| CVE | Title | Date | CVSS |
| --- | --- | --- | --- |
| CVE-2025-6830 | SQLi in Xpoda Türkiye Information Technology's Xpoda Studio | 09.02.2026 | 9.8 |
| CVE-2026-25848 | | 09.02.2026 | 9.1 |
| CVE-2026-22903 | Stack Overflow via SESSIONID Cookie in lighttpd | 09.02.2026 | 9.8 |
| CVE-2026-22904 | Stack Overflow via Oversized Cookie Fields in lighttpd | 09.02.2026 | 9.8 |
| CVE-2026-22906 | Hardcoded Key Allows Credential Disclosure | 09.02.2026 | 9.8 |
| CVE-2026-2234 | HGiga\|C&Cm@il - Missing Authentication | 09.02.2026 | 9.3 |
| CVE-2026-1868 | Improper Neutralization of Special Elements Used in a Template Engine in GitLab AI Gateway | 09.02.2026 | 9.9 |
| CVE-2026-1615 | | 09.02.2026 | 9.2 |
| CVE-2025-15027 | JAY Login & Register <= 2.6.03 - Unauthenticated Privilege Escalation via jay_login_register_ajax_create_final_user | 09.02.2026 | 9.8 |
| CVE-2026-25858 | macrozheng mall <= 1.0.3 Unauthenticated Password Reset via OTP Disclosure | 07.02.2026 | 9.3 |
| CVE-2020-37135 | AMSS++ 4.7 - Backdoor Admin Account | 06.02.2026 | 9.3 |
| CVE-2026-25803 | 3DP-MANAGER Uses Hard-coded Credentials | 09.02.2026 | 9.8 |
| CVE-2026-25763 | Command Injection on OpenProject repositories leads to Remote Code Execution | 09.02.2026 | 9.4 |
| CVE-2026-1731 | Remote code execution vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) | 09.02.2026 | 9.9 |
| CVE-2026-1727 | Information Disclosure via Bucket Squatting in Google Cloud Agentspace. | 09.02.2026 | 9.1 |
| CVE-2026-25544 | Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters | 09.02.2026 | 9.8 |
| CVE-2026-25592 | Semantic Kernel has an Arbitrary File Write via AI Agent Function Calling in .NET SDK | 09.02.2026 | 10 |
| CVE-2026-25632 | EPyT-Flow has unsafe JSON deserialization (`__type__`) | 06.02.2026 | 10 |
| CVE-2026-25520 | SandboxJS has a Sandbox Escape | 06.02.2026 | 10 |
| CVE-2026-25586 | SandboxJS has a Sandbox Escape via Prototype Whitelist Bypass and Host Prototype Pollution | 06.02.2026 | 10 |
| CVE-2026-25587 | SandboxJS has a Sandbox Escape | 06.02.2026 | 10 |
| CVE-2026-25641 | SandboxJS has a sandbox escape via TOCTOU bug on keys in property accesses | 06.02.2026 | 10 |
| CVE-2026-1709 | Keylime: keylime: authentication bypass allows unauthorized administrative operations due to missing client-side tls authentication | 09.02.2026 | 9.4 |
| CVE-2026-25643 | Frigate Affected by Authenticated Remote Command Execution (RCE) and Container Escape | 06.02.2026 | 9.1 |
| CVE-2026-25751 | FUXA Unauthenticated Exposure of Plaintext Database Credentials | 09.02.2026 | 9.1 |
| CVE-2026-25752 | FUXA Unauthenticated Remote Arbitrary Device Tag Write | 09.02.2026 | 9.3 |
| CVE-2026-25753 | PlaciPy has a Hard-Coded Default Password for All Student Accounts (Account Takeover) | 09.02.2026 | 9.3 |
| CVE-2025-69212 | OpenSTAManager has an OS Command Injection in P7M File Processing | 09.02.2026 | 9.4 |
| CVE-2025-64111 | Gogs's update .git/config file allows remote command execution | 07.02.2026 | 9.3 |
| CVE-2026-2017 | IP-COM W30AP POST Request wx3auth R7WebsSecurityHandler stack-based overflow | 06.02.2026 | 9.3 |
| CVE-2026-1499 | WP Duplicate <= 1.1.8 - Authenticated (Subscriber+) Arbitrary File Upload via 'process_add_site' AJAX Action | 06.02.2026 | 9.8 |
| CVE-2026-21643 | | 07.02.2026 | 9.1 |
| CVE-2026-21626 | Extension - stackideas.com - Information disclosure in post custom fields in EasyDiscuss 1.0.0-5.0.15 for Joomla | 06.02.2026 | 9.2 |
| CVE-2026-24300 | Azure Front Door Elevation of Privilege Vulnerability | 07.02.2026 | 9.8 |
| CVE-2020-37123 | Pinger 1.0 - Remote Code Execution | 06.02.2026 | 9.3 |
| CVE-2020-37125 | Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution | 05.02.2026 | 9.3 |
| CVE-2025-62615 | AutoGPT has SSRF vulnerability in ReadRSSFeedBlock | 05.02.2026 | 9.3 |
| CVE-2025-62616 | AutoGPT has SSRF vulnerability in SendDiscordFileBlock | 05.02.2026 | 9.3 |
| CVE-2026-25579 | Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/<token>` endpoints | 05.02.2026 | 9.2 |
| CVE-2026-25539 | SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE | 05.02.2026 | 9.1 |
