CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2025-5319 SQLi in Digita Technologies' Efficiency Management System 03.02.2026 9.8
CVE-2026-1432 SQL injection (SQLi) on the Buroweb platform 03.02.2026 9.3
CVE-2026-24465 03.02.2026 9.3
CVE-2026-24936 An improper input validation vulnerability was found in ADM while joining an AD Domain. 03.02.2026 9.5
CVE-2025-66480 Wildfire has Arbitrary File Upload via Directory Traversal in UploadFileAction 03.02.2026 9.8
CVE-2026-22778 vLLM leaks a heap address when PIL throws an error 03.02.2026 9.8
CVE-2026-23515 RCE - Command Injection in Signal K set-system-time plugin 03.02.2026 10
CVE-2026-24471 Improper Validation in Conduit-derived homeservers resulting in Unintended Proxy or Intermediary ('Confused Deputy') 03.02.2026 9.3
CVE-2026-25134 Group-Office Argument Injection in MaintenanceController::actionZipLanguage 02.02.2026 9.4
CVE-2026-25137 NixOs Odoo database and filestore publicly accessible with default odoo configuration 02.02.2026 9.1
CVE-2026-25142 SandboxJS Prototype Pollution -> Sandbox Escape -> RCE 02.02.2026 10
CVE-2022-50981 Multiple Innomic VibroLine VLX HD 5.0 and avibia AVLX weak password requirements 02.02.2026 9.8
CVE-2024-2356 Remote Code Execution due to LFI in '/reinstall_extension' in parisneo/lollms-webui 02.02.2026 9.6
CVE-2024-5386 Account Hijacking via Password Reset Token Leak in lunary-ai/lunary 02.02.2026 9.6
CVE-2024-5986 Remote Arbitrary File Write with Arbitrary Data in h2oai/h2o-3 02.02.2026 9.1
CVE-2026-25200 03.02.2026 9.8
CVE-2026-25202 03.02.2026 9.8
CVE-2026-25069 SunFounder Pironman Dashboard <= 1.3.13 Path Traversal Arbitrary File Read/Deletion 02.02.2026 9.3
CVE-2020-37027 Sickbeard 0.1 - Remote Command Injection 30.01.2026 9.3
CVE-2020-37052 AirControl 1.4.2 - PreAuth Remote Code Execution 02.02.2026 9.3
CVE-2026-1723 TOTOLINK X6000R Unauthenticated Command Injection Vulnerability 30.01.2026 9.2
CVE-2025-24293 02.02.2026 9.2
CVE-2026-25130 Cybersecurity AI vulnerable to command Injection through argument injection in find_file Agent tool 02.02.2026 9.7
CVE-2026-25141 Orval has a code injection via unsanitized x-enum-descriptions using JS comments 02.02.2026 9.3
CVE-2025-7964 Zigbee Router Denial of Service 30.01.2026 9.2
CVE-2025-26385 Metasys product command injection vulnerability could allow remote SQL execution 30.01.2026 9.5
CVE-2026-1699 02.02.2026 10
CVE-2026-0963 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Crafty Controller 02.02.2026 9.9
CVE-2026-24728 Interinfo DreamMaker - Missing Authentication for Critical Function 30.01.2026 9.3
CVE-2026-24729 Interinfo DreamMaker - Unrestricted Upload of File with Dangerous Type 30.01.2026 10
CVE-2026-1281 30.01.2026 9.8
CVE-2026-1340 30.01.2026 9.8
CVE-2026-25047 deepHas vulnerable to Prototype Pollution via constructor.prototype 02.02.2026 9.4
CVE-2026-22806 vCluster Platform's Access Keys Allows Access Beyond Scope 29.01.2026 9.1
CVE-2026-1453 Missing Authentication for Critical Function in KiloView Encoder Series 29.01.2026 9.3
CVE-2026-1610 Tenda AX12 Pro V2 Telnet Service hard-coded credentials 29.01.2026 9.2
CVE-2020-37012 Tea LaTex 1.0 - Remote Code Execution 29.01.2026 9.3
CVE-2026-24897 Authenticated Remote Code Execution via Arbitrary File Upload 29.01.2026 10
