Skip to main content
CVE-2026-21497 MEDIUM POC PATCH This Month

iccDEV versions before 2.3.1.2 crash when processing specially crafted ICC color profile tags due to improper null pointer validation, causing denial of service on systems using the library. Local attackers with user interaction can trigger this crash through a malicious color profile file. Public exploit code exists for this vulnerability.

Null Pointer Dereference Iccdev
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-21496 MEDIUM POC PATCH This Month

iccDEV versions prior to 2.3.1.2 suffer from a null pointer dereference in the signature parser that allows local attackers to trigger a denial of service condition. Public exploit code exists for this vulnerability, and the issue affects all users of iccDEV's ICC color profile manipulation libraries and tools. A patch is available in version 2.3.1.2 and should be applied immediately.

Null Pointer Dereference Iccdev
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-21506 MEDIUM POC PATCH This Month

iccDEV versions prior to 2.3.1.2 are susceptible to denial of service through a null pointer dereference in the CIccProfileXml::ParseBasic() function, which can be triggered by local users with minimal privileges through user interaction. Public exploit code exists for this vulnerability, allowing attackers to crash the application and disrupt ICC color profile processing. A patch is available in version 2.3.1.2 and should be applied to affected systems.

Null Pointer Dereference Denial Of Service Iccdev
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-21691 MEDIUM POC PATCH This Month

iccDEV versions prior to 2.3.1.2 contain a type confusion vulnerability in the CIccTag::IsTypeCompressed() function that allows unauthenticated attackers to cause integrity violations or service disruption by crafting malicious ICC color profiles. The vulnerability requires user interaction to exploit and affects applications using the iccDEV library to process color management profiles. Public exploit code exists, and a patch is available in version 2.3.1.2.

Code Injection Iccdev
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-0650 CRITICAL PATCH Act Now

Authentication bypass in OpenFlagr (the openflagr/flagr feature-flag service) versions up to and including 1.1.18 lets remote unauthenticated attackers reach protected API endpoints by exploiting flawed path normalization in the HTTP middleware's prefix whitelist. Attackers can read and modify feature flags and export sensitive configuration data with no credentials. A public technical writeup ('0day speedrun') exists, but there is no public exploit identified as weaponized and no active exploitation has been confirmed; EPSS is low at 0.13%.

Authentication Bypass Information Disclosure
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-0668 MEDIUM POC PATCH This Month

Visualdata versions up to - is affected by inefficient regular expression complexity (redos) (CVSS 5.3).

Mediawiki Visualdata Red Hat
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-32303 CRITICAL Act Now

WPCHURCH WordPress plugin (through 2.7.0) has blind SQL injection with scope change, enabling unauthenticated extraction of the full WordPress database.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-21851 MEDIUM POC PATCH This Month

MONAI versions up to 1.5.1 contain a path traversal vulnerability in the `_download_from_ngc_private()` function that fails to validate extracted archive contents, allowing attackers to write files outside the intended directory during package extraction. An attacker with user interaction can exploit this via a malicious ZIP file to overwrite arbitrary files on the system. Public exploit code exists for this vulnerability, and a patch is available in commit 4014c8475626f20f158921ae0cf98ed259ae4d59.

Path Traversal AI / ML Monai
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-68637 CRITICAL Act Now

Uniffle HTTP client (before 0.10.0) trusts all SSL certificates and disables hostname verification by default, exposing all REST API communication between the CLI and Coordinator to man-in-the-middle attacks.

TLS Uniffle
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-22190 MEDIUM POC This Month

Panda3D egg-mkfont up to version 1.10.16 contains a format string vulnerability in the -gp command-line option that allows attackers to read arbitrary stack memory and leak pointer values by injecting format specifiers into generated .egg and .png files. Public exploit code exists for this vulnerability, and no patch is currently available. This affects all users of the egg-mkfont utility who process untrusted input.

Information Disclosure Panda3d
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-21441 HIGH PATCH This Week

Uncontrolled resource consumption in the Python urllib3 HTTP client library (versions 1.22 through 2.6.2) lets a malicious or compromised server crash or exhaust memory on the client by serving a compressed redirect response. When an application streams from an untrusted source with preload_content=False and has not disabled redirects, urllib3 eagerly drains and decompresses the entire redirect body before any read call, ignoring configured read limits, leaving no defense against decompression bombs. EPSS is low (0.03%), there is no public exploit identified at time of analysis, and it is not in CISA KEV, but the bug is broadly reachable given urllib3's ubiquity.

Python Urllib3 Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.0%
CVE-2025-15158 HIGH This Week

WP Enable WebP (WordPress plugin) is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

WordPress RCE PHP
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-22046 HIGH PATCH This Week

Heap buffer overflow in iccDEV versions before 2.3.1.2 allows remote code execution when processing malicious ICC color profiles through the ParseBasic() function. An attacker can exploit this vulnerability by crafting a specially formatted ICC profile file that triggers memory corruption with high impact on confidentiality, integrity, and availability. Users of the iccDEV library should upgrade to version 2.3.1.2 immediately, as no workarounds are available.

