CVE Field Guide

Critical CVEs

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2019-25614 | Free Float FTP 1.0 STOR Command Remote Buffer Overflow | 22.03.2026 | 9.3 |
| CVE-2019-25568 | Memu Play 6.0.7 Privilege Escalation via Insecure File Permissions | 21.03.2026 | 9.3 |
| CVE-2026-24060 | Automated Logic WebCTRL Premium Server Cleartext Transmission of Sensitive Information | 20.03.2026 | 9.1 |
| CVE-2026-29796 | IGL-Technologies eParking.fi Missing Authentication for Critical Function | 20.03.2026 | 9.3 |
| CVE-2026-25192 | CTEK Chargeportal Missing Authentication for Critical Function | 20.03.2026 | 9.3 |
| CVE-2026-33186 | gRPC-Go has an authorization bypass via missing leading slash in :path | 20.03.2026 | 9.1 |
| CVE-2026-3584 | Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process | 20.03.2026 | 9.8 |
| CVE-2026-22898 | QVR Pro | 20.03.2026 | 9.3 |
| CVE-2026-22172 | OpenClaw < 2026.3.12 - Scope Elevation in WebSocket Shared-Auth Connections | 20.03.2026 | 9.4 |
| CVE-2026-33134 | WeGIA has Authenticated Time-Based Blind SQL Injection in `restaurar_produto.php` via `id_produto` parameter | 20.03.2026 | 9.3 |
| CVE-2026-33135 | WeGIA has Reflected Cross-Site Scripting (XSS) in `novo_memorandoo.php` via `sccs` parameter | 20.03.2026 | 9.3 |
| CVE-2026-33136 | WeGIA has Reflected Cross-Site Scripting (XSS) in `listar_memorandos_ativos.php` via `sccd` parameter | 20.03.2026 | 9.3 |
| CVE-2026-33075 | FastGPT has Arbitrary Code Execution in GitHub Actions via pull_request_target in fastgpt-preview-image.yml | 20.03.2026 | 9.4 |
| CVE-2026-33057 | Mesop Affected by Unauthenticated Remote Code Execution via Test Suite Route /exec-py | 20.03.2026 | 9.8 |
| CVE-2026-33054 | Mesop: Path Traversal utilizing `FileStateSessionBackend` leads to Application Denial of Service and File Write/Deletion | 20.03.2026 | 10 |
| CVE-2026-4478 | Yi Technology YI Home Camera HTTP Firmware Update ipc signature verification | 20.03.2026 | 9.2 |
| CVE-2026-33017 | Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint | 21.03.2026 | 9.3 |
| CVE-2026-33024 | AVideo-Encoder has Unauthenticated Blind Server-Side Request Forgery via Public Thumbnail Generator | 20.03.2026 | 9.3 |
| CVE-2026-32938 | SiYuan has an Arbitrary File Read in its Desktop Publish Service | 20.03.2026 | 9.9 |
| CVE-2026-32940 | SiYuan has a SanitizeSVG bypass via data:text/xml in getDynamicIcon (incomplete fix for CVE-2026-29183) | 20.03.2026 | 9.3 |
| CVE-2026-4038 | Aimogen Pro <= 2.7.5 - Unauthenticated Privilege Escalation via Arbitrary Function Call | 20.03.2026 | 9.8 |
| CVE-2026-21992 | | 20.03.2026 | 9.8 |
| CVE-2026-32890 | Anchorr: Stored XSS in User Mapping dropdown allows unprivileged Discord users to exfiltrate all secrets via /api/config | 20.03.2026 | 9.7 |
| CVE-2026-32891 | Anchorr Privilege Escalation: Jellyseerr User → Anchorr Admin via Stored XSS | 20.03.2026 | 9.1 |
| CVE-2026-32817 | Admidio is Missing Authorization and CSRF Protection on Document and Folder Deletion | 20.03.2026 | 9.1 |
| CVE-2026-32767 | SiYuan: Authorization Bypass Allows Arbitrary SQL Execution via Search API | 20.03.2026 | 9.8 |
