CVE Field Guide

Critical CVEs

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-22240 | Plaintext Passwords Vulnerability in BLUVOYIX | 14.01.2026 | 10 |
| CVE-2026-22236 | Improper Authentication Vulnerability in BLUVOYIX | 14.01.2026 | 10 |
| CVE-2026-22237 | Exposed Internal API Documentation Vulnerability in BLUVOYIX | 14.01.2026 | 10 |
| CVE-2026-22238 | Administrator Account Creation Vulnerability in BLUVOYIX | 14.01.2026 | 10 |
| CVE-2026-22239 | Email Sending Vulnerability in BLUVOYIX | 14.01.2026 | 10 |
| CVE-2026-23550 | WordPress Modular DS plugin <= 2.5.1 - Privilege Escalation vulnerability | 14.01.2026 | 10 |
| CVE-2025-14301 | Integration Opvius AI for WooCommerce <= 1.3.0 - Unauthenticated Arbitrary File Deletion/Read via Path Traversal | 14.01.2026 | 9.8 |
| CVE-2025-14502 | News and Blog Designer Bundle <= 1.1 - Unauthenticated Local File Inclusion | 14.01.2026 | 9.8 |
| CVE-2026-22686 | Sandbox Escape via Host Error Prototype Chain in enclave-vm | 14.01.2026 | 10 |
| CVE-2022-50893 | VIAVIWEB Wallpaper Admin 1.0 - Code Execution via Image Upload | 14.01.2026 | 9.3 |
| CVE-2020-36911 | Covenant 0.5 - Remote Code Execution (RCE) | 14.01.2026 | 9.3 |
| CVE-2022-50912 | ImpressCMS 1.4.4 - Unrestricted File Upload | 14.01.2026 | 9.3 |
| CVE-2022-50919 | Tdarr 2.00.15 - Command Injection | 14.01.2026 | 9.3 |
| CVE-2023-54329 | Inbit Messenger 4.9.0 - Unauthenticated Remote Command Execution (RCE) | 14.01.2026 | 9.3 |
| CVE-2023-54330 | Inbit Messenger 4.9.0 - Unauthenticated Remote SEH Overflow | 14.01.2026 | 9.3 |
| CVE-2023-54335 | eXtplorer <= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE) | 14.01.2026 | 9.3 |
| CVE-2023-54339 | Webgrind 1.1 - Remote Command Execution (RCE) via dataFile Parameter | 14.01.2026 | 9.3 |
| CVE-2026-23478 | Cal.com has an Authentication Bypass via Unvalidated Email in Custom JWT Callback | 14.01.2026 | 10 |
| CVE-2025-68271 | Unauthenticated Remote Code Execution in openc3-api | 13.01.2026 | 10 |
| CVE-2025-47855 | | 14.01.2026 | 9.3 |
| CVE-2025-64155 | | 14.01.2026 | 9.4 |
| CVE-2025-12548 | Github.com/che-incubator/che-code: eclipse che — unauthenticated rce and secret exfiltration via tcp/3333 | 13.01.2026 | 9 |
| CVE-2026-22755 | Remote code injection via upload_map.cgi in Legacy Vivotek Devices | 13.01.2026 | 9.3 |
| CVE-2025-11250 | Authentication Bypass | 13.01.2026 | 9.1 |
| CVE-2025-40805 | | 13.01.2026 | 10 |
| CVE-2026-0491 | Code Injection vulnerability in SAP Landscape Transformation | 14.01.2026 | 9.1 |
| CVE-2026-0498 | Code Injection vulnerability in SAP S/4HANA (Private Cloud and On-Premise) | 14.01.2026 | 9.1 |
| CVE-2026-0500 | Remote code execution in SAP Wily Introscope Enterprise Manager (WorkStation) | 13.01.2026 | 9.6 |
| CVE-2026-0501 | SQL Injection Vulnerability in SAP S/4HANA Private Cloud and On-Premise (Financials - General Ledger) | 14.01.2026 | 9.9 |
| CVE-2026-22813 | Malicious website can execute commands on the local system through XSS in the OpenCode web UI | 13.01.2026 | 9.4 |
| CVE-2026-22799 | emlog Arbitrary File Upload Vulnerability | 13.01.2026 | 9.3 |
| CVE-2026-22794 | Account Takeover Vulnerability in Appsmith | 13.01.2026 | 9.7 |
| CVE-2025-12420 | Unauthenticated Privilege Escalation in ServiceNow AI Platform | 14.01.2026 | 9.3 |
| CVE-2026-22785 | orval MCP client is vulnerable to a code injection attack. | 12.01.2026 | 9.3 |
| CVE-2026-22781 | TinyWeb CGI Command Injection | 12.01.2026 | 10 |
| CVE-2026-22783 | Iris Allows Arbitrary File Deletion via Mass Assignment in Datastore File Management | 12.01.2026 | 9.6 |
| CVE-2026-22252 | LibreChat MCP Stdio Remote Command Execution | 12.01.2026 | 9.1 |
| CVE-2025-41006 | Multiple vulnerabilities in Imaster products Open configuration options | 12.01.2026 | 9.3 |
