CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2025-12059 Improper Access Control in Logo Software's Logo j-Platform 11.02.2026 9.8
CVE-2026-2248 Unauthenticated Remote Root Shell Access via Web Console in METIS WIC 11.02.2026 9.8
CVE-2026-2249 Unauthenticated Remote Command Execution via Web Console in METIS DFS 11.02.2026 9.8
CVE-2025-8668 Reflected XSS in E-Kalite Software Hardware Engineering's Turboard 11.02.2026 9.4
CVE-2025-66277 QTS, QuTS hero 11.02.2026 9.2
CVE-2025-8025 Improper Access Control in Dinosoft Business Solutions' Dinosoft ERP 11.02.2026 9.8
CVE-2026-1357 Migration, Backup, Staging <= 0.9.123 - Unauthenticated Arbitrary File Upload 11.02.2026 9.8
CVE-2026-26009 Catalyst Affected by Remote Code Execution as Root via Containerized Install Script Execution 10.02.2026 10
CVE-2026-21531 Azure SDK for Python Remote Code Execution Vulnerability 11.02.2026 9.8
CVE-2026-25993 EverShop has a Second-Order SQL Injection in URL Rewrite Processing Derived from Category URL Keys 10.02.2026 9.3
CVE-2026-25728 ClipBucket v5 Affected by Remote Code Execution via Avatar/Background File Upload Race Condition 11.02.2026 9.3
CVE-2025-11242 SSRF in Teknolist Computer's Okulistik 10.02.2026 9.8
CVE-2026-2095 Flowring|Agentflow - Authentication Bypass 10.02.2026 9.3
CVE-2026-2096 Flowring|Agentflow - Missing Authentication 10.02.2026 9.3
CVE-2026-0488 Code Injection vulnerability in SAP CRM and SAP S/4HANA (Scripting Editor) 11.02.2026 9.9
CVE-2026-0509 Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform 10.02.2026 9.6
CVE-2026-25893 FUXA Unauthenticated Remote Code Execution via Admin JWT Minting 09.02.2026 10
CVE-2026-25894 FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration 09.02.2026 9.5
CVE-2026-25895 FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API 09.02.2026 9.5
CVE-2026-25938 FUXA Unauthenticated Remote Code Execution in Node-RED Integration 09.02.2026 9.5
CVE-2026-25939 FUXA Unauthenticated Remote Arbitrary Scheduler Write 09.02.2026 9.3
CVE-2026-25812 PlaciPy is Missing CSRF Protection on State-Changing Endpoints 10.02.2026 9.3
CVE-2026-25814 NoSQL Injection Risk via Unsanitized Query Parameters 10.02.2026 9.3
CVE-2026-25875 PlaciPy Admin Privilege Escalation via Trusted JWT Claims 10.02.2026 9.3
CVE-2026-25881 @nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape) 10.02.2026 9.1
CVE-2026-25885 PolarLearn allows Unauthenticated WebSocket access allows subscribing to and posting in arbitrary group chats 10.02.2026 10
CVE-2026-25057 Zip Slip in MarkUs config upload allowing RCE 10.02.2026 9.1
CVE-2025-66630 Fiber insecurely fallsback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure 10.02.2026 9.2
CVE-2025-6830 SQLi in Xpoda Türkiye Information Technology's Password Module 11.02.2026 9.8
CVE-2026-25848 10.02.2026 9.1
CVE-2026-22903 Stack Overflow via SESSIONID Cookie in lighttpd 09.02.2026 9.8
CVE-2026-22904 Stack Overflow via Oversized Cookie Fields in lighttpd 09.02.2026 9.8
CVE-2026-22906 Hardcoded Key Allows Credential Disclosure 09.02.2026 9.8
CVE-2026-2234 HGiga|C&Cm@il - Missing Authentication 09.02.2026 9.3
CVE-2026-1868 Improper Neutralization of Special Elements Used in a Template Engine in GitLab AI Gateway 09.02.2026 9.9
CVE-2026-1615 09.02.2026 9.2
CVE-2025-15027 JAY Login & Register <= 2.6.03 - Unauthenticated Privilege Escalation via jay_login_register_ajax_create_final_user 09.02.2026 9.8
CVE-2026-25858 macrozheng mall <= 1.0.3 Unauthenticated Password Reset via OTP Disclosure 10.02.2026 9.3
CVE-2020-37135 AMSS++ 4.7 - Backdoor Admin Account 10.02.2026 9.3
CVE-2026-25803 3DP-MANAGER Uses Hard-coded Credentials 09.02.2026 9.8
CVE-2026-25763 Command Injection on OpenProject repositories leads to Remote Code Execution 09.02.2026 9.4
CVE-2026-1731 Remote code execution vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) 10.02.2026 9.9
CVE-2026-1727 Information Disclosure via Bucket Squatting in Google Cloud Agentspace. 09.02.2026 9.1
CVE-2026-25544 Payload has an SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters 09.02.2026 9.8
CVE-2026-25592 Semantic Kernel has an Arbitrary File Write via AI Agent Function Calling in .NET SDK 09.02.2026 10
CVE-2026-25632 EPyT-Flow has unsafe JSON deserialization (__type__) 06.02.2026 10
CVE-2026-25520 SandboxJS has a Sandbox Escape 06.02.2026 10
CVE-2026-25586 SandboxJS has a Sandbox Escape via Prototype Whitelist Bypass and Host Prototype Pollution 06.02.2026 10
CVE-2026-25587 SandboxJS has a Sandbox Escape 06.02.2026 10
CVE-2026-25641 SandboxJS has a sandbox escape via TOCTOU bug on keys in property accesses 06.02.2026 10
CVE-2026-1709 Keylime: keylime: authentication bypass allows unauthorized administrative operations due to missing client-side tls authentication 09.02.2026 9.4
CVE-2026-25643 Frigate Affected by Authenticated Remote Command Execution (RCE) and Container Escape 06.02.2026 9.1
CVE-2026-25751 FUXA Unauthenticated Exposure of Plaintext Database Credentials 09.02.2026 9.1
CVE-2026-25752 FUXA Unauthenticated Remote Arbitrary Device Tag Write 09.02.2026 9.3
CVE-2026-25753 PlaciPy has a Hard-Coded Default Password for All Student Accounts (Account Takeover) 09.02.2026 9.3
CVE-2025-69212 OpenSTAManager has an OS Command Injection in P7M File Processing 09.02.2026 9.4
CVE-2025-64111 Gogs's update .git/config file allows remote command execution 07.02.2026 9.3
CVE-2026-2017 IP-COM W30AP POST Request wx3auth R7WebsSecurityHandler stack-based overflow 06.02.2026 9.3
CVE-2026-1499 WP Duplicate <= 1.1.8 - Authenticated (Subscriber+) Arbitrary File Upload via 'process_add_site' AJAX Action 06.02.2026 9.8
CVE-2026-21643 11.02.2026 9.1
CVE-2026-21626 Extension - stackideas.com - Information disclosure in post custom fields in EasyDiscuss 1.0.0-5.0.15 for Joomla 06.02.2026 9.2
CVE-2026-24300 Azure Front Door Elevation of Privilege Vulnerability 11.02.2026 9.8
CVE-2020-37123 Pinger 1.0 - Remote Code Execution 06.02.2026 9.3
CVE-2020-37125 Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution 05.02.2026 9.3
CVE-2025-62615 AutoGPT has SSRF vulnerability in ReadRSSFeedBlock 05.02.2026 9.3
CVE-2025-62616 AutoGPT has SSRF vulnerability in SendDiscordFileBlock 05.02.2026 9.3
CVE-2026-25579 Navidrome affected by Denial of Service and disk exhaustion via oversized `size` parameter in `/rest/getCoverArt` and `/share/img/<token>` endpoints 05.02.2026 9.2
CVE-2026-25539 SiYuan has Arbitrary File Write via /api/file/copyFile leading to RCE 05.02.2026 9.1
CVE-2026-25547 Uncontrolled Resource Consumption in @isaacs/brace-expansion 05.02.2026 9.2
CVE-2026-25526 JinJava Bypass through ForTag leads to Arbitrary Java Execution 05.02.2026 9.8

Latest Updates

CVE Title Updated Score
CVE-2025-12474 libjxl: Uninitialized memory read in decoder due to incorrect optimization in patch handling 11.02.2026
CVE-2026-1837 libjxl: Out-of-bounds write in grayscale color transformation when using LCMS2 11.02.2026
CVE-2026-25868 MiniGal Nano <= 0.3.5 Reflected XSS via dir Parameter 11.02.2026
CVE-2018-25157 Phraseanet 4.0.3 Stored XSS via Document Upload 11.02.2026
CVE-2019-25306 BlackMoon FTP Server 3.1.2.1731 - 'BMFTP-RELEASE' Unquoted Service Path 11.02.2026
CVE-2019-25307 WorkgroupMail 7.5.1 - 'WorkgroupMail' Unquoted Service Path 11.02.2026
CVE-2019-25308 Mikogo 5.2.2.150317 - 'Mikogo-Service' Unquoted Service Path 11.02.2026
CVE-2019-25309 Zilab Remote Console Server 3.2.9 - 'Zilab Remote Console Server' Unquoted Service Path 11.02.2026
CVE-2019-25310 ActiveFax Server 6.92 Build 0316 - 'ActiveFaxServiceNT' Unquoted Service Path 11.02.2026
CVE-2019-25311 thesystem Persistent XSS 11.02.2026
CVE-2019-25312 InoERP 0.7.2 - Persistent Cross-Site Scripting 11.02.2026
CVE-2019-25314 Duplicate-Post 3.2.3 - Persistent Cross-Site Scripting 11.02.2026
CVE-2019-25315 WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting 11.02.2026
CVE-2019-25316 GOautodial 4.0 - 'CreateEvent' Persistent Cross-Site Scripting 11.02.2026
CVE-2019-25317 Kimai 2 - Persistent Cross-Site Scripting (XSS) 11.02.2026
CVE-2026-2344 Stored XSS on Plunet BusinessManager 11.02.2026
CVE-2026-2345 Insufficient Origin Validation in Proctorio Chrome Extension postMessage Handlers 11.02.2026 3.6
CVE-2023-20514 11.02.2026
CVE-2023-20548 11.02.2026
CVE-2023-31324 11.02.2026
CVE-2024-36316 11.02.2026 5.5
CVE-2024-36320 11.02.2026
CVE-2024-36324 11.02.2026 8.8
CVE-2025-48508 11.02.2026 6
CVE-2025-48518 11.02.2026
CVE-2025-52541 11.02.2026 7.3
CVE-2025-61969 11.02.2026
CVE-2025-12059 Improper Access Control in Logo Software's Logo j-Platform 11.02.2026 9.8
CVE-2025-48503 11.02.2026 7.8
CVE-2026-2248 Unauthenticated Remote Root Shell Access via Web Console in METIS WIC 11.02.2026 9.8
CVE-2026-2249 Unauthenticated Remote Command Execution via Web Console in METIS DFS 11.02.2026 9.8
CVE-2026-2250 Unauthenticated Data Export and Source Code Disclosure via /dbviewer/ in METIS WIC 11.02.2026 7.5
CVE-2025-8668 Reflected XSS in E-Kalite Software Hardware Engineering's Turboard 11.02.2026 9.4
CVE-2026-1226 11.02.2026
CVE-2026-1227 11.02.2026
CVE-2026-2337 Reflected XSS on Plunet BusinessManager 11.02.2026
CVE-2026-0910 wpForo Forum <= 2.4.13 - Authenticated (Subscriber+) PHP Object Injection 11.02.2026 8.8
CVE-2024-56807 Media Streaming add-on 11.02.2026
CVE-2024-56808 Media Streaming add-on 11.02.2026
CVE-2025-30266 Qsync Central 11.02.2026
CVE-2025-30269 Qsync Central 11.02.2026
CVE-2025-30276 Qsync Central 11.02.2026
CVE-2025-47205 QTS, QuTS hero 11.02.2026
CVE-2025-47209 Qsync Central 11.02.2026
CVE-2025-48722 Qsync Central 11.02.2026
CVE-2025-48723 Qsync Central 11.02.2026
CVE-2025-48724 Qsync Central 11.02.2026
CVE-2025-48725 QuTS hero 11.02.2026
CVE-2025-52868 Qsync Central 11.02.2026
CVE-2025-52869 Qsync Central 11.02.2026
CVE-2025-52870 Qsync Central 11.02.2026
CVE-2025-53598 Qsync Central 11.02.2026
CVE-2025-54146 Qsync Central 11.02.2026
CVE-2025-54147 Qsync Central 11.02.2026
CVE-2025-54148 Qsync Central 11.02.2026
CVE-2025-54149 Qsync Central 11.02.2026
CVE-2025-54150 Qsync Central 11.02.2026
CVE-2025-54151 Qsync Central 11.02.2026
CVE-2025-54152 Qsync Central 11.02.2026
CVE-2025-54155 File Station 5 11.02.2026
CVE-2025-54161 File Station 5 11.02.2026
CVE-2025-54162 File Station 5 11.02.2026
CVE-2025-54163 File Station 5 11.02.2026
CVE-2025-54169 File Station 5 11.02.2026
CVE-2025-54170 Qsync Central 11.02.2026
CVE-2025-57707 File Station 5 11.02.2026
CVE-2025-57708 Qsync Central 11.02.2026
CVE-2025-57709 Qsync Central 11.02.2026
CVE-2025-57710 Qsync Central 11.02.2026
CVE-2025-57711 Qsync Central 11.02.2026
CVE-2025-57713 File Station 5 11.02.2026
CVE-2025-58466 QTS, QuTS hero 11.02.2026
CVE-2025-58467 Qsync Central 11.02.2026
CVE-2025-58470 Qsync Central 11.02.2026
CVE-2025-58471 Qsync Central 11.02.2026
CVE-2025-58472 Qsync Central 11.02.2026
CVE-2025-59386 QuTS hero 11.02.2026
CVE-2025-62853 File Station 5 11.02.2026
CVE-2025-62854 File Station 5 11.02.2026
CVE-2025-62855 File Station 5 11.02.2026
CVE-2025-62856 File Station 5 11.02.2026
CVE-2025-66274 QuTS hero 11.02.2026
CVE-2025-66277 QTS, QuTS hero 11.02.2026
CVE-2025-66278 File Station 5 11.02.2026
CVE-2025-68406 Qsync Central 11.02.2026
CVE-2025-8025 Improper Access Control in Dinosoft Business Solutions' Dinosoft ERP 11.02.2026 9.8
CVE-2026-22894 File Station 5 11.02.2026
CVE-2025-10174 Improper Access Control in Pan Software's PanCafe Pro 11.02.2026 8.3
CVE-2025-7659 Origin Validation Error in GitLab 11.02.2026 8
CVE-2025-12073 Server-Side Request Forgery (SSRF) in GitLab 11.02.2026 4.3
CVE-2025-12575 Server-Side Request Forgery (SSRF) in GitLab 11.02.2026 5.4
CVE-2025-14560 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab 11.02.2026 7.3
CVE-2025-14592 Missing Authorization in GitLab 11.02.2026 3.7
CVE-2025-14594 Authorization Bypass Through User-Controlled Key in GitLab 11.02.2026 3.5
CVE-2025-8099 Allocation of Resources Without Limits or Throttling in GitLab 11.02.2026 7.5
CVE-2026-0595 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab 11.02.2026 7.3
CVE-2026-0958 Interpretation Conflict in GitLab 11.02.2026 7.5
CVE-2026-1080 Authorization Bypass Through User-Controlled Key in GitLab 11.02.2026 4.3
CVE-2026-1094 Improper Validation of Unsafe Equivalence in Input in GitLab 11.02.2026 4.6
CVE-2026-1282 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab 11.02.2026 3.5
CVE-2026-1387 Allocation of Resources Without Limits or Throttling in GitLab 11.02.2026 6.5
CVE-2026-1456 Allocation of Resources Without Limits or Throttling in GitLab 11.02.2026 6.5
CVE-2026-1458 Allocation of Resources Without Limits or Throttling in GitLab 11.02.2026 6.5
CVE-2025-15096 Videospirecore Theme Plugin <= 1.0.6 - Authenticated (Subscriber+) Privilege Escalation via User Email Change/Account Takeover 11.02.2026 8.8
CVE-2026-2295 WPZOOM Addons for Elementor – Starter Templates & Widgets <= 1.3.2 - Unauthenticated Protected Post Exposure via ajax_post_grid_load_more 11.02.2026 5.3
CVE-2025-13648 STORED CROSS-SITE SCRIPTING (XSS) ON MICROCOM'S ZEUSWEB 11.02.2026
CVE-2025-13649 REFLECTED CROSS-SITE SCRIPTING (XSS) ON MICROCOM'S ZEUSWEB 11.02.2026
CVE-2025-13650 REFLECTED CROSS-SITE SCRIPTING (XSS) ON MICROCOM'S ZEUSWEB 11.02.2026
CVE-2025-13651 LEAK OF SENSITIVE INFORMATION ON MICROCOM'S ZEUSWEB 11.02.2026
CVE-2025-9986 Improper Access Control in Vadi Corporate Information System's DIGIKENT 11.02.2026 8.2
CVE-2025-15440 iONE360 configurator <= 2.0.57 - Unauthenticated Stored Cross-Site Scripting via Contact Form Parameters 11.02.2026 7.2
CVE-2026-0724 WPlyr Media Block <= 1.3.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via '_wplyr_accent_color' Parameter 11.02.2026 4.4
CVE-2026-0815 Category Image <= 2.0 - Authenticated (Editor+) Stored Cross-Site Scripting via 'tag-image' Parameter 11.02.2026 4.4
CVE-2026-1215 MMA Call Tracking <= 2.3.15 - Cross-Site Request Forgery to Plugin Settings Update 11.02.2026 4.3
CVE-2026-1560 Custom Block Builder – Lazy Blocks <= 4.2.0 - Authenticated (Contributor+) Remote Code Execution 11.02.2026 8.8
CVE-2026-1748 Invoct – PDF Invoices & Billing for WooCommerce <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Information Exposure 11.02.2026 4.3
CVE-2026-1786 Twitter posts to Blog <= 1.11.25 - Missing Authorization to Unauthenticated Plugin Settings Update 11.02.2026 6.5
CVE-2026-1804 WDES Responsive Popup <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'attr' Shortcode Attribute 11.02.2026 6.4
CVE-2026-1809 HTML Shortcodes <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 11.02.2026 6.4
CVE-2026-1821 Microtango <= 0.9.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 11.02.2026 6.4
CVE-2026-1826 OpenPOS Lite <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 11.02.2026 6.4
CVE-2026-1827 IDE Micro code-editor <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute 11.02.2026 6.4
CVE-2026-1833 WaMate Confirm <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Phone Number Blocking/Unblocking 11.02.2026 5.3
CVE-2026-1853 BuddyHolis ListSearch <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'placeholder' Shortcode Attribute 11.02.2026 6.4
CVE-2026-1885 Slideshow Wp <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sswp-slide' Shortcode 'sswpid' Attribute 11.02.2026 6.4
CVE-2025-10913 XSS in saastech.io's TemizlikYolda 11.02.2026 8.3
CVE-2025-10912 IDOR in saastech.io's TemizlikYolda 11.02.2026 5.4
CVE-2025-15400 OpenPix <= 2.13.3 - Subscriber+ Payment Gateway Settings Reset 11.02.2026
CVE-2026-1235 WP eCommerce <= 3.15.1 - Unauthenticated PHP Object Injection 11.02.2026
CVE-2026-1357 Migration, Backup, Staging <= 0.9.123 - Unauthenticated Arbitrary File Upload 11.02.2026 9.8
CVE-2026-1893 Orbisius Random Name Generator <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btn_label' Shortcode Attribute 11.02.2026 6.4
CVE-2026-26079 11.02.2026 4.7
CVE-2026-26036 11.02.2026
CVE-2026-26037 11.02.2026
CVE-2026-26038 11.02.2026
CVE-2026-26039 11.02.2026
CVE-2026-26040 11.02.2026
CVE-2026-26041 11.02.2026
CVE-2026-26042 11.02.2026
CVE-2026-26043 11.02.2026
CVE-2026-26044 11.02.2026
CVE-2025-13431 SlimStat Analytics <= 5.3.1 - Authenticated (Subscriber+) SQL Injection via `args` Parameter 11.02.2026 6.5
CVE-2025-14541 Lucky Wheel Giveaway <= 1.0.22 - Authenticated (Administrator+) Remote Code Execution via 'conditional_tags' Parameter 11.02.2026 7.2
CVE-2025-15524 Gallery by FooGallery <= 3.1.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Gallery Metadata Exposure 11.02.2026 4.3
CVE-2026-1231 Beaver Builder Page Builder – Drag and Drop Website Builder <= 2.10.0.5 - Authenticated (Custom+) Missing Authorization to Stored Cross-Site Scripting via Global Settings 11.02.2026 6.4
CVE-2026-1571 Reflected XSS Vulnerability on TP-Link Archer C60 11.02.2026
CVE-2026-25251 10.02.2026
CVE-2026-25872 JUNG Smart Panel 5.1 KNX Unauthenticated Path Traversal 10.02.2026
CVE-2026-25870 DoraCMS <= 3.1 UEditor Remote Image Fetch SSRF 10.02.2026
CVE-2026-26013 LangChain affected by SSRF via image_url token counting in ChatOpenAI.get_num_tokens_from_messages 10.02.2026 3.7
CVE-2026-26007 cryptography Subgroup Attack Due to Missing Subgroup Validation for SECT Curves 10.02.2026