| CVE-2026-32985 | Xerte Online Toolkits <= 3.14 Unauthenticated Template Import Arbitrary File Upload Leading to Remote Code Execution | 20.03.2026 | 9.3 |
| CVE-2026-32760 | File Browser Self Registration Grants Any User Admin Access When Default Permissions Include Admin | 19.03.2026 | 10 |
| CVE-2026-22732 | Under Some Conditions Spring Security HTTP Headers Are not Written | 21.03.2026 | 9.1 |
| CVE-2026-29103 | SuiteCRM Vulnerable to Remote Code Execution via Module Loader Package Scanner Bypass | 20.03.2026 | 9.1 |
| CVE-2026-32038 | OpenClaw - Sandbox Network Isolation Bypass via docker.network=container Parameter | 20.03.2026 | 9.3 |
| CVE-2026-30872 | OpenWrt Project has a Stack-based Buffer Overflow vulnerability via IPv6 reverse DNS lookup | 20.03.2026 | 9.5 |
| CVE-2026-30871 | OpenWrt Project has Stack-based Buffer Overflow in DNS PTR Query | 20.03.2026 | 9.5 |
| CVE-2026-32754 | FreeScout: Stored XSS via Unescaped Email Template Rendering ({!! $thread->body !!}) | 20.03.2026 | 9.3 |
| CVE-2026-32194 | Microsoft Bing Images Remote Code Execution Vulnerability | 21.03.2026 | 9.8 |
| CVE-2026-32169 | Azure Cloud Shell Elevation of Privilege Vulnerability | 21.03.2026 | 10 |
| CVE-2026-32191 | Microsoft Bing Images Remote Code Execution Vulnerability | 21.03.2026 | 9.8 |
| CVE-2026-30924 | qui CORS Misconfiguration: Arbitrary Origins Trusted | 20.03.2026 | 9 |
| CVE-2026-4428 | CRL Distribution Point Scope Check Logic Error in AWS-LC | 19.03.2026 | 9.1 |
| CVE-2026-30836 | Step CA: Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18) | 19.03.2026 | 10 |
| CVE-2026-32238 | OpenEMR has Remote Code Execution in backup functionality | 20.03.2026 | 9.1 |
| CVE-2026-32865 | OPEXUS eComplaint and eCase insecure password reset | 19.03.2026 | 9.2 |
| CVE-2026-22557 | | 19.03.2026 | 10 |
| CVE-2026-27065 | WordPress BuilderPress plugin <= 2.0.1 - Local File Inclusion vulnerability | 19.03.2026 | 9.8 |
| CVE-2026-27067 | WordPress Mobile App Editor plugin <= 1.3.1 - Arbitrary File Upload vulnerability | 19.03.2026 | 9.1 |
| CVE-2025-60233 | WordPress Zuut theme <= 1.4.2 - PHP Object Injection vulnerability | 19.03.2026 | 9.8 |
| CVE-2025-60237 | WordPress Finag theme <= 1.5.0 - PHP Object Injection vulnerability | 19.03.2026 | 9.8 |
| CVE-2026-27413 | WordPress Profile Builder Pro plugin <= 3.13.9 - SQL Injection vulnerability | 19.03.2026 | 9.3 |
| CVE-2026-27540 | WordPress Woocommerce Wholesale Lead Capture plugin <= 2.0.3.1 - Arbitrary File Upload vulnerability | 19.03.2026 | 9 |
| CVE-2026-27542 | WordPress Woocommerce Wholesale Lead Capture plugin <= 2.0.3.1 - Privilege Escalation vulnerability | 19.03.2026 | 9.8 |
| CVE-2026-32731 | ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction | 19.03.2026 | 10 |
| CVE-2026-32698 | OpenProject has a SQL Injection via Custom Field Name that can be chained to Remote Code Execution | 19.03.2026 | 9.1 |
| CVE-2026-32703 | OpenProject's repository files are served with the MIME type allowing them to be used to bypass Content Security Policy | 19.03.2026 | 9.1 |
