CVE Field Guide

Critical CVEs

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-21627 | Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 – v6.0.37 for Joomla | 20.02.2026 | 9.5 |
| CVE-2025-10970 | SQLi in Kolay Software's Talentics | 20.02.2026 | 9.8 |
| CVE-2026-26064 | calibre: Path Traversal Vulnerability Enables Arbitrary File Write and Remote Code Execution | 20.02.2026 | 9.3 |
| CVE-2026-26065 | calibre: Path Traversal can Lead to Arbitrary File Write and Potential Code Execution | 20.02.2026 | 9.3 |
| CVE-2026-26980 | Ghost has a SQL Injection in its Content API | 20.02.2026 | 9.4 |
| CVE-2026-26988 | LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream | 20.02.2026 | 9.3 |
| CVE-2025-30410 | | 20.02.2026 | 9.8 |
| CVE-2025-30411 | | 20.02.2026 | 10 |
| CVE-2025-30412 | | 20.02.2026 | 10 |
| CVE-2025-30416 | | 20.02.2026 | 10 |
| CVE-2026-27476 | RustFly 2.0.0 Command Injection via UDP Remote Control | 19.02.2026 | 9.3 |
| CVE-2026-27475 | SPIP < 4.4.9 Insecure Deserialization | 19.02.2026 | 9.2 |
| CVE-2026-2409 | | 19.02.2026 | 9.3 |
| CVE-2026-26339 | Hyland Alfresco Transformation Service Argument Injection RCE | 20.02.2026 | 9.3 |
| CVE-2026-24834 | Kata Container to Guest micro VM privilege escalation | 19.02.2026 | 9.4 |
| CVE-2026-26016 | Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization | 19.02.2026 | 9.2 |
| CVE-2026-26030 | Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable to remote code execution | 20.02.2026 | 10 |
| CVE-2025-71243 | SPIP Saisies Plugin < 5.11.1 Remote Code Execution | 19.02.2026 | 9.3 |
| CVE-2025-9953 | SQLi in Database Software's Databank Accreditation Software | 19.02.2026 | 9.8 |
| CVE-2025-8350 | Authentication Bypass with Redirect in BiEticaret Software's BiEticaret CMS | 19.02.2026 | 9.8 |
| CVE-2025-12107 | Potential authenticated Server-Side Template Injection (SSTI) vulnerability. | 19.02.2026 | 10 |
| CVE-2025-13590 | Authenticated arbitrary file upload via a System REST API requiring administrator permission. | 19.02.2026 | 9.1 |
| CVE-2026-1994 | s2Member <= 260127 - Unauthenticated Privilege Escalation via Account Takeover | 19.02.2026 | 9.8 |
| CVE-2026-2731 | Unauthenticated RCE in Dynamicweb 9 and Dynamicweb 8 | 19.02.2026 | 10 |
| CVE-2025-13563 | Lizza LMS Pro <= 1.0.3 - Unauthenticated Privilege Escalation | 19.02.2026 | 9.8 |
| CVE-2025-13851 | Buyent Theme (with Buyent Classified Plugin) <= 1.0.7 - Unauthenticated Privilege Escalation via User Registration | 19.02.2026 | 9.8 |
| CVE-2026-0926 | Prodigy Commerce <= 3.2.9 - Unauthenticated Local File Inclusion via parameters[template_name] | 19.02.2026 | 9.8 |
| CVE-2026-1405 | Slider Future <= 1.0.5 - Unauthenticated Arbitrary File Upload | 19.02.2026 | 9.8 |
| CVE-2025-12882 | Clasifico Listing <= 2.0 - Unauthenticated Privilege Escalation | 19.02.2026 | 9.8 |
| CVE-2025-15586 | | 19.02.2026 | 10 |
| CVE-2026-2686 | SECCN Dingcheng G10 session_login.cgi qq os command injection | 19.02.2026 | 9.3 |
| CVE-2026-25548 | InvoicePlane Vulnerable to Remote Code Execution via Local File Inclusion and Log Poisoning | 19.02.2026 | 9.1 |
| CVE-2019-25362 | WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Buffer OverFlow | 19.02.2026 | 9.3 |
