CVE Field Guide

Critical CVEs

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-27574 | OneUptime: node:vm sandbox escape in probe allows any project member to achieve RCE | 21.02.2026 | 10 |
| CVE-2026-27452 | ASN.1 TypeScript Library: Decoding an INTEGER could leak the underlying ArrayBuffer | 21.02.2026 | 9.2 |
| CVE-2026-27471 | ERP: Document access through endpoints due to missing validation | 21.02.2026 | 9.3 |
| CVE-2026-27211 | Cloud Hypervisor: Host File Exfiltration via QCOW Backing File Abuse | 21.02.2026 | 9.1 |
| CVE-2026-27212 | Swiper has a Prototype Pollution Vulnerability | 21.02.2026 | 9.4 |
| CVE-2026-27197 | Sentry: Improper Authentication on SAML SSO process allows user identity linking | 21.02.2026 | 9.1 |
| CVE-2019-25441 | thesystem 1.0 Command Injection via run_command endpoint | 20.02.2026 | 9.3 |
| CVE-2026-2635 | MLflow Use of Default Password Authentication Bypass Vulnerability | 20.02.2026 | 9.8 |
| CVE-2026-27112 | Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints | 20.02.2026 | 9.4 |
| CVE-2026-25896 | fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names | 20.02.2026 | 9.3 |
| CVE-2021-35402 | | 20.02.2026 | 10 |
| CVE-2026-2333 | Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds | 20.02.2026 | 9.2 |
| CVE-2026-25715 | Jinan USR IOT Technology Limited (PUSR) USR-W610 Weak Password Requirements | 20.02.2026 | 9.8 |
| CVE-2026-21627 | Extension - tassos.gr - SQL injection and Unauthenticated File Read in Novarain/Tassos Framework v4.10.14 – v6.0.37 for Joomla | 22.02.2026 | 9.5 |
| CVE-2025-10970 | SQLi in Kolay Software's Talentics | 20.02.2026 | 9.8 |
| CVE-2026-26064 | calibre: Path Traversal Vulnerability Enables Arbitrary File Write and Remote Code Execution | 20.02.2026 | 9.3 |
| CVE-2026-26065 | calibre: Path Traversal can Lead to Arbitrary File Write and Potential Code Execution | 20.02.2026 | 9.3 |
| CVE-2026-26980 | Ghost has a SQL Injection in its Content API | 20.02.2026 | 9.4 |
| CVE-2026-26988 | LibreNMS: SQL Injection in ajax_table.php spreads through a covert data stream | 20.02.2026 | 9.3 |
| CVE-2025-30410 | | 21.02.2026 | 9.8 |
| CVE-2025-30411 | | 21.02.2026 | 10 |
| CVE-2025-30412 | | 21.02.2026 | 10 |
| CVE-2025-30416 | | 21.02.2026 | 10 |
| CVE-2026-27476 | RustFly 2.0.0 Command Injection via UDP Remote Control | 20.02.2026 | 9.3 |
| CVE-2026-27475 | SPIP < 4.4.9 Insecure Deserialization | 20.02.2026 | 9.2 |
| CVE-2026-2409 | | 20.02.2026 | 9.3 |
| CVE-2026-26339 | Hyland Alfresco Transformation Service Argument Injection RCE | 20.02.2026 | 9.3 |
| CVE-2026-24834 | Kata Container to Guest micro VM privilege escalation | 21.02.2026 | 9.4 |
| CVE-2026-26016 | Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization | 20.02.2026 | 9.2 |
| CVE-2026-26030 | Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable to remote code execution | 20.02.2026 | 10 |
| CVE-2025-71243 | SPIP Saisies Plugin < 5.11.1 Remote Code Execution | 19.02.2026 | 9.3 |
| CVE-2025-9953 | SQLi in Database Software's Databank Accreditation Software | 20.02.2026 | 9.8 |
| CVE-2025-8350 | Authentication Bypass with Redirect in BiEticaret Software's BiEticaret CMS | 20.02.2026 | 9.8 |
| CVE-2025-12107 | Potential authenticated Server-Side Template Injection (SSTI) vulnerability. | 20.02.2026 | 10 |
| CVE-2025-13590 | Authenticated arbitrary file upload via a System REST API requiring administrator permission. | 20.02.2026 | 9.1 |
| CVE-2026-1994 | s2Member <= 260127 - Unauthenticated Privilege Escalation via Account Takeover | 19.02.2026 | 9.8 |
| CVE-2026-2731 | Unauthenticated RCE in Dynamicweb 9 and Dynamicweb 8 | 19.02.2026 | 10 |
| CVE-2025-13563 | Lizza LMS Pro <= 1.0.3 - Unauthenticated Privilege Escalation | 19.02.2026 | 9.8 |
| CVE-2025-13851 | Buyent Theme (with Buyent Classified Plugin) <= 1.0.7 - Unauthenticated Privilege Escalation via User Registration | 19.02.2026 | 9.8 |
| CVE-2026-0926 | Prodigy Commerce <= 3.2.9 - Unauthenticated Local File Inclusion via parameters[template_name] | 19.02.2026 | 9.8 |
| CVE-2026-1405 | Slider Future <= 1.0.5 - Unauthenticated Arbitrary File Upload | 19.02.2026 | 9.8 |
| CVE-2025-12882 | Clasifico Listing <= 2.0 - Unauthenticated Privilege Escalation | 19.02.2026 | 9.8 |
| CVE-2025-15586 | | 19.02.2026 | 10 |
| CVE-2026-2686 | SECCN Dingcheng G10 session_login.cgi qq os command injection | 19.02.2026 | 9.3 |
| CVE-2026-25548 | InvoicePlane Vulnerable to Remote Code Execution via Local File Inclusion and Log Poisoning | 19.02.2026 | 9.1 |
| CVE-2019-25362 | WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Buffer OverFlow | 19.02.2026 | 9.3 |
| CVE-2019-25364 | Win10 MailCarrier 2.51 - 'POP3 User' Remote Buffer Overflow | 19.02.2026 | 9.3 |
| CVE-2026-27174 | MajorDoMo Unauthenticated Remote Code Execution via Admin Console Eval | 18.02.2026 | 9.3 |
| CVE-2026-27175 | MajorDoMo Command Injection in rc/index.php via Race Condition | 18.02.2026 | 9.2 |
| CVE-2026-27180 | MajorDoMo Supply Chain Remote Code Execution via Update URL Poisoning | 20.02.2026 | 9.3 |
| CVE-2026-23491 | InvoicePlane has Unauthenticated Path Traversal in Guest Controller | 18.02.2026 | 9.3 |
| CVE-2025-14009 | Zip Slip Vulnerability in nltk/nltk Leading to Remote Code Execution | 19.02.2026 | 10 |
| CVE-2025-70152 | | 18.02.2026 | 9.8 |
| CVE-2025-70150 | | 18.02.2026 | 9.8 |
| CVE-2025-15579 | An Insecure Deserialization vulnerability has been discovered in OpenText™ Directory Services. | 18.02.2026 | 9.5 |
| CVE-2026-2329 | Grandstream GXP1600 VoIP Phones - Unauthenticated stack buffer overflow | 18.02.2026 | 9.3 |
| CVE-2026-1435 | Incorrect management of session invalidation vulnerability in Graylog Web Interface | 18.02.2026 | 9.3 |
| CVE-2026-1937 | YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Options Update via 'yaymail_import_state' AJAX Action | 18.02.2026 | 9.8 |
| CVE-2026-1670 | Honeywell CCTV Products Missing Authentication for Critical Function | 18.02.2026 | 9.3 |
| CVE-2026-22769 | | 19.02.2026 | 10 |
| CVE-2026-23647 | Glory RBG-100 Recycler System Hard-coded OS Credentials | 18.02.2026 | 9.3 |
| CVE-2026-22208 | OpenS100 Portrayal Engine Unrestricted Lua Standard Library Access | 17.02.2026 | 9.4 |
| CVE-2026-26220 | LightLLM <= 1.1.0 PD Mode Unsafe Deserialization RCE | 17.02.2026 | 9.3 |
| CVE-2026-2564 | Intelbras VIP 3260 Z IA OutsideCmd password recovery | 17.02.2026 | 9.2 |
| CVE-2026-2550 | EFM iptime A6004MX timepro.cgi commit_vpncli_file_upload unrestricted upload | 17.02.2026 | 9.3 |
| CVE-2026-2577 | Nanobot Unauthenticated WhatsApp Session Hijack via WebSocket Bridge | 17.02.2026 | 10 |

Latest Updates

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-2954 | Dromara UJCMS ImportDataController import-channel importChanel injection | 22.02.2026 | |
| CVE-2019-25455 | Web Ofisi E-Ticaret v3 SQL Injection via ara.html | 22.02.2026 | |
| CVE-2019-25456 | Web Ofisi Emlak v2 SQL Injection via ara Parameter | 22.02.2026 | |
| CVE-2019-25457 | Web Ofisi Firma v13 SQL Injection via oz Parameter | 22.02.2026 | |
| CVE-2019-25458 | Web Ofisi Firma Rehberi v1 SQL Injection via firmalar.html | 22.02.2026 | |
| CVE-2019-25459 | Web Ofisi Emlak V2 SQL Injection via emlak-ara.html | 22.02.2026 | |
| CVE-2019-25460 | Web Ofisi Platinum E-Ticaret v5 SQL Injection via q Parameter | 22.02.2026 | |
| CVE-2019-25461 | Web Ofisi Platinum E-Ticaret v5 SQL Injection via ajax/productsFilterSearch | 22.02.2026 | |
| CVE-2019-25462 | Web Ofisi Rent a Car v3 SQL Injection via klima Parameter | 22.02.2026 | |
| CVE-2026-2952 | Vaelsys HTTP POST Request tree_server.php os command injection | 22.02.2026 | |
| CVE-2026-2953 | Dromara UJCMS Template WebFileTemplateController.delete deleteDirectory path traversal | 22.02.2026 | |
| CVE-2019-25366 | microASP Portal+ CMS SQL Injection via pagina.phtml | 22.02.2026 | |
| CVE-2019-25391 | Ashop Shopping Cart Software Lastest Latest SQL Injection via bannedcustomers.php | 22.02.2026 | |
| CVE-2019-25433 | XOOPS CMS 2.5.9 SQL Injection via gerar_pdf.php | 22.02.2026 | |
| CVE-2019-25439 | NoviSmart CMS SQL Injection via Referer HTTP Header | 22.02.2026 | |
| CVE-2019-25440 | WebIncorp ERP Every version SQL Injection via product_detail.php | 22.02.2026 | |
| CVE-2026-2947 | rymcu forest User Profile UserInfoController.java updateUserInfo cross site scripting | 22.02.2026 | |
| CVE-2019-25442 | Web Wiz Forums 12.01 SQL Injection via PF Parameter | 22.02.2026 | |
| CVE-2019-25443 | Inventory Webapp SQL Injection via add-item.php | 22.02.2026 | |
| CVE-2019-25446 | DIGIT CENTRIS ERP Every version SQL Injection via datum1 Parameter | 22.02.2026 | |
| CVE-2019-25450 | Dolibarr ERP/CRM 10.0.1 SQL Injection via card.php | 22.02.2026 | |
| CVE-2019-25452 | Dolibarr ERP/CRM 10.0.1 SQL Injection via elemid | 22.02.2026 | |
| CVE-2026-2945 | JeecgBoot uploadImgByHttp server-side request forgery | 22.02.2026 | |
| CVE-2026-2946 | rymcu forest Article Content/Comments/Portfolio XssUtils.java XssUtils.replaceHtmlCode cross site scripting | 22.02.2026 | |
| CVE-2026-2944 | Tosei Online Store Management System ネット店舗管理システム HTTP POST Request monitor.php system os command injection | 22.02.2026 | |
| CVE-2026-2943 | SapneshNaik Student Management System index.php cross site scripting | 22.02.2026 | |
| CVE-2026-2940 | Zaher1307 tiny_web_server URL tiny.c out-of-bounds write | 22.02.2026 | |
| CVE-2026-2939 | itsourcecode Student Management System Add Student add_student cross site scripting | 22.02.2026 | |