| CVE-2025-52694 | Execution of arbitrary SQL commands | 12.01.2026 | 10 |
| CVE-2026-22688 | WeKnora has Command Injection in MCP stdio test | 12.01.2026 | 10 |
| CVE-2025-65091 | XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService | 12.01.2026 | 10 |
| CVE-2025-61686 | React Router has Path Traversal in File Session Storage | 10.01.2026 | 9.1 |
| CVE-2026-22600 | OpenProject is Vulnerable to Arbitrary File Read via ImageMagick SVG Coder | 13.01.2026 | 9.1 |
| CVE-2025-15501 | Sangfor Operation and Maintenance Management System getCmd WriterHandle.getCmd os command injection | 12.01.2026 | 9.3 |
| CVE-2025-15500 | Sangfor Operation and Maintenance Management System HTTP POST Request getHis os command injection | 09.01.2026 | 9.3 |
| CVE-2020-36875 | AccessAlly < 3.3.2 Unauthenticated Arbitrary PHP Code Execution | 09.01.2026 | 9.3 |
| CVE-2025-69425 | Ruckus vRIoT IoT Controller < 3.0.0.0 Hardcoded Tokens RCE | 09.01.2026 | 10 |
| CVE-2025-69426 | Ruckus vRIoT IoT Controller < 3.0.0.0 Hardcoded SSH Credentials RCE | 09.01.2026 | 10 |
| CVE-2025-66050 | No password set for administrative account in Vivotek IP7137 cameras | 09.01.2026 | 9.3 |
| CVE-2025-7072 | Hardcoded credentials in KAON CG3000T/CG3000CT routers | 09.01.2026 | 9.3 |
| CVE-2025-64093 | Unauthenticated Remote Code Execution via the device hostname | 09.01.2026 | 10 |
| CVE-2025-64090 | Authenticated Remote Code Execution in device hostname | 09.01.2026 | 10 |
| CVE-2025-14741 | Frontend Admin by DynamiApps <= 3.28.25 - Missing Authorization to Unauthenticated Arbitrary Data Deletion via 'delete post' Form Element | 09.01.2026 | 9.1 |
| CVE-2025-70974 | | 09.01.2026 | 10 |
| CVE-2025-14736 | Frontend Admin by DynamiApps <= 3.28.25 - Unauthenticated Privilege Escalation to Administrator via Role Form Field | 09.01.2026 | 9.8 |
| CVE-2026-22234 | OPEXUS eCasePortal unauthenticated IDOR | 08.01.2026 | 9.3 |
| CVE-2025-59468 | | 09.01.2026 | 9 |
| CVE-2025-59469 | | 09.01.2026 | 9 |
| CVE-2025-59470 | | 09.01.2026 | 9 |

Latest Updates

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2025-14457 | Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.2 - Missing Authorization to Unauthenticated File Deletion | 15.01.2026 | 3.7 |
| CVE-2025-14448 | WP-Members Membership Plugin <= 3.5.4.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Multiple Checkbox and Multiple Select User Profile Fields | 15.01.2026 | 5.4 |
| CVE-2026-23574 | | 15.01.2026 | |
| CVE-2026-23575 | | 15.01.2026 | |
| CVE-2026-23576 | | 15.01.2026 | |
| CVE-2026-23577 | | 15.01.2026 | |
| CVE-2026-23578 | | 15.01.2026 | |
| CVE-2026-23579 | | 15.01.2026 | |
| CVE-2026-23580 | | 15.01.2026 | |
| CVE-2026-23581 | | 15.01.2026 | |
| CVE-2026-23582 | | 15.01.2026 | |
| CVE-2025-12166 | Simply Schedule Appointments <= 1.6.9.9 - Unauthenticated SQL Injection via `order` and `append_where_sql` Parameters | 14.01.2026 | 7.5 |
| CVE-2025-12533 | | 14.01.2026 | |
| CVE-2025-14058 | | 14.01.2026 | |
| CVE-2026-0600 | Nexus Repository 3 - Server-Side Request Forgery in Proxy Repository Configuration | 14.01.2026 | |
| CVE-2025-13154 | | 14.01.2026 | |
| CVE-2025-13453 | | 14.01.2026 | |
| CVE-2025-13454 | | 14.01.2026 | |
| CVE-2025-13455 | | 14.01.2026 | |
| CVE-2026-0421 | | 14.01.2026 | |
| CVE-2026-0601 | Nexus Repository 3 - Cross-Site Scripting | 14.01.2026 | |
| CVE-2026-0861 | Integer overflow in memalign leads to heap corruption | 14.01.2026 | |
| CVE-2026-23512 | SumatraPDF has an Untrusted Search Path in sumatrapdf/src/AppTools.cpp | 14.01.2026 | 8.6 |
| CVE-2026-0959 | Out-of-bounds Write in Wireshark | 14.01.2026 | 5.3 |
| CVE-2026-0960 | Loop with Unreachable Exit Condition ('Infinite Loop') in Wireshark | 14.01.2026 | 4.7 |
| CVE-2026-0961 | Out-of-bounds Write in Wireshark | 14.01.2026 | 5.5 |
| CVE-2026-0962 | Out-of-bounds Write in Wireshark | 14.01.2026 | 5.3 |
| CVE-2026-22036 | Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion | 14.01.2026 | 3.7 |
| CVE-2025-11224 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab | 15.01.2026 | 7.7 |
| CVE-2025-14556 | XSS in Drupal 7 Flag Module | 14.01.2026 | |
| CVE-2025-14557 | XSS in Drupal 7 Facebook Pixel Module | 14.01.2026 | |
| CVE-2025-33206 | | 15.01.2026 | 7.8 |
| CVE-2025-71164 | Typesetter CMS Reflected XSS via Editing.php | 14.01.2026 | |
| CVE-2025-71165 | Typesetter CMS Reflected XSS via Status.php | 14.01.2026 | |
| CVE-2025-71166 | Typesetter CMS Reflected XSS via Move Message Handling | 14.01.2026 | |
| CVE-2026-23492 | Pimcore has a Blind SQL Injection in Admin Search Find API due to an incomplete fix for CVE-2023-30848 | 14.01.2026 | 8.8 |
| CVE-2026-23497 | Frappe LMS has a Stored XSS via Unsanitized Image Filename in Course and Jobs Pages | 14.01.2026 | |
| CVE-2026-23498 | Shopware Improper Control of Generation of Code in Twig rendered views | 14.01.2026 | 7.2 |
| CVE-2026-23477 | Rocket.Chat Unauthorized Access to OAuth App Details | 14.01.2026 | 7.7 |
| CVE-2026-22819 | Outray has a Race Condition in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts | 14.01.2026 | 5.9 |
| CVE-2026-22855 | FreeRDP has a heap-buffer-overflow in smartcard_unpack_set_attrib_call | 14.01.2026 | |
| CVE-2026-22856 | FreeRDP has a heap-use-after-free in create_irp_thread | 14.01.2026 | |
| CVE-2026-22857 | FreeRDP has a heap-use-after-free in irp_thread_func | 14.01.2026 | |
| CVE-2026-22858 | FreeRDP has a global-buffer-overflow in crypto_base64_decode | 14.01.2026 | |
| CVE-2026-22859 | FreeRDP has a heap-buffer-overflow in urb_select_configuration | 14.01.2026 | |
| CVE-2026-22851 | FreeRDP RDPGFX ResetGraphics race leads to use-after-free in SDL client (sdl->primary) | 14.01.2026 | |
| CVE-2026-22852 | FreeRDP has a heap-buffer-overflow in audin_process_formats | 14.01.2026 | |
| CVE-2026-22853 | FreeRDP has a heap-buffer-overflow in ndr_read_uint8Array | 14.01.2026 | |
| CVE-2026-22854 | FreeRDP has a heap-buffer-overflow in drive_process_irp_read | 14.01.2026 | |
| CVE-2025-63644 | | 14.01.2026 | |
| CVE-2025-70747 | | 14.01.2026 | |
| CVE-2025-65397 | | 14.01.2026 | |
| CVE-2025-71021 | | 14.01.2026 | |
| CVE-2025-65396 | | 14.01.2026 | |
| CVE-2025-67833 | | 14.01.2026 | |
| CVE-2025-67834 | | 14.01.2026 | |
| CVE-2025-67835 | | 14.01.2026 | |
| CVE-2026-22779 | BlackSheep ClientSession is vulnerable to CRLF injection | 14.01.2026 | |
| CVE-2026-22787 | html2pdf.js has a cross-site scripting vulnerability | 14.01.2026 | |
| CVE-2026-21889 | Weblate leaks information via screenshots | 14.01.2026 | |
| CVE-2026-22694 | AliasVault is Missing Origin Validation in Android Passkey Credential Provider | 14.01.2026 | 6.1 |
| CVE-2026-22708 | Cursor has a Terminal Tool Allowlist Bypass via Environment Variables | 14.01.2026 | |
| CVE-2025-37181 | Authenticated SQL Injection in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface | 14.01.2026 | 7.2 |
| CVE-2025-37182 | Authenticated SQL Injection in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface | 14.01.2026 | 7.2 |
| CVE-2025-37183 | Authenticated SQL Injection in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface | 14.01.2026 | 7.2 |
| CVE-2025-37184 | Unauthenticated Bypass Allows Multi-Factor Authentication Circumvention | 14.01.2026 | 6.5 |
| CVE-2025-37185 | Authenticated Stored Cross-Site Scripting Vulnerabilities (XSS) in EdgeConnect SD-WAN Orchestrator Web Administration Interface | 14.01.2026 | 5.5 |
| CVE-2025-70968 | | 14.01.2026 | |
| CVE-2025-67399 | | 14.01.2026 | |
| CVE-2025-14242 | Vsftpd: vsftpd: denial of service via integer overflow in ls command parameter parsing | 14.01.2026 | |