CVE-2026-24685 OpenProject has Argument Injection on Repository module that allows Arbitrary File Write 28.01.2026 9.4
CVE-2026-1056 Snow Monkey Forms <= 12.0.3 - Unauthenticated Arbitrary File Deletion via Path Traversal 28.01.2026 9.8
CVE-2025-40551 SolarWinds Web Help Desk Deserialization of Untrusted Data Remote Code Execution Vulnerability 02.02.2026 9.8
CVE-2025-40552 SolarWinds Web Help Desk Authentication Bypass Vulnerability 02.02.2026 9.8
CVE-2025-40553 SolarWinds Web Help Desk Deserialization of Untrusted Data Remote Code Execution Vulnerability 29.01.2026 9.8
CVE-2025-40554 SolarWinds Web Help Desk Authentication Bypass Vulnerability 29.01.2026 9.8
CVE-2026-24838 DotNetNuke.Core Vulnerable to Stored XSS via Module Title 28.01.2026 9.1
CVE-2026-24841 Dokploy Vulnerable to Authenticated Remote Code Execution via Command Injection in Docker Container Terminal WebSocket Endpoint 28.01.2026 9.9
CVE-2026-23830 SandboxJS has Sandbox Escape via Unprotected AsyncFunction Constructor 28.01.2026 10

Latest Updates

CVE Title Updated Score
CVE-2026-23794 Apache Syncope: Reflected XSS on Enduser Login 03.02.2026
CVE-2026-23795 Apache Syncope: Console XXE on Keymaster parameters 03.02.2026
CVE-2019-25261 AnyDesk 5.4.0 - Unquoted Service Path 03.02.2026
CVE-2020-37098 Disk Sorter Enterprise 12.4.16 - Unquoted Service Path 03.02.2026
CVE-2020-37099 Disk Savvy Enterprise 12.3.18 - 'disksvs.exe' Unquoted Service Path 03.02.2026
CVE-2020-37100 Sync Breeze Enterprise 12.4.18 - Unquoted Service Path 03.02.2026
CVE-2020-37101 VPN unlimited 6.1 - Unquoted Service Path 03.02.2026
CVE-2020-37102 Adaware Web Companion 4.9.2159 - 'WCAssistantService' Unquoted Service Path 03.02.2026
CVE-2025-65017 Decidim's private data exports can lead to data leaks 03.02.2026
CVE-2026-1814 Rapid7 Nexpose Insecure Java Keystore Password Generation 03.02.2026
CVE-2025-13473 Username enumeration through timing difference in mod_wsgi authentication handler 03.02.2026
CVE-2025-14550 Potential denial-of-service vulnerability via repeated headers when using ASGI 03.02.2026
CVE-2025-5319 SQLi in Digita Technologies' Efficiency Management System 03.02.2026 9.8
CVE-2026-1207 Potential SQL injection via raster lookups on PostGIS 03.02.2026
CVE-2026-1285 Potential denial-of-service vulnerability in django.utils.text.Truncator HTML methods 03.02.2026
CVE-2026-1287 Potential SQL injection in column aliases via control characters 03.02.2026
CVE-2026-1312 Potential SQL injection via QuerySet.order_by and FilteredRelation 03.02.2026
CVE-2026-24938 WordPress Better Search plugin <= 4.2.1 - Cross Site Scripting (XSS) vulnerability 03.02.2026
CVE-2026-24939 WordPress Modula Image Gallery plugin <= 2.13.6 - Broken Access Control vulnerability 03.02.2026
CVE-2026-24940 WordPress Travelfic Toolkit plugin <= 1.3.3 - Broken Access Control vulnerability 03.02.2026
CVE-2026-24942 WordPress WpEvently plugin <= 5.1.1 - Cross Site Request Forgery (CSRF) vulnerability 03.02.2026
CVE-2026-24945 WordPress Ultimate Addons for Contact Form 7 plugin <= 3.5.34 - Broken Access Control vulnerability 03.02.2026
CVE-2026-24947 WordPress LA-Studio Element Kit for Elementor plugin < 1.5.6.3 - Broken Access Control vulnerability 03.02.2026
CVE-2026-24951 WordPress myCred plugin <= 2.9.7.3 - Broken Access Control vulnerability 03.02.2026
CVE-2026-24952 WordPress Seriously Simple Podcasting plugin <= 3.14.1 - Cross Site Scripting (XSS) vulnerability 03.02.2026
CVE-2026-24954 WordPress WpEvently plugin <= 5.0.8 - Deserialization of untrusted data vulnerability 03.02.2026
CVE-2026-24957 WordPress Strong Testimonials plugin <= 3.2.20 - Broken Access Control vulnerability 03.02.2026
CVE-2026-24958 WordPress JetElements For Elementor plugin <= 2.7.12.2 - Cross Site Scripting (XSS) vulnerability 03.02.2026
CVE-2026-24961 WordPress Grand Blog theme < 3.1.5 - Server Side Request Forgery (SSRF) vulnerability 03.02.2026
CVE-2026-24962 WordPress Sigmize plugin <= 0.0.9 - Cross Site Request Forgery (CSRF) vulnerability 03.02.2026
CVE-2026-24965 WordPress Contest Gallery plugin <= 28.1.1 - Broken Access Control vulnerability 03.02.2026
CVE-2026-24966 WordPress Copyscape Premium plugin <= 1.4.1 - Cross Site Request Forgery (CSRF) vulnerability 03.02.2026
CVE-2026-24967 WordPress Amelia plugin <= 1.2.38 - Broken Access Control vulnerability 03.02.2026
CVE-2026-24982 WordPress Spectra plugin <= 2.19.17 - Broken Access Control vulnerability 03.02.2026
CVE-2026-24984 WordPress Visual Link Preview plugin <= 2.2.9 - Broken Access Control vulnerability 03.02.2026
CVE-2026-24985 WordPress WP Forms Signature Contract Add-On plugin <= 1.8.2 - Broken Access Control to Notice Dismissal vulnerability 03.02.2026
CVE-2026-24986 WordPress Simple Membership WP user Import plugin <= 1.9.1 - Cross Site Request Forgery (CSRF) vulnerability 03.02.2026
CVE-2026-24988 WordPress The Events Calendar Shortcode & Block plugin <= 3.1.1 - Cross Site Scripting (XSS) vulnerability 03.02.2026
CVE-2026-24990 WordPress WP Docs plugin <= 2.2.8 - Broken Access Control vulnerability 03.02.2026
CVE-2026-24991 WordPress Extensions For CF7 plugin <= 3.4.0 - Insecure Direct Object References (IDOR) vulnerability 03.02.2026
CVE-2026-24992 WordPress Advanced WooCommerce Product Sales Reporting plugin <= 4.1.2 - Sensitive Data Exposure vulnerability 03.02.2026
CVE-2026-24994 WordPress Sunshine Photo Cart plugin <= 3.5.7.2 - Broken Access Control vulnerability 03.02.2026
CVE-2026-24995 WordPress Latest Post Shortcode plugin <= 14.2.0 - Broken Access Control vulnerability 03.02.2026
CVE-2026-24996 WordPress WPElemento Importer plugin <= 0.6.4 - Broken Access Control vulnerability 03.02.2026
CVE-2026-24997 WordPress Wired Impact Volunteer Management plugin <= 2.8 - Broken Access Control vulnerability 03.02.2026
CVE-2026-24998 WordPress Hustle plugin <= 7.8.9.2 - Sensitive Data Exposure vulnerability 03.02.2026
CVE-2026-25010 WordPress Share This Image plugin <= 2.09 - Broken Access Control vulnerability 03.02.2026
CVE-2026-25011 WordPress WP Custom Admin Interface plugin <= 7.41 - Broken Access Control vulnerability 03.02.2026
CVE-2026-25012 WordPress WP Bannerize Pro plugin <= 1.11.0 - Broken Access Control vulnerability 03.02.2026
CVE-2026-25014 WordPress Enter Addons plugin <= 2.3.2 - Cross Site Request Forgery (CSRF) vulnerability 03.02.2026
CVE-2026-25015 WordPress UsersWP plugin <= 1.2.53 - Cross Site Request Forgery (CSRF) vulnerability 03.02.2026
CVE-2026-25016 WordPress Nelio Popups plugin <= 1.3.5 - Broken Access Control vulnerability 03.02.2026
CVE-2026-25019 WordPress Atarim plugin <= 4.3.1 - Broken Access Control vulnerability 03.02.2026
CVE-2026-25020 WordPress WP Sync for Notion plugin <= 1.7.0 - Broken Access Control vulnerability 03.02.2026
CVE-2026-25021 WordPress Mizan Demo Importer plugin <= 0.1.3 - Broken Access Control vulnerability 03.02.2026
CVE-2026-25022 WordPress KiviCare plugin <= 3.6.16 - SQL Injection vulnerability 03.02.2026
CVE-2026-25023 WordPress Run Contests, Raffles, and Giveaways with ContestsWP plugin <= 2.0.7 - Sensitive Data Exposure vulnerability 03.02.2026
CVE-2026-25024 WordPress ThirstyAffiliates plugin <= 3.11.9 - Cross Site Request Forgery (CSRF) vulnerability 03.02.2026
CVE-2026-25027 WordPress Unicamp theme <= 2.7.1 - Local File Inclusion vulnerability 03.02.2026
CVE-2026-25028 WordPress ElementInvader Addons for Elementor plugin <= 1.4.1 - Broken Access Control vulnerability 03.02.2026
CVE-2026-25036 WordPress Passster plugin <= 4.2.25 - Broken Access Control vulnerability 03.02.2026
CVE-2025-7760 Reflected XSS in Ofisimo's Association Web Package Flora 03.02.2026 7.6
CVE-2025-6397 XSS in Ankara Hosting's web site 03.02.2026 8.6
CVE-2026-1664 Insecure Direct Object Reference (IDOR) via Header-Based Email Routing 03.02.2026
CVE-2025-11598 Exposure of Confidential Information in mObywatel application 03.02.2026
CVE-2026-1432 SQL injection (SQLi) on the Buroweb platform 03.02.2026
CVE-2025-67848 Moodle: moodle: authentication bypass via lti provider allows suspended users to gain unauthorized access. 03.02.2026
CVE-2025-67849 Moodle: moodle: cross-site scripting (xss) via improper sanitization of ai prompt responses 03.02.2026
CVE-2025-67850 Moodle: moodle: cross-site scripting vulnerability via inadequate input filtering in formula editor 03.02.2026
CVE-2025-67851 Moodle: moodle: formula injection allows arbitrary formula execution via unescaped data export 03.02.2026
CVE-2025-67852 Moodle: moodle: open redirect vulnerability in oauth login flow allows redirection to malicious sites. 03.02.2026
CVE-2025-67853 Moodle: moodle: brute-force facilitation due to missing rate limiting in confirmation email service 03.02.2026
CVE-2025-67855 Moodle: moodle: information disclosure and script execution via reflected cross-site scripting 03.02.2026
CVE-2025-67856 Moodle: moodle: privilege escalation via incomplete role checks in badge awarding 03.02.2026
CVE-2025-67857 Moodle: moodle: data exposure of user identifiers in urls 03.02.2026
CVE-2025-41065 Stored Cross-Site Scripting (XSS) in LUNA from Luna Imaging 03.02.2026
CVE-2025-59902 HTML injection in NICE Chat 03.02.2026
CVE-2025-8461 Reflected XSS in Seres Software's syWEB 03.02.2026 7.6
CVE-2025-8456 Reflected XSS in Kod8 Software's Kod8 Individual and SME Website 03.02.2026 7.6
CVE-2026-1591 Stored XSS via Attachments Feature in https://pdfonline.foxit.com/ 03.02.2026 6.3
CVE-2026-1592 Stored XSS via Create New Layer Field found in Foxit PDF Editor Cloud 03.02.2026 6.3
CVE-2026-1371 Tutor LMS <= 3.9.5 - Authenticated (Subscriber+) Information Disclosure in Coupon Details via 'tutor_coupon_details' AJAX Action 03.02.2026 5.3
CVE-2026-1375 Tutor LMS <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion 03.02.2026 8.1