| CVE-2026-25873 | OmniGen2-RL Reward Server Unsafe Deserialization RCE | 19.03.2026 | 9.3 |
| CVE-2026-32633 | Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist` | 18.03.2026 | 9.1 |
| CVE-2026-2991 | KiviCare – Clinic & Patient Management System (EHR) <= 4.1.2 - Unauthenticated Authentication Bypass via Social Login Token | 18.03.2026 | 9.8 |
| CVE-2026-25449 | WordPress Traveler theme < 3.2.8.1 - PHP Object Injection vulnerability | 18.03.2026 | 9.8 |
| CVE-2026-30884 | mdjnelson/moodle-mod_customcert Vulnerable to Authorization Bypass Through User-Controlled Key | 18.03.2026 | 9.6 |
| CVE-2026-31938 | jsPDF has HTML Injection in New Window paths | 18.03.2026 | 9.6 |
| CVE-2026-21994 | | 18.03.2026 | 9.8 |
| CVE-2026-32841 | Edimax GS-5008PL <= 1.00.54 Global Authentication State Across All Clients | 18.03.2026 | 9.2 |
| CVE-2026-25769 | Wazuh Cluster vulnerable to Remote Code Execution via Insecure Deserialization | 18.03.2026 | 9.1 |
| CVE-2026-25770 | Wazuh has Privilege Escalation to Root via Cluster Protocol File Write | 18.03.2026 | 9.1 |
| CVE-2026-25534 | Spinnaker clouddriver and orca URL validation bypass via underscores in hostnames | 17.03.2026 | 9.1 |
| CVE-2026-32292 | GL-iNet Comet (GL-RM1) KVM insufficient login rate-limiting | 17.03.2026 | 9.3 |
| CVE-2026-32295 | JetKVM insufficient login rate limiting | 17.03.2026 | 9.3 |
| CVE-2026-32297 | Angeet ES3 KVM unauthenticated arbitrary file write | 17.03.2026 | 9.3 |
| CVE-2026-3564 | ScreenConnect Instance Level Cryptographic Material Exposure | 18.03.2026 | 9 |
| CVE-2026-4312 | DrangSoft\|GCB/FCB Audit Software - Missing Authentication | 17.03.2026 | 9.3 |
| CVE-2026-28430 | Chamilo LMS Vulnerable to Unauthenticated SQL Injection in chamiko-lms model.ajax.php | 17.03.2026 | 9.3 |
| CVE-2026-27962 | Authlib JWS JWK Header Injection: Signature Verification Bypass | 18.03.2026 | 9.1 |
| CVE-2026-4254 | Tenda AC8 HTTP Endpoint SysToolChangePwd doSystemCmd stack-based overflow | 16.03.2026 | 9.3 |
| CVE-2026-23489 | Fields GLPI plugin vulnerable to RCE in dropdown generation | 16.03.2026 | 9.1 |
| CVE-2026-4252 | Tenda AC8 IPv6 check_is_ipv6 ip address for authentication | 16.03.2026 | 9.3 |
| CVE-2025-62319 | Boolean-Based SQL Injection in Multiple Unica Components | 17.03.2026 | 9.8 |
| CVE-2017-20223 | Telesquare SKT LTE Router SDT-CS3B1 Insecure Direct Object Reference | 16.03.2026 | 9.3 |
| CVE-2017-20224 | Telesquare SKT LTE Router SDT-CS3B1 WebDAV Arbitrary File Upload | 16.03.2026 | 9.3 |

Latest Updates

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-4553 | Tenda F453 Parameters Natlimit fromNatlimit stack-based overflow | 22.03.2026 | |
| CVE-2026-4551 | Tenda F453 Parameters SafeClientFilter fromSafeClientFilter memory corruption | 22.03.2026 | |
| CVE-2026-4552 | Tenda F453 Parameters VirtualSer fromVirtualSer memory corruption | 22.03.2026 | |
| CVE-2026-4549 | mickasmt next-saas-stripe-starter Stripe API open-customer-portal.ts openCustomerPortal authorization | 22.03.2026 | |
| CVE-2026-4550 | code-projects Simple Gym Management System func.php sql injection | 22.03.2026 | |
