CVE Field Guide

Critical CVEs

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2025-62615 | AutoGPT has SSRF vulnerability in ReadRSSFeedBlock | 05.02.2026 | 9.3 |
| CVE-2025-62616 | AutoGPT has SSRF vulnerability in SendDiscordFileBlock | 05.02.2026 | 9.3 |
| CVE-2026-25579 | Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/<token>` endpoints | 05.02.2026 | 9.2 |
| CVE-2026-25539 | SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE | 04.02.2026 | 9.1 |
| CVE-2026-25547 | Uncontrolled Resource Consumption in @isaacs/brace-expansion | 05.02.2026 | 9.2 |
| CVE-2026-25526 | JinJava Bypass through ForTag leads to Arbitrary Java Execution | 04.02.2026 | 9.8 |
| CVE-2026-25521 | Locutus is vulnerable to Prototype Pollution | 05.02.2026 | 9.4 |
| CVE-2025-13375 | IBM Common Cryptographic Architecture Arbitrary Command Execution | 04.02.2026 | 9.8 |
| CVE-2026-25512 | Group-Office is vulnerable to RCE due to Command Injection via TNEF Attachment Handler | 04.02.2026 | 9.4 |
| CVE-2026-25481 | Langroid has WAF Bypass Leading to RCE in TableChatAgent | 04.02.2026 | 9.4 |
| CVE-2026-25505 | Bambuddy Uses Hardcoded Secret Key + Many API Endpoints do not Require Authentication | 04.02.2026 | 9.8 |
| CVE-2026-25160 | Alist has Insecure TLS Config | 05.02.2026 | 9.1 |
| CVE-2025-64712 | Unstructured has Path Traversal via Malicious MSG Attachment that Allows Arbitrary File Write | 04.02.2026 | 9.8 |
| CVE-2026-21893 | n8n Vulnerable to Command Injection in Community Package Installation | 04.02.2026 | 9.4 |
| CVE-2026-25049 | n8n Has an Expression Escape Vulnerability Leading to RCE | 05.02.2026 | 9.4 |
| CVE-2026-25052 | n8n Improper File Access Controls Allow Arbitrary File Read by Authenticated Users | 05.02.2026 | 9.4 |
| CVE-2026-25053 | n8n is Vulnerable to OS Command Injection in Git Node | 05.02.2026 | 9.4 |
| CVE-2026-25056 | n8n Arbitrary File Write leading to RCE in n8n Merge Node | 05.02.2026 | 9.4 |
| CVE-2026-25115 | n8n is vulnerable to Python sandbox escape | 05.02.2026 | 9.4 |
| CVE-2025-5329 | SQLi in Martcode Software's Delta Course Automation | 04.02.2026 | 9.8 |
| CVE-2025-59818 | Authenticated Remote Code Execution via the file name of an uploaded file | 04.02.2026 | 10 |
| CVE-2026-1633 | Synectix LAN 232 TRIO Missing Authentication for Critical Function | 04.02.2026 | 10 |
| CVE-2026-1632 | RISS SRL MOMA Seismic Station Missing Authentication for Critical Function | 04.02.2026 | 9.3 |
| CVE-2020-37071 | CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution | 04.02.2026 | 9.3 |
| CVE-2020-37092 | Netis E1+ 1.2.32533 - Backdoor Account (root) | 04.02.2026 | 9.3 |
| CVE-2026-1341 | Missing Authentication for Critical Function in Avation Light Engine Pro | 04.02.2026 | 9.3 |
| CVE-2026-25150 | Prototype Pollution via FormData Processing in Qwik City | 04.02.2026 | 9.3 |
| CVE-2026-25510 | CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor | 04.02.2026 | 10 |
| CVE-2025-65078 | Untrusted search path vulnerability in Embedded Solutions Framework | 03.02.2026 | 9.3 |
| CVE-2026-1803 | Ziroom ZHOME A0101 Dropbear SSH Service default credentials | 03.02.2026 | 9.2 |
| CVE-2025-10878 | | 04.02.2026 | 10 |
| CVE-2026-25237 | PEAR is Vulnerable to PHP Code Execution via preg_replace /e in Bug Update Emails | 04.02.2026 | 9.2 |
| CVE-2026-25238 | PEAR is Vulnerable to SQL Injection in Bug Subscription Deletion via Weak Email Validation | 04.02.2026 | 9.2 |
| CVE-2026-25241 | PEAR is Vulnerable to SQL Injection in /get/<package>/<version> Endpoint | 04.02.2026 | 9.3 |
| CVE-2025-70841 | | 04.02.2026 | 10 |
| CVE-2026-1568 | Rapid7 InsightVM Signature Validation Vulnerability | 04.02.2026 | 9.6 |
| CVE-2025-5319 | SQLi in Emit Informatics' DIGITA Efficiency Management System | 04.02.2026 | 9.8 |
| CVE-2026-1432 | SQL injection (SQLi) on the Buroweb platform | 03.02.2026 | 9.3 |
| CVE-2026-24465 | | 03.02.2026 | 9.3 |
| CVE-2026-24936 | An improper input validation vulnerability was found in ADM while joining an AD Domain. | 04.02.2026 | 9.5 |
| CVE-2025-66480 | Wildfire has Arbitrary File Upload via Directory Traversal in UploadFileAction | 03.02.2026 | 9.8 |
| CVE-2026-22778 | vLLM leaks a heap address when PIL throws an error | 03.02.2026 | 9.8 |
| CVE-2026-23515 | RCE - Command Injection in Signal K set-system-time plugin | 03.02.2026 | 10 |
| CVE-2026-24471 | Improper Validation in Conduit-derived homeservers resulting in Unintended Proxy or Intermediary ('Confused Deputy') | 03.02.2026 | 9.3 |
| CVE-2026-25134 | Group-Office Argument Injection in MaintenanceController::actionZipLanguage | 04.02.2026 | 9.4 |
| CVE-2026-25137 | NixOS Odoo database and filestore publicly accessible with default odoo configuration | 04.02.2026 | 9.1 |
| CVE-2026-25142 | SandboxJS Prototype Pollution -> Sandbox Escape -> RCE | 04.02.2026 | 10 |
| CVE-2022-50981 | Multiple Innomic VibroLine VLX HD 5.0 and avibia AVLX weak password requirements | 02.02.2026 | 9.8 |
| CVE-2024-2356 | Remote Code Execution due to LFI in '/reinstall_extension' in parisneo/lollms-webui | 02.02.2026 | 9.6 |
| CVE-2024-5386 | Account Hijacking via Password Reset Token Leak in lunary-ai/lunary | 02.02.2026 | 9.6 |
| CVE-2024-5986 | Remote Arbitrary File Write with Arbitrary Data in h2oai/h2o-3 | 02.02.2026 | 9.1 |
| CVE-2026-25200 | | 03.02.2026 | 9.8 |
| CVE-2026-25202 | | 03.02.2026 | 9.8 |
| CVE-2026-25069 | SunFounder Pironman Dashboard <= 1.3.13 Path Traversal Arbitrary File Read/Deletion | 02.02.2026 | 9.3 |
| CVE-2020-37027 | Sickbeard 0.1 - Remote Command Injection | 03.02.2026 | 9.3 |
| CVE-2020-37052 | AirControl 1.4.2 - PreAuth Remote Code Execution | 02.02.2026 | 9.3 |
| CVE-2026-1723 | TOTOLINK X6000R Unauthenticated Command Injection Vulnerability | 04.02.2026 | 9.2 |
| CVE-2025-24293 | | 02.02.2026 | 9.2 |
| CVE-2026-25130 | Cybersecurity AI vulnerable to command injection through argument injection in find_file Agent tool | 02.02.2026 | 9.7 |
| CVE-2026-25141 | Orval has a code injection via unsanitized x-enum-descriptions using JS comments | 02.02.2026 | 9.3 |
| CVE-2025-7964 | Zigbee Router Denial of Service | 30.01.2026 | 9.2 |
