CVE Field Guide

Critical CVEs

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-29200 | | 04.05.2026 | 9.9 |
| CVE-2026-7719 | Totolink WA300 POST Request cstecgi.cgi loginauth buffer overflow | 04.05.2026 | 9.3 |
| CVE-2026-42364 | GeoVision LPC2011/LPC2211 Web Interface / DdnsSetting.cgi OS command injection vulnerability | 04.05.2026 | 9.9 |
| CVE-2026-42368 | GeoVision LPC2011/LPC2211 Web Interface privilege escalation vulnerability | 04.05.2026 | 9.9 |
| CVE-2026-42369 | GeoVision GV-VMS V20 WebCam Server stack overflow vulnerability | 04.05.2026 | 10 |
| CVE-2026-42370 | GeoVision GV-VMS V20 WebCam Server Login stack overflow vulnerability | 04.05.2026 | 9 |
| CVE-2026-7161 | GeoVision GV-IP Device Utility Device Authentication insufficient encryption vulnerability | 04.05.2026 | 9.3 |
| CVE-2026-7372 | GeoVision GV-VMS V20 WebCam Server Login stack overflow vulnerability | 04.05.2026 | 9 |
| CVE-2026-4882 | User Registration Advanced Fields <= 1.6.20 - Unauthenticated Arbitrary File Upload | 02.05.2026 | 9.8 |
| CVE-2026-7458 | User Verification by PickPlugins <= 2.0.46 - Unauthenticated Authentication Bypass via OTP Verification REST API Endpoint | 02.05.2026 | 9.8 |
| CVE-2026-37539 | | 01.05.2026 | 9.8 |
| CVE-2026-37541 | | 01.05.2026 | 10 |
| CVE-2026-37531 | | 01.05.2026 | 9.8 |
| CVE-2026-43011 | net/x25: Fix potential double free of skb | 03.05.2026 | 9.8 |
| CVE-2026-43037 | ip6_tunnel: clear skb2->cb[] in ip4ip6_err() | 03.05.2026 | 9.8 |
| CVE-2026-43038 | ipv6: icmp: clear skb2->cb[] in ip6_err_gen_icmpv6_unreach() | 03.05.2026 | 9.8 |
| CVE-2026-43039 | net: ti: icssg-prueth: fix missing data copy and wrong recycle in ZC RX dispatch | 03.05.2026 | 9.8 |
| CVE-2026-31705 | ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment | 03.05.2026 | 9.8 |
| CVE-2026-31718 | ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger | 03.05.2026 | 9.8 |
| CVE-2026-42778 | Apache MINA: CWE-502 Deserialization of Untrusted Data (take 2) | 02.05.2026 | 9.8 |
| CVE-2026-42779 | Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter — Full Object Deserialization RCE (take 2) | 02.05.2026 | 9.8 |
| CVE-2026-7567 | Temporary Login <= 1.0.0 - Authentication Bypass to Account Takeover | 01.05.2026 | 9.8 |
| CVE-2026-42996 | | 01.05.2026 | 10 |
| CVE-2026-7546 | Totolink NR1800X lighttpd find_host_ip stack-based overflow | 01.05.2026 | 9.3 |
| CVE-2026-7538 | Totolink A8000RU CGI cstecgi.cgi vulnerability os command injection | 01.05.2026 | 9.3 |
| CVE-2022-50993 | Weaver E-office < 10.0_20221201 Unauthenticated Arbitrary File Read via XmlRpcServlet | 30.04.2026 | 9.3 |
| CVE-2025-71284 | Synway SMG Gateway Management Software OS Command Injection via radius_address | 30.04.2026 | 9.3 |
| CVE-2026-4670 | Improper Authentication vulnerability in Progress MOVEit Automation | 01.05.2026 | 9.8 |
| CVE-2018-25316 | Tenda W308R v2 V5.07.48 Cookie Session Weakness DNS Change | 30.04.2026 | 9.3 |
| CVE-2018-25317 | Tenda W3002R/A302/W309R V5.07.64_en Cookie Session Weakness DNS Change | 30.04.2026 | 9.3 |
| CVE-2018-25318 | Tenda FH303/A300 V5.07.68_EN Cookie Session Weakness DNS Change | 30.04.2026 | 9.3 |
| CVE-2026-30893 | Wazuh cluster sync path traversal in decompress_files() enables arbitrary file write and code execution from authenticated cluster peer | 29.04.2026 | 9 |
| CVE-2026-26015 | Unauthenticated RCE in DocsGPT MCP STDIO Configuration | 30.04.2026 | 10 |
| CVE-2026-41940 | WebPros cPanel and WHM Authentication Bypass via Login Flow | 01.05.2026 | 9.3 |
| CVE-2026-5166 | Path Traversal in TUBITAK BILGEM's Pardus Software Center | 29.04.2026 | 9.6 |
| CVE-2026-3325 | SQL injection in MegaCMS by CRM Sistemas de Fidelización | 29.04.2026 | 10 |
| CVE-2026-41446 | WattBox 800 & 820 Series < 2.10.0.0 RCE via Diagnostic Endpoints | 29.04.2026 | 9.2 |
| CVE-2026-24178 | | 29.04.2026 | 9.8 |
| CVE-2026-3893 | Carlson Software VASCO-B GNSS Receiver Missing Authentication for Critical Function | 29.04.2026 | 9.4 |
| CVE-2026-41386 | OpenClaw < 2026.3.22 - Privilege Escalation via Unbound Bootstrap Setup Codes | 29.04.2026 | 9.1 |
| CVE-2026-27760 | OpenCATS PHP Code Injection via installer AJAX endpoint | 28.04.2026 | 9.2 |
| CVE-2026-5779 | Multiple vulnerabilities in MphRx's Minerva | 28.04.2026 | 9.4 |
| CVE-2026-7241 | Totolink A8000RU CGI cstecgi.cgi setWiFiBasicCfg os command injection | 29.04.2026 | 9.3 |
| CVE-2026-7242 | Totolink A8000RU CGI cstecgi.cgi setOpenVpnClientCfg os command injection | 28.04.2026 | 9.3 |
| CVE-2026-7243 | Totolink A8000RU CGI cstecgi.cgi setRadvdCfg os command injection | 28.04.2026 | 9.3 |
| CVE-2026-7244 | Totolink A8000RU CGI cstecgi.cgi setWiFiEasyGuestCfg os command injection | 28.04.2026 | 9.3 |
| CVE-2026-7248 | D-Link DI-8100 CGI Endpoint tgfile.htm tgfile_htm buffer overflow | 29.04.2026 | 9.3 |
| CVE-2026-7240 | Totolink A8000RU CGI cstecgi.cgi setVpnAccountCfg os command injection | 29.04.2026 | 9.3 |
| CVE-2026-32644 | Milesight Cameras Use of Hard-coded Cryptographic Key | 28.04.2026 | 9.2 |
| CVE-2026-7202 | Totolink A8000RU CGI cstecgi.cgi setWiFiWpsStart os command injection | 29.04.2026 | 9.3 |
| CVE-2026-7203 | Totolink A8000RU CGI cstecgi.cgi setUrlFilterRules os command injection | 29.04.2026 | 9.3 |
| CVE-2026-7204 | Totolink A8000RU CGI cstecgi.cgi setPptpServerCfg os command injection | 28.04.2026 | 9.3 |
| CVE-2026-40976 | | 29.04.2026 | 9.1 |
| CVE-2026-7156 | Totolink A8000RU CGI cstecgi.cgi CsteSystem os command injection | 28.04.2026 | 9.3 |
| CVE-2026-7154 | Totolink A8000RU CGI cstecgi.cgi setAdvancedInfoShow os command injection | 28.04.2026 | 9.3 |
| CVE-2026-7155 | Totolink A8000RU CGI cstecgi.cgi setLoginPasswordCfg os command injection | 28.04.2026 | 9.3 |
| CVE-2026-7152 | Totolink A8000RU CGI cstecgi.cgi setTelnetCfg os command injection | 28.04.2026 | 9.3 |
| CVE-2026-7153 | Totolink A8000RU CGI cstecgi.cgi setMiniuiHomeInfoShow os command injection | 28.04.2026 | 9.3 |
| CVE-2026-7139 | Totolink A8000RU CGI cstecgi.cgi setWiFiAclRules os command injection | 29.04.2026 | 9.3 |
| CVE-2026-7140 | Totolink A8000RU CGI cstecgi.cgi CsteSystem os command injection | 27.04.2026 | 9.3 |
| CVE-2026-7136 | Totolink A8000RU CGI cstecgi.cgi setDmzCfg os command injection | 27.04.2026 | 9.3 |
| CVE-2026-7137 | Totolink A8000RU CGI cstecgi.cgi setStorageCfg os command injection | 27.04.2026 | 9.3 |
| CVE-2026-7138 | Totolink A8000RU CGI cstecgi.cgi setNtpCfg os command injection | 27.04.2026 | 9.3 |
| CVE-2026-41462 | ProjeQtor < 12.4.4 Unauthenticated SQL Injection via Login | 27.04.2026 | 9.3 |

Latest Updates

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-7741 | CodeAstro Online Classroom studentlogin sql injection | 04.05.2026 | |
| CVE-2026-7742 | CodeAstro Online Classroom facultylogin sql injection | 04.05.2026 | |
| CVE-2026-7743 | CodeAstro Online Classroom studentdetails sql injection | 04.05.2026 | |
| CVE-2026-7744 | CodeAstro Online Classroom addnewstudent sql injection | 04.05.2026 | |
| CVE-2026-20447 | | 04.05.2026 | |
| CVE-2026-20448 | | 04.05.2026 | |
| CVE-2026-20449 | | 04.05.2026 | |
| CVE-2026-20450 | | 04.05.2026 | |
| CVE-2026-20451 | | 04.05.2026 | |
| CVE-2026-29199 | | 04.05.2026 | |
| CVE-2026-29200 | | 04.05.2026 | |
| CVE-2026-43859 | | 04.05.2026 | 3.7 |
| CVE-2026-43860 | | 04.05.2026 | 3.7 |
| CVE-2026-43861 | | 04.05.2026 | 3.7 |
| CVE-2026-43862 | | 04.05.2026 | 3.7 |
| CVE-2026-43863 | | 04.05.2026 | 3.7 |
| CVE-2026-43864 | | 04.05.2026 | 2.5 |
| CVE-2026-5335 | Magic Export & Import < 1.2.0 - Unauthenticated PII Disclosure | 04.05.2026 | |
| CVE-2026-7736 | osrg GoBGP mrt.go parseRibEntry integer underflow | 04.05.2026 | |
| CVE-2026-7737 | osrg GoBGP BMP Parser bmp.go BMPStatisticsReport.ParseBody out-of-bounds | 04.05.2026 | |
| CVE-2026-7738 | puchunjie doc-tools-mcp MCP mcp-server.ts open_document path traversal | 04.05.2026 | |
| CVE-2026-7739 | justdan96 tsMuxer hevc.cpp setFPS denial of service | 04.05.2026 | |
| CVE-2026-7740 | justdan96 tsMuxer vvc.cpp setFPS denial of service | 04.05.2026 | |
| CVE-2026-7731 | code-projects BloodBank Managing System get_state.php sql injection | 04.05.2026 | |
| CVE-2026-7732 | code-projects BloodBank Managing System request_blood.php unrestricted upload | 04.05.2026 | |
| CVE-2026-7733 | funadmin Frontend Chunked Upload Endpoint UploadService.php chunkUpload unrestricted upload | 04.05.2026 | |
| CVE-2026-7734 | osrg GoBGP SRv6 L3 Service prefix_sid.go SRv6L3ServiceAttribute.DecodeFromBytes denial of service | 04.05.2026 | |
| CVE-2026-7735 | osrg GoBGP AIGP Attribute bgp.go PathAttributeAigp.DecodeFromBytes buffer overflow | 04.05.2026 | |
| CVE-2026-7725 | PrefectHQ prefect GitRepository Pull storage.py argument injection | 04.05.2026 | |
| CVE-2026-7727 | Shandong Hoteam Software PDM Product Data Management System DataService GetQueryMachineGridOnePageData sql injection | 04.05.2026 | |
| CVE-2026-7728 | ryanjoachim mcp-rtfm MCP update_doc path traversal | 04.05.2026 | |
| CVE-2026-7729 | pixelsock directus-mcp MCP index.ts validateUrl server-side request forgery | 04.05.2026 | |
| CVE-2026-7730 | privsim mcp-test-runner MCP index.ts child_process.spawn os command injection | 04.05.2026 | |
| CVE-2026-7721 | Totolink WA300 cstecgi.cgi NTPSyncWithHost command injection | 04.05.2026 | |
| CVE-2026-7722 | PrefectHQ prefect Health Check API health endswith improper authentication | 04.05.2026 | |
| CVE-2026-7723 | PrefectHQ prefect WebSocket Endpoint in missing authentication | 04.05.2026 | |
| CVE-2026-7724 | PrefectHQ prefect Webhook/Notification validate_restricted_url toctou | 04.05.2026 | |
| CVE-2026-7718 | Totolink WA300 POST Request cstecgi.cgi setWebWlanIdx command injection | 04.05.2026 | |
| CVE-2026-7719 | Totolink WA300 POST Request cstecgi.cgi loginauth buffer overflow | 04.05.2026 | |
| CVE-2026-7720 | Totolink WA300 POST Request cstecgi.cgi setLanguageCfg command injection | 04.05.2026 | |
| CVE-2026-42364 | GeoVision LPC2011/LPC2211 Web Interface / DdnsSetting.cgi OS command injection vulnerability | 04.05.2026 | 9.9 |
| CVE-2026-42365 | GeoVision LPC2011/LPC2211 Web Interface guessable session cookie vulnerability | 04.05.2026 | 8.6 |
| CVE-2026-42366 | GeoVision LPC2011/LPC2211 Web Interface / ssi.cgi reflected cross-site scripting (XSS) vulnerabilities | 04.05.2026 | 7.4 |
| CVE-2026-42367 | GeoVision LPC2011/LPC2211 Web Interface / ssi.cgi privilege escalation vulnerability via leak of Administrator credentials | 04.05.2026 | 6.5 |
| CVE-2026-42368 | GeoVision LPC2011/LPC2211 Web Interface privilege escalation vulnerability | 04.05.2026 | 9.9 |
| CVE-2026-42369 | GeoVision GV-VMS V20 WebCam Server stack overflow vulnerability | 04.05.2026 | 10 |
| CVE-2026-42370 | GeoVision GV-VMS V20 WebCam Server Login stack overflow vulnerability | 04.05.2026 | 9 |
| CVE-2026-7161 | GeoVision GV-IP Device Utility Device Authentication insufficient encryption vulnerability | 04.05.2026 | 9.3 |
| CVE-2026-7371 | GeoVision LPC2011/LPC2211 Web Interface / ssi.cgi reflected cross-site scripting (XSS) vulnerabilities | 04.05.2026 | 7.4 |
| CVE-2026-7372 | GeoVision GV-VMS V20 WebCam Server Login stack overflow vulnerability | 04.05.2026 | 9 |
| CVE-2026-7714 | crocodilestick Calibre-Web-Automated Admin Endpoint cwa_functions.py missing authentication | 04.05.2026 | |
| CVE-2026-7715 | ravenwits mcp-server-arangodb MCP tools.ts arango_backup path traversal | 04.05.2026 | |
| CVE-2026-7716 | code-projects Gym Management System In PHP/Windows NT index.php sql injection | 04.05.2026 | |
| CVE-2026-7717 | Totolink WA300 POST Request cstecgi.cgi UploadCustomModule buffer overflow | 04.05.2026 | |
| CVE-2026-6948 | Unbounded Memory Allocation in VQLResponse Result-Set Writer | 03.05.2026 | 4.9 |
| CVE-2026-7713 | crocodilestick Calibre-Web-Automated Kobo auth-token Route kobo_auth.py generate_auth_token improper authorization | 04.05.2026 | |
| CVE-2026-7711 | MindsDB Engine proc_wrapper.py exec unrestricted upload | 03.05.2026 | |
| CVE-2026-7712 | MindsDB Pickle pickle.loads deserialization | 03.05.2026 | |
| CVE-2026-7710 | YunaiV yudao-cloud Ruoyi-Vue-Pro JwtAuthenticationTokenFilter.java doFilterInternal improper authentication | 03.05.2026 | |
| CVE-2026-7709 | janeczku Calibre-Web Endpoint kobo_auth.py generate_auth_token improper authorization | 03.05.2026 | |
| CVE-2026-7708 | Open5GS UDR subscription.c ogs_dbi_subscription_data denial of service | 03.05.2026 | |
| CVE-2026-7707 | Open5GS UDR nudr-handler.c udr_nudr_dr_handle_subscription_context denial of service | 03.05.2026 | |
| CVE-2026-7705 | JD Cloud JDCOS Service jdcap set_iptv_info command injection | 03.05.2026 | |
| CVE-2026-7706 | Open5GS AMF gmm-handler.c gmm_handle_service_request denial of service | 03.05.2026 | |
| CVE-2026-7704 | AV Stumpfl Pixera Two Media Server Service Port 1338 path traversal | 03.05.2026 | |
| CVE-2026-7703 | AV Stumpfl Pixera Two Media Server Websocket API code injection | 03.05.2026 | |
| CVE-2026-7702 | toeverything AFFiNE Public Markdown Preview Endpoint :docId allowDocPreview authorization | 03.05.2026 | |
| CVE-2026-7701 | Telegram Desktop Bot API url_auth_box.cpp RequestButton null pointer dereference | 03.05.2026 | |