CVE Field Guide

Critical CVEs

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-2017 | IP-COM W30AP POST Request wx3auth R7WebsSecurityHandler stack-based overflow | 06.02.2026 | 9.3 |
| CVE-2026-1499 | WP Duplicate <= 1.1.8 - Authenticated (Subscriber+) Arbitrary File Upload via 'process_add_site' AJAX Action | 06.02.2026 | 9.8 |
| CVE-2026-21643 | | 06.02.2026 | 9.1 |
| CVE-2026-21626 | Extension - stackideas.com - Information disclosure in post custom fields in EasyDiscuss 1.0.0-5.0.15 for Joomla | 06.02.2026 | 9.2 |
| CVE-2026-24300 | Azure Front Door Elevation of Privilege Vulnerability | 06.02.2026 | 9.8 |
| CVE-2020-37123 | Pinger 1.0 - Remote Code Execution | 05.02.2026 | 9.3 |
| CVE-2020-37125 | Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution | 05.02.2026 | 9.3 |
| CVE-2025-62615 | AutoGPT has SSRF vulnerability in ReadRSSFeedBlock | 05.02.2026 | 9.3 |
| CVE-2025-62616 | AutoGPT has SSRF vulnerability in SendDiscordFileBlock | 05.02.2026 | 9.3 |
| CVE-2026-25579 | Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/<token>` endpoints | 05.02.2026 | 9.2 |
| CVE-2026-25539 | SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE | 05.02.2026 | 9.1 |
| CVE-2026-25547 | Uncontrolled Resource Consumption in @isaacs/brace-expansion | 05.02.2026 | 9.2 |
| CVE-2026-25526 | JinJava Bypass through ForTag leads to Arbitrary Java Execution | 05.02.2026 | 9.8 |
| CVE-2026-25521 | Locutus is vulnerable to Prototype Pollution | 05.02.2026 | 9.4 |
| CVE-2025-13375 | IBM Common Cryptographic Architecture Arbitrary Command Execution | 04.02.2026 | 9.8 |
| CVE-2026-25512 | Group-Office is vulnerable to RCE due to Command Injection via TNEF Attachment Handler | 05.02.2026 | 9.4 |
| CVE-2026-25481 | Langroid has WAF Bypass Leading to RCE in TableChatAgent | 04.02.2026 | 9.4 |
| CVE-2026-25505 | Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication | 04.02.2026 | 9.8 |
| CVE-2026-25160 | Alist has Insecure TLS Config | 05.02.2026 | 9.1 |
| CVE-2025-64712 | Unstructured has Path Traversal via Malicious MSG Attachment that Allows Arbitrary File Write | 04.02.2026 | 9.8 |
| CVE-2026-21893 | n8n Vulnerable to Command Injection in Community Package Installation | 04.02.2026 | 9.4 |
| CVE-2026-25049 | n8n Has an Expression Escape Vulnerability Leading to RCE | 05.02.2026 | 9.4 |
| CVE-2026-25052 | n8n Improper File Access Controls Allow Arbitrary File Read by Authenticated Users | 05.02.2026 | 9.4 |
| CVE-2026-25053 | n8n is Vulnerable to OS Command Injection in Git Node | 05.02.2026 | 9.4 |
| CVE-2026-25056 | n8n Arbitrary File Write leading to RCE in n8n Merge Node | 05.02.2026 | 9.4 |
| CVE-2026-25115 | n8n is vulnerable to Python sandbox escape | 05.02.2026 | 9.4 |
| CVE-2025-5329 | SQLi in Martcode Software's Delta Course Automation | 04.02.2026 | 9.8 |
| CVE-2025-59818 | Authenticated Remote Code Execution via the file name of an uploaded file | 04.02.2026 | 10 |
| CVE-2026-1633 | Synectix LAN 232 TRIO Missing Authentication for Critical Function | 04.02.2026 | 10 |
| CVE-2026-1632 | RISS SRL MOMA Seismic Station Missing Authentication for Critical Function | 04.02.2026 | 9.3 |
| CVE-2020-37071 | CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution | 04.02.2026 | 9.3 |
| CVE-2020-37092 | Netis E1+ 1.2.32533 - Backdoor Account (root) | 04.02.2026 | 9.3 |
| CVE-2026-1341 | Missing Authentication for Critical Function in Avation Light Engine Pro | 04.02.2026 | 9.3 |
