CVE Field Guide

Critical CVEs

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-22891 | | 03.03.2026 | 9.8 |
| CVE-2026-22886 | | 03.03.2026 | 9.8 |
| CVE-2026-1492 | User Registration & Membership <= 5.1.2 - Unauthenticated Privilege Escalation via Membership Registration | 03.03.2026 | 9.8 |
| CVE-2026-2628 | All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login <= 2.2.5 - Authentication Bypass | 03.03.2026 | 9.8 |
| CVE-2025-50187 | Chamilo: Evaluation of untrusted user input leads to Remote Code Execution | 02.03.2026 | 9.8 |
| CVE-2026-23600 | | 03.03.2026 | 10 |
| CVE-2025-12462 | Blind SQL Injection in DobryCMS | 02.03.2026 | 9.3 |
| CVE-2025-14532 | Remote Code Execution via Unrestricted File Upload in DobryCMS | 02.03.2026 | 9.3 |
| CVE-2026-3431 | Sim Studio AI - MongoDB SSRF and Arbitrary Document Deletion | 02.03.2026 | 9.8 |
| CVE-2026-3432 | Sim Studio AI - Unauthenticated OAuth Token Theft | 02.03.2026 | 9.3 |
| CVE-2025-30035 | Lack of API authentication allowing session generation for any user | 02.03.2026 | 9 |
| CVE-2025-30042 | Session generation possible with certificate number only | 02.03.2026 | 9 |
| CVE-2025-30044 | RCE on uhcapache user permissions | 02.03.2026 | 9.4 |
| CVE-2026-2584 | SQL Injection in Ciser System SL firmware | 02.03.2026 | 9.3 |
| CVE-2026-2999 | Changing\|IDExpert Windows Logon Agent - Remote Code Execution | 02.03.2026 | 9.3 |
| CVE-2026-3000 | Changing\|IDExpert Windows Logon Agent - Remote Code Execution | 02.03.2026 | 9.3 |
| CVE-2026-3422 | e-Excellence\|U-Office Force - Insecure Deserialization | 02.03.2026 | 9.3 |
| CVE-2026-2844 | TimePictra Authentication Bypass Vulnerability | 02.03.2026 | 9.3 |
| CVE-2026-3010 | TimePictra Stored Cross-Site Scripting | 02.03.2026 | 9.3 |
| CVE-2026-28515 | openDCIM <= 23.04 Missing Authorization in install.php | 02.03.2026 | 9.3 |
| CVE-2026-28516 | openDCIM <= 23.04 SQL Injection in Config::UpdateParameter | 02.03.2026 | 9.3 |
| CVE-2026-28517 | openDCIM <= 23.04 OS Command Injection via dot Configuration Parameter | 02.03.2026 | 9.3 |
| CVE-2026-28408 | WeGIA lacks authentication verification in adicionar_tipo_docs_atendido.php | 02.03.2026 | 9.8 |
| CVE-2026-28409 | WeGIA Vulnerable to Remote Code Execution (RCE) via OS Command Injection | 02.03.2026 | 10 |
| CVE-2026-28411 | WeGIA Vulnerable to Authentication Bypass via `extract($_REQUEST)` | 02.03.2026 | 9.8 |
| CVE-2026-28268 | Vikunja Vulnerable to Account Takeover via Password Reset Token Reuse | 27.02.2026 | 9.8 |
| CVE-2026-27947 | Group-Office Vulnerable to Remote Code Execution (RCE) | 27.02.2026 | 9.4 |
| CVE-2026-27755 | SODOLA SL902-SWTGW124AS <= 200.1.20 Predictable Session ID | 02.03.2026 | 9.3 |
| CVE-2026-27751 | SODOLA SL902-SWTGW124AS <= 200.1.20 Use of Default Credentials | 02.03.2026 | 9.3 |
| CVE-2026-2749 | Path traversal in Centreon Open Tickets | 27.02.2026 | 9.9 |
| CVE-2026-2750 | Command Injection via CLAPI generatetraps | 27.02.2026 | 9.1 |
| CVE-2025-15498 | SQL Injection in Pro3W CMS | 27.02.2026 | 9.3 |
| CVE-2025-11252 | SQLi in Signum Technologies' windesk.fm | 27.02.2026 | 9.8 |
| CVE-2025-11251 | SQLi in Dayneks Software's E-Commerce Platform | 27.02.2026 | 9.8 |
