Skip to main content
CVE-2025-10915 CRITICAL Act Now

Dreamer Blog WordPress theme (through 1.2) allows unauthenticated arbitrary plugin/theme installations due to a missing capability check. Attackers can install malicious plugins to achieve RCE.

WordPress PHP
NVD WPScan
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-20947 HIGH PATCH This Week

SQL injection in Microsoft SharePoint Server enables authenticated attackers to execute arbitrary code remotely through improper sanitization of database queries. This vulnerability affects authorized users with network access and could allow them to compromise affected systems with high-level privileges. No patch is currently available for this issue.

Microsoft SQLi Sharepoint Server
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-0884 CRITICAL PATCH Act Now

Firefox JavaScript engine has a use-after-free vulnerability. Affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147 and < 140.7.

Use After Free Memory Corruption Mozilla Information Disclosure
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-0879 CRITICAL PATCH Act Now

Firefox sandbox escape via incorrect boundary conditions in the Graphics component. Affects Firefox < 147, Firefox ESR < 115.32 and < 140.7, Thunderbird < 147 and < 140.7.

Mozilla Buffer Overflow Thunderbird
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-0892 CRITICAL PATCH Act Now

Firefox 146 and Thunderbird 146 contain memory safety bugs with evidence of memory corruption that could potentially be exploited for code execution.

Mozilla Buffer Overflow RCE
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-0500 CRITICAL PATCH Act Now

SAP Wily Introscope Enterprise Manager uses a vulnerable third-party component that allows unauthenticated attackers to create malicious JNLP files at public URLs. Victims who click these URLs execute OS commands on their machines. Scope change. Patch available.

SAP Java Command Injection Introscope Enterprise Manager
NVD
CVSS 3.1
9.6
EPSS
0.1%
CVE-2021-47749 MEDIUM POC This Month

YouPHPTube <= 7.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to access arbitrary files by manipulating the 'lang' parameter in GET requests. [CVSS 5.5 MEDIUM]

PHP LFI Path Traversal Youphptube
NVD Exploit-DB
CVSS 3.1
5.5
EPSS
0.2%
CVE-2022-50897 MEDIUM POC This Month

mPDF 7.0 contains a local file inclusion vulnerability that allows attackers to read arbitrary system files by manipulating annotation file parameters. Attackers can generate URL-encoded or base64 payloads to include local files through crafted annotation content with file path specifications. [CVSS 5.5 MEDIUM]

LFI Mpdf
NVD Exploit-DB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20944 HIGH PATCH This Week

Microsoft Office Word contains an out-of-bounds read vulnerability that enables local code execution on affected systems. Users of Microsoft 365 Apps and Office Long Term Servicing Channel are at risk, as an attacker with local access can exploit this memory safety flaw to execute arbitrary code with full system privileges. No patch is currently available for this high-severity vulnerability.

Microsoft 365 Apps Office Long Term Servicing Channel
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-20953 HIGH PATCH This Week

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. [CVSS 8.4 HIGH]

Microsoft Use After Free 365 Apps Office Long Term Servicing Channel Office
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-20952 HIGH PATCH This Week

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. [CVSS 8.4 HIGH]

Microsoft Use After Free Office Long Term Servicing Channel Office 365 Apps
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-14829 CRITICAL Act Now

E-xact Hosted Payment WordPress plugin (through 2.0) allows unauthenticated arbitrary file deletion. Attackers can delete wp-config.php to trigger the WordPress installer and take over the site.

WordPress PHP
NVD WPScan
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-11250 CRITICAL PATCH Act Now

ManageEngine ADSelfService Plus before 6519 has an authentication bypass due to improper filter configurations. As a self-service password management tool for Active Directory, compromise enables mass password resets across the enterprise. Patch available.

Authentication Bypass Manageengine Adselfservice Plus
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-0498 CRITICAL PATCH Act Now

SAP S/4HANA (Private Cloud and On-Premise) has the same backdoor vulnerability as CVE-2026-0491 – admin-exploitable ABAP/OS command injection via RFC function module. Patch available.

SAP Command Injection
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-0491 CRITICAL Act Now

SAP Landscape Transformation has an admin-exploitable backdoor via RFC function module that allows injection of arbitrary ABAP code and OS commands, bypassing authorization checks. Scope change enables full SAP system compromise.