| CVE-2025-26385 | Metasys product command injection vulnerability could allow remote SQL execution | 30.01.2026 | 9.5 |
| CVE-2026-1699 | | 02.02.2026 | 10 |
| CVE-2026-0963 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Crafty Controller | 02.02.2026 | 9.9 |
| CVE-2026-24728 | Interinfo DreamMaker - Missing Authentication for Critical Function | 30.01.2026 | 9.3 |
| CVE-2026-24729 | Interinfo DreamMaker - Unrestricted Upload of File with Dangerous Type | 30.01.2026 | 10 |
| CVE-2026-1281 | | 30.01.2026 | 9.8 |
| CVE-2026-1340 | | 30.01.2026 | 9.8 |
| CVE-2026-25047 | deepHas vulnerable to Prototype Pollution via constructor.prototype | 02.02.2026 | 9.4 |

Latest Updates

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2020-37151 | phpMyChat Plus 1.98 'deluser.php' SQL Injection | 05.02.2026 | |
| CVE-2025-13491 | IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to loss of confidentiality | 05.02.2026 | 5.1 |
| CVE-2025-14150 | IBM webMethods Integration Server is affected by | 05.02.2026 | 6.5 |
| CVE-2025-13379 | A SQL Injection vulnerability has been addressed in IBM Aspera Console | 05.02.2026 | 8.6 |
| CVE-2026-1523 | Path Traversal in Digitek from Grupo Azkoyen | 05.02.2026 | |
| CVE-2026-1927 | GreenShift - Animation and Page Builder Blocks <= 12.5.7 - Authenticated (Subscriber+) Information Disclosure of AI API Keys | 05.02.2026 | 4.3 |
| CVE-2026-1517 | iomad Company Admin Block sql injection | 05.02.2026 | |
| CVE-2026-1966 | YugabyteDB Anywhere Exposes LDAP Credentials in Cleartext in Web UI | 05.02.2026 | |
| CVE-2026-23572 | Improper Access Control in TeamViewer clients | 05.02.2026 | 7.2 |
| CVE-2026-23796 | Session Fixation in Quick.Cart | 05.02.2026 | |
| CVE-2026-23797 | Plaintext password display in Quick.Cart | 05.02.2026 | |
| CVE-2025-14079 | ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update | 05.02.2026 | 5.3 |
| CVE-2026-1271 | ProfileGrid <= 5.9.7.2 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Profile and Cover Image Modification | 05.02.2026 | 5.3 |
| CVE-2026-1294 | All In One Image Viewer Block <= 1.0.2 - Unauthenticated Server-Side Request Forgery via image-proxy Endpoint | 05.02.2026 | 7.2 |
| CVE-2026-1654 | Peter's Date Countdown <= 2.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] | 05.02.2026 | 6.1 |
| CVE-2025-13416 | ProfileGrid – User Profiles, Groups and Communities <= 5.9.7.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Suspension | 05.02.2026 | 4.3 |
| CVE-2026-1319 | Robin Image Optimizer <= 2.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Alternative Text Field | 05.02.2026 | 6.4 |
| CVE-2026-25198 | | 05.02.2026 | |
| CVE-2025-10258 | A time-based SQL Injection vulnerability in Infinera DNA | 05.02.2026 | |
| CVE-2026-0867 | Essential Widgets <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes | 05.02.2026 | 6.4 |
| CVE-2026-1246 | ShortPixel Image Optimizer <= 6.4.2 - Authenticated (Editor+) Arbitrary File Read via 'loadFile' Parameter | 05.02.2026 | 4.9 |