| CVE-2019-25590 | Axessh 4.2 Denial of Service via Log File Name | 22.03.2026 | |
| CVE-2019-25591 | DNSS Domain Name Search Software 2.1.8 Denial of Service | 22.03.2026 | |
| CVE-2019-25592 | PHPRunner 10.1 Denial of Service via Dashboard Name Field | 22.03.2026 | |
| CVE-2019-25593 | jetCast Server 2.0 Denial of Service via Log Directory | 22.03.2026 | |
| CVE-2019-25594 | ASPRunner.NET 10.1 Denial of Service via Table Name Field | 22.03.2026 | |
| CVE-2019-25595 | jetAudio 8.1.7.20702 Basic Denial of Service via URL Handler | 22.03.2026 | |
| CVE-2019-25596 | SpotAuditor 5.2.6 Name Field Denial of Service | 22.03.2026 | |
| CVE-2019-25597 | NSauditor 3.1.2.0 Denial of Service via Community Field | 22.03.2026 | |
| CVE-2019-25598 | HeidiSQL Portable 10.1.0.5464 Denial of Service via Buffer Overflow | 22.03.2026 | |
| CVE-2019-25599 | Backup Key Recovery 2.2.4 Denial of Service via Name Field | 22.03.2026 | |
| CVE-2019-25600 | UltraVNC Viewer 1.2.2.4 Denial of Service via Buffer Overflow | 22.03.2026 | |
| CVE-2019-25601 | UltraVNC Launcher 1.2.2.4 Denial of Service Buffer Overflow | 22.03.2026 | |
| CVE-2019-25602 | GSearch 1.0.1.0 Denial of Service via Search Input | 22.03.2026 | |
| CVE-2019-25603 | TuneClone 2.20 Structured Exception Handler Buffer Overflow | 22.03.2026 | |
| CVE-2019-25604 | DVDXPlayer Pro 5.5 Local Buffer Overflow with SEH | 22.03.2026 | |
| CVE-2019-25605 | EquityPandit 1.0 Insecure Logging Information Disclosure | 22.03.2026 | |
| CVE-2019-25606 | Fast AVI MPEG Joiner 1.2.0812 Buffer Overflow Denial of Service | 22.03.2026 | |
| CVE-2019-25607 | Axessh 4.2 Local Stack-based Buffer Overflow via Log File Name | 22.03.2026 | |
| CVE-2019-25608 | Iperius Backup 6.1.0 Privilege Escalation via Backup Job | 22.03.2026 | |
| CVE-2019-25609 | JetAudio jetCast Server 2.0 Local SEH Buffer Overflow | 22.03.2026 | |
| CVE-2019-25610 | NetNumber Titan Master 7.9.1 Path Traversal via drp | 22.03.2026 | |
| CVE-2019-25611 | MiniFtp parseconf_load_setting Buffer Overflow via Configuration | 22.03.2026 | |
| CVE-2019-25612 | Admin Express 1.2.5.485 Local SEH Buffer Overflow via Folder Path | 22.03.2026 | |
| CVE-2019-25613 | Easy Chat Server 3.1 Denial of Service via message Parameter | 22.03.2026 | |
| CVE-2019-25614 | Free Float FTP 1.0 STOR Command Remote Buffer Overflow | 22.03.2026 | |
| CVE-2019-25615 | Lavavo CD Ripper 4.20 Local SEH Buffer Overflow | 22.03.2026 | |
| CVE-2019-25616 | AnMing MP3 CD Burner 2.0 Local Denial of Service | 22.03.2026 | |
| CVE-2019-25617 | Ease Audio Converter 5.30 Denial of Service via Audio Cutter | 22.03.2026 | |
| CVE-2019-25618 | AdminExpress 1.2.5 Denial of Service via System Compare | 22.03.2026 | |
| CVE-2019-25619 | FTP Shell Server 6.83 Buffer Overflow via Account Name | 22.03.2026 | |
| CVE-2026-4546 | Flos Freeware Notepad2 TextShaping.dll uncontrolled search path | 22.03.2026 | |
| CVE-2026-4547 | mickasmt next-saas-stripe-starter Checkout generate-user-stripe.ts generateUserStripe logic error | 22.03.2026 | |
| CVE-2026-4548 | mickasmt next-saas-stripe-starter update-user-role.ts updateUserrole improper authorization | 22.03.2026 | |