| CVE-2019-25364 | Win10 MailCarrier 2.51 - 'POP3 User' Remote Buffer Overflow | 19.02.2026 | 9.3 |
| CVE-2026-27174 | MajorDoMo Unauthenticated Remote Code Execution via Admin Console Eval | 18.02.2026 | 9.3 |
| CVE-2026-27175 | MajorDoMo Command Injection in rc/index.php via Race Condition | 18.02.2026 | 9.2 |
| CVE-2026-27180 | MajorDoMo Supply Chain Remote Code Execution via Update URL Poisoning | 18.02.2026 | 9.3 |
| CVE-2026-23491 | InvoicePlane has Unauthenticated Path Traversal in Guest Controller | 18.02.2026 | 9.3 |
| CVE-2025-14009 | Zip Slip Vulnerability in nltk/nltk Leading to Remote Code Execution | 19.02.2026 | 10 |
| CVE-2025-70152 | | 18.02.2026 | 9.8 |
| CVE-2025-70150 | | 18.02.2026 | 9.8 |
| CVE-2025-15579 | An Insecure Deserialization vulnerability has been discovered in OpenText™ Directory Services. | 18.02.2026 | 9.5 |
| CVE-2026-2329 | Grandstream GXP1600 VoIP Phones - Unauthenticated stack buffer overflow | 18.02.2026 | 9.3 |
| CVE-2026-1435 | Incorrect management of session invalidation vulnerability in Graylog Web Interface | 18.02.2026 | 9.3 |
| CVE-2026-1937 | YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Options Update via 'yaymail_import_state' AJAX Action | 18.02.2026 | 9.8 |
| CVE-2026-1670 | Honeywell CCTV Products Missing Authentication for Critical Function | 18.02.2026 | 9.3 |
| CVE-2026-22769 | | 19.02.2026 | 10 |
| CVE-2026-23647 | Glory RBG-100 Recycler System Hard-coded OS Credentials | 18.02.2026 | 9.3 |
| CVE-2026-22208 | OpenS100 Portrayal Engine Unrestricted Lua Standard Library Access | 17.02.2026 | 9.4 |
| CVE-2026-26220 | LightLLM <= 1.1.0 PD Mode Unsafe Deserialization RCE | 17.02.2026 | 9.3 |
| CVE-2026-2564 | Intelbras VIP 3260 Z IA OutsideCmd password recovery | 17.02.2026 | 9.2 |
| CVE-2026-2550 | EFM iptime A6004MX timepro.cgi commit_vpncli_file_upload unrestricted upload | 17.02.2026 | 9.3 |
| CVE-2026-2577 | Nanobot Unauthenticated WhatsApp Session Hijack via WebSocket Bridge | 17.02.2026 | 10 |
| CVE-2026-26366 | JUNG eNet SMART HOME server 2.2.1/2.3.1 Use of Default Credentials | 17.02.2026 | 9.3 |
| CVE-2026-26369 | JUNG eNet SMART HOME server 2.2.1/2.3.1 Privilege Escalation via setUserGroup | 17.02.2026 | 9.3 |
| CVE-2025-32058 | Stack Overflow in processing requests over INC interface on RH850 side of Infotainment ECU | 17.02.2026 | 9.3 |
| CVE-2026-1490 | Spam protection, Honeypot, Anti-Spam by CleanTalk <= 6.71 - Authorization Bypass via Reverse DNS (PTR record) Spoofing to Unauthenticated Arbitrary Plugin Installation | 17.02.2026 | 9.8 |
| CVE-2025-8572 | Truelysell Core <= 1.8.7 - Unauthenticated Privilege Escalation via Registration | 17.02.2026 | 9.8 |
| CVE-2026-1306 | midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload via 'export' AJAX Action | 18.02.2026 | 9.8 |
| CVE-2026-26273 | Known affected by Account Takeover via Password Reset Token Leakage | 17.02.2026 | 9.8 |

Latest Updates

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2025-52603 | HCL Connections is vulnerable to information disclosure | 20.02.2026 | 3.5 |
| CVE-2025-67438 | | 20.02.2026 | |
| CVE-2026-20761 | EnOcean SmartServer IoT Command Injection | 20.02.2026 | 8.1 |
| CVE-2026-22885 | EnOcean SmartServer IoT Out-of-bounds Read | 20.02.2026 | 3.7 |
