CVE Field Guide

Critical CVEs

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-29191 | ZITADEL: 1-Click Account Takeover via XSS in /saml-post Endpoint | 07.03.2026 | 9.3 |
| CVE-2026-25070 | XikeStor SKS8310-8X PingTestSet Command Injection | 07.03.2026 | 9.3 |
| CVE-2026-29789 | Vito: Cross-project privilege escalation in workflow site-creation actions allows unauthorized server modification | 06.03.2026 | 10 |
| CVE-2026-30847 | Wekan Credential Leak via notificationUsers Publication Exposes Password Hashes and Session Tokens | 06.03.2026 | 9.3 |
| CVE-2026-30843 | Wekan has Cross-Board IDOR in Custom Fields Update Endpoints | 06.03.2026 | 9.3 |
| CVE-2026-30844 | Wekan Vulnerable to SSRF through Lack of Validation or Filtering in Attachment URL Loading | 06.03.2026 | 9.3 |
| CVE-2026-28514 | Rocket.Chat: Users can login with any password via the EE ddp-streamer-service | 06.03.2026 | 9.3 |
| CVE-2026-26288 | Everon api.everon.io Missing Authentication for Critical Function | 06.03.2026 | 9.3 |
| CVE-2026-26051 | Mobiliti e-mobi.hu Missing Authentication for Critical Function | 06.03.2026 | 9.3 |
| CVE-2026-2330 | | 06.03.2026 | 9.4 |
| CVE-2026-2331 | | 06.03.2026 | 9.8 |
| CVE-2026-29183 | SiYuan: Unauthenticated reflected SVG XSS in `/api/icon/getDynamicIcon` (`type=8`) enables arbitrary JavaScript execution | 06.03.2026 | 9.3 |
| CVE-2026-29058 | AVideo: Unauthenticated OS Command Injection via base64Url in objects/getImage.php | 06.03.2026 | 9.8 |
| CVE-2026-28794 | oRPC: Prototype Pollution in `@orpc/client` via `StandardRPCJsonSerializer` Deserialization | 06.03.2026 | 9.3 |
| CVE-2026-28508 | Idno: Unauthenticated SSRF via URL Unfurl Endpoint | 06.03.2026 | 9.2 |
| CVE-2026-28680 | Ghostfolio: Full-Read SSRF in Manual Asset Import | 06.03.2026 | 9.3 |
| CVE-2026-28785 | Ghostfolio: Time-Based Blind SQL Injection in Manual Asset Import | 06.03.2026 | 9.3 |
| CVE-2025-59542 | Chamilo: Account Takeover via Stored XSS in Course Learning Paths | 06.03.2026 | 9.1 |
| CVE-2025-59543 | Chamilo: Account Takeover via Stored XSS in Course Description | 06.03.2026 | 9.1 |
| CVE-2026-28497 | TinyWeb: Integer Overflow in `_Val` (HTTP Request Smuggling) | 06.03.2026 | 9.3 |
| CVE-2026-28501 | WWBN AVideo: Unauthenticated SQL Injection via JSON Request Bypass in objects/videos.json.php | 06.03.2026 | 9.8 |
| CVE-2026-28502 | WWBN AVideo: Authenticated Remote Code Execution via Unsafe Plugin ZIP Extraction | 06.03.2026 | 9.3 |
| CVE-2026-29046 | TinyWeb: HTTP Header Control Character Injection into CGI Environment | 06.03.2026 | 9.2 |
| CVE-2026-22552 | ePower epower.ie Missing Authentication for Critical Function | 05.03.2026 | 9.3 |
| CVE-2026-21536 | Microsoft Devices Pricing Program Remote Code Execution Vulnerability | 06.03.2026 | 9.8 |
| CVE-2026-28391 | OpenClaw < 2026.2.2 - Command Injection via cmd.exe Parsing Bypass in Allowlist Enforcement | 06.03.2026 | 9.2 |
| CVE-2026-28446 | OpenClaw < 2026.2.1 - Inbound Allowlist Policy Bypass in voice-call Extension via Empty Caller ID and Suffix Matching | 06.03.2026 | 9.2 |
| CVE-2026-28466 | OpenClaw < 2026.2.14 - Remote Code Execution via Node Invoke Approval Bypass | 06.03.2026 | 9.4 |
| CVE-2026-28470 | OpenClaw < 2026.2.2 - Exec Allowlist Bypass via Command Substitution in Double Quotes | 05.03.2026 | 9.2 |