SAP Command Injection
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-25176 CRITICAL Act Now

A hardware vulnerability allows exfiltration of intermediate register values from secure workloads running in ARM TrustZone or similar TEE environments. Non-secure applications can read secure-world register contents.

Information Disclosure Ddk
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2022-50891 MEDIUM POC This Month

Owlfiles File Manager 12.0.1 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the path parameter in HTTP server endpoints. [CVSS 5.0 MEDIUM]

XSS Owlfiles
NVD Exploit-DB
CVSS 3.1
5.0
EPSS
0.1%
CVE-2026-20868 HIGH PATCH This Week

Remote code execution in Windows RRAS affects Windows 10 21h2 and Windows Server 2022 variants through a heap-based buffer overflow triggered over the network without authentication. An attacker can exploit this vulnerability to execute arbitrary code with high privileges, though a user interaction is required to trigger the flaw. No patch is currently available, making this a critical risk for exposed systems.

Windows Buffer Overflow Heap Overflow Windows Server 2022 Windows Server 2022 23h2 +13
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-20957 HIGH PATCH This Week

Arbitrary code execution in Microsoft Office Excel results from an integer underflow vulnerability in the Long Term Servicing Channel and Online Server editions, exploitable by local attackers with user interaction. This HIGH severity flaw (CVSS 7.8) grants full system compromise capabilities including code execution, data theft, and service disruption with no available patch.

Microsoft Integer Overflow Office Long Term Servicing Channel Office Online Server Excel +2
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2022-50906 MEDIUM POC This Month

e107 CMS 3.2.1 contains an upload restriction bypass vulnerability that allows authenticated administrators to upload malicious SVG files through the media manager. [CVSS 4.8 MEDIUM]

XSS E107
NVD Exploit-DB
CVSS 3.1
4.8
EPSS
0.1%
CVE-2026-20956 HIGH PATCH This Week

Memory corruption in Microsoft Excel within Office 365 Apps and Long Term Servicing Channel enables local code execution through a malicious file requiring user interaction. An attacker can achieve arbitrary code execution with full system privileges by exploiting improper pointer handling in the application. No patch is currently available, leaving affected systems vulnerable until Microsoft releases a fix.

Microsoft 365 Apps Office Long Term Servicing Channel
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-20955 HIGH PATCH This Week

Arbitrary code execution in Microsoft Excel through unsafe pointer handling enables local attackers to achieve full system compromise without requiring elevated privileges. This vulnerability affects Microsoft 365 Apps, Office, Office Online Server, and Office Long Term Servicing Channel across multiple versions. No patch is currently available, leaving affected systems vulnerable to exploitation via maliciously crafted spreadsheets.

Microsoft 365 Apps Office Office Online Server Office Long Term Servicing Channel
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-20951 HIGH PATCH This Week

Local code execution in Microsoft SharePoint Server results from inadequate input validation, enabling attackers with local access to execute arbitrary code with user interaction. The vulnerability affects SharePoint deployments and carries high impact across confidentiality, integrity, and authenticity. No patch is currently available.

Microsoft Sharepoint Server
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-0492 HIGH PATCH This Week

Hana Database versions up to 2.00 is affected by missing authentication for critical function (CVSS 8.8).

SAP Privilege Escalation Hana Database
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-41717 HIGH This Week

An unauthenticated remote attacker can trick a high privileged user into uploading a malicious payload via the config-upload endpoint, leading to code injection as root. [CVSS 8.8 HIGH]

Code Injection
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-20837 HIGH PATCH This Week

Local code execution in Windows Media affects Windows 11 25h2, Windows Server 2019, and Windows Server 2025 through a heap buffer overflow that requires user interaction to trigger. An attacker with local access can exploit this vulnerability to achieve arbitrary code execution with full system privileges. No patch is currently available for this vulnerability.

Windows Buffer Overflow Heap Overflow Windows Server 2025 Windows Server 2019 +9
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-13774 HIGH This Week

A vulnerability exists in Progress Flowmon ADS versions prior to 12.5.4 and 13.0.1 where an SQL injection vulnerability allows authenticated users to execute unintended SQL queries and commands. [CVSS 8.8 HIGH]

SQLi Flowmon Anomaly Detection System
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-20865 HIGH PATCH This Week

Privilege escalation in Windows Management Services affects Windows 11 24H2, Windows Server 2022, and 2025 through a use-after-free memory vulnerability that allows authenticated local attackers to gain elevated system privileges. The vulnerability requires local access and manual user interaction is not required, making it exploitable by any authorized account on the system. Currently no patch is available to remediate this issue.