| CVE-2026-2938 | SourceCodester Student Result Management System update_smtp.php access control | 22.02.2026 | |
| CVE-2026-2385 | The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.7 - Unauthenticated Email Relay | 22.02.2026 | 5.3 |
| CVE-2026-2934 | YiFang CMS Extended Management D_friendLinkGroup.php update cross site scripting | 22.02.2026 | |
| CVE-2026-2935 | UTT HiPER 810G ConfigExceptMSN strcpy buffer overflow | 22.02.2026 | |
| CVE-2026-2932 | YiFang CMS Extended Management D_adPosition.php update cross site scripting | 22.02.2026 | |
| CVE-2026-2933 | YiFang CMS Extended Management D_adManage.php update cross site scripting | 22.02.2026 | |
| CVE-2026-2930 | Tenda A18 Httpd Service UploadCfg webCgiGetUploadFile stack-based overflow | 22.02.2026 | |
| CVE-2026-1369 | Conditional CAPTCHA <= 4.0.0 - Open Redirect | 22.02.2026 | |
| CVE-2026-2929 | D-Link DWR-M960 Wireless Access Control Endpoint formWlAc sub_453140 stack-based overflow | 22.02.2026 | |
| CVE-2026-2928 | D-Link DWR-M960 WLAN Encryption Configuration Endpoint formWlEncrypt sub_452CCC stack-based overflow | 22.02.2026 | |
| CVE-2026-2926 | D-Link DWR-M960 LTE Configuration Endpoint formLteSetup sub_4237AC stack-based overflow | 22.02.2026 | |
| CVE-2026-2927 | D-Link DWR-M960 Operation Mode Configuration Endpoint formOpMode sub_462590 stack-based overflow | 22.02.2026 | |
| CVE-2026-2912 | code-projects Online Reviewer System studentresult-view.php sql injection | 22.02.2026 | |
| CVE-2026-2913 | libvips source.c vips_source_read_to_memory heap-based overflow | 22.02.2026 | |
| CVE-2026-2925 | D-Link DWR-M960 Bridge VLAN Configuration Endpoint formBridgeVlan sub_42B5A0 stack-based overflow | 22.02.2026 | |
| CVE-2026-2910 | Tenda HG9 formPing6 stack-based overflow | 22.02.2026 | |
| CVE-2026-2911 | Tenda FH451 GstDhcpSetSer buffer overflow | 22.02.2026 | |
| CVE-2026-2906 | Tenda HG9 Samba Configuration Endpoint formSamba stack-based overflow | 22.02.2026 | |
| CVE-2026-2907 | Tenda HG9 GPON Configuration Endpoint formgponConf stack-based overflow | 22.02.2026 | |
| CVE-2026-2908 | Tenda HG9 Loopback Detection Configuration Endpoint formLoopBack stack-based overflow | 22.02.2026 | |
| CVE-2026-2909 | Tenda HG9 Diagnostic Ping Endpoint formPing stack-based overflow | 22.02.2026 | |
| CVE-2026-2905 | Tenda HG9 Wireless Configuration Endpoint formWlanSetup stack-based overflow | 22.02.2026 | |
| CVE-2026-2897 | funadmin Backend index.html cross site scripting | 22.02.2026 | |
| CVE-2026-2898 | funadmin Backend Endpoint AuthCloudService.php getMember deserialization | 22.02.2026 | |
| CVE-2026-2903 | skvadrik re2c ast.cc check_and_merge_special_rules null pointer dereference | 22.02.2026 | |
| CVE-2026-2904 | UTT HiPER 810G ConfigExceptAli strcpy buffer overflow | 22.02.2026 | |
| CVE-2026-2896 | funadmin Configuration Ajax.php setConfig improper authorization | 21.02.2026 | |
| CVE-2026-2894 | funadmin forget.html getMember information disclosure | 21.02.2026 | |
| CVE-2026-2895 | funadmin Member.php repass password recovery | 21.02.2026 | |
| CVE-2026-2889 | CCExtractor mp4.c processmp4 use after free | 21.02.2026 | |