CVE Field Guide

Critical CVEs

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2025-15027 | JAY Login & Register <= 2.6.03 - Unauthenticated Privilege Escalation via jay_login_register_ajax_create_final_user | 08.02.2026 | 9.8 |
| CVE-2026-25858 | macrozheng mall <= 1.0.3 Unauthenticated Password Reset via OTP Disclosure | 07.02.2026 | 9.3 |
| CVE-2020-37135 | AMSS++ 4.7 - Backdoor Admin Account | 06.02.2026 | 9.3 |
| CVE-2026-25803 | 3DP-MANAGER Uses Hard-coded Credentials | 06.02.2026 | 9.8 |
| CVE-2026-25763 | Command Injection on OpenProject repositories leads to Remote Code Execution | 06.02.2026 | 9.4 |
| CVE-2026-1731 | Remote code execution vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) | 06.02.2026 | 9.9 |
| CVE-2026-1727 | Information Disclosure via Bucket Squatting in Google Cloud Agentspace | 06.02.2026 | 9.1 |
| CVE-2026-25544 | Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters | 06.02.2026 | 9.8 |
| CVE-2026-25592 | Semantic Kernel has an Arbitrary File Write via AI Agent Function Calling in .NET SDK | 06.02.2026 | 10 |
| CVE-2026-25632 | EPyT-Flow has unsafe JSON deserialization (__type__) | 06.02.2026 | 10 |
| CVE-2026-25520 | SandboxJS has a Sandbox Escape | 06.02.2026 | 10 |
| CVE-2026-25586 | SandboxJS has a Sandbox Escape via Prototype Whitelist Bypass and Host Prototype Pollution | 06.02.2026 | 10 |
| CVE-2026-25587 | SandboxJS has a Sandbox Escape | 06.02.2026 | 10 |
| CVE-2026-25641 | SandboxJS has a sandbox escape via TOCTOU bug on keys in property accesses | 06.02.2026 | 10 |
| CVE-2026-1709 | Keylime: keylime: authentication bypass allows unauthorized administrative operations due to missing client-side tls authentication | 06.02.2026 | 9.4 |
| CVE-2026-25643 | Frigate Affected by Authenticated Remote Command Execution (RCE) and Container Escape | 06.02.2026 | 9.1 |
| CVE-2026-25751 | FUXA Unauthenticated Exposure of Plaintext Database Credentials | 06.02.2026 | 9.1 |
| CVE-2026-25752 | FUXA Unauthenticated Remote Arbitrary Device Tag Write | 06.02.2026 | 9.3 |
| CVE-2026-25753 | PlaciPy has a Hard-Coded Default Password for All Student Accounts (Account Takeover) | 06.02.2026 | 9.3 |
| CVE-2025-69212 | OpenSTAManager has an OS Command Injection in P7M File Processing | 06.02.2026 | 9.4 |
| CVE-2025-64111 | Gogs's update .git/config file allows remote command execution | 07.02.2026 | 9.3 |
| CVE-2026-2017 | IP-COM W30AP POST Request wx3auth R7WebsSecurityHandler stack-based overflow | 06.02.2026 | 9.3 |
| CVE-2026-1499 | WP Duplicate <= 1.1.8 - Authenticated (Subscriber+) Arbitrary File Upload via 'process_add_site' AJAX Action | 06.02.2026 | 9.8 |
| CVE-2026-21643 | | 07.02.2026 | 9.1 |
| CVE-2026-21626 | Extension - stackideas.com - Information disclosure in post custom fields in EasyDiscuss 1.0.0-5.0.15 for Joomla | 06.02.2026 | 9.2 |
| CVE-2026-24300 | Azure Front Door Elevation of Privilege Vulnerability | 07.02.2026 | 9.8 |
| CVE-2020-37123 | Pinger 1.0 - Remote Code Execution | 06.02.2026 | 9.3 |
| CVE-2020-37125 | Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution | 05.02.2026 | 9.3 |
| CVE-2025-62615 | AutoGPT has SSRF vulnerability in ReadRSSFeedBlock | 05.02.2026 | 9.3 |
| CVE-2025-62616 | AutoGPT has SSRF vulnerability in SendDiscordFileBlock | 05.02.2026 | 9.3 |
| CVE-2026-25579 | Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/<token>` endpoints | 05.02.2026 | 9.2 |
| CVE-2026-25539 | SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE | 05.02.2026 | 9.1 |
| CVE-2026-25547 | Uncontrolled Resource Consumption in @isaacs/brace-expansion | 05.02.2026 | 9.2 |
| CVE-2026-25526 | JinJava Bypass through ForTag leads to Arbitrary Java Execution | 05.02.2026 | 9.8 |
| CVE-2026-25521 | Locutus is vulnerable to Prototype Pollution | 05.02.2026 | 9.4 |
| CVE-2025-13375 | IBM Common Cryptographic Architecture Arbitrary Command Execution | 06.02.2026 | 9.8 |
| CVE-2026-25512 | Group-Office is vulnerable to RCE due to Command Injection via TNEF Attachment Handler | 05.02.2026 | 9.4 |
| CVE-2026-25481 | Langroid has WAF Bypass Leading to RCE in TableChatAgent | 04.02.2026 | 9.4 |
| CVE-2026-25505 | Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication | 06.02.2026 | 9.8 |
| CVE-2026-25160 | Alist has Insecure TLS Config | 05.02.2026 | 9.1 |
| CVE-2025-64712 | Unstructured has Path Traversal via Malicious MSG Attachment that Allows Arbitrary File Write | 04.02.2026 | 9.8 |
| CVE-2026-21893 | n8n Vulnerable to Command Injection in Community Package Installation | 04.02.2026 | 9.4 |
| CVE-2026-25049 | n8n Has an Expression Escape Vulnerability Leading to RCE | 05.02.2026 | 9.4 |
| CVE-2026-25052 | n8n Improper File Access Controls Allow Arbitrary File Read by Authenticated Users | 05.02.2026 | 9.4 |
| CVE-2026-25053 | n8n is Vulnerable to OS Command Injection in Git Node | 05.02.2026 | 9.4 |
| CVE-2026-25056 | n8n Arbitrary File Write leading to RCE in n8n Merge Node | 05.02.2026 | 9.4 |
| CVE-2026-25115 | n8n is vulnerable to Python sandbox escape | 05.02.2026 | 9.4 |
| CVE-2025-5329 | SQLi in Martcode Software's Delta Course Automation | 04.02.2026 | 9.8 |
| CVE-2025-59818 | Authenticated Remote Code Execution via the file name of an uploaded file | 04.02.2026 | 10 |
| CVE-2026-1633 | Synectix LAN 232 TRIO Missing Authentication for Critical Function | 04.02.2026 | 10 |
| CVE-2026-1632 | RISS SRL MOMA Seismic Station Missing Authentication for Critical Function | 04.02.2026 | 9.3 |
| CVE-2020-37071 | CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution | 04.02.2026 | 9.3 |
| CVE-2020-37092 | Netis E1+ 1.2.32533 - Backdoor Account (root) | 04.02.2026 | 9.3 |
| CVE-2026-1341 | Missing Authentication for Critical Function in Avation Light Engine Pro | 04.02.2026 | 9.3 |
| CVE-2026-25150 | Prototype Pollution via FormData Processing in Qwik City | 04.02.2026 | 9.3 |
| CVE-2026-25510 | CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor | 04.02.2026 | 10 |
| CVE-2025-65078 | Untrusted search path vulnerability in Embedded Solutions Framework | 06.02.2026 | 9.3 |
| CVE-2026-1803 | Ziroom ZHOME A0101 Dropbear SSH Service default credentials | 03.02.2026 | 9.2 |
| CVE-2025-10878 | | 04.02.2026 | 10 |
| CVE-2026-25237 | PEAR is Vulnerable to PHP Code Execution via preg_replace /e in Bug Update Emails | 04.02.2026 | 9.2 |
| CVE-2026-25238 | PEAR is Vulnerable to SQL Injection in Bug Subscription Deletion via Weak Email Validation | 04.02.2026 | 9.2 |
| CVE-2026-25241 | PEAR is Vulnerable to SQL Injection in /get/<package>/<version> Endpoint | 04.02.2026 | 9.3 |
| CVE-2025-70841 | | 04.02.2026 | 10 |
| CVE-2026-1568 | Rapid7 InsightVM Signature Validation Vulnerability | 04.02.2026 | 9.6 |
| CVE-2025-5319 | SQLi in Emit Informatics' DIGITA Efficiency Management System | 04.02.2026 | 9.8 |
| CVE-2026-1432 | SQL injection (SQLi) on the Buroweb platform | 03.02.2026 | 9.3 |
| CVE-2026-24465 | | 03.02.2026 | 9.3 |
| CVE-2026-24936 | An improper input validation vulnerability was found in ADM while joining an AD Domain | 04.02.2026 | 9.5 |
| CVE-2025-66480 | Wildfire has Arbitrary File Upload via Directory Traversal in UploadFileAction | 03.02.2026 | 9.8 |
| CVE-2026-22778 | vLLM leaks a heap address when PIL throws an error | 03.02.2026 | 9.8 |
| CVE-2026-23515 | RCE - Command Injection in Signal K set-system-time plugin | 03.02.2026 | 10 |
| CVE-2026-24471 | Improper Validation in Conduit-derived homeservers resulting in Unintended Proxy or Intermediary ('Confused Deputy') | 03.02.2026 | 9.3 |
| CVE-2026-25134 | Group-Office Argument Injection in MaintenanceController::actionZipLanguage | 04.02.2026 | 9.4 |
| CVE-2026-25137 | NixOs Odoo database and filestore publicly accessible with default odoo configuration | 04.02.2026 | 9.1 |
| CVE-2026-25142 | SandboxJS Prototype Pollution -> Sandbox Escape -> RCE | 04.02.2026 | 10 |
| CVE-2022-50981 | Multiple Innomic VibroLine VLX HD 5.0 and avibia AVLX weak password requirements | 02.02.2026 | 9.8 |
| CVE-2024-2356 | Remote Code Execution due to LFI in '/reinstall_extension' in parisneo/lollms-webui | 02.02.2026 | 9.6 |
| CVE-2024-5386 | Account Hijacking via Password Reset Token Leak in lunary-ai/lunary | 02.02.2026 | 9.6 |
| CVE-2024-5986 | Remote Arbitrary File Write with Arbitrary Data in h2oai/h2o-3 | 02.02.2026 | 9.1 |
| CVE-2026-25200 | | 03.02.2026 | 9.8 |
| CVE-2026-25202 | | 03.02.2026 | 9.8 |

Latest Updates

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-2159 | SourceCodester Simple Responsive Tourism Website Registration Master.php cross site scripting | 08.02.2026 | |
| CVE-2026-2160 | SourceCodester Simple Responsive Tourism Website Master.php cross site scripting | 08.02.2026 | |
| CVE-2026-2157 | D-Link DIR-823X set_static_route_table sub_4175CC os command injection | 08.02.2026 | |
| CVE-2026-2158 | code-projects Student Web Portal check_user.php sql injection | 08.02.2026 | |
| CVE-2026-2156 | code-projects Online Student Management System Announcement Management index.php cross site scripting | 08.02.2026 | |
| CVE-2026-2155 | D-Link DIR-823X Configuration set_dmz sub_4208A0 os command injection | 08.02.2026 | |
| CVE-2026-2154 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System Patient Registration registration.php cross site scripting | 08.02.2026 | |
| CVE-2026-2153 | mwielgoszewski doorman views.py is_safe_url redirect | 08.02.2026 | |
| CVE-2026-2152 | D-Link DIR-615 Web Configuration adv_routing.php os command injection | 08.02.2026 | |
| CVE-2026-2151 | D-Link DIR-615 DMZ Host Feature adv_firewall.php os command injection | 08.02.2026 | |
| CVE-2026-2150 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System checkin.php cross site scripting | 08.02.2026 | |
| CVE-2026-2149 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System appointments.php cross site scripting | 08.02.2026 | |
| CVE-2026-2148 | Tenda AC21 Web Management DownloadFlash information disclosure | 08.02.2026 | |
| CVE-2026-2147 | Tenda AC21 Web Management DownloadLog information disclosure | 08.02.2026 | |
| CVE-2026-2146 | guchengwuyue yshopmall co.yixiang.utils.FileUtil updateAvatar unrestricted upload | 08.02.2026 | |
| CVE-2026-2145 | cym1102 nginxWebUI Web Management check cross site scripting | 08.02.2026 | |
| CVE-2026-2143 | D-Link DIR-823X DDNS Service set_ddns os command injection | 08.02.2026 | |
| CVE-2026-2142 | D-Link DIR-823X set_qos sub_420688 os command injection | 08.02.2026 | |
| CVE-2026-2141 | WuKongOpenSource WukongCRM URL PermissionServiceImpl.java improper authorization | 08.02.2026 | |
| CVE-2026-2140 | Tenda TX9 setMacFilterCfg sub_4223E0 buffer overflow | 08.02.2026 | |
| CVE-2026-2139 | Tenda TX9 fast_setting_wifi_set sub_432580 buffer overflow | 08.02.2026 | |
| CVE-2026-2138 | Tenda TX9 SetStaticRouteCfg sub_42D03C buffer overflow | 08.02.2026 | |
| CVE-2026-2137 | Tenda TX3 SetIpMacBind buffer overflow | 08.02.2026 | |