| CVE-2026-2846 | UTT HiPER 520 Web Management formPdbUpConfig sub_44D264 os command injection | 20.02.2026 | |
| CVE-2026-2847 | UTT HiPER 520 Web Management formReleaseConnect sub_44EFB4 os command injection | 20.02.2026 | |
| CVE-2025-14055 | Integer underflow in Secure NCP host | 20.02.2026 | |
| CVE-2025-14547 | ECJ-PAKE Integer Underflow Vulnerability in Silicon Labs PSA Crypto and SE Manager APIs | 20.02.2026 | |
| CVE-2026-21627 | Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 – v6.0.37 for Joomla | 20.02.2026 | |
| CVE-2025-10970 | SQLi in Kolay Software's Talentics | 20.02.2026 | 9.8 |
| CVE-2026-2486 | Master Addons For Elementor <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ma_el_bh_table_btn_text' | 20.02.2026 | 6.4 |
| CVE-2026-21620 | TFTP Path Traversal | 20.02.2026 | |
| CVE-2026-26050 | | 20.02.2026 | |
| CVE-2025-59819 | Authenticated Arbitrary File Read via filepath parameter | 20.02.2026 | 6.5 |
| CVE-2026-26370 | | 20.02.2026 | |
| CVE-2026-2825 | rachelos WeRSS we-mp-rss Article fix.py fix_html cross site scripting | 20.02.2026 | |
| CVE-2026-2824 | Comfast CF-E7 webmggnt mbox-config sub_441CF4 command injection | 20.02.2026 | |
| CVE-2026-2739 | | 20.02.2026 | 5.3 |
| CVE-2026-2823 | Comfast CF-E7 webmggnt mbox-config sub_41ACCC command injection | 20.02.2026 | |
| CVE-2026-2822 | JeecgBoot Backend airag_app,1,create_by sql injection | 20.02.2026 | |
| CVE-2026-27317 | | 20.02.2026 | |
| CVE-2026-27318 | | 20.02.2026 | |
| CVE-2026-27319 | | 20.02.2026 | |
| CVE-2026-27320 | | 20.02.2026 | |
| CVE-2026-27321 | | 20.02.2026 | |
| CVE-2026-27322 | | 20.02.2026 | |
| CVE-2026-27323 | | 20.02.2026 | |
| CVE-2026-27324 | | 20.02.2026 | |
| CVE-2026-27325 | | 20.02.2026 | |
| CVE-2026-26991 | LibreNMS vulnerable to Stored Cross-site Scripting through unsanitized /device-groups name | 20.02.2026 | |
| CVE-2026-26992 | LibreNMS has Stored Cross-Site Scripting via unsanitized /port-groups name | 20.02.2026 | |
| CVE-2026-26993 | Flare has XSS vulnerability in Raw File Preview | 20.02.2026 | 4.6 |
| CVE-2026-26994 | uTLS ServerHellos are accepted without checking TLS 1.3 downgrade canaries | 20.02.2026 | 6.5 |
| CVE-2026-26995 | | 20.02.2026 | |
| CVE-2026-26996 | minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern | 20.02.2026 | |
| CVE-2026-27017 | uTLS has a Chrome Parrot Fingerprint Vulnerability due to GREASE ECH Cipher Suite Mismatch | 20.02.2026 | |
| CVE-2026-2384 | Quiz Maker <= 6.7.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | 20.02.2026 | 6.4 |
| CVE-2026-2821 | Fujian Smart Integrated Management Platform System XCamera.ashx sql injection | 20.02.2026 | |
| CVE-2026-26064 | calibre: Path Traversal Vulnerability Enables Arbitrary File Write and Remote Code Execution | 20.02.2026 | |
| CVE-2026-26065 | calibre: Path Traversal can Lead to Arbitrary File Write and Potential Code Execution | 20.02.2026 | |
| CVE-2026-26989 | LibreNMS has Stored XSS in Alert Rule | 20.02.2026 | 4.3 |
| CVE-2026-26990 | LibreNMS has Time-Based Blind SQL Injection in address-search.inc.php | 20.02.2026 | 8.8 |
| CVE-2026-27016 | LibreNMS has Stored XSS in Custom OID - unit parameter missing strip_tags() | 20.02.2026 | 5.4 |
| CVE-2026-2819 | Dromara RuoYi-Vue-Plus Workflow deleteByInstanceIds SaServletFilter authorization | 20.02.2026 | |
| CVE-2026-2820 | Fujian Smart Integrated Management Platform System XAccessPermissionPlus.ashx sql injection | 20.02.2026 | |
| CVE-2026-26960 | node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction | 20.02.2026 | 7.1 |
| CVE-2026-26977 | Frappe Learning Management System exposes details of unpublished courses to unauthorized users | 20.02.2026 | |
| CVE-2026-26980 | Ghost has a SQL Injection in its Content API | 20.02.2026 | 9.4 |
| CVE-2026-26987 | LibreNMS affected by reflected XSS via email field | 20.02.2026 | |
| CVE-2026-26988 | LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream | 20.02.2026 | |
| CVE-2025-30410 | | 20.02.2026 | |
| CVE-2025-30411 | | 20.02.2026 | |
| CVE-2025-30412 | | 20.02.2026 | |
| CVE-2025-30416 | | 20.02.2026 | |
| CVE-2026-26967 | PJSIP has a Heap-based Buffer Overflow vulnerability in its H.264 unpacketizer | 20.02.2026 | |
| CVE-2026-26974 | Sylde has Improper Control of Generation of Code | 20.02.2026 | |
| CVE-2026-26975 | Music Assistant Server Path Traversal in Playlist Update API Allows Remote Code Execution | 20.02.2026 | 8.8 |
| CVE-2026-26964 | Windmill Exposes Workspace Slack OAuth Client Secrets to Non-Admin Workspace Members | 20.02.2026 | 2.7 |
| CVE-2026-26957 | Libredesk has an SSRF Vulnerability via Webhooks | 20.02.2026 | |
| CVE-2026-26963 | Cilium may not enforce host firewall policies when Native Routing, WireGuard and Node Encryption are enabled | 20.02.2026 | 6.1 |
| CVE-2026-26959 | ADB Explorer Vulnerable to RCE via Insufficient Input Validation | 20.02.2026 | 7.8 |
| CVE-2026-27004 | OpenClaw session tool visibility hardening and Telegram webhook secret fallback | 20.02.2026 | |
| CVE-2026-27007 | OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation | 20.02.2026 | |
| CVE-2026-27008 | OpenClaw hardened the skill download target directory validation | 20.02.2026 | |
| CVE-2026-27009 | OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection | 20.02.2026 | 5.8 |
| CVE-2026-1292 | Tanium addressed an insertion of sensitive information into log file vulnerability in Trends. | 19.02.2026 | 6.5 |
| CVE-2026-26328 | OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities | 19.02.2026 | 6.5 |
| CVE-2026-26329 | OpenClaw has a path traversal in browser upload allows local file read | 19.02.2026 | |
| CVE-2026-26972 | OpenClaw has a Path Traversal in Browser Download Functionality | 19.02.2026 | 6.7 |
| CVE-2026-27001 | OpenClaw: Unsanitized CWD path injection into LLM prompts | 19.02.2026 | |
| CVE-2026-27002 | OpenClaw: Docker container escape via unvalidated bind mount config injection | 20.02.2026 | |
| CVE-2026-27003 | OpenClaw: Telegram bot token exposure via logs | 20.02.2026 | |
| CVE-2026-2350 | Tanium addressed an insertion of sensitive information into log file vulnerability in Interact and TDS. | 19.02.2026 | 6.5 |
| CVE-2026-2408 | Use-after-free in Cloud Workloads | 19.02.2026 | 4.7 |
| CVE-2026-2435 | ASSET-7706 | 19.02.2026 | 6.3 |
| CVE-2026-2605 | Tanium addressed an insertion of sensitive information into log file vulnerability in TanOS. | 19.02.2026 | 5.3 |
| CVE-2026-26324 | OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable) | 19.02.2026 | 7.5 |