| CVE-2026-1268 | Dynamic Widget Content <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Content Field | 05.02.2026 | 6.4 |
| CVE-2026-1953 | Stored Cross-Site Scripting (XSS) in Nukegraphic CMS V3.1.2 | 05.02.2026 | |
| CVE-2025-15080 | Information Disclosure, Information Tampering, and Denial of Service (DoS) Vulnerability in Mitsubishi Electric proprietary protocol communication and SLMP communication for FA products | 05.02.2026 | |
| CVE-2025-61732 | Potential code smuggling via doc comments in cmd/cgo | 05.02.2026 | |
| CVE-2025-10314 | Malicious Code Execution Vulnerability in Mitsubishi Small-Capacity UPS Shutdown Software FREQSHIP-mini for Windows | 05.02.2026 | 8.8 |
| CVE-2025-11730 | | 05.02.2026 | 7.2 |
| CVE-2026-1897 | WeKan Position-History Tracking positionHistory.js PositionHistoryBleed authorization | 05.02.2026 | |
| CVE-2026-1898 | WeKan LDAP User Sync syncUser.js SyncLDAPBleed access control | 05.02.2026 | |
| CVE-2026-1896 | WeKan Migration Operation comprehensiveBoardMigration.js ComprehensiveBoardMigration MigrationBleed access control | 04.02.2026 | |
| CVE-2019-25267 | Wing FTP Server 6.0.7 - Unquoted Service Path | 04.02.2026 | |
| CVE-2019-25269 | Amiti Antivirus 25.0.640 - Unquoted Service Path Vulnerability | 04.02.2026 | |
| CVE-2019-25271 | NETGATE Data Backup 3.0.620 - 'NGDatBckpSrv' Unquoted Service Path | 04.02.2026 | |
| CVE-2019-25272 | TexasSoft CyberPlanet 6.4.131 - 'CCSrvProxy' Unquoted Service Path | 04.02.2026 | |
| CVE-2019-25273 | Easy-Hide-IP 5.0.0.3 - 'EasyRedirect' Unquoted Service Path | 04.02.2026 | |
| CVE-2019-25274 | ProShow Producer 9.0.3797 - Unquoted Service Path | 05.02.2026 | |
| CVE-2019-25275 | BartVPN 1.2.2 - 'BartVPNService' Unquoted Service Path | 05.02.2026 | |
| CVE-2019-25276 | Studio 5000 Logix Designer 30.01.00 - 'FactoryTalk Activation Service' Unquoted Service Path | 04.02.2026 | |
| CVE-2019-25281 | NCP_Secure_Entry_Client 9.2 - Unquoted Service Paths | 04.02.2026 | |
| CVE-2019-25283 | Shrew Soft VPN Client 2.2.2 - 'iked' Unquoted Service Path | 04.02.2026 | |
| CVE-2019-25285 | Alps Pointing-device Controller 8.1202.1711.04 - 'ApHidMonitorService' Unquoted Service Path | 04.02.2026 | |
| CVE-2019-25286 | _GCafé 3.0 - 'gbClienService' Unquoted Service Path | 04.02.2026 | |
| CVE-2019-25287 | Adaware Web Companion version 4.8.2078.3950 - 'WCAssistantService' Unquoted Service Path | 04.02.2026 | |
| CVE-2019-25288 | Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path | 04.02.2026 | |
| CVE-2025-13192 | Popup builder with Gamification <= 2.2.0 - Unauthenticated SQL Injection via Multiple REST API Endpoints | 04.02.2026 | 8.2 |
| CVE-2025-22873 | Improper access to parent directory of root in os | 05.02.2026 | |
| CVE-2026-1895 | WeKan Attachment Storage lists.js applyWipLimit ListWIPBleed access control | 05.02.2026 | |
| CVE-2025-62615 | AutoGPT has SSRF vulnerability in ReadRSSFeedBlock | 05.02.2026 | |
| CVE-2025-62616 | AutoGPT has SSRF vulnerability in SendDiscordFileBlock | 05.02.2026 | |
| CVE-2026-1894 | WeKan REST API checklistItems.js Checklist REST Bleed improper authorization | 05.02.2026 | |
| CVE-2026-22038 | AutoGPT's API Keys and Secrets Logged in Plaintext in Stagehand Integration Blocks | 05.02.2026 | 8.1 |
| CVE-2026-25585 | iccDEV vulnerable to OOB in CIccXform3DLut::Apply() | 05.02.2026 | 7.8 |
| CVE-2026-1892 | WeKan REST API boards.js setBoardOrgs improper authorization | 05.02.2026 | |
| CVE-2026-25541 | Bytes is vulnerable to integer overflow in BytesMut::reserve | 05.02.2026 | |
| CVE-2026-25582 | iccDEV vulnerable to Heap Buffer Overflow in CIccIO::WriteUInt16Float() | 05.02.2026 | 7.8 |
| CVE-2026-25583 | iccDEV vulnerable to Heap Buffer Overflow in CIccFileIO::Read8() | 05.02.2026 | 7.8 |
| CVE-2026-25584 | iccDEV vulnerable to Stack-based Buffer Overflow in CIccTagFloatNum::GetValues() | 05.02.2026 | 7.8 |
| CVE-2026-25575 | NavigaTUM has a Path Traversal Vulnerability in the propose_edits functionality | 04.02.2026 | |
| CVE-2026-25578 | Navidrome is vulnerable to XSS via comment from song metadata | 05.02.2026 | 6.1 |
| CVE-2026-25579 | Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/<token>` endpoints | 05.02.2026 | |
| CVE-2026-25539 | SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE | 04.02.2026 | 9.1 |
| CVE-2026-25540 | Mastodon's signature-dependent ActivityPub collection responses cached under signature-independent keys (Web Cache Poisoning via `Rails.cache`) | 04.02.2026 | 6.5 |
| CVE-2026-25543 | HtmlSanitizer has a bypass via template tag | 04.02.2026 | |
| CVE-2026-25546 | Godot MCP is vulnerable to Command Injection via unsanitized projectPath | 04.02.2026 | 7.8 |
| CVE-2026-25547 | Uncontrolled Resource Consumption in @isaacs/brace-expansion | 05.02.2026 | |
| CVE-2026-1884 | ZenTao Webhook model.php fetchHook server-side request forgery | 04.02.2026 | |
| CVE-2026-25526 | JinJava Bypass through ForTag leads to Arbitrary Java Execution | 04.02.2026 | 9.8 |
| CVE-2026-25536 | @modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse | 04.02.2026 | 7.1 |
| CVE-2026-25537 | jsonwebtoken has Type Confusion that leads to potential authorization bypass | 04.02.2026 | |
| CVE-2026-25538 | Devtron Attributes API Unauthorized Access Leading to API Token Signing Key Leakage | 04.02.2026 | |
| CVE-2024-40685 | IBM Operations Analytics - Log Analysis is affected by CSRF Token Replay Attack | 05.02.2026 | 4.3 |
| CVE-2024-43181 | Multiple Vulnerabilities in IBM Concert Software | 05.02.2026 | 6.3 |
| CVE-2024-51451 | Multiple Vulnerabilities in IBM Concert Software | 05.02.2026 | 6.5 |
| CVE-2026-25518 | cert-manager-controller DoS via Specially Crafted DNS Response | 05.02.2026 | 5.9 |
| CVE-2026-25521 | Locutus is vulnerable to Prototype Pollution | 05.02.2026 | |
| CVE-2026-25523 | Magento's X-Original-Url header can expose admin url | 04.02.2026 | 5.3 |
| CVE-2025-1823 | IBM Jazz Reporting Service Denial of Service | 05.02.2026 | 3.5 |
| CVE-2025-27550 | IBM Jazz Reporting Service Information Disclosure | 04.02.2026 | 3.5 |
| CVE-2025-2134 | IBM Jazz Reporting Service Denial of Service | 04.02.2026 | 3.5 |