Code Injection Iccdev
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-21683 HIGH PATCH This Week

Type confusion in iccDEV versions before 2.3.1.2 allows remote attackers to execute arbitrary code by crafting malicious ICC color profiles that trigger improper type handling in the profile evaluation function. This vulnerability affects any application or user processing ICC profiles through the iccDEV library and requires minimal user interaction to exploit. A patch is available in version 2.3.1.2.

Code Injection Iccdev
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-0628 HIGH PATCH This Week

Google Chrome versions prior to 143.0.7499.192 fail to properly enforce policies on WebView tags, allowing attackers who trick users into installing malicious extensions to inject arbitrary scripts and HTML into privileged pages. This vulnerability affects all Chrome users and requires user interaction to exploit, resulting in potential code execution with high impact to confidentiality, integrity, and availability. No patch is currently available.

Google Chrome Suse
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-31643 HIGH This Week

Incorrect Privilege Assignment vulnerability in Dasinfomedia WPCHURCH allows Privilege Escalation.This issue affects WPCHURCH: from n/a through 2.7.0. [CVSS 8.8 HIGH]

Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-61939 HIGH This Week

An unused function in MicroServer can start a reverse SSH connection to a vendor registered domain, without mutual authentication. [CVSS 8.8 HIGH]

SSH DNS Weather Microserver Firmware
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-4676 HIGH CISA This Week

Incorrect Implementation of Authentication Algorithm vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL.This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K. [CVSS 8.8 HIGH]

SNMP
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-13371 HIGH This Week

The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. [CVSS 8.6 HIGH]

WordPress Information Disclosure
NVD GitHub
CVSS 3.1
8.6
EPSS
0.2%
CVE-2025-47345 HIGH This Week

Cryptographic issue may occur while encrypting license data. [CVSS 8.4 HIGH]

Information Disclosure Qca6797aq Firmware Sa7255p Firmware Wsa8832 Firmware Sa9000p Firmware +101
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-69221 MEDIUM POC PATCH This Month

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control when querying agent permissions. [CVSS 4.3 MEDIUM]

Authentication Bypass AI / ML Librechat
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0656 HIGH This Week

Unauthenticated attackers can manipulate WooCommerce orders and expose customer data in the iPaymu Payment Gateway for WooCommerce plugin (versions up to 2.0.2) due to missing webhook signature verification. An attacker can forge payment confirmations to mark orders as paid without actual payment and enumerate order details to harvest PII including customer names, addresses, and purchase history. No patch is currently available.

WordPress
NVD
CVSS 3.1
8.2
EPSS
0.3%
CVE-2025-69081 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Group Hope charity-is-hope allows PHP Local File Inclusion.This issue affects Hope: from n/a through 3.0.0. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69080 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JanStudio Gecko allows PHP Local File Inclusion.This issue affects Gecko: from n/a through 1.9.8. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-21697 HIGH PATCH This Week

Concurrent requests in axios4go prior to version 0.6.4 trigger unsynchronized mutations to the shared HTTP client configuration, allowing attackers to manipulate transport settings, timeouts, and redirect handlers across simultaneous operations. Applications using async requests or multiple goroutines with different proxy configurations or handling sensitive credentials are vulnerable to request interception, credential leakage, or denial of service. Upgrade to version 0.6.4 or later to resolve this race condition.

Golang Race Condition Axios4go
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-69255 MEDIUM POC PATCH This Month

RustFS is a distributed object storage system built in Rust. [CVSS 4.0 MEDIUM]

Industrial Denial Of Service Deserialization Rustfs
NVD GitHub
CVSS 3.1
4.0
EPSS
0.4%
CVE-2025-66620 HIGH This Week

An unused webshell in MicroServer allows unlimited login attempts, with sudo rights on certain files and directories. [CVSS 8.0 HIGH]

Information Disclosure Weather Microserver Firmware
NVD GitHub
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-22187 HIGH This Week

Unsafe deserialization in Bio-Formats up to version 8.3.0 allows local attackers to execute arbitrary code or cause denial of service by crafting malicious .bfmemo cache files that are automatically loaded during image processing without validation. The Memoizer class deserializes untrusted data from these files, enabling potential remote code execution if suitable Java gadget chains are available on the classpath. No patch is currently available for this vulnerability (CVSS 7.8).

Java RCE Denial Of Service Deserialization Bio Formats
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2025-47396 HIGH PATCH This Week

Memory corruption occurs when a secure application is launched on a device with insufficient memory. [CVSS 7.8 HIGH]

Memory Corruption Snapdragon Ar1 Gen 1 Platform Firmware Wcd9395 Firmware Wcn3950 Firmware Wcn7750 Firmware +39
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-47394 HIGH PATCH This Week

Memory corruption when copying overlapping buffers during memory operations due to incorrect offset calculations. [CVSS 7.8 HIGH]

Memory Corruption Sg6150 Firmware Snapdragon 6 Gen 1 Mobile Platform Firmware Video Collaboration Vc1 Platform Firmware Wcn7881 Firmware +40
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-47393 HIGH This Week

Memory corruption when accessing resources in kernel driver. [CVSS 7.8 HIGH]

Linux Memory Corruption Qamsrv1h Firmware Qca6595 Firmware Qam8775p Firmware +15
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-47388 HIGH PATCH This Week

Memory corruption while passing pages to DSP with an unaligned starting address. [CVSS 7.8 HIGH]

Memory Corruption Sm6475 Firmware Fastconnect 6200 Firmware Wsa8845h Firmware Wcd9370 Firmware +40
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-47380 HIGH This Week

Memory corruption while preprocessing IOCTLs in sensors. [CVSS 7.8 HIGH]

Memory Corruption Wsa8845 Firmware Wsa8840 Firmware Wcd9378c Firmware X2000090 Firmware +10
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-47356 HIGH This Week

Memory Corruption when multiple threads concurrently access and modify shared resources. [CVSS 7.8 HIGH]

Memory Corruption Fastconnect 7800 Firmware Wcd9385 Firmware Cologne Firmware Wsa8840 Firmware +15
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-47348 HIGH This Week

Memory corruption while processing identity credential operations in the trusted application. [CVSS 7.8 HIGH]

Memory Corruption Qca6696 Firmware Qamsrv1m Firmware Qam8620p Firmware Qca6688aq Firmware +181
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-47346 HIGH This Week

Memory corruption while processing a secure logging command in the trusted application. [CVSS 7.8 HIGH]

Memory Corruption Sm4635 Firmware Wcn7881 Firmware Ar8035 Firmware Fastconnect 7800 Firmware +108
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-47343 HIGH This Week

Video Collaboration Vc3 Platform Firmware versions up to - contains a security vulnerability (CVSS 7.8).

Memory Corruption Fastconnect 6700 Firmware Xg101039 Firmware Fastconnect 6900 Firmware X2000086 Firmware +21
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-47339 HIGH This Week

Memory corruption while deinitializing a HDCP session. [CVSS 7.8 HIGH]

Memory Corruption Qca6174a Firmware Qca6678aq Firmware Qca9990 Firmware Qcn6274 Firmware +180
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20893 HIGH This Week

Fujitsu Security Solution AuthConductor Client Basic V2 version 2.0.25.0 and earlier contains an origin validation flaw that allows authenticated local attackers to execute arbitrary code with SYSTEM privileges and modify registry values. An attacker with login access to an affected Windows system can exploit this vulnerability to achieve complete system compromise. No patch is currently available.

Windows
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2025-14804 HIGH This Week

Frontend File Manager Plugin WordPre versions up to 23.5 contains a security vulnerability (CVSS 7.7).

WordPress PHP
NVD WPScan
CVSS 3.1
7.7
EPSS
0.0%
CVE-2025-65805 HIGH This Week

OpenAirInterface CN5G AMF<=v2.1.9 has a buffer overflow vulnerability in processing NAS messages. Unauthorized remote attackers can launch a denial-of-service attack and potentially execute malicious code by accessing port N1 and sending an imsi string longer than 1000 to AMF. [CVSS 7.5 HIGH]

Buffer Overflow Oai Cn5g Amf
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-66786 HIGH This Week

OpenAirInterface CN5G AMF<=v2.0.1 There is a logical error when processing JSON format requests. Unauthorized remote attackers can send malicious JSON data to AMF's SBI interface to launch a denial-of-service attack. [CVSS 7.5 HIGH]

Code Injection Oai Cn5g Amf
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-13151 HIGH PATCH This Week

Stack-based buffer overflow in libtasn1 version: v4.20.0. The function fails to validate the size of input data resulting in a buffer overflow in asn1_expend_octet_string. [CVSS 7.5 HIGH]

Buffer Overflow Stack Overflow Libtasn1 Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-13493 HIGH This Week

Latest Registered Users (WordPress plugin) versions up to 1.4. is affected by missing authorization (CVSS 7.5).

WordPress PHP
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-11877 HIGH This Week

The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. [CVSS 7.5 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-14070 HIGH This Week

The Reviewify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'send_test_email' AJAX action in all versions up to, and including, 1.0.6. [CVSS 7.5 HIGH]

WordPress Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-14835 HIGH This Week

The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-21681 HIGH This Week

iccDEV versions before 2.3.1.2 contain an undefined behavior runtime error in ICC color profile processing that allows remote attackers to cause denial of service or data corruption via malformed profile files, requiring only user interaction to trigger. The vulnerability affects all users processing ICC color profiles through the iccDEV library with no available workarounds currently available.

Code Injection Iccdev
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-46494 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesgrove WidgetKit Pro allows Reflected XSS.This issue affects WidgetKit Pro: from n/a through 1.13.1. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69082 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Frenify Arlo arlo allows Reflected XSS.This issue affects Arlo: from n/a through 6.0.3. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
Prev Page 2 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy