026-24321 Information Disclosure vulnerability in SAP Commerce Cloud 10.02.2026 5.3
CVE-2026-24322 Missing Authorization check in SAP Solution Tools Plug-In (ST-PI) 10.02.2026 7.7
CVE-2026-24323 Multiple vulnerabilities in BSP Applications of SAP Document Management System 10.02.2026 6.1
CVE-2026-24324 Denial of service (DOS) vulnerability in SAP BusinessObjects Business Intelligence Platform (AdminTools) 10.02.2026 6.5
CVE-2026-24325 Cross Site Scripting (XSS) vulnerability in SAP BusinessObjects Enterprise (Central Management Console) 10.02.2026 4.8
CVE-2026-24326 Missing authorization check in SAP S/4HANA Defense & Security (Disconnected Operations) 10.02.2026 4.3
CVE-2026-24327 Missing Authorization Check in SAP Strategic Enterprise Management (Balanced Scorecard in BSP Application) 10.02.2026 4.3
CVE-2026-24328 Open Redirection vulnerability in Business Server Pages Application (TAF_APPLAUNCHER) 10.02.2026 6.1
CVE-2026-2259 aardappel lobster Parsing parser.h ParseStatements memory corruption 10.02.2026
CVE-2026-2260 D-Link DCS-931L setSysAdmin os command injection 10.02.2026
CVE-2026-2258 aardappel lobster wfc.h WaveFunctionCollapse memory corruption 10.02.2026
CVE-2025-15147 WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.11.8 - Insecure Direct Object Reference to Update Membership Payment 09.02.2026 4.3
CVE-2026-0845 WCFM - WooCommerce Frontend Manager <= 6.7.24 - Authenticated (Shop Manager+) Arbitrary Options Update 09.02.2026 7.2
CVE-2025-15310 Tanium addressed a local privilege escalation vulnerability in Patch Endpoint Tools. 09.02.2026 7.8
CVE-2025-15313 Tanium addressed an arbitrary file deletion vulnerability in Tanium EUSS. 09.02.2026 5.5
CVE-2025-15314 Tanium addressed an arbitrary file deletion vulnerability in end-user-cx. 09.02.2026 5.5
CVE-2025-15318 Tanium addressed an arbitrary file deletion vulnerability in End-User Notifications Endpoint Tools. 09.02.2026 5.1
CVE-2025-15319 Tanium addressed a local privilege escalation vulnerability in Patch Endpoint Tools. 09.02.2026 7.8
CVE-2026-25957 Cube Denial of Service (DoS) - An authenticated attacker can crash the server by sending a specially crafted request 09.02.2026 6.5
CVE-2026-25958 Cube privilege escalation via a specially crafted request 09.02.2026 7.7
CVE-2026-25893 FUXA Unauthenticated Remote Code Execution via Admin JWT Minting 09.02.2026
CVE-2026-25894 FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration 09.02.2026
CVE-2026-25895 FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API 09.02.2026
CVE-2026-25951 FUXA has a Path Traversal Sanitization Bypass 09.02.2026
CVE-2026-25931 vscode-spell-checker has a workspace-trust bypass Code Execution 09.02.2026 7.8
CVE-2026-25934 go-git improperly verifies data integrity values for .idx and .pack files 09.02.2026 4.3
CVE-2026-25938 FUXA Unauthenticated Remote Code Execution in Node-RED Integration 09.02.2026
CVE-2026-25939 FUXA Unauthenticated Remote Arbitrary Scheduler Write 09.02.2026
CVE-2026-25923 Phar Deserialization leading to Arbitrary File Deletion in my little forum 09.02.2026
CVE-2026-25925 PowerDocu Affected by Remote Code Execution via Insecure Deserialization 09.02.2026 7.8
CVE-2025-15315 Tanium addressed a local privilege escalation vulnerability in Tanium Module Server. 09.02.2026 6.7
CVE-2025-15316 Tanium addressed a local privilege escalation vulnerability in Tanium Server. 09.02.2026 6.7
CVE-2025-15317 Tanium addressed an uncontrolled resource consumption vulnerability in Tanium Server. 09.02.2026 6.5
CVE-2026-25807 Unauthenticated Remote Code Execution via P2P Sharing in ZAI-Shell 09.02.2026 8.8
CVE-2026-25808 Hollo DMs get leaked and can be seen on Webfinger Browser 09.02.2026 7.5
CVE-2026-25890 File Browser has a Path-Based Access Control Bypass via Multiple Leading Slashes in URL 09.02.2026 8.1
CVE-2026-25892 Adminer has an Unauthenticated Persistent DoS via Array Injection in ?script=version Endpoint 09.02.2026 7.5
CVE-2026-25918 unity-cli Exposes Plaintext Credentials in Debug Logs (sign-package command) 09.02.2026
CVE-2026-25920 SumatraPDF has a heap out-of-bounds read in MOBI HuffDic decompressor 09.02.2026 5.5
CVE-2026-25961 SumatraPDF Update MITM -> Arbitrary Code Execution 09.02.2026 7.5