| CVE-2026-2251 | Path Traversal leading to Remote Code Execution (RCE) | 03.03.2026 | 9.8 |
| CVE-2025-12981 | Listee <= 1.1.6 - Unauthenticated Privilege Escalation | 27.02.2026 | 9.8 |
| CVE-2026-3301 | Totolink N300RH Web Management cstecgi.cgi setWebWlanIdx os command injection | 27.02.2026 | 9.3 |
| CVE-2026-28370 | | 27.02.2026 | 9.1 |
| CVE-2026-28363 | | 27.02.2026 | 9.9 |
| CVE-2026-21718 | Copeland XWEB and XWEB Pro Use of a Broken or Risky Cryptographic Algorithm | 02.03.2026 | 10 |
| CVE-2026-24663 | Copeland XWEB and XWEB Pro OS Command Injection | 02.03.2026 | 9 |
| CVE-2026-27028 | Mobility46 mobility46.se Missing Authentication for Critical Function | 03.03.2026 | 9.4 |
| CVE-2026-27767 | SWITCH EV swtchenergy.com Missing Authentication for Critical Function | 02.03.2026 | 9.4 |
| CVE-2026-27772 | EV Energy ev.energy Missing Authentication for Critical Function | 02.03.2026 | 9.4 |
| CVE-2026-24731 | EV2GO ev2go.io Missing Authentication for Critical Function | 03.03.2026 | 9.4 |
| CVE-2026-20781 | CloudCharge cloudcharge.se Missing Authentication for Critical Function | 02.03.2026 | 9.4 |
| CVE-2026-25851 | Chargemap chargemap.com Missing Authentication for Critical Function | 02.03.2026 | 9.4 |
| CVE-2026-28213 | EverShop Vulnerable to Arbitrary Customer Account Takeover via Exposure of Password Reset Token in API Response | 27.02.2026 | 9.8 |
| CVE-2026-28215 | hoppscotch Vulnerable to Unauthenticated Onboarding Config Takeover | 02.03.2026 | 9.1 |
| CVE-2026-22207 | OpenViking Missing root_api_key Allows Anonymous ROOT Access | 02.03.2026 | 9.3 |
| CVE-2026-27966 | Langflow has Remote Code Execution in CSV Agent | 28.02.2026 | 9.8 |
| CVE-2026-27969 | Vitess users with backup storage access can write to arbitrary file paths on restore | 26.02.2026 | 9.3 |
| CVE-2026-27941 | OpenLIT Vulnerable to Remote Code Execution and Secret Exposure via Misuse of `pull_request_target` in GitHub Actions Workflows | 26.02.2026 | 10 |
| CVE-2026-27804 | Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter | 26.02.2026 | 9.3 |
| CVE-2026-27613 | CGI Parameter Injection (Bypass of STRICT_CGI_PARAMS and EscapeShellParam) | 26.02.2026 | 10 |
| CVE-2026-27498 | n8n has Arbitrary Command Execution via File Write and Git Operations | 26.02.2026 | 9 |
| CVE-2026-27497 | n8n has Potential Remote Code Execution via Merge Node | 26.02.2026 | 9.4 |
| CVE-2026-27577 | n8n: Expression Sandbox Escape Leads to RCE | 26.02.2026 | 9.4 |
| CVE-2026-27493 | n8n has Unauthenticated Expression Evaluation via Form Node | 26.02.2026 | 9.5 |
| CVE-2026-27495 | n8n has a Sandbox Escape in its JavaScript Task Runner | 26.02.2026 | 9.4 |
| CVE-2026-27575 | Vikunja has Weak Password Policy Combined with Persistent Sessions After Password Change | 26.02.2026 | 9.1 |
| CVE-2026-0542 | Remote Code Execution in ServiceNow AI Platform | 26.02.2026 | 9.2 |
| CVE-2026-24908 | OpenEMR has SQL Injection in Patient API Sort Parameter | 26.02.2026 | 10 |
| CVE-2026-21902 | Junos OS Evolved: PTX Series: A vulnerability allows an unauthenticated, network-based attacker to execute code as root | 03.03.2026 | 9.3 |
| CVE-2026-27739 | Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline | 27.02.2026 | 9.2 |
| CVE-2026-20127 | Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability | 26.02.2026 | 10 |
| CVE-2026-20129 | Cisco Catalyst SD-WAN Authentication Bypass Vulnerability | 26.02.2026 | 9.8 |
| CVE-2026-27728 | OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec() | 25.02.2026 | 10 |
| CVE-2025-1242 | Administrative Credentials Can Be Extracted Through Gardyn API Responses | 25.02.2026 | 9.3 |
| CVE-2026-27702 | Budibase Vulnerable to Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud) | 25.02.2026 | 9.9 |
| CVE-2026-27699 | Basic FTP has Path Traversal Vulnerability in its downloadToDir() method | 27.02.2026 | 9.1 |
| CVE-2026-2624 | Authentication Bypass in ePati's Antikor NGFW | 25.02.2026 | 9.8 |
| CVE-2025-62878 | Local Path Provisioner vulnerable to Path Traversal via parameters.pathPattern | 26.02.2026 | 9.9 |
| CVE-2026-25785 | | 25.02.2026 | 9.3 |
| CVE-2026-3179 | A path traversal vulnerability was found in the FTP Backup on the ADM. | 25.02.2026 | 9.2 |
| CVE-2026-27597 | @enclave-vm/core is vulnerable to Sandbox Escape | 25.02.2026 | 10 |
| CVE-2026-27637 | FreeScout's Predictable Authentication Token Enables Account Takeover | 25.02.2026 | 9.8 |
| CVE-2026-27641 | Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection | 25.02.2026 | 9.8 |
| CVE-2026-27743 | SPIP referer_spam <= 1.2.1 Unauthenticated SQL Injection | 26.02.2026 | 9.3 |
| CVE-2026-27744 | SPIP tickets < 4.3.3 Unauthenticated RCE | 26.02.2026 | 9.3 |
| CVE-2026-27595 | Parse Dashboard has incomplete authentication on AI Agent endpoint | 27.02.2026 | 9.9 |
| CVE-2026-27608 | Parse Dashboard Missing Authorization on Agent Endpoint | 25.02.2026 | 9.3 |
| CVE-2026-27614 | Bugsink is vulnerable to Stored XSS via Pygments fallback in stacktrace rendering | 25.02.2026 | 9.3 |
| CVE-2026-27626 | OliveTin vulnerable to OS Command Injection via `password` argument type and webhook JSON extraction bypasses shell safety checks | 27.02.2026 | 10 |
| CVE-2026-27822 | Rust has Critical Stored XSS in Preview Modal, leading to Administrative Account Takeover | 25.02.2026 | 9.1 |
| CVE-2026-24849 | OpenEMR Arbitrary File Read Vulnerability | 25.02.2026 | 10 |
| CVE-2026-27593 | Statamic is vulnerable to account takeover via password reset link injection | 27.02.2026 | 9.3 |

Latest Updates

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2025-66680 | | 03.03.2026 | |
| CVE-2026-24103 | | 03.03.2026 | |
| CVE-2026-3465 | Tuya App/SDK JSON Data Point denial of service | 03.03.2026 | |
| CVE-2025-52365 | | 03.03.2026 | |
| CVE-2025-57622 | | 03.03.2026 | |
| CVE-2025-64736 | | 03.03.2026 | 6.1 |
| CVE-2025-70821 | | 03.03.2026 | |
| CVE-2026-20777 | | 03.03.2026 | 8.1 |
| CVE-2026-22891 | | 03.03.2026 | 9.8 |
| CVE-2026-25673 | Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows | 03.03.2026 | |
| CVE-2026-25674 | Potential incorrect permissions on newly created file system objects | 03.03.2026 | |
| CVE-2026-28518 | OpenViking .ovpack Import ZIP Slip Path Traversal | 03.03.2026 | |
| CVE-2026-2637 | | 03.03.2026 | |
| CVE-2026-3342 | WatchGuard Firebox Out of Bounds Write Vulnerability | 03.03.2026 | |
| CVE-2026-3343 | WatchGuard Firebox Reflected Cross-Site-Scripting (XSS) Vulnerability in Fireware Web UI | 03.03.2026 | |
| CVE-2026-3344 | WatchGuard Firebox System Integrity Check Bypass | 03.03.2026 | |
| CVE-2026-3351 | Authorization Bypass in LXD GET /1.0/certificates Endpoint | 03.03.2026 | |
| CVE-2026-3463 | xlnt-community xlnt Compound Document binary.hpp append heap-based overflow | 03.03.2026 | |
| CVE-2025-59059 | Apache Ranger: Remote Code Execution Vulnerability in NashornScriptEngineCreator | 03.03.2026 | |
| CVE-2025-59060 | Apache Ranger: Hostname verification bypass in NiFiRegistryClient and NifiClient | 03.03.2026 | |
| CVE-2025-15598 | Dataease SQLBot JWT Token auth.py validateEmbedded signature verification | 03.03.2026 | |
| CVE-2026-2568 | WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.5 - Unauthenticated Stored Cross-Site Scripting | 03.03.2026 | 7.2 |
| CVE-2026-22886 | | 03.03.2026 | 9.8 |
| CVE-2026-1876 | Denial-of-Service (DoS) vulnerability in Ethernet function of MELSEC iQ-F Series Ethernet module | 03.03.2026 | |
| CVE-2026-1874 | Denial-of-Service (DoS) vulnerability in Ethernet function of MELSEC iQ-F Series EtherNet/IP module and Ethernet module | 03.03.2026 | |
| CVE-2026-1875 | Denial-of-Service (DoS) vulnerability in Ethernet function of MELSEC iQ-F Series EtherNet/IP module | 03.03.2026 | |
| CVE-2025-12345 | LLM-Claw Agent Deployment initiate.c agent_deploy_init buffer overflow | 03.03.2026 | |
| CVE-2025-15595 | Privilege escalation via DLL hijacking in Inno Setup | 03.03.2026 | |
| CVE-2026-3449 | | 03.03.2026 | 3.3 |
| CVE-2026-3455 | | 03.03.2026 | 6.1 |
| CVE-2026-1492 | User Registration & Membership <= 5.1.2 - Unauthenticated Privilege Escalation via Membership Registration | 03.03.2026 | 9.8 |
| CVE-2025-47147 | | 03.03.2026 | 5.7 |
| CVE-2026-20757 | | 03.03.2026 | 2.5 |
| CVE-2026-20801 | | 03.03.2026 | 5.6 |
| CVE-2026-1487 | LatePoint <= 5.2.7 - Authenticated (Administrator+) SQL Injection via JSON Import | 03.03.2026 | 6.5 |
| CVE-2026-2269 | Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin <= 7.0.0.3 - Authenticated (Administrator+) Server-Side Request Forgery to Arbitrary File Upload | 03.03.2026 | 7.2 |
| CVE-2026-2448 | Page Builder by SiteOrigin <= 2.33.5 - Authenticated (Contributor+) Local File Inclusion | 03.03.2026 | 8.8 |
| CVE-2026-2628 | All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login <= 2.2.5 - Authentication Bypass | 03.03.2026 | 9.8 |
| CVE-2026-0754 | SIP Service Providers – Possible Impersonation of Poly Voice Device | 03.03.2026 | |
| CVE-2026-1336 | AI ChatBot with ChatGPT and Content Generator by AYS <= 2.7.5 - Missing Authorization to Unauthenticated API Key Modification | 03.03.2026 | 5.3 |
| CVE-2026-1566 | LatePoint <= 5.2.7 - Authenticated (Agent+) Privilege Escalation | 03.03.2026 | 8.8 |
| CVE-2026-2583 | Blocksy <= 2.1.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via `blocksy_meta` Fields | 03.03.2026 | 6.4 |
| CVE-2026-3337 | Timing Side-Channel in AES-CCM Tag Verification in AWS-LC | 02.03.2026 | 5.9 |
| CVE-2026-3338 | PKCS7_verify Signature Validation Bypass in AWS-LC | 03.03.2026 | 7.5 |
| CVE-2026-3336 | PKCS7_verify Certificate Chain Validation Bypass in AWS-LC | 02.03.2026 | 7.5 |