Windows Use After Free Windows 11 24h2 Windows Server 2025 Windows Server 2022 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20946 HIGH PATCH This Week

Local code execution in Microsoft Office Excel occurs through an out-of-bounds memory read vulnerability affecting the Long Term Servicing Channel, Office 365 Apps, and standalone Office installations. An attacker with local access and user interaction can exploit this flaw to achieve arbitrary code execution with full system privileges. No patch is currently available for this high-severity vulnerability.

Microsoft Office Long Term Servicing Channel 365 Apps Office Excel
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20877 HIGH PATCH This Week

Privilege escalation in Windows Management Services affects Windows 10 22h2, Windows Server 2022 23h2, and Windows 11 23h2 through a use-after-free memory flaw. An authenticated local attacker can exploit this vulnerability to gain elevated system privileges. Currently, no patch is available.

Windows Use After Free Windows 10 22h2 Windows Server 2022 23h2 Windows 11 23h2 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20858 HIGH PATCH This Week

Privilege escalation in Windows Management Services affects Windows 10, Windows 11, and Windows Server 2022 through a use-after-free memory vulnerability. An authenticated local attacker can exploit this flaw to gain elevated system privileges. Currently no patch is available and exploitation requires specific conditions to trigger.

Windows Use After Free Windows Server 2022 23h2 Windows 11 23h2 Windows 10 22h2 +8
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20950 HIGH PATCH This Week

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. [CVSS 7.8 HIGH]

Microsoft Use After Free Excel Office Online Server 365 Apps +2
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20948 HIGH PATCH This Week

Local code execution in Microsoft Office Word (including 365 Apps and SharePoint Server) results from unsafe pointer dereferencing that can be triggered by user interaction with a malicious document. An attacker with local access can exploit this vulnerability to execute arbitrary code with the privileges of the affected user. No patch is currently available for this vulnerability.

Microsoft Office Long Term Servicing Channel Sharepoint Server Word 365 Apps +1
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-20817 HIGH PATCH This Week

Windows Error Reporting on Windows 10, Windows 11, and Windows Server 2022 fails to properly validate user privileges, enabling local authenticated users to escalate to system-level access. An attacker with valid credentials can exploit this permission handling flaw to gain full control over the affected system. Currently no patch is available for this high-severity vulnerability (CVSS 7.8).

Microsoft Information Disclosure
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-0882 HIGH PATCH This Week

A use-after-free vulnerability in the IPC component of Firefox (versions below 147 and ESR versions below 115.32/140.7) and Thunderbird (versions below 147 and 140.7) enables remote code execution when users interact with malicious content. The flaw requires user interaction and network access, allowing attackers to achieve full system compromise with high integrity and confidentiality impact. No patch is currently available for this vulnerability.

Use After Free Memory Corruption Mozilla Information Disclosure Thunderbird
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-0880 HIGH PATCH This Week

Integer overflow in Firefox and Thunderbird's Graphics component enables sandbox escape, allowing remote attackers to execute arbitrary code with high privileges through a malicious webpage or content requiring user interaction. Affected versions include Firefox below 147, Firefox ESR below 115.32 and 140.7, and Thunderbird below 147 and 140.7. No patch is currently available.

Integer Overflow Mozilla Buffer Overflow Thunderbird
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-20949 HIGH PATCH This Week

Microsoft Office Excel in the Long Term Servicing Channel and 365 Apps contains an access control bypass vulnerability that allows a local attacker with user interaction to gain unauthorized access to sensitive data and modify or delete system resources. The vulnerability requires local access and user interaction to exploit, affecting the confidentiality, integrity, and availability of affected systems. No patch is currently available.

