Microsoft Office SharePoint contains a deserialization vulnerability (CVE-2026-20963) that allows authenticated users to execute arbitrary code over the network through crafted serialized objects. KEV-listed with public PoC, this CVSS 8.8 vulnerability enables any SharePoint user to escalate to server-level code execution, making it a critical threat for organizations relying on SharePoint for document management and collaboration.
Eclipse Che che-machine-exec exposes an unauthenticated JSON-RPC/WebSocket API on port 3333 that allows remote command execution and secret exfiltration from other users' developer workspace containers.
Tdarr 2.00.15 media transcoding server has unauthenticated RCE through command injection in the Help terminal. Commands can be chained without any input filtering. PoC available.
VIAVIWEB Wallpaper Admin 1.0 allows unauthenticated PHP file upload through the add_gallery_image.php endpoint. PoC available.
Covenant C2 framework (0.1.3-0.5) allows forging JWT tokens with admin roles due to hardcoded credentials. Attackers can upload and execute DLL payloads for RCE. PoC available.
Webgrind 1.1 has unauthenticated command injection via the dataFile parameter in index.php. The profiling tool executes OS commands directly from URL parameters. PoC available.
Inbit Messenger 4.6.0-4.9.0 has unauthenticated RCE through a stack overflow in the XML protocol on port 10883. PoC available.
Beehive Forum 1.5.2 has host header injection in the forgot password function that allows intercepting password reset tokens. PoC available.
eXtplorer 2.1.14 has an authentication bypass that allows passwordless login. Combined with the file manager's upload capability, this achieves unauthenticated RCE. PoC available.
Inbit Messenger 4.6.0-4.9.0 has a second stack buffer overflow in the network handler. SEH overwrite leads to shellcode execution on Windows. PoC available.
Audio Conversion Wizard v2.01 has a buffer overflow in the registration code field that enables RCE through a crafted payload. PoC available.
ImpressCMS 1.4.4 has weak file upload extension filtering that can be bypassed using alternative PHP extensions (.php2, .php6, .php7, .phps, .pht). PoC available.
Eigent multi-agent workflow CI pipeline (ci.yml) uses pull_request_target with checkout of untrusted PR code, enabling arbitrary code execution with repository write permissions from fork PRs. PoC available, patch available.
WAGO PFC200 G2 PLC (firmware affected) allows privilege escalation through cookie manipulation. Users can modify cookie values to gain admin privileges. PoC available.
phpgurukul News Portal V4.1 allows unauthenticated upload of any file type via upload.php. The third critical vulnerability in this application alongside file deletion and SQL injection. PoC available.
Explorer32++ 1.3.5.531 has a buffer overflow in filename handling that corrupts the SEH chain with filenames over 396 characters. PoC available.
e107 CMS 3.2.1 has multiple XSS vulnerabilities in news comments that allow executing arbitrary JavaScript. Rated CVSS 9.8 suggesting further exploitation potential beyond typical XSS. PoC available.
Flame II HSPA USB Modem has an unquoted service path vulnerability that enables privilege escalation to SYSTEM on Windows. PoC available.
Aero CMS 0.0.1 has SQL injection in the author parameter exploitable through boolean-based, error-based, time-based, and UNION query techniques. PoC available.
Fortinet FortiSIEM (6.7.0 through 7.4.0) has OS command injection via crafted TCP requests. As a SIEM, compromise gives attackers access to all security logs and the ability to suppress alerts. PoC available.
phpgurukul News Portal V4.1 has SQL injection in check_availablity.php. PoC available.
Prowise Reflect 1.0.9 exposes a WebSocket on port 8082 that accepts unauthenticated keyboard injection commands. Malicious web pages can type keystrokes and open applications on the display device. PoC available.
phpgurukul News Portal V4.1 allows unauthenticated arbitrary file deletion via remove_file.php. Attackers can delete any file on the server. PoC available.
Sysax Multi Server 6.95 crashes when the admin password field receives 800 bytes, causing denial of service. PoC available.
OpenC3 COSMOS (space mission control software, 5.0.0-6.10.1) has unauthenticated RCE through the JSON-RPC API. String parameters are evaluated as Ruby code via convert_to_value. Maximum CVSS 10.0 with scope change.
Fortinet FortiFone 7.0.0-7.0.1 and 3.0.13-3.0.23 allows unauthenticated attackers to download the complete device configuration via crafted HTTP/HTTPS requests. Configuration files contain credentials and network settings.
An API authentication bypass allows unauthenticated attackers to impersonate legitimate users. Maximum CVSS 10.0 with scope change. Requires knowledge of a legitimate user's identity.
Firefox Messaging System component has a sandbox escape vulnerability. Maximum CVSS 10.0 with scope change. Affects Firefox < 147 and Thunderbird < 147.
GuardDog security scanner before 2.7.1 has a path traversal in safe_extract() that allows malicious PyPI packages to write files outside the extraction directory. Ironic vulnerability in a tool designed to detect malicious packages. Patch available.
SAP S/4HANA General Ledger (Private Cloud and On-Premise) has SQL injection allowing authenticated users to read, modify, and delete backend database data with scope change (CVSS 9.9). Financial data is directly at risk.
Cal.com scheduling software (3.1.6 to 6.0.7) has a critical authentication bypass in the NextAuth JWT callback. Attackers can gain full access to any user account by supplying a target email via session.update(). Fixed in 6.0.7.
Hub v2.0 property management system allows unauthenticated arbitrary file upload via /utils/uploadFile. Malicious PDF files can be uploaded and may achieve code execution.
Dreamer Blog WordPress theme (through 1.2) allows unauthenticated arbitrary plugin/theme installations due to a missing capability check. Attackers can install malicious plugins to achieve RCE.
Firefox JavaScript engine has a use-after-free vulnerability. Affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147 and < 140.7.
Firefox sandbox escape via incorrect boundary conditions in the Graphics component. Affects Firefox < 147, Firefox ESR < 115.32 and < 140.7, Thunderbird < 147 and < 140.7.
Firefox 146 and Thunderbird 146 contain memory safety bugs with evidence of memory corruption that could potentially be exploited for code execution.
SAP Wily Introscope Enterprise Manager uses a vulnerable third-party component that allows unauthenticated attackers to create malicious JNLP files at public URLs. Victims who click these URLs execute OS commands on their machines. Scope change. Patch available.
E-xact Hosted Payment WordPress plugin (through 2.0) allows unauthenticated arbitrary file deletion. Attackers can delete wp-config.php to trigger the WordPress installer and take over the site.
ManageEngine ADSelfService Plus before 6519 has an authentication bypass due to improper filter configurations. As a self-service password management tool for Active Directory, compromise enables mass password resets across the enterprise. Patch available.
SAP S/4HANA (Private Cloud and On-Premise) has the same backdoor vulnerability as CVE-2026-0491 – admin-exploitable ABAP/OS command injection via RFC function module. Patch available.
SAP Landscape Transformation has an admin-exploitable backdoor via RFC function module that allows injection of arbitrary ABAP code and OS commands, bypassing authorization checks. Scope change enables full SAP system compromise.
A hardware vulnerability allows exfiltration of intermediate register values from secure workloads running in ARM TrustZone or similar TEE environments. Non-secure applications can read secure-world register contents.