| CVE-2026-25547 | Uncontrolled Resource Consumption in @isaacs/brace-expansion | 05.02.2026 | 9.2 |
| CVE-2026-25526 | JinJava Bypass through ForTag leads to Arbitrary Java Execution | 05.02.2026 | 9.8 |
| CVE-2026-25521 | Locutus is vulnerable to Prototype Pollution | 05.02.2026 | 9.4 |
| CVE-2025-13375 | IBM Common Cryptographic Architecture Arbitrary Command Execution | 06.02.2026 | 9.8 |
| CVE-2026-25512 | Group-Office is vulnerable to RCE due to Command Injection via TNEF Attachment Handler | 05.02.2026 | 9.4 |
| CVE-2026-25481 | Langroid has WAF Bypass Leading to RCE in TableChatAgent | 04.02.2026 | 9.4 |
| CVE-2026-25505 | Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication | 06.02.2026 | 9.8 |
| CVE-2026-25160 | Alist has Insecure TLS Config | 05.02.2026 | 9.1 |
| CVE-2025-64712 | Unstructured has Path Traversal via Malicious MSG Attachment that Allows Arbitrary File Write | 04.02.2026 | 9.8 |
| CVE-2026-21893 | n8n Vulnerable to Command Injection in Community Package Installation | 04.02.2026 | 9.4 |
| CVE-2026-25049 | n8n Has an Expression Escape Vulnerability Leading to RCE | 05.02.2026 | 9.4 |
| CVE-2026-25052 | n8n Improper File Access Controls Allow Arbitrary File Read by Authenticated Users | 05.02.2026 | 9.4 |
| CVE-2026-25053 | n8n is Vulnerable to OS Command Injection in Git Node | 05.02.2026 | 9.4 |
| CVE-2026-25056 | n8n Arbitrary File Write leading to RCE in n8n Merge Node | 05.02.2026 | 9.4 |
| CVE-2026-25115 | n8n is vulnerable to Python sandbox escape | 05.02.2026 | 9.4 |
| CVE-2025-5329 | SQLi in Martcode Software's Delta Course Automation | 04.02.2026 | 9.8 |
| CVE-2025-59818 | Authenticated Remote Code Execution via the file name of an uploaded file | 04.02.2026 | 10 |
| CVE-2026-1633 | Synectix LAN 232 TRIO Missing Authentication for Critical Function | 04.02.2026 | 10 |
| CVE-2026-1632 | RISS SRL MOMA Seismic Station Missing Authentication for Critical Function | 04.02.2026 | 9.3 |
| CVE-2020-37071 | CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution | 04.02.2026 | 9.3 |
| CVE-2020-37092 | Netis E1+ 1.2.32533 - Backdoor Account (root) | 04.02.2026 | 9.3 |
| CVE-2026-1341 | Missing Authentication for Critical Function in Avation Light Engine Pro | 04.02.2026 | 9.3 |
| CVE-2026-25150 | Prototype Pollution via FormData Processing in Qwik City | 04.02.2026 | 9.3 |
| CVE-2026-25510 | CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor | 04.02.2026 | 10 |
| CVE-2025-65078 | Untrusted search path vulnerability in Embedded Solutions Framework | 06.02.2026 | 9.3 |
| CVE-2026-1803 | Ziroom ZHOME A0101 Dropbear SSH Service default credentials | 03.02.2026 | 9.2 |
| CVE-2025-10878 | | 04.02.2026 | 10 |
| CVE-2026-25237 | PEAR is Vulnerable to PHP Code Execution via preg_replace /e in Bug Update Emails | 04.02.2026 | 9.2 |
| CVE-2026-25238 | PEAR is Vulnerable to SQL Injection in Bug Subscription Deletion via Weak Email Validation | 04.02.2026 | 9.2 |
| CVE-2026-25241 | PEAR is Vulnerable to SQL Injection in /get/<package>/<version> Endpoint | 04.02.2026 | 9.3 |
| CVE-2025-70841 | | 04.02.2026 | 10 |
| CVE-2026-1568 | Rapid7 InsightVM Signature Validation Vulnerability | 04.02.2026 | 9.6 |
| CVE-2025-5319 | SQLi in Emit Informatics' DIGITA Efficiency Management System | 04.02.2026 | 9.8 |
| CVE-2026-1432 | SQL injection (SQLi) on the Buroweb platform | 03.02.2026 | 9.3 |
| CVE-2026-24465 | | 03.02.2026 | 9.3 |
| CVE-2026-24936 | An improper input validation vulnerability was found in ADM while joining an AD Domain. | 04.02.2026 | 9.5 |
| CVE-2025-66480 | Wildfire has Arbitrary File Upload via Directory Traversal in UploadFileAction | 03.02.2026 | 9.8 |
| CVE-2026-22778 | vLLM leaks a heap address when PIL throws an error | 03.02.2026 | 9.8 |
| CVE-2026-25134 | Group-Office Argument Injection in MaintenanceController::actionZipLanguage | 04.02.2026 | 9.4 |
| CVE-2026-25137 | NixOS Odoo database and filestore publicly accessible with default odoo configuration | 04.02.2026 | 9.1 |
| CVE-2026-25142 | SandboxJS Prototype Pollution -> Sandbox Escape -> RCE | 04.02.2026 | 10 |