CVE-2026-1730 OS DataHub Maps <= 1.8.3 - Authenticated (Author+) Arbitrary File Upload 03.02.2026 8.8
CVE-2025-8589 Reflected XSS in AKCE Software's SKSPro 03.02.2026 7.6
CVE-2025-8590 Information Disclosure in AKCE Software's SKSPro 03.02.2026 7.5
CVE-2026-20704 03.02.2026
CVE-2026-22550 03.02.2026
CVE-2026-24449 03.02.2026
CVE-2026-24465 03.02.2026
CVE-2026-0617 LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Unauthenticated Stored Cross-Site Scripting 03.02.2026 7.2
CVE-2026-1058 Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via Hidden Field 03.02.2026 7.1
CVE-2026-1065 Form Maker by 10Web <= 1.15.35 - Unauthenticated Stored Cross-Site Scripting via SVG file 03.02.2026 7.2
CVE-2026-1210 Happy Addons for Elementor <= 3.20.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_elementor_data' Meta Field 03.02.2026 6.4
CVE-2026-1447 Mail Mint <= 1.19.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting 03.02.2026 5.4
CVE-2025-58381 Directory traversal vulnerability in Brocade Fabric OS before 9.2.1c2 and 9.2.2 through 9.2.2a using various shell commands 03.02.2026
CVE-2025-14274 Unlimited Elements for Elementor <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Border Hero Widget 03.02.2026 5.4
CVE-2025-9711 Privilege escalation in Brocade Fabric OS before 9.2.1c3, and 9.2.2 through 9.2.2b 03.02.2026
CVE-2026-0950 Spectra Gutenberg Blocks <= 2.19.17 - Unauthenticated Information Disclosure in Sensitive Data 03.02.2026 5.3
CVE-2026-24694 03.02.2026
CVE-2025-58380 Directory traversal vulnerability in Brocade Fabric OS before 9.2.1 using grep command 03.02.2026
CVE-2026-0383 Information disclosure in Brocade Fabric OS before 9.2.1c2, 9.2.2 through 9.2.2a and 10.0.0 03.02.2026
CVE-2026-0909 WP ULike <= 4.8.3.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Log Deletion via 'id' Parameter 03.02.2026 5.3
CVE-2026-1788 Buffer Overflow in Xquic Server 03.02.2026
CVE-2026-24936 An improper input validation vulnerability was found in ADM while joining an AD Domain. 03.02.2026
CVE-2026-24932 An improper certificate validation vulnerability was found in ADM while updating the DDNS settings. 03.02.2026
CVE-2026-24933 An improper certificate validation vulnerability was found in ADM while sending HTTPS requests to the server. 03.02.2026
CVE-2026-24934 An improper certificate validation vulnerability was found in ADM while querying an external server for the device's WAN IP address. 03.02.2026
CVE-2026-24935 An improper certificate validation vulnerability was found in a third-party NAT traversal module. 03.02.2026
CVE-2025-12774 SQL queries with sensitive information printed in logs with Brocade SANnav before 3.0 03.02.2026
CVE-2025-58379 Password Exposure in Brocade Fabric OS 03.02.2026
CVE-2025-58382 Privilege escalation in Brocade Fabric before 9.2.1c2 and 9.2.2 through 9.2.2a 03.02.2026
CVE-2025-58383 Privilege escalation via bind command in Brocade Fabric OS 03.02.2026
CVE-2025-67481 mw.message(…).parse() doesn't output safe HTML, but it's being used as if it does 03.02.2026
CVE-2025-67482 Lua segfault in unpack() 03.02.2026
CVE-2025-67483 Theoretical i18n XSS in mediawiki.page.preview.js when a page has multiple protection levels 03.02.2026
CVE-2025-67484 Action API xslt option allows JavaScript execution by administrators who are not interface administrators 03.02.2026
CVE-2025-61651 i18n XSS through Special:CheckUser CheckUser helper 03.02.2026
CVE-2025-61652 Action API discussiontoolspageinfo does not check for authorizeRead for the page 03.02.2026
CVE-2025-61653 Extension:TextExtracts does not check for authorizeRead when returning extracts 03.02.2026
CVE-2025-61654 UserInfoCard: Do permission checking when getting counts of global and local edits, new articles and thanks 03.02.2026
CVE-2025-61655 Stored XSS through system messages in VisualEditor 03.02.2026
CVE-2025-61656 XSS when pasting into VE 03.02.2026
CVE-2025-61657 03.02.2026
CVE-2025-61658 Special:GlobalContributions shows edits on wikis the viewer doesn't have access to 03.02.2026
CVE-2025-67475 Stored XSS through edit summaries in MW Core 03.02.2026
CVE-2025-67476 Importing leaks IP address of importer via EventStreams 03.02.2026
CVE-2025-67477 Stored XSS through a system message in Special:ApiSandbox 03.02.2026
CVE-2025-67478 Wrong E-Mail address composition for usernames with a comma and Umlauts in it like "Döe, Jähn" 03.02.2026
CVE-2025-67479 Magic word replacement in legacy parser allows using reserved data attributes through wikitext 03.02.2026
CVE-2025-67480 list=allrevisions can be used to bypass Extension:Lockdown 03.02.2026
CVE-2025-11173 Reauth for enabling 2FA can be bypassed by submitting a form 03.02.2026
CVE-2025-11261 Stored i18n XSS exposed by security patch for T402077 03.02.2026
CVE-2025-12773 Plain password is generated in the audit logs while executing update-reports-purge-settings.sh script with Brocade SANnav before 2.4.0a 03.02.2026
CVE-2025-15556 Notepad++ < 8.8.9 WinGUp Updater Lacks Update Integrity Verification 03.02.2026
CVE-2025-61645 CodexTablePager has i18n XSS 03.02.2026
CVE-2025-61646 Watchlist group mode reveals authors of edits with hidden authorship 03.02.2026
CVE-2025-61648 Stored XSS through system messages in CheckUser 03.02.2026
CVE-2025-61649 UserInfoCard: Check that performing user has permission to view log entries for number of past blocks 03.02.2026
CVE-2025-61650 UserInfoCard is vulnerable to message key stored XSS 03.02.2026
CVE-2025-61644 i18n XSS through Special:Watchlist 02.02.2026
CVE-2025-61647 UserInfoCard: Don't allow access to information about users who are suppressed if you don't have suppressor rights 03.02.2026
CVE-2025-61637 Stored XSS through system messages in MW Core 02.02.2026
CVE-2025-61638 Sanitizer::validateAttributes data-XSS 02.02.2026
CVE-2025-61639 Suppressed blocked IP is visible in Special:BlockList, RC, and other places 02.02.2026
CVE-2025-61634 HTML rest endpoint needs PoolCounter and proper parser cache check 02.02.2026
CVE-2025-61640 Stored XSS through system messages in Special:RecentChangesLinked (MW Core) 02.02.2026
CVE-2025-61641 API list=allpages with maxsize is making really slow queries 02.02.2026
CVE-2025-61642 Stored XSS through system messages provided to CodexHtmlForms 02.02.2026
CVE-2025-61643 EventStreams publishes suppressed recent change entries that are suppressed from their creation 02.02.2026
CVE-2025-61635 Add rate limiting to ApiFancyCaptchaReload 02.02.2026
CVE-2025-61636 Codex Special:Block vulnerable to message key XSS 02.02.2026