CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-3008 Vulnerability in Notepad++ 27.04.2026 10
CVE-2026-42363 GeoVision GV-IP Device Utility Device Authentication insufficient encryption vulnerability 26.04.2026 9.3
CVE-2026-7037 Totolink A8000RU CGI cstecgi.cgi setVpnPassCfg os command injection 26.04.2026 9.3
CVE-2026-6951 25.04.2026 9.2
CVE-2026-41248 Official Clerk JavaScript SDKs: Middleware-based route protection bypass 24.04.2026 9.1
CVE-2026-41478 Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId) 24.04.2026 10
CVE-2026-41428 Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints 24.04.2026 9.1
CVE-2026-41327 Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in Upsert Condition Field 24.04.2026 9.1
CVE-2026-41492 Unauthenticated Admin Token Disclosure Leading to Authentication Bypass via /debug/vars in Dgraph 24.04.2026 9.8
CVE-2026-41328 Dgraph: Pre-Auth Full Database Exfiltration via DQL Injection in NQuad Lang Field 24.04.2026 9.1
CVE-2026-6911 Authentication Bypass via Missing JWT Signature Verification in AWS Ops Wheel 24.04.2026 9.3
CVE-2026-39920 BridgeHead FileStore < 24A Apache Axis2 Default Credentials RCE 24.04.2026 9.3
CVE-2026-25660 Authentication bypass for certain API calls 24.04.2026 9.3
CVE-2026-21515 Azure IoT Central Elevation of Privilege Vulnerability 24.04.2026 9.9
CVE-2026-1950 No checking of the length of the buffer with the file name in AS320T 24.04.2026 9.8
CVE-2026-1951 No checking of the length of the buffer with the directory name in AS320T 24.04.2026 9.8
CVE-2026-1952 Denial of service via the undocumented subfunction in AS320T 24.04.2026 9.8
CVE-2026-1949 Incorrect calculation of buffer size on the stack in AS320T 24.04.2026 9.8
CVE-2026-25775 SenseLive X3050 Missing authentication for critical function 24.04.2026 9.3
CVE-2026-27843 SenseLive X3050 Missing authentication for critical function 24.04.2026 9.2
CVE-2026-35503 SenseLive X3050 Use of Hard-coded Credentials 24.04.2026 9.3
CVE-2026-39462 SenseLive X3050 Insufficiently Protected Credentials 24.04.2026 9.3
CVE-2026-40620 SenseLive X3050 Missing authentication for critical function 24.04.2026 9.3
CVE-2026-40630 SenseLive X3050 Authentication bypass using an alternate path or channel 24.04.2026 9.3
CVE-2026-24303 Microsoft Partner Center Elevation of Privilege Vulnerability 25.04.2026 9.6
CVE-2026-32210 Microsoft Dynamics 365 (online) Spoofing Vulnerability 25.04.2026 9.3
CVE-2026-33102 Microsoft 365 Copilot Elevation of Privilege Vulnerability 25.04.2026 9.3
CVE-2026-33819 Microsoft Bing Remote Code Execution Vulnerability 25.04.2026 10
CVE-2026-35431 Microsoft Entra ID Entitlement Management Spoofing Vulnerability 25.04.2026 10
CVE-2026-26210 KTransformers Unsafe Deserialization RCE via balance_serve 24.04.2026 9.3
CVE-2026-41274 Flowise: Cypher Injection in GraphCypherQAChain 24.04.2026 9.3
CVE-2026-6942 radare2-mcp <=1.6.0 OS Command Injection via Shell Metacharacter Bypass 24.04.2026 9.3
CVE-2026-25874 LeRobot Unsafe Deserialization Remote Code Execution via gRPC 24.04.2026 9.3
CVE-2026-41264 Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability 24.04.2026 9.2
CVE-2026-41265 Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability 23.04.2026 9.2
CVE-2026-41137 Flowise: Code Injection in CSVAgent leads to Authenticated RCE 23.04.2026 9.4
CVE-2026-6074 Path traversal: '.../...//' in Intrado 911 Emergency Gateway (EGW) 23.04.2026 9.3
CVE-2025-62373 Pipecat vulnerable to Remote Code Execution by Pickle Deserialization via LivekitFrameSerializer 23.04.2026 9.8
CVE-2026-23751 Kofax Capture 6.0.0.0 Unauthenticated File Read/Write & SMB Coercion via .NET Remoting 25.04.2026 9.3
CVE-2026-40470 Hackage package and doc upload stored XSS vulnerability 23.04.2026 9.9
CVE-2026-40471 Hackage CSRF vulnerability 23.04.2026 9.6
CVE-2026-40472 Hackage package metadata stored XSS vulnerability 23.04.2026 9.9
CVE-2026-41460 SocialEngine <= 7.8.0 SQL Injection via activity/index/get-memberall 23.04.2026 9.3
CVE-2026-39440 WordPress FunnelFormsPro plugin <= 3.8.1 - Remote Code Execution (RCE) vulnerability 23.04.2026 9.9
CVE-2026-6885 BorG Technology Corporation|Borg SPM 2007 - Arbitrary File Upload 23.04.2026 9.3
CVE-2026-6886 BorG Technology Corporation|Borg SPM 2007 - Authentication Bypass 23.04.2026 9.3
CVE-2026-6887 BorG Technology Corporation|Borg SPM 2007 - SQL Injection 23.04.2026 9.3
CVE-2026-41228 Froxlor has Local File Inclusion via path traversal in API `def_language` parameter that leads to Remote Code Execution 23.04.2026 10
CVE-2026-41229 Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API) 23.04.2026 9.1
CVE-2026-3844 Breeze Cache <= 2.4.4 - Unauthenticated Arbitrary File Upload via fetch_gravatar_from_remote 23.04.2026 9.8
CVE-2026-41196 Luanti has a mod security sandbox escape 23.04.2026 9
CVE-2026-41197 Brillig: Heap corruption in foreign call results with nested tuple arrays 25.04.2026 9.3
CVE-2026-41679 Paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass 23.04.2026 10
CVE-2026-41176 Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution 25.04.2026 9.2
CVE-2026-41179 RClone: Unauthenticated operations/fsinfo allows attacker-controlled backend instantiation and local command execution 25.04.2026 9.2
CVE-2026-41167 Jellystat has SQL Injection that leads to to Remote Code Execution 23.04.2026 9.1
CVE-2026-33656 EspoCRM vulnerable to authenticated RCE via Formula with path traversal in attachment `sourceId`, exploitable by admin user 23.04.2026 9.1
CVE-2026-33471 nimiq-block has skip block quorum bypass via out-of-range BitSet indices & u16 truncation 23.04.2026 9.6
CVE-2026-34415 Xerte Online Toolkits File Upload RCE via elfinder Connector 24.04.2026 9.3
CVE-2026-41468 Beghelli Sicuro24 SicuroWeb AngularJS Sandbox Escape via Template Injection 22.04.2026 9.3
CVE-2018-25270 ThinkPHP 5.0.23 Remote Code Execution via invokefunction 22.04.2026 9.3
CVE-2018-25272 ELBA5 5.8.0 Remote Code Execution via Database Access 22.04.2026 9.3
CVE-2026-4119 Create DB Tables <= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Table Creation/Deletion via admin-post.php 22.04.2026 9.1
CVE-2026-6235 Sendmachine for WordPress <= 1.0.20 - Unauthenticated SMTP Hijack to Privilege Escalation via manage_admin_requests 23.04.2026 9.8
CVE-2026-40575 OAuth2 Proxy has an Authentication Bypass via X-Forwarded-Uri Header Spoofing 22.04.2026 9.1
CVE-2026-41064 AVideo has an incomplete fix for CVE-2026-33502 (Command Injection) 22.04.2026 9.3
CVE-2026-40946 Oxia: OIDC token audience validation bypass via SkipClientIDCheck 22.04.2026 9.2
CVE-2026-40933 Flowise: Authenticated RCE Via MCP Adapters 22.04.2026 10
CVE-2026-33518 Incorrect privilege assignment in Portal for ArcGIS 23.04.2026 9.8
CVE-2026-33519 Incorrect privilege assignment in Portal for ArcGIS 23.04.2026 9.8
CVE-2026-34275 22.04.2026 9.8
CVE-2026-34279 22.04.2026 9.1
CVE-2026-34285 22.04.2026 9.1
CVE-2026-34286 22.04.2026 9.1
CVE-2026-34287 23.04.2026 9.1
CVE-2026-40906 Electric: SQL Injection via ORDER BY Parameter in Shape API 22.04.2026 10
CVE-2026-40911 WWBN AVideo YPTSocket WebSocket Broadcast Relay Leads to Unauthenticated Cross-User JavaScript Execution via Client-Side eval() Sinks 22.04.2026 10
CVE-2026-40884 goshs: Empty-username SFTP password authentication bypass in goshs 22.04.2026 9.8
CVE-2026-40903 Goshs - ArtiPACKED Vulnerability – GitHub Actions Credential Persistence 22.04.2026 9.1
CVE-2026-40372 ASP.NET Core Elevation of Privilege Vulnerability 24.04.2026 9.1
CVE-2026-40872 mailcow: dockerized vulnerable to stored XSS in autodiscover logs email address field 22.04.2026 9.3
CVE-2026-40887 @vendure/core has a SQL Injection vulnerability 22.04.2026 9.1
CVE-2026-41193 FreeScout has Zip Slip path traversal in module installation that allows arbitrary file write leading to RCE 21.04.2026 9.1
CVE-2026-21571 23.04.2026 9.4
CVE-2026-40050 CrowdStrike LogScale Unauthenticated Path Traversal 21.04.2026 9.8
CVE-2026-40569 FreeScout's Mass Assignment in Mailbox Connection Settings Enables Silent Email Exfiltration 21.04.2026 9
CVE-2026-40576 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in excel-mcp-server 21.04.2026 9.4
CVE-2026-5652 Authorization Bypass Through User-Controlled Key in Crafty Controller 21.04.2026 9
CVE-2019-25714 Seeyon Office Anywhere (OA) A8 Unauthenticated Arbitrary File Write via htmlofficeservlet 21.04.2026 9.3
CVE-2025-41029 SQL injection in Zeon Academy Pro by Zeon Global Tech 21.04.2026 9.3
CVE-2026-5965 NewSoft|NewSoftOA - OS Command Injection 21.04.2026 9.3
CVE-2026-41329 OpenClaw < 2026.3.31 - Sandbox Bypass via Heartbeat Context Inheritance and senderIsOwner Escalation 21.04.2026 9
CVE-2026-32604 Spinnaker vulnerable to RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths 23.04.2026 10
CVE-2026-32613 Spinnaker vulnerable to RCE via expression parsing due to unrestricted context handling 23.04.2026 10
CVE-2026-32311 Command Injection and Docker container escape allows root on host machine 21.04.2026 9.3
CVE-2026-6257 Vvveb CMS v1.0.8 Remote Code Execution via Media Management 21.04.2026 9.2
CVE-2026-24467 OpenAEV's Improper Password Reset Token Management Leads to Unauthenticated Account Takeover and Platform Compromise 20.04.2026 9.1

Latest Updates

CVE Title Updated Score
CVE-2026-22077 Sensitive Information Disclosure Vulnerability Caused by Trusted Domain Bypass in OPPO Wallet 27.04.2026
CVE-2026-7095 code-projects Employee Management System edit.php cross site scripting 27.04.2026
CVE-2026-7096 Tenda HG3 formgponConf os command injection 27.04.2026
CVE-2026-7097 Tenda F456 httpd webExcptypemanFilter fromwebExcptypemanFilter buffer overflow 27.04.2026
CVE-2026-3008 Vulnerability in Notepad++ 27.04.2026
CVE-2026-42371 27.04.2026 5.1
CVE-2026-7091 code-projects Invoice System in Laravel User Management user improper authorization 27.04.2026
CVE-2026-7092 code-projects Invoice System in Laravel Profile profile improper authorization 27.04.2026
CVE-2026-7093 code-projects Invoice System in Laravel Invoice Endpoint invoice improper authorization 27.04.2026
CVE-2026-7094 ShadowCloneLabs GlutamateMCPServers puppeteer_navigate index.ts server-side request forgery 27.04.2026
CVE-2026-7086 HBAI-Ltd Toonflow-app Storyboard Export replaceUrl.ts updateStoryboardUrl path traversal 27.04.2026
CVE-2026-7087 SourceCodester Pharmacy Sales and Inventory System ajax.php sql injection 27.04.2026
CVE-2026-7088 SourceCodester Pharmacy Sales and Inventory System ajax.php sql injection 27.04.2026
CVE-2026-7089 code-projects Home Service System Appointment Booking booking.php cross site scripting 27.04.2026
CVE-2026-7090 code-projects Chat System send_message.php cross site scripting 27.04.2026
CVE-2026-3867 27.04.2026
CVE-2026-3868 27.04.2026
CVE-2026-7081 Tenda F456 httpd GstDhcpSetSer fromGstDhcpSetSer buffer overflow 27.04.2026
CVE-2026-7082 Tenda F456 httpd WrlExtraSet formWrlExtraSet buffer overflow 27.04.2026
CVE-2026-7083 likeadmin-likeshop likeadmin_php dataTable Admin API DataTableLists.php queryResult sql injection 27.04.2026
CVE-2026-7084 HBAI-Ltd Toonflow-app getCodeByLink Endpoint getCodeByLink.ts fetch server-side request forgery 27.04.2026
CVE-2026-7085 HBAI-Ltd Toonflow-app downloadApp Endpoint downloadApp.ts z.url path traversal 27.04.2026
CVE-2026-3006 Race Condition Vulnerability 27.04.2026 7
CVE-2026-7077 itsourcecode Courier Management System edit_parcel.php sql injection 27.04.2026
CVE-2026-7078 Tenda F456 httpd SetIpBind fromSetIpBind buffer overflow 27.04.2026
CVE-2026-7079 Tenda F456 httpd AdvSetWan fromAdvSetWan buffer overflow 27.04.2026
CVE-2026-7080 Tenda F456 httpd PPTPUserSetting fromPPTPUserSetting buffer overflow 27.04.2026
CVE-2026-7106 Highland Software Custom Role Manager <= 1.0.0 - Authenticated (Subscriber+) Privilege Escalation 27.04.2026 8.8
CVE-2026-7074 itsourcecode Construction Management System execute1.php sql injection 27.04.2026
CVE-2026-7075 itsourcecode Construction Management System locations.php sql injection 27.04.2026
CVE-2026-7076 itsourcecode Courier Management System edit_branch.php sql injection 27.04.2026
CVE-2026-7070 code-projects Inventory Management System Login sql injection 27.04.2026
CVE-2026-7071 CodeAstro Online Job Portal user-cvs file information disclosure 27.04.2026
CVE-2026-7072 CodePanda Source canteen_management_system login.php sql injection 27.04.2026
CVE-2026-7073 itsourcecode Construction Management System execute.php sql injection 27.04.2026
CVE-2026-33277 27.04.2026
CVE-2026-33566 27.04.2026
CVE-2026-42363 GeoVision GV-IP Device Utility Device Authentication insufficient encryption vulnerability 26.04.2026 9.3
CVE-2026-7069 D-Link DIR-825 miniupnpd upnpsoap.c AddPortMapping buffer overflow 27.04.2026
CVE-2026-7068 D-Link DIR-825 nmbd sserver.c NMBD_process buffer overflow 26.04.2026
CVE-2026-7067 D-Link DIR-822 udhcpd DHCP Service dhcpd.c system command injection 26.04.2026
CVE-2026-7065 BidingCC BuildingAI Remote Upload API file-storage.service.ts uploadRemoteFile server-side request forgery 26.04.2026
CVE-2026-7066 choieastsea simple-openstack-mcp server.py exec_openstack os command injection 26.04.2026
CVE-2026-7064 AgentDeskAI browser-tools-mcp browser-connector.ts os command injection 26.04.2026
CVE-2026-7063 code-projects Employee Management System Endpoint eprocess.php sql injection 26.04.2026
CVE-2026-7062 Intina47 context-sync Git Integration git-integration.ts os command injection 26.04.2026
CVE-2026-7061 Toowiredd chatgpt-mcp-server MCP/HTTP docker.service.ts os command injection 26.04.2026
CVE-2026-7060 liyupi yu-picture MyBatis-Plus PictureServiceImpl.java PageRequest sql injection 26.04.2026
CVE-2026-7059 666ghj MiroFish Query Parameter simulation.py get_simulation_posts path traversal 26.04.2026
CVE-2026-7058 666ghj MiroFish Inter-Process Communication simulation_ipc.py SimulationIPCClient.send_command command injection 26.04.2026
CVE-2026-7057 Tenda F456 httpd setcfm buffer overflow 26.04.2026
CVE-2026-7056 Tenda F456 httpd SafeUrlFilter fromSafeUrlFilter buffer overflow 26.04.2026
CVE-2026-7055 Tenda F456 httpd VirtualSer fromVirtualSer buffer overflow 26.04.2026
CVE-2026-7054 Tenda F456 httpd PPTPDClient fromPptpUserAdd buffer overflow 26.04.2026
CVE-2026-7053 Tenda F456 httpd L7Prot frmL7ProtForm buffer overflow 26.04.2026