Microsoft Office Long Term Servicing Channel 365 Apps
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-66177 HIGH This Week

There is a Stack overflow Vulnerability in the device Search and Discovery feature of Hikvision NVR/DVR/CVR/IPC models. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device. [CVSS 8.8 HIGH]

Hikvision Stack Overflow Buffer Overflow
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-36640 HIGH This Week

A vulnerability has been identified in the installation/uninstallation of the Nessus Agent Tray App on Windows Hosts which could lead to escalation of privileges. [CVSS 8.8 HIGH]

Windows Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-66176 HIGH This Week

There is a Stack overflow Vulnerability in the device Search and Discovery feature of Hikvision Access Control Products. If exploited, an attacker on the same local area network (LAN) could cause the device to malfunction by sending specially crafted packets to an unpatched device. [CVSS 8.8 HIGH]

Hikvision Stack Overflow Buffer Overflow Ds K5671 Firmware Ds K1t6qt F43 Firmware +26
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-58411 HIGH This Week

Software installed and run as a non-privileged user may conduct improper GPU system calls to cause mismanagement of resources reference counting creating a potential use after free scenario. [CVSS 8.8 HIGH]

Use After Free Ddk
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-40942 HIGH This Week

A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.4). Affected application contains a local privilege escalation vulnerability that could allow an attacker to run arbitrary code with elevated privileges. [CVSS 8.8 HIGH]

Privilege Escalation Telecontrol Server Basic
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-40944 HIGH This Week

Denial of service in Siemens SIMATIC ET 200 family PROFINET interface modules and PN/PN couplers allows remote unauthenticated attackers to render industrial controllers unresponsive by sending a single malformed S7 protocol Disconnect Request to TCP/102. The CVSS 4.0 score of 8.7 reflects the network-reachable, no-privileges-required vector against availability-critical OT assets, though EPSS is only 0.02% and no public exploit has been identified at time of analysis. Recovery requires a physical power cycle, which is operationally severe in plant environments.

Denial Of Service
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-0507 HIGH This Week

SAP Application Server for ABAP and NetWeaver RFCSDK contain an OS command injection vulnerability that allows authenticated administrators with adjacent network access to execute arbitrary system commands by uploading malicious content. Successful exploitation results in complete system compromise affecting confidentiality, integrity, and availability. No patch is currently available.

SAP Command Injection
NVD
CVSS 3.1
8.4
EPSS
1.4%
CVE-2026-21271 HIGH This Week

Arbitrary code execution in Adobe Dreamweaver versions 21.6 and earlier allows local attackers to execute commands with user privileges by delivering malicious files that bypass input validation. Successful exploitation requires social engineering to convince a user to open a crafted file, with impact extending beyond the application context. No patch is currently available for this high-severity vulnerability.

RCE Code Injection Dreamweaver
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-21268 HIGH This Week

Improper input validation in Adobe Dreamweaver 21.6 and earlier allows arbitrary code execution with user privileges through a malicious file. An attacker can exploit this vulnerability by tricking a user into opening a crafted file, with no special privileges required. A patch is currently unavailable, making this a significant risk for affected Dreamweaver users.

RCE Code Injection Dreamweaver
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-21272 HIGH This Week

Dreamweaver Desktop versions 21.6 and earlier suffer from improper input validation that enables arbitrary file writes when a user opens a malicious file. An attacker can exploit this to manipulate or inject malicious content into the victim's file system with broad impact across confidentiality, integrity, and availability. No patch is currently available.

Code Injection Dreamweaver
NVD
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-21267 HIGH This Week

Arbitrary code execution in Adobe Dreamweaver 21.6 and earlier via OS command injection allows attackers to execute arbitrary commands on affected systems when a victim opens a malicious file. The vulnerability requires local access and user interaction but impacts all confidentiality, integrity, and availability of the system. No patch is currently available.

Command Injection Dreamweaver
NVD
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-21280 HIGH This Week

Arbitrary code execution in Adobe Illustrator 29.8.3 and 30.0 through an untrusted search path vulnerability that allows attackers to redirect application resource lookups to malicious executables. Exploitation requires local access and user interaction to open a crafted file, but executes with full user privileges and can affect the entire system. No patch is currently available.

Adobe Illustrator
NVD
CVSS 3.1
8.6
EPSS
0.0%
CVE-2025-13447 HIGH This Week

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters [CVSS 8.4 HIGH]

RCE Command Injection Multi Tenant Hypervisor Loadmaster Moveit Waf +1
NVD
CVSS 3.1
8.4
EPSS
0.1%
Prev Page 3 of 9 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy