CVE Field Guide

Critical CVEs

CVE | Title | Updated | Score
CVE-2026-9388 | Totolink A8000RU Web Management cstecgi.cgi setScheduleCfg os command injection | 24.05.2026 | 9.3
CVE-2026-9386 | Totolink A8000RU Web Management cstecgi.cgi setLanguageCfg os command injection | 24.05.2026 | 9.3
CVE-2026-9387 | Totolink A8000RU Web Management cstecgi.cgi setUpgradeFW os command injection | 24.05.2026 | 9.3
CVE-2026-9384 | Totolink A8000RU Web Management cstecgi.cgi setDiagnosisCfg os command injection | 24.05.2026 | 9.3
CVE-2026-9385 | Totolink A8000RU Web Management cstecgi.cgi setTracerouteCfg os command injection | 24.05.2026 | 9.3
CVE-2018-25350 | userSpice 4.3.24 Username Enumeration via existingUsernameCheck.php | 23.05.2026 | 9.3
CVE-2018-25357 | Dolibarr ERP CRM 7.0.3 Remote Code Evaluation via install/step1.php | 23.05.2026 | 9.3
CVE-2026-23652 | Microsoft Power Pages Remote Code Execution Vulnerability | 22.05.2026 | 10
CVE-2026-33843 | Microsoft Azure Active Directory B2C Elevation of Privilege Vulnerability | 22.05.2026 | 9.1
CVE-2026-40411 | Azure Virtual Network Gateway Remote Code Execution Vulnerability | 22.05.2026 | 9.9
CVE-2026-40412 | Azure Orbital Spatio Remote Code Execution Vulnerability | 22.05.2026 | 10
CVE-2026-41090 | Microsoft Copilot Tampering Vulnerability | 22.05.2026 | 9.3
CVE-2026-41104 | Microsoft Planetary Computer Pro Information Disclosure Vulnerability | 22.05.2026 | 10
CVE-2026-42901 | Microsoft Entra ID Elevation of Privilege Vulnerability | 23.05.2026 | 10
CVE-2026-47280 | Azure Resource Manager Elevation of Privilege Vulnerability | 22.05.2026 | 10
CVE-2026-48700 | | 22.05.2026 | 9.3
CVE-2026-32253 | Sunshine: Authentication bypass via improper client certificate validation | 22.05.2026 | 9.8
CVE-2026-33712 | TypeBot: Unauthenticated SSRF via isolated-vm fetch in preview chat endpoint bypasses SSRF controls | 22.05.2026 | 10
CVE-2026-9256 | NGINX ngx_http_rewrite_module vulnerability | 23.05.2026 | 9.2
CVE-2026-8670 | Insecure session handling on metrics web server | 22.05.2026 | 9.6
CVE-2026-9277 | shell-quote `quote()` does not validate object-token shapes, allowing command injection via line terminators in `.op` | 23.05.2026 | 9.2
CVE-2026-9054 | Invalid IP packets cause a kernel panic | 22.05.2026 | 9.2
CVE-2026-33000 | | 23.05.2026 | 9.1
CVE-2026-34908 | | 23.05.2026 | 10
CVE-2026-34909 | | 22.05.2026 | 10
CVE-2026-34910 | | 23.05.2026 | 10
CVE-2026-6960 | BookingPress Pro <= 5.6 - Unauthenticated Arbitrary File Upload via Signature Custom Field | 22.05.2026 | 9.8
CVE-2026-8134 | Concrete CMS 9.5.0 and below is vulnerable to Authenticated RCE via Composer customTemplate Path Traversal leading to PHP File Inclusion | 22.05.2026 | 9.4
CVE-2026-48241 | Open ISES Tickets < 3.44.2 Hardcoded MySQL Database Credentials in loader.php | 21.05.2026 | 9.2
CVE-2026-48242 | Open ISES Tickets < 3.44.2 Hardcoded MySQL Database Credentials in import_mdb.php | 23.05.2026 | 9.2
CVE-2026-39531 | WordPress WP Directory Kit plugin <= 1.5.0 - SQL Injection vulnerability | 21.05.2026 | 9.3
CVE-2025-71210 | | 21.05.2026 | 9.8
CVE-2025-71211 | | 21.05.2026 | 9.8
CVE-2026-5118 | Divi Form Builder <= 5.1.2 - Unauthenticated Privilege Escalation via 'role' | 21.05.2026 | 9.8
CVE-2026-5433 | Improper Sanitization in CNM Web Interface | 21.05.2026 | 9.1
CVE-2026-44050 | Heap buffer overflow in CNID daemon comm_rcv() | 22.05.2026 | 9.9
CVE-2026-6279 | Avada (Fusion) Builder <= 3.15.2 - Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler | 21.05.2026 | 9.8
CVE-2026-48172 | | 22.05.2026 | 10
CVE-2026-9152 | Unauthenticated SOAP Endpoint in Altium 365 SearchService Allows Cross-Tenant Data Exfiltration and Index Destruction | 21.05.2026 | 10
CVE-2026-8631 | HP Linux Imaging and Printing Software – Potential Escalation of Privilege and Arbitrary Code Execution | 21.05.2026 | 9.3
CVE-2026-39405 | Frappe has Path Transversal via SCORM | 21.05.2026 | 9.4
CVE-2026-9139 | Taiko AG1000-01A Rev 7.3/8 Hard-coded Credentials via login.zhtml | 21.05.2026 | 9.3
CVE-2026-9141 | Taiko AG1000-01A Rev 7.3/8 Authentication Bypass via Web Interface | 21.05.2026 | 9.3
CVE-2026-23734 | XWiki Platform: Path traversal via resources parameter in ssx and jsx endpoints when using leading slash | 21.05.2026 | 9.3
CVE-2026-33137 | XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName} | 21.05.2026 | 9.3
CVE-2026-45444 | WordPress Gift Cards For WooCommerce Pro plugin <= 4.2.6 - Arbitrary File Upload vulnerability | 21.05.2026 | 10
CVE-2026-9082 | Drupal core - Highly critical - SQL injection - SA-CORE-2026-004 | 23.05.2026 | 9.8
CVE-2026-9102 | Path Traversal in Altium Enterprise Server ComparisonService Allows Arbitrary File Write | 20.05.2026 | 9.4
CVE-2026-9129 | Path Traversal in Altium Enterprise Server Viewer StorageController Allows Arbitrary File Read | 20.05.2026 | 9.4
CVE-2026-20223 | Cisco Secure Workload Unauthorized API Access Vulnerability | 21.05.2026 | 10
CVE-2026-8598 | Unauthenticated Export Service in ZKTeco CCTV Cameras | 20.05.2026 | 9.1
CVE-2026-8467 | Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground | 22.05.2026 | 9.5
CVE-2026-22314 | | 20.05.2026 | 9
CVE-2026-33278 | Possible arbitrary code execution during DNSSEC validation | 20.05.2026 | 9.1
CVE-2026-9059 | NextGEN Gallery - SQL Injection | 20.05.2026 | 9.3
CVE-2026-9065 | Surecart - SQL Injection | 20.05.2026 | 9.3
CVE-2026-24207 | | 20.05.2026 | 9.8
CVE-2026-7637 | Boost <= 2.0.3 - Unauthenticated PHP Object Injection via STYXKEY-BOOST_USER_LOCATION Cookie | 20.05.2026 | 9.8
CVE-2026-6555 | ProSolution WP Client <= 2.0.0 - Unauthenticated Arbitrary File Upload via 'files' | 20.05.2026 | 9.8
CVE-2026-7284 | Easy Elements for Elementor <= 1.4.4 - Unauthenticated Privilege Escalation via easyel_handle_register | 20.05.2026 | 9.8
CVE-2026-34234 | CtrlPanel: Unauthenticated RCE using installer script | 20.05.2026 | 10
CVE-2026-33642 | Kitty has a Heap Buffer Over-Read/Write via Integer Overflow in compose_rectangles Bounds Check | 19.05.2026 | 9.9
CVE-2026-47357 | | 19.05.2026 | 9.3
CVE-2026-47358 | | 19.05.2026 | 9.3
CVE-2026-2586 | | 20.05.2026 | 9.1
CVE-2026-2587 | | 20.05.2026 | 9.6
CVE-2026-44159 | Tyler Identity Local (TID-L) default administrative credentials | 19.05.2026 | 9.3
CVE-2026-8711 | NGINX JavaScript vulnerability | 21.05.2026 | 9.2
CVE-2026-42097 | Authentication Bypass in Sparx Pro Cloud Server | 19.05.2026 | 9.3
CVE-2026-43633 | HestiaCP 1.9.0-1.9.4 Deserialization RCE via Web Terminal | 19.05.2026 | 9.5
CVE-2026-4883 | Piotnet Forms <= 2.1.40 - Unauthenticated Arbitrary File Upload via Form File Upload | 19.05.2026 | 9.8
CVE-2026-43493 | crypto: pcrypt - Fix handling of MAY_BACKLOG requests | 20.05.2026 | 9.8
CVE-2026-2611 | Improper Origin Validation in mlflow/mlflow | 19.05.2026 | 9.6
CVE-2026-46725 | Remote Code Execution in extension "Content Element Selector" (ceselector) | 19.05.2026 | 9.2
CVE-2026-4885 | Piotnet Addons for Elementor Pro <= 7.1.70 - Unauthenticated Arbitrary File Upload via Form File Upload | 19.05.2026 | 9.8
CVE-2026-27130 | Dokploy has Command Injection in its Service Operations | 19.05.2026 | 9.9
CVE-2026-25244 | WebdriverIO has Command Injection in the BrowserStack Service | 19.05.2026 | 9.8
CVE-2026-8838 | Remote Code Execution via eval() Injection in amazon-redshift-python-driver | 19.05.2026 | 9.3
CVE-2026-8836 | lwIP snmpv3 USM snmp_msg.c snmp_parse_inbound_frame stack-based overflow | 23.05.2026 | 9.3
CVE-2026-42822 | Azure Local Disconnected Operations (ALDO) Elevation of Privilege Vulnerability | 22.05.2026 | 10
CVE-2026-45829 | | 19.05.2026 | 10
CVE-2026-41947 | Dify v1.14.1 Authorization Bypass via Trace Configuration Endpoints | 18.05.2026 | 9.1
CVE-2026-41948 | Dify v1.14.1 Path Traversal via Plugin Daemon Internal API Access | 18.05.2026 | 9.2
CVE-2026-4320 | Authorization Bypass in ICMS Content Management by Creartia Internet Consulting | 18.05.2026 | 9.3
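The shell-quote entry above (CVE-2026-9277) names a bug class that is easier to recognise in code than in a title: a quoting routine that emits operator tokens on trust, so a line terminator inside `.op` reaches the shell as a command boundary. What follows is an added example written for this page; it is not shell-quote's code and not a reproduction of the reported issue. The `KNOWN_OPS` allow-list, the function names, and the naive per-character escaping routine are this example's own assumptions, chosen to show the failure mode beside a hardened form.

```javascript
// Added example, not shell-quote's code. Shows why an operator token must be
// validated by shape and value, not merely escaped character by character.

// This example's own allow-list of POSIX sh operators a token may carry.
const KNOWN_OPS = new Set(['|', '||', '&&', ';', '&', '>', '>>', '<', '<<', '2>', '2>>', '(', ')']);

// Vulnerable pattern (illustrative): backslash-escape every character.
// The regex `.` never matches "\n" or "\r", so a newline survives untouched
// and whatever follows it is parsed by the shell as a fresh command.
function escapeOpNaive(op) {
  return op.replace(/(.)/g, '\\$1');
}

// Hardened: an object token is accepted only if `.op` is a string that is an
// exact member of KNOWN_OPS. Wrong type, unknown operator, or any control
// character embedded in the value is rejected rather than emitted bare.
function quoteOp(tok) {
  if (typeof tok.op !== 'string' || !KNOWN_OPS.has(tok.op)) {
    throw new TypeError('refusing unknown operator token: ' + JSON.stringify(tok));
  }
  return tok.op;
}

// Plain words: pass through only the conservative safe set, otherwise wrap in
// single quotes. Inside single quotes the only character needing treatment is
// the single quote itself, rendered as '\'' (close, escaped quote, reopen).
// Newlines inside a single-quoted word stay part of that one argument.
function quoteWord(s) {
  if (typeof s !== 'string') {
    throw new TypeError('token must be a string or an {op} object');
  }
  if (/^[\w./:=@%+,-]+$/.test(s)) {
    return s;
  }
  return "'" + s.replace(/'/g, "'\\''") + "'";
}

// Render a token list to a single sh command line.
function quote(tokens) {
  return tokens
    .map((t) => (t !== null && typeof t === 'object' ? quoteOp(t) : quoteWord(t)))
    .join(' ');
}

// Stand-alone demonstration of the two behaviours.
function demo() {
  const safe = quote(['ls', { op: '|' }, 'wc', '-l']);        // ls | wc -l
  const naive = escapeOpNaive('\nwhoami');                      // newline kept, rest escaped
  let rejected = false;
  try {
    quote(['echo', { op: '\nwhoami' }]);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { safe, naiveKeepsNewline: naive.includes('\n'), rejected };
}
```

The point to carry back to the table: escaping is only a defence for data that is going to be quoted anyway; for tokens that are emitted unquoted by design, the check has to be an exact match against what the caller is allowed to say.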

Latest Updates

CVE | Title | Updated | Score
CVE-2026-9388 | Totolink A8000RU Web Management cstecgi.cgi setScheduleCfg os command injection | 24.05.2026 |
CVE-2026-9389 | Tenda F456 L7Im frmL7ImForm buffer overflow | 24.05.2026 |
CVE-2026-9386 | Totolink A8000RU Web Management cstecgi.cgi setLanguageCfg os command injection | 24.05.2026 |
CVE-2026-9387 | Totolink A8000RU Web Management cstecgi.cgi setUpgradeFW os command injection | 24.05.2026 |
CVE-2026-4372 | Arbitrary Remote Code Execution via `_attn_implementation_internal` Config Injection in huggingface/transformers | 24.05.2026 |
CVE-2026-9383 | itsourcecode Electronic Judging System login.php sql injection | 24.05.2026 |
CVE-2026-9384 | Totolink A8000RU Web Management cstecgi.cgi setDiagnosisCfg os command injection | 24.05.2026 |
CVE-2026-9385 | Totolink A8000RU Web Management cstecgi.cgi setTracerouteCfg os command injection | 24.05.2026 |
CVE-2026-9382 | Edimax BR-6675nD POST Request formPPTPSetup buffer overflow | 24.05.2026 |
CVE-2026-9380 | Edimax BR-6675nD POST Request formL2TPSetup buffer overflow | 24.05.2026 |
CVE-2026-9381 | Edimax BR-6675nD POST Request formPPPoESetup buffer overflow | 24.05.2026 |
CVE-2026-9379 | Edimax BR-6675nD POST Request formWpsStart command injection | 24.05.2026 |
CVE-2026-9377 | SourceCodester SUP Online Shopping productedit.php cross site scripting | 24.05.2026 |
CVE-2026-9378 | Edimax BR-6675nD POST Request formHwSet command injection | 24.05.2026 |
CVE-2026-9374 | yangzongzhuan RuoYi-Vue Common Upload Endpoint upload FileUploadUtils.upload unrestricted upload | 24.05.2026 |
CVE-2026-9376 | JPress UCenter Article Submission Endpoint doWriteSave improper authorization | 24.05.2026 |
CVE-2026-9372 | ItzCrazyKns Vane Model Provider API route.ts server-side request forgery | 24.05.2026 |
CVE-2026-9373 | JeecgBoot OpenAPI Endpoint call improper authentication | 24.05.2026 |
CVE-2026-9370 | ulisesbocchio jasypt-spring-boot Password Hash SimpleGCMConfig.java getSecretKeySaltGenerator hash predictable salt | 24.05.2026 |
CVE-2026-9371 | ItzCrazyKns Vane API route.ts missing authentication | 24.05.2026 |
CVE-2026-9366 | NousResearch hermes-agent prompt_builder.py _scan_context_content injection | 24.05.2026 |
CVE-2026-9367 | NousResearch hermes-agent terminal_tool approval.py detect_dangerous_command os command injection | 24.05.2026 |
CVE-2026-9368 | NousResearch hermes-agent Environment Variable code_execution_tool.py execute_code sandbox | 24.05.2026 |
CVE-2026-9369 | NousResearch hermes-agent CLI web-dashboard web_server.py _discover_dashboard_plugins comparison | 24.05.2026 |
CVE-2026-9364 | projectworlds Online Art Gallery Shop adminHome.php sql injection | 24.05.2026 |
CVE-2026-9365 | Ettercap GG Dissector ec_gg.c FUNC_DECODER heap-based overflow | 24.05.2026 |
CVE-2026-9360 | Edimax EW-7438RPn POST Request formwlencrypt24g buffer overflow | 24.05.2026 |
CVE-2026-9361 | Edimax EW-7438RPn POST Request formAccep formAccept command injection | 24.05.2026 |
CVE-2026-9362 | Edimax EW-7438RPn Setting formConnectionSetting command injection | 24.05.2026 |
CVE-2026-9363 | Edimax EW-7438RPn POST Request formEZCHNwlanSetu formEZCHNwlanSetup command injection | 24.05.2026 |
CVE-2026-9356 | SourceCodester Hospitals Patient Records Management System manage_history.php sql injection | 24.05.2026 |
CVE-2026-9357 | vBulletin Login cross site scripting | 24.05.2026 |
CVE-2026-9358 | postcss AST Serialization container.js toString recursion | 24.05.2026 |
CVE-2026-9359 | Edimax EW-7438RPn POST Request formHwSet command injection | 24.05.2026 |
CVE-2026-3515 | Argument Injection in prefecthq/prefect | 24.05.2026 |
CVE-2026-9352 | NousResearch hermes-agent Messaging Gateway local.py _make_run_env information disclosure | 24.05.2026 |
CVE-2026-9353 | NousResearch hermes-agent Skills Guard Multi-Word Prompt skills_guard.py injection | 24.05.2026 |
CVE-2026-9354 | NousResearch hermes-agent Slack Agent/Mattermost Agent escape output | 24.05.2026 |
CVE-2026-9355 | SourceCodester Hospitals Patient Records Management System Master.php save_patient_history sql injection | 24.05.2026 |
CVE-2026-48829 | | 24.05.2026 | 7.5
CVE-2026-9348 | Edimax EW-7438RPn webs mp stack-based overflow | 24.05.2026 |
CVE-2026-9349 | calcom cal.diy Generic React API bookings-single-view.getServerSideProps.tsx getServerSideProps information disclosure | 24.05.2026 |
CVE-2026-9350 | NousResearch hermes-agent Batch Runner approval.py check_all_command_guards authorization | 24.05.2026 |
CVE-2026-9351 | NousResearch hermes-agent read_file Tool file_tools.py _is_blocked_device path traversal | 24.05.2026 |
CVE-2026-9347 | Edimax EW-7438RPn webs formWizSurvey os command injection | 24.05.2026 |
CVE-2026-9345 | Edimax EW-7438RPn webs formWizSurvey buffer overflow | 24.05.2026 |
CVE-2026-9346 | Edimax EW-7438RPn webs formWirelessTbl buffer overflow | 24.05.2026 |
CVE-2026-9344 | Edimax EW-7438RPn webs formWpsStart stack-based overflow | 24.05.2026 |
CVE-2026-9343 | Edimax EW-7438RPn webs formWpsStart os command injection | 23.05.2026 |
CVE-2026-9342 | SourceCodester Hospitals Patient Records Management System view_history.php sql injection | 23.05.2026 |