| CVE-2026-25150 | Prototype Pollution via FormData Processing in Qwik City | 04.02.2026 | 9.3 |
| CVE-2026-25510 | CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor | 04.02.2026 | 10 |
| CVE-2025-65078 | Untrusted search path vulnerability in Embedded Solutions Framework | 06.02.2026 | 9.3 |
| CVE-2026-1803 | Ziroom ZHOME A0101 Dropbear SSH Service default credentials | 03.02.2026 | 9.2 |
| CVE-2025-10878 | | 04.02.2026 | 10 |
| CVE-2026-25237 | PEAR is Vulnerable to PHP Code Execution via preg_replace /e in Bug Update Emails | 04.02.2026 | 9.2 |
| CVE-2026-25238 | PEAR is Vulnerable to SQL Injection in Bug Subscription Deletion via Weak Email Validation | 04.02.2026 | 9.2 |
| CVE-2026-25241 | PEAR is Vulnerable to SQL Injection in /get/<package>/<version> Endpoint | 04.02.2026 | 9.3 |
| CVE-2025-70841 | | 04.02.2026 | 10 |
| CVE-2026-1568 | Rapid7 InsightVM Signature Validation Vulnerability | 04.02.2026 | 9.6 |
| CVE-2025-5319 | SQLi in Emit Informatics' DIGITA Efficiency Management System | 04.02.2026 | 9.8 |
| CVE-2026-1432 | SQL injection (SQLi) on the Buroweb platform | 03.02.2026 | 9.3 |
| CVE-2026-24465 | | 03.02.2026 | 9.3 |
| CVE-2026-24936 | An improper input validation vulnerability was found in ADM while joining a AD Domain. | 04.02.2026 | 9.5 |
| CVE-2025-66480 | Wildfire has Arbitrary File Upload via Directory Traversal in UploadFileAction | 03.02.2026 | 9.8 |
| CVE-2026-22778 | vLLM leaks a heap address when PIL throws an error | 03.02.2026 | 9.8 |
| CVE-2026-23515 | RCE - Command Injection in Signal K set-system-time plugin | 03.02.2026 | 10 |
| CVE-2026-24471 | Improper Validation in Conduit-derived homeservers resulting in Unintended Proxy or Intermediary ('Confused Deputy') | 03.02.2026 | 9.3 |
| CVE-2026-25134 | Group-Office Argument Injection in MaintenanceController::actionZipLanguage | 04.02.2026 | 9.4 |
| CVE-2026-25137 | NixOs Odoo database and filestore publicly accessible with default odoo configuration | 04.02.2026 | 9.1 |
| CVE-2026-25142 | SandboxJS Prototype Pollution -> Sandbox Escape -> RCE | 04.02.2026 | 10 |
| CVE-2022-50981 | Multiple Innomic VibroLine VLX HD 5.0 and avibia AVLX weak password requirements | 02.02.2026 | 9.8 |
| CVE-2024-2356 | Remote Code Execution due to LFI in '/reinstall_extension' in parisneo/lollms-webui | 02.02.2026 | 9.6 |
| CVE-2024-5386 | Account Hijacking via Password Reset Token Leak in lunary-ai/lunary | 02.02.2026 | 9.6 |
| CVE-2024-5986 | Remote Arbitrary File Write with Arbitrary Data in h2oai/h2o-3 | 02.02.2026 | 9.1 |
| CVE-2026-25200 | | 03.02.2026 | 9.8 |
| CVE-2026-25202 | | 03.02.2026 | 9.8 |
| CVE-2026-25069 | SunFounder Pironman Dashboard <= 1.3.13 Path Traversal Arbitrary File Read/Deletion | 02.02.2026 | 9.3 |
| CVE-2020-37027 | Sickbeard 0.1 - Remote Command Injection | 03.02.2026 | 9.3 |
| CVE-2020-37052 | AirControl 1.4.2 - PreAuth Remote Code Execution | 02.02.2026 | 9.3 |

Latest Updates

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2025-13523 | Cross-Site Scripting (XSS) via Unescaped Display Names in Mattermost Confluence Plugin OAuth2 Flow | 06.02.2026 | 7.7 |
| CVE-2026-2057 | SourceCodester Medical Center Portal Management System login.php sql injection | 06.02.2026 | |
| CVE-2026-2056 | D-Link DIR-605L/DIR-619L DHCP Connection Status wan_connection_status.asp information disclosure | 06.02.2026 | |
| CVE-2025-13818 | Local privilege escalation in ESET Management Agent for Windows | 06.02.2026 | |
| CVE-2026-1337 | Insufficient escaping of unicode characters in query log | 06.02.2026 | |
| CVE-2026-2055 | D-Link DIR-605L/DIR-619L DHCP Client Information information disclosure | 06.02.2026 | |
| CVE-2026-2054 | D-Link DIR-605L/DIR-619L Wifi Setting information disclosure | 06.02.2026 | |
| CVE-2026-2018 | itsourcecode School Management System controller.php sql injection | 06.02.2026 | |
| CVE-2026-1293 | Yoast SEO <= 26.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'yoast-schema' Block Attribute | 06.02.2026 | 6.4 |
| CVE-2026-2017 | IP-COM W30AP POST Request wx3auth R7WebsSecurityHandler stack-based overflow | 06.02.2026 | |
| CVE-2026-2016 | happyfish100 libfastcommon base64.c base64_decode stack-based overflow | 06.02.2026 | |
| CVE-2026-2015 | Portabilis i-Educar Final Status Import FinalStatusImportService.php improper authorization | 06.02.2026 | |
| CVE-2026-2014 | itsourcecode Student Management System index.php sql injection | 06.02.2026 | |
| CVE-2026-2013 | itsourcecode Student Management System index.php sql injection | 06.02.2026 | |
| CVE-2026-24920 | | 06.02.2026 | 6.2 |
| CVE-2026-24924 | | 06.02.2026 | 6.1 |
| CVE-2026-24927 | | 06.02.2026 | 5.5 |
| CVE-2026-24928 | | 06.02.2026 | 5.8 |
| CVE-2026-24916 | | 06.02.2026 | 5.9 |
| CVE-2026-24917 | | 06.02.2026 | 6.5 |
| CVE-2026-24919 | | 06.02.2026 | 6 |
| CVE-2026-24931 | | 06.02.2026 | 5.9 |
| CVE-2026-2012 | itsourcecode Student Management System index.php sql injection | 06.02.2026 | |
| CVE-2026-1252 | Events Listing Widget <= 1.3.4 - Authenticated (Author+) Stored Cross-Site Scripting via Event URL Field | 06.02.2026 | 6.4 |
| CVE-2026-1499 | WP Duplicate <= 1.1.8 - Authenticated (Subscriber+) Arbitrary File Upload via 'process_add_site' AJAX Action | 06.02.2026 | 9.8 |
| CVE-2026-1785 | Code Snippets <= 3.9.4 - Cross-Site Request Forgery to Cloud Snippet Download/Update Actions | 06.02.2026 | 4.3 |
| CVE-2026-24914 | | 06.02.2026 | 4 |
| CVE-2026-24915 | | 06.02.2026 | 6.2 |
| CVE-2026-24918 | | 06.02.2026 | 6.8 |
| CVE-2026-24921 | | 06.02.2026 | 4.8 |
| CVE-2026-24922 | | 06.02.2026 | 6.9 |
| CVE-2026-24923 | | 06.02.2026 | 6.3 |
| CVE-2026-24929 | | 06.02.2026 | 5.9 |
| CVE-2026-24930 | | 06.02.2026 | 8.4 |
| CVE-2026-2011 | itsourcecode Student Management System controller.php sql injection | 06.02.2026 | |
| CVE-2026-21643 | | 06.02.2026 | 9.1 |
| CVE-2026-24925 | | 06.02.2026 | 7.3 |
| CVE-2026-24926 | | 06.02.2026 | 8.4 |
| CVE-2026-2010 | Sanluan PublicCMS Trade Payment TradePaymentService.java paid improper authorization | 06.02.2026 | |
| CVE-2026-21626 | Extension - stackideas.com - Information disclosure in post custom fields in EasyDiscuss 1.0.0-5.0.15 for Joomla | 06.02.2026 | |
| CVE-2026-1279 | Employee Directory <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'form_title' Shortcode Attribute | 06.02.2026 | 6.4 |
| CVE-2026-2009 | SourceCodester Gas Agency Management System createUser.php access control | 06.02.2026 | |
| CVE-2026-2008 | abhiphile fermat-mcp eqn_chart.py eqn_chart code injection | 06.02.2026 | |
| CVE-2025-10753 | OAuth Single Sign On – SSO (OAuth Client) <= 6.26.14 - Missing Authorization | 06.02.2026 | 5.3 |
| CVE-2026-1401 | Tune Library <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via CSV Import | 06.02.2026 | 6.4 |
| CVE-2026-1808 | Orange Confort+ accessibility toolbar for WordPress <= 0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | 06.02.2026 | 6.4 |
| CVE-2026-1888 | Docus <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | 06.02.2026 | 6.4 |
| CVE-2026-1909 | WaveSurfer-WP <= 2.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'src' Shortcode Attribute | 06.02.2026 | 6.4 |
| CVE-2026-2000 | DCN DCME-320 Web Management Backend bridge_cfg.php apply_config command injection | 06.02.2026 | |
| CVE-2026-0521 | Reflected Cross-Site Scripting in PDF Export Error Message | 06.02.2026 | |
| CVE-2026-1998 | micropython runtime.c mp_import_all memory corruption | 06.02.2026 | |
| CVE-2026-0598 | Ansible-lightspeed: broken object level authorization leading to cross-user ai conversation context injection in ansible lightspeed api | 06.02.2026 | |
| CVE-2026-1991 | libuvc UVC Descriptor device.c uvc_scan_streaming null pointer dereference | 06.02.2026 | |
| CVE-2026-1990 | oatpp Type.hpp ObjectWrapper null pointer dereference | 06.02.2026 | |
| CVE-2026-1978 | kalyan02 NanoCMS User Information pagesdata.txt direct request | 06.02.2026 | |
| CVE-2026-1979 | mruby JMPNOT-to-JMPIF Optimization vm.c mrb_vm_exec use after free | 06.02.2026 | |
| CVE-2025-15566 | ingress-nginx auth-proxy-set-headers nginx configuration injection | 06.02.2026 | 8.8 |
| CVE-2026-1977 | isaacwasserman mcp-vegalite-server visualize_data eval code injection | 06.02.2026 | |
| CVE-2026-25692 | | 06.02.2026 | |
| CVE-2026-25693 | | 06.02.2026 | |
| CVE-2026-25694 | | 06.02.2026 | |
| CVE-2026-25695 | | 06.02.2026 | |
| CVE-2026-25696 | | 06.02.2026 | |
| CVE-2026-25697 | | 06.02.2026 | |
| CVE-2026-25698 | | 06.02.2026 | |
| CVE-2026-1228 | Timeline Block <= 1.3.3 - Insecure Direct Object Reference to Authenticated (Author+) Private Timeline Exposure via Shortcode Attribute | 06.02.2026 | 4.3 |
| CVE-2026-1975 | Free5GC pfcp_reports.go identityTriggerType null pointer dereference | 06.02.2026 | |
| CVE-2026-1976 | Free5GC SMF SessionDeletionResponse null pointer dereference | 06.02.2026 | |
| CVE-2026-1973 | Free5GC SMF establishPfcpSession null pointer dereference | 06.02.2026 | |
| CVE-2026-1974 | Free5GC SMF datapath.go ResolveNodeIdToIp denial of service | 06.02.2026 | |
| CVE-2026-1972 | Edimax BR-6208AC auth_check_userpass2 default credentials | 06.02.2026 | |
| CVE-2026-1971 | Edimax BR-6288ACL wiz_WISP24gmanual.asp wiz_WISP24gmanual cross site scripting | 06.02.2026 | |
| CVE-2026-23623 | Collabora Online vulnerable to Authorization Bypass | 05.02.2026 | 5.3 |
| CVE-2025-68157 | webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects | 05.02.2026 | 3.7 |
| CVE-2025-68458 | webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior | 05.02.2026 | 3.7 |
| CVE-2025-32393 | AutoGPT has a DoS vulnerability in ReadRSSFeedBlock | 05.02.2026 | |
| CVE-2026-0391 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | 05.02.2026 | 6.5 |
| CVE-2026-21532 | Azure Function Information Disclosure Vulnerability | 05.02.2026 | 8.2 |
| CVE-2026-24300 | Azure Front Door Elevation of Privilege Vulnerability | 06.02.2026 | 9.8 |
| CVE-2026-24302 | Azure Arc Elevation of Privilege Vulnerability | 06.02.2026 | 8.6 |
| CVE-2026-1970 | Edimax BR-6258n formStaDrvSetup redirect | 05.02.2026 | |
| CVE-2026-1964 | WeKan REST Endpoint boards.js BoardTitleRESTBleed access control | 05.02.2026 | |