| CVE-2026-4115 | PuTTY Ed25519 Signature ecc-ssh.c eddsa_verify signature verification | 22.03.2026 | |
| CVE-2026-4545 | Flos Freeware Notepad2 PROPSYS.dll uncontrolled search path | 22.03.2026 | |
| CVE-2026-4544 | Wavlink WL-WN578W2 POST Request login.cgi cross site scripting | 22.03.2026 | |
| CVE-2026-4543 | Wavlink WL-WN578W2 POST Request firewall.cgi command injection | 22.03.2026 | |
| CVE-2026-4541 | janmojzis tinyssh Ed25519 Signature crypto_sign_ed25519_tinyssh.c signature verification | 22.03.2026 | |
| CVE-2026-4542 | SSCMS layerImage Endpoint LayerImageController.Submit.cs path traversal | 22.03.2026 | |
| CVE-2026-4540 | projectworlds Online Notes Sharing System Parameters login.php sql injection | 22.03.2026 | |
| CVE-2026-4539 | pygments archetype.py AdlLexer redos | 22.03.2026 | |
| CVE-2026-4534 | Tenda FH451 WrlExtraSet formWrlExtraSet stack-based overflow | 22.03.2026 | |
| CVE-2026-4535 | Tenda FH451 WrlclientSet stack-based overflow | 22.03.2026 | |
| CVE-2026-4536 | Acrel Environmental Monitoring Cloud Platform unrestricted upload | 22.03.2026 | |
| CVE-2026-4537 | Cudy TR1200 ipsec.lua action_ipsec_conn command injection | 22.03.2026 | |
| CVE-2026-4538 | PyTorch pt2 Loading deserialization | 22.03.2026 | |
| CVE-2026-3427 | Yoast SEO <= 27.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'jsonText' Block Attribute | 22.03.2026 | 6.4 |
| CVE-2026-4314 | The Ultimate WordPress Toolkit – WP Extended <= 3.2.4 - Authenticated (Subscriber+) Privilege Escalation via Menu Editor Module | 22.03.2026 | 8.8 |
| CVE-2025-71276 | | 22.03.2026 | 6.4 |
| CVE-2026-33549 | | 22.03.2026 | 6.7 |
| CVE-2026-33550 | | 22.03.2026 | 2 |
| CVE-2026-4533 | code-projects Simple Food Ordering System all-tickets.php sql injection | 22.03.2026 | |
| CVE-2026-4531 | Free5GC AMF handler.go HandleRegistrationComplete denial of service | 22.03.2026 | |
| CVE-2026-4532 | code-projects Simple Food Ordering System Database Backup food.sql file access | 22.03.2026 | |
| CVE-2019-25583 | RarmaRadio 2.72.3 Username Field Denial of Service | 22.03.2026 | |
| CVE-2019-25584 | RarmaRadio 2.72.3 Server Field Buffer Overflow Denial of Service | 22.03.2026 | |
| CVE-2019-25585 | Deluge 1.3.15 Denial of Service via Webseeds Field | 22.03.2026 | |
| CVE-2019-25586 | Deluge 1.3.15 Denial of Service via URL Field | 22.03.2026 | |
| CVE-2019-25587 | BulletProof FTP Server 2019.0.0.50 Storage-Path Denial of Service | 22.03.2026 | |
| CVE-2019-25588 | BulletProof FTP Server 2019.0.0.50 Denial of Service via DNS Address | 22.03.2026 | |
| CVE-2019-25589 | ZOC Terminal 7.23.4 Buffer Overflow Denial of Service | 22.03.2026 | |
| CVE-2026-4530 | apconw Aix-DB terminology_retriever.py sql injection | 21.03.2026 | |
| CVE-2026-4529 | D-Link DHP-1320 SOAP redirect_count_down_page stack-based overflow | 21.03.2026 | |
| CVE-2026-3629 | Import and export users and customers <= 1.29.7 - Privilege Escalation to Administrator via save_extra_user_profile_fields | 21.03.2026 | 8.1 |
| CVE-2026-4528 | trueleaf ApiFlow URL Validation http_proxy.service.ts validateUrlSecurity server-side request forgery | 21.03.2026 | |