| CVE-2026-2136 | projectworlds Online Food Ordering System view-ticket.php sql injection | 08.02.2026 | |
| CVE-2026-2134 | PHPGurukul Hospital Management System manage-doctors.php sql injection | 08.02.2026 | |
| CVE-2026-2135 | UTT HiPER 810 formPdbUpConfig sub_43F020 command injection | 08.02.2026 | |
| CVE-2026-2132 | code-projects Online Music Site AdminUpdateCategory.php sql injection | 08.02.2026 | |
| CVE-2026-2133 | code-projects Online Music Site AdminUpdateCategory.php unrestricted upload | 08.02.2026 | |
| CVE-2026-2130 | BurtTheCoder mcp-maigret search_username index.ts command injection | 08.02.2026 | |
| CVE-2026-2131 | XixianLiang HarmonyOS-mcp-server input_text os command injection | 08.02.2026 | |
| CVE-2025-15027 | JAY Login & Register <= 2.6.03 - Unauthenticated Privilege Escalation via jay_login_register_ajax_create_final_user | 08.02.2026 | 9.8 |
| CVE-2025-15100 | JAY Login & Register <= 2.6.03 - Authenticated (Subscriber+) Privilege Escalation via jay_panel_ajax_update_profile | 08.02.2026 | 8.8 |
| CVE-2026-2129 | D-Link DIR-823X set_ac_status os command injection | 08.02.2026 | |
| CVE-2026-2205 | WeKan Meteor Publication cards.js CardPubSubBleed information disclosure | 08.02.2026 | |
| CVE-2026-2206 | WeKan Administrative Repair fixDuplicateLists.js FixDuplicateBleed access control | 08.02.2026 | |
| CVE-2026-2207 | WeKan Activity Publication activities.js LinkedBoardActivitiesBleed information disclosure | 08.02.2026 | |
| CVE-2026-2208 | WeKan Rules rules.js RulesBleed authorization | 08.02.2026 | |
| CVE-2026-2209 | WeKan Custom Translation translationBody.js setCreateTranslation improper authorization | 08.02.2026 | |
| CVE-2026-2120 | D-Link DIR-823X Configuration Parameter set_server_settings os command injection | 08.02.2026 | |
| CVE-2026-2122 | Xiaopi Panel WAF Firewall demo.php sql injection | 08.02.2026 | |
| CVE-2026-2118 | UTT HiPER 810 rehttpd formReleaseConnect sub_4407D4 command injection | 08.02.2026 | |
| CVE-2026-2117 | itsourcecode Society Management System edit_activity.php sql injection | 07.02.2026 | |
| CVE-2026-2116 | itsourcecode Society Management System edit_expenses.php sql injection | 07.02.2026 | |
| CVE-2026-2115 | itsourcecode Society Management System delete_expenses.php sql injection | 07.02.2026 | |
| CVE-2026-25859 | WeKan < 8.20 Migration Functionality Insufficient Permission Checks | 07.02.2026 | |
| CVE-2026-2114 | itsourcecode Society Management System edit_admin.php sql injection | 07.02.2026 | |
| CVE-2026-25560 | WeKan < 8.19 LDAP Authentication Filter Injection | 07.02.2026 | |
| CVE-2026-25561 | WeKan < 8.19 Attachment Upload Object Relationship Validation Bypass | 07.02.2026 | |
| CVE-2026-25562 | WeKan < 8.19 Attachments Publication Information Disclosure | 07.02.2026 | |
| CVE-2026-25563 | WeKan < 8.19 Checklist Creation Cross-Board IDOR | 07.02.2026 | |
| CVE-2026-25564 | WeKan < 8.19 Checklist Deletion IDOR via Missing Relationship Validation | 07.02.2026 | |
| CVE-2026-25565 | WeKan < 8.19 Read-only Board Roles Can Update Cards | 07.02.2026 | |
| CVE-2026-25566 | WeKan < 8.19 Cross-board Card Move Without Destination Authorization | 07.02.2026 | |
| CVE-2026-25567 | WeKan < 8.19 Card Comment Author Spoofing via User-controlled authorId | 07.02.2026 | |
| CVE-2026-25568 | WeKan < 8.19 allowPrivateOnly Setting Enforcement Bypass | 07.02.2026 | |
| CVE-2026-25857 | Tenda G300-F Command Injection via formSetWanDiag | 07.02.2026 | |
| CVE-2026-25858 | macrozheng mall <= 1.0.3 Unauthenticated Password Reset via OTP Disclosure | 07.02.2026 | |
| CVE-2025-15564 | Mapnik value.cpp operator divide by zero | 07.02.2026 | |