| CVE-2026-28472 | OpenClaw < 2026.2.2 - Device Identity Check Bypass in Gateway WebSocket Connect Handshake | 06.03.2026 | 9.2 |
| CVE-2026-28474 | OpenClaw Nextcloud Talk < 2026.2.6 - Allowlist Bypass via actor.name Display Name Spoofing | 05.03.2026 | 9.3 |
| CVE-2026-21622 | Password Reset Tokens Do Not Expire | 05.03.2026 | 9.5 |
| CVE-2025-55208 | Chamilo LMS has Stored Cross Site Scripting on Social Networks Uploaded Files | 06.03.2026 | 9.1 |
| CVE-2026-29188 | File Browser: TUS Delete Endpoint Bypasses Delete Permission Check | 06.03.2026 | 9.1 |
| CVE-2026-0848 | Arbitrary Code Execution in NLTK StanfordSegmenter via Untrusted JAR Loading | 06.03.2026 | 10 |
| CVE-2026-28353 | Trivy Vulnerability Scanner: Unauthorized AI Agent Execution Code Included in OpenVSX Extension Release | 06.03.2026 | 10 |
| CVE-2026-25921 | Gogs: Cross-repository LFS object overwrite via missing content hash verification | 06.03.2026 | 9.3 |
| CVE-2026-24457 | | 06.03.2026 | 9.1 |
| CVE-2026-27944 | Nginx UI: Unauthenticated Backup Download with Encryption Key Disclosure | 06.03.2026 | 9.8 |
| CVE-2026-30789 | RustDesk Client Generates Auth Proof Without Client-Side Nonce, Enabling Replay Attacks | 05.03.2026 | 9.3 |
| CVE-2026-30790 | RustDesk Server Controls All Handshake Entropy (Salt/Challenge), Enabling Offline Brute-Force | 05.03.2026 | 9.3 |
| CVE-2026-30797 | RustDesk rustdesk://config/ URI Silently Re-homes Client to Attacker-Controlled Server | 05.03.2026 | 9.3 |
| CVE-2026-30792 | RustDesk Client Blindly Merges Unauthenticated Strategy Payloads, Bypassing Local Security Settings | 06.03.2026 | 9.1 |
| CVE-2026-30793 | RustDesk Flutter URI Handler Sets Permanent Password Without Privilege Check or User Confirmation | 05.03.2026 | 9.3 |
| CVE-2026-30794 | RustDesk HTTP Client Silently Accepts Invalid TLS Certificates After Handshake Failure | 05.03.2026 | 9.1 |
| CVE-2026-2599 | Database for Contact Form 7, WPforms, Elementor forms <= 1.4.7 - Unauthenticated PHP Object Injection via 'download_csv' | 05.03.2026 | 9.8 |
| CVE-2026-21628 | Extension - astroidframe.work - Unauthenticated Remote Code Execution in Astroid Framework 2.0.0 - 3.3.10 for Joomla | 05.03.2026 | 10 |
| CVE-2026-28536 | | 05.03.2026 | 9.6 |
| CVE-2026-2743 | SEPPmail User Web Interface Arbitrary File Write to RCE | 05.03.2026 | 10 |
| CVE-2026-1678 | dns: memory‑safety issue in the DNS name parser | 05.03.2026 | 9.4 |
| CVE-2026-29127 | Incorrect Permission Assignment(777) on `monitor` Users Home Directory Containing SUID Root Binaries in IDC SFX2100 | 05.03.2026 | 9.2 |
| CVE-2026-2835 | HTTP Request Smuggling via HTTP/1.0 and Transfer-Encoding Misparsing | 06.03.2026 | 9.3 |
| CVE-2026-2833 | HTTP Request Smuggling via Premature Upgrade | 06.03.2026 | 9.3 |
| CVE-2026-29000 | pac4j-jwt JwtAuthenticator Authentication Bypass | 07.03.2026 | 10 |
| CVE-2026-20079 | | 05.03.2026 | 10 |
| CVE-2026-20131 | | 05.03.2026 | 10 |
| CVE-2026-28783 | Craft has a Twig Function Blocklist Bypass | 06.03.2026 | 9.4 |
| CVE-2026-28697 | Craft Affected by Authenticated RCE via "craft.app.fs.write()" in Twig Templates | 06.03.2026 | 9.4 |
| CVE-2026-27441 | PDF Password CMDi | 04.03.2026 | 9.5 |
| CVE-2026-27442 | zip_attachments Path Traversal | 04.03.2026 | 9.3 |
| CVE-2026-27446 | Apache Artemis, Apache ActiveMQ Artemis: Auth bypass for Core downstream federation | 05.03.2026 | 9.3 |