| CVE-2026-26325 | OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals | 19.02.2026 | 7.2 |
| CVE-2026-26326 | OpenClaw skills.status could leak secrets to operator.read clients | 19.02.2026 | |
| CVE-2026-26327 | OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning | 19.02.2026 | |
| CVE-2026-26953 | Pi-hole Web Interface has Stored HTML Injection via X-Forwarded-For Header in Active Sessions Table | 19.02.2026 | 5.4 |
| CVE-2026-26958 | filippo.io/edwards25519 MultiScalarMult function produces invalid results or undefined behavior if receiver is not the identity | 19.02.2026 | |
| CVE-2025-13671 | Cross Site request forgery vulnerability discovered in OpenText WSM Management Server. | 19.02.2026 | |
| CVE-2025-13672 | Reflected Cross-Site Scripting discovered in OpenText WSM Management Server. | 19.02.2026 | |
| CVE-2025-9208 | Stored-XSS vulnerability discovered in OpenText WSM Management Server. | 19.02.2026 | |
| CVE-2026-1658 | Content spoofing vulnerability discovered in OpenText™ Directory Services | 19.02.2026 | |
| CVE-2026-26322 | OpenClaw Gateway tool allowed unrestricted gatewayUrl override | 19.02.2026 | 7.6 |
| CVE-2026-26323 | OpenClaw has a command injection in maintainer clawtributors updater | 19.02.2026 | |
| CVE-2026-26952 | Pi-hole Web Interface has Stored HTML Injection via Local DNS Records (CNAME/Hosts) in data-tag Attribute | 19.02.2026 | 5.4 |
| CVE-2025-8054 | Path Traversal vulnerability have been discovered in OpenText™ XM Fax. | 19.02.2026 | |
| CVE-2025-8055 | SSRF vulnerability have been discovered in OpenText™ XM Fax | 19.02.2026 | |
| CVE-2026-24122 | Cosign Certificate Chain Expiry Validation Issue Allows Issuing Certificate Expiry to Be Overlooked | 19.02.2026 | 3.7 |
| CVE-2026-26320 | OpenClaw macOS deep link confirmation truncation can conceal executed agent message | 19.02.2026 | |
| CVE-2026-26321 | OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension | 19.02.2026 | 7.5 |
| CVE-2026-21535 | Microsoft Teams Information Disclosure Vulnerability | 19.02.2026 | 8.2 |
| CVE-2026-26319 | OpenClaw has Missing Webhook Authentication in Telnyx Provider Allowing Unauthenticated Requests | 19.02.2026 | 7.5 |
| CVE-2026-26275 | httpsig-hyper has Improper Digest Verification that May Allow Message Integrity Bypass | 19.02.2026 | 7.5 |
| CVE-2026-26316 | OpenClaw has BlueBubbles webhook auth bypass via loopback proxy trust | 19.02.2026 | 7.5 |
| CVE-2026-26317 | OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints | 19.02.2026 | 7.1 |
| CVE-2026-26314 | Go Ethereum affected by DoS via malicious p2p message | 19.02.2026 | |
| CVE-2026-26315 | Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake | 19.02.2026 | |
| CVE-2026-26744 | | 19.02.2026 | |
| CVE-2026-26286 | SillyTavern has Server-Side Request Forgery (SSRF) via Asset Download Endpoint that Allows Reading Internal Services | 19.02.2026 | |
| CVE-2026-26312 | Stalwart Mail Server has Out-of-Memory Denial of Service via Malformed Nested MIME Messages | 19.02.2026 | 6.5 |
| CVE-2026-26313 | Go Ethereum affected by DoS via malicious p2p message | 19.02.2026 | |
| CVE-2026-27114 | NanaZip has ROMFS Archive Infinite Loop | 19.02.2026 | |