| CVE-2026-29120 | Insecure, Hardcoded Root Password Stored in Anaconda Configuration File On IDC SFX2100 Satellite Receiver | 05.03.2026 | 9.2 |
| CVE-2026-28777 | Hardcoded and Insecure Credentials for "User" Local Account with SSH Access On IDC SFX2100 Satellite Receiver | 05.03.2026 | 9.2 |
| CVE-2026-28773 | Authenticated OS Command Injection via Ping Utility Leading to RCE as Root | 05.03.2026 | 9.3 |
| CVE-2026-28774 | Authenticated OS Command Injection via Traceroute Utility leads to Root RCE | 05.03.2026 | 9.3 |
| CVE-2026-28775 | Unauthenticated RCE via SNMP Default Writable Community String | 05.03.2026 | 10 |
| CVE-2026-27971 | Qwik affected by unauthenticated RCE via server$ Deserialization | 04.03.2026 | 9.2 |
| CVE-2026-28289 | FreeScout 1.8.206 Patch Bypass for CVE-2026-27636 via Zero-Width Space Character Leads to Remote Code Execution | 05.03.2026 | 10 |
| CVE-2026-26279 | Froxlor Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection | 04.03.2026 | 9.1 |
| CVE-2026-26266 | AliasVault affected by Cross-Site Scripting (XSS) via Email HTML Rendering | 04.03.2026 | 9.3 |
| CVE-2026-24898 | OpenEMR has an Unauthenticated MedEx Token Disclosure | 04.03.2026 | 10 |
| CVE-2026-25146 | OpenEMR's payments gateway_api_key secret rendered into client JS code | 04.03.2026 | 9.6 |
| CVE-2026-27012 | Unauthenticated privilege escalation in OpenSTAManager via modules/utenti/actions.php | 04.03.2026 | 9.8 |
| CVE-2026-3485 | D-Link DIR-868L SSDP Service sub_1BF84 os command injection | 03.03.2026 | 9.3 |
| CVE-2026-3437 | Improper Restriction of Operations within the Bounds of a Memory Buffer in Portwell Engineering Toolkits | 03.03.2026 | 9.3 |
| CVE-2026-22891 | | 03.03.2026 | 9.8 |
| CVE-2026-22886 | | 03.03.2026 | 9.8 |
| CVE-2026-1492 | User Registration & Membership <= 5.1.2 - Unauthenticated Privilege Escalation via Membership Registration | 03.03.2026 | 9.8 |
| CVE-2026-2628 | All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login <= 2.2.5 - Authentication Bypass | 03.03.2026 | 9.8 |
| CVE-2025-50187 | Chamilo: Evaluation of untrusted user input leads to Remote Code Execution | 02.03.2026 | 9.8 |
| CVE-2026-23600 | | 03.03.2026 | 10 |
| CVE-2025-12462 | Blind SQL Injection in DobryCMS | 02.03.2026 | 9.3 |
| CVE-2025-14532 | Remote Code Execution via Unrestricted File Upload in DobryCMS | 02.03.2026 | 9.3 |
| CVE-2026-3431 | Sim Studio AI - MongoDB SSRF and Arbitrary Document Deletion | 02.03.2026 | 9.8 |
| CVE-2026-3432 | Sim Studio AI - Unauthenticated OAuth Token Theft | 02.03.2026 | 9.3 |
| CVE-2025-30035 | Lack of API authentication allowing session generation for any user | 02.03.2026 | 9 |
| CVE-2025-30042 | Session generation possible with certificate number only | 02.03.2026 | 9 |
| CVE-2025-30044 | RCE on uhcapache user permissions | 02.03.2026 | 9.4 |
| CVE-2026-2584 | SQL Injection in Ciser System SL firmware | 02.03.2026 | 9.3 |
| CVE-2026-2999 | Changing\|IDExpert Windows Logon Agent - Remote Code Execution | 02.03.2026 | 9.3 |
| CVE-2026-3000 | Changing\|IDExpert Windows Logon Agent - Remote Code Execution | 02.03.2026 | 9.3 |
| CVE-2026-3422 | e-Excellence\|U-Office Force - Insecure Deserialization | 02.03.2026 | 9.3 |

Latest Updates

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-29778 | pyLoad: Arbitrary File Write via Path Traversal in edit_package() | 07.03.2026 | 7.1 |
| CVE-2026-29784 | Ghost: Incomplete CSRF protections around OTC use | 07.03.2026 | 7.5 |
| CVE-2026-29786 | node-tar: Hardlink Path Traversal via Drive-Relative Linkpath | 07.03.2026 | |
| CVE-2026-29787 | mcp-memory-service: System Information Disclosure via Health Endpoint | 07.03.2026 | 5.3 |
| CVE-2026-30834 | PinchTab: SSRF with Full Response Exfiltration via Download Handler | 07.03.2026 | 7.5 |
| CVE-2026-3665 | xlnt-community xlnt XLSX File xlsx_consumer.cpp read_office_document null pointer dereference | 07.03.2026 | |
| CVE-2026-3667 | Freedom Factory dGEN1 org.ethosmobile.ethoslauncher FakeAppService improper authorization | 07.03.2026 | |
| CVE-2026-29190 | Karapace: Path Traversal in Backup Reader | 07.03.2026 | 4.1 |
| CVE-2026-29771 | Netmaker: Denial of Service via Server Shutdown Endpoint | 07.03.2026 | |
| CVE-2026-29779 | UptimeFlare: Monitor config / Credentials in `workerConfig` exposed in client-side JavaScript bundle | 07.03.2026 | 7.5 |
| CVE-2026-29780 | eml_parser: Path Traversal in Official Example Script Leading to Arbitrary File Write | 07.03.2026 | 5.5 |
| CVE-2026-29781 | Sliver: Authenticated Nil-Pointer Dereference in Handlers | 07.03.2026 | |
| CVE-2026-29067 | ZITADEL: Account Takeover Due to Improper Instance Validation in V2 Login | 07.03.2026 | 8.1 |
| CVE-2026-29186 | @backstage/plugin-techdocs-node: TechDocs Mkdocs Configuration Key Enables Arbitrary Code Execution | 07.03.2026 | 7.7 |
| CVE-2026-29191 | ZITADEL: 1-Click Account Takeover via XSS in /saml-post Endpoint | 07.03.2026 | 9.3 |
| CVE-2026-29192 | ZITADEL: Stored XSS via Default URI Redirect Leads to Account Takeover | 07.03.2026 | 7.7 |
| CVE-2026-29193 | ZITADEL: Bypassing Zitadel Login Behavior and Security Policy in Login V2 | 07.03.2026 | 8.2 |
| CVE-2026-29184 | @backstage/plugin-scaffolder-backend: Potential Session Token Exfiltration via Log Redaction Bypass | 07.03.2026 | 2 |
| CVE-2026-29185 | @backstage/integration: Potential reading of SCM URLs using built in token | 07.03.2026 | 2.7 |
| CVE-2026-3663 | xlnt-community xlnt XLSX File compound_document.cpp xsgetn out-of-bounds | 07.03.2026 | |
| CVE-2026-3664 | xlnt-community xlnt Encrypted XLSX File compound_document.cpp read_directory out-of-bounds | 07.03.2026 | |
| CVE-2026-3661 | Wavlink WL-NU516U1 adm.cgi ota_new_upgrade command injection | 07.03.2026 | |
| CVE-2026-3662 | Wavlink WL-NU516U1 adm.cgi usb_p910 command injection | 07.03.2026 | |
| CVE-2026-24281 | Apache ZooKeeper: Reverse-DNS fallback enables hostname verification bypass in ZooKeeper ZKTrustManager | 07.03.2026 | |
| CVE-2026-24308 | Apache ZooKeeper: Sensitive information disclosure in client configuration handling | 07.03.2026 | |
| CVE-2026-2219 | | 07.03.2026 | |
| CVE-2025-14675 | Meta Box <= 5.11.1 - Authenticated (Contributor+) Arbitrary File Deletion | 07.03.2026 | 7.2 |
| CVE-2026-1071 | Carta Online <= 2.13.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings | 07.03.2026 | 4.4 |
| CVE-2026-1073 | Purchase Button For Affiliate Link <= 1.0.2 - Cross-Site Request Forgery to Settings Update | 07.03.2026 | 4.3 |
| CVE-2026-1074 | WP App Bar <= 1.5 - Unauthenticated Stored Cross-Site Scripting via 'app-bar-features' Parameter | 07.03.2026 | 7.2 |
| CVE-2026-1085 | True Ranker <= 2.2.9 - Cross-Site Request Forgery to Unauthorized True Ranker Disconnection | 07.03.2026 | 4.3 |
| CVE-2026-1086 | Font Pairing Preview For Landing Pages <= 1.3 - Cross-Site Request Forgery to Settings Update | 07.03.2026 | 4.3 |
| CVE-2026-1087 | The Guardian News Feed <= 1.2 - Cross-Site Request Forgery to Settings Update | 07.03.2026 | 4.3 |
| CVE-2026-1569 | Wueen <= 0.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin's Shortcode | 07.03.2026 | 6.4 |
| CVE-2026-1574 | MyQtip – easy qTip2 <= 2.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | 07.03.2026 | 6.4 |
| CVE-2026-1805 | DA Media GigList <= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'list_title' Shortcode Attribute | 07.03.2026 | 6.4 |
| CVE-2026-1820 | Media Library Alt Text Editor <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_id' Shortcode Attribute | 07.03.2026 | 6.4 |
| CVE-2026-1823 | Consensus Embed <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'src' Shortcode Attribute | 07.03.2026 | 6.4 |
| CVE-2026-1824 | Infomaniak Connect for OpenID <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | 07.03.2026 | 6.4 |
| CVE-2026-1825 | Show YouTube video <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute | 07.03.2026 | 6.4 |
| CVE-2026-2420 | LotekMedia Popup Form <= 1.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings | 07.03.2026 | 4.4 |
| CVE-2026-2433 | RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.11 - Unauthenticated DOM-Based Reflected Cross-Site Scripting via postMessage | 07.03.2026 | 6.1 |
| CVE-2025-8899 | Paid Videochat Turnkey Site – HTML5 PPV Live Webcams <= 7.3.20 - Authenticated (Author+) Privilege Escalation | 07.03.2026 | 8.8 |
| CVE-2026-27796 | Homarr: Unauthenticated Information Disclosure (Integration Metadata Leak) | 07.03.2026 | 5.3 |
| CVE-2026-27797 | Homarr: Unauthenticated SSRF in rssFeed.ts | 07.03.2026 | 5.3 |
| CVE-2026-30829 | Checkmate: Unauthenticated Access to Unpublished Status Page | 07.03.2026 | 5.3 |
| CVE-2026-30830 | Defuddle: XSS via unescaped string interpolation in _findContentBySchemaText image tag | 07.03.2026 | |
| CVE-2026-30828 | Wallos: SSRF via url parameter leading to File Traversal | 07.03.2026 | |
| CVE-2026-30839 | Wallos: SSRF via webhook test endpoint | 07.03.2026 | |
| CVE-2026-30840 | Wallos: Server-Side Request Forgery (SSRF) in Notification Testers | 07.03.2026 | |
| CVE-2026-30841 | Wallos: Reflected XSS via unescaped token and email parameters in passwordreset.php | 07.03.2026 | |
| CVE-2026-30842 | Wallos: Authenticated Missing Authorization Allows Deletion of Other Users’ Uploaded Avatars | 07.03.2026 | 4.3 |
| CVE-2026-30823 | Flowise: IDOR leading to Account Takeover and Enterprise Feature Bypass via SSO Configuration | 07.03.2026 | |
| CVE-2026-30824 | Flowise: Missing Authentication on NVIDIA NIM Endpoints | 07.03.2026 | |
| CVE-2026-30825 | hoppscotch: IDOR - Any authenticated user can revoke any other user's Personal Access Token | 07.03.2026 | 0 |
| CVE-2026-30827 | express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting (all IPv4 clients share one bucket on dual-stack servers) | 07.03.2026 | 7.5 |
| CVE-2026-30820 | Flowise Authorization Bypass via Spoofed x-request-from Header | 07.03.2026 | |
| CVE-2026-30821 | Flowise: Arbitrary File Upload via MIME Spoofing | 07.03.2026 | |
| CVE-2026-30822 | Flowise: Mass Assignment in `/api/v1/leads` Endpoint | 07.03.2026 | |
| CVE-2026-30247 | WeKnora: SSRF via Redirection | 07.03.2026 | 5.9 |
| CVE-2025-14353 | ZIP Code Based Content Protection <= 1.0.2 - Unauthenticated SQL Injection via 'zipcode' Parameter | 07.03.2026 | 7.5 |
| CVE-2026-1650 | MDJM Event Management <= 1.7.8.1 - Missing Authorization to Unauthenticated Arbitrary Custom Event Field Deletion | 07.03.2026 | 5.3 |
| CVE-2026-1902 | Hammas Calendar <= 1.5.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'apix' Shortcode Attribute | 07.03.2026 | 6.4 |
| CVE-2026-2020 | JS Archive List <= 6.1.7 - Authenticated (Contributor+) PHP Object Injection via 'included' Shortcode Attribute | 07.03.2026 | 7.5 |
| CVE-2026-2429 | Community Events <= 1.5.8 - Authenticated (Administrator+) SQL Injection via 'ce_venue_name' CSV Field | 07.03.2026 | 4.9 |
| CVE-2026-2431 | CM Custom Reports <= 1.2.7 - Reflected Cross-Site Scripting via 'date_from' and 'date_to' Parameters | 07.03.2026 | 6.1 |
| CVE-2026-2488 | ProfileGrid <= 5.9.8.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Message Deletion | 07.03.2026 | 4.3 |
| CVE-2026-2494 | ProfileGrid <= 5.9.8.2 - Cross-Site Request Forgery to Group Membership Request Approval/Denial | 07.03.2026 | 4.3 |
| CVE-2026-2721 | MailArchiver <= 4.4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings | 07.03.2026 | 4.8 |
| CVE-2026-2722 | Stock Ticker <= 3.26.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Template | 07.03.2026 | 4.8 |
| CVE-2026-3352 | Easy PHP Settings <= 1.0.4 - Authenticated (Administrator+) PHP Code Injection via 'wp_memory_limit' Setting | 07.03.2026 | 7.2 |
| CVE-2026-25070 | XikeStor SKS8310-8X PingTestSet Command Injection | 07.03.2026 | |
| CVE-2026-25071 | XikeStor SKS8310-8X switch_config.src Missing Authentication | 07.03.2026 | |
| CVE-2026-25072 | XikeStor SKS8310-8X Predictable Session Identifiers | 07.03.2026 | |
| CVE-2026-25073 | XikeStor SKS8310-8X Stored XSS via System Name | 07.03.2026 | |
| CVE-2026-1644 | WP Frontend Profile <= 1.3.8 - Cross-Site Request Forgery to Unauthorized User Account Approval or Rejection | 06.03.2026 | 4.3 |
| CVE-2026-1981 | Winston AI <= 0.0.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Deletion | 06.03.2026 | 4.3 |
| CVE-2026-2371 | Greenshift <= 12.8.3 - Missing Authorization to Unauthenticated Private Reusable Block Disclosure via 'gspb_el_reusable_load' | 06.03.2026 | 5.3 |
| CVE-2026-3233 | | 06.03.2026 | |
| CVE-2026-25679 | Incorrect parsing of IPv6 host literals in net/url | 06.03.2026 | |
| CVE-2026-27137 | Incorrect enforcement of email constraints in crypto/x509 | 06.03.2026 | |
| CVE-2026-27138 | Panic in name constraint checking for malformed certificates in crypto/x509 | 06.03.2026 | |
| CVE-2026-27139 | FileInfo can escape from a Root in os | 06.03.2026 | |
| CVE-2026-27142 | URLs in meta content attribute actions are not escaped in html/template | 06.03.2026 | |
| CVE-2026-30241 | Mercurius: queryDepth limit bypassed for WebSocket subscriptions | 06.03.2026 | |
| CVE-2026-30242 | Plane: SSRF via Incomplete IP Validation in Webhook URL Serializer | 06.03.2026 | 8.5 |
| CVE-2026-30244 | Plane: Unauthenticated Workspace Member Information Disclosure | 06.03.2026 | 7.5 |