Skip to main content
CVE-2025-64087 CRITICAL PATCH Act Now

A server-side template injection vulnerability (CWE-1336) with CVSS 9.8 allows remote attackers to execute arbitrary code through crafted template expressions.

RCE Xdocreport
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-65482 CRITICAL PATCH Act Now

XDocReport v0.9.2 through v2.0.3 has an XML External Entity (XXE) vulnerability that allows attackers to read arbitrary files, perform SSRF, and potentially achieve remote code execution.

XXE Xdocreport
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-23947 CRITICAL PATCH Act Now

Orval, a TypeScript API client generator, has a command injection vulnerability that allows code execution through malicious OpenAPI specifications.

Command Injection RCE Orval
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-0905 CRITICAL PATCH Act Now

Google Chrome prior to 144.0.7559.59 has insufficient policy enforcement in Network that allows attackers who obtained a network position to access sensitive data.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-1202 MEDIUM POC This Month

Authentication bypass in CRMEB up to version 5.6.3 allows unauthenticated remote attackers to manipulate the openId parameter in the Apple login function, gaining unauthorized access without valid credentials. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. The flaw affects the LoginController.php authentication mechanism and carries a CVSS score of 7.3 with confirmed impact to confidentiality, integrity, and availability.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-21945 HIGH PATCH CISA Act Now

Remote denial of service in Oracle Java SE, GraalVM for JDK, and GraalVM Enterprise Edition allows unauthenticated attackers to trigger application hangs or crashes via network-accessible protocols. Multiple Java versions including JDK 8u471, 11.0.29, 17.0.17, 21.0.9, and 25.0.1 are affected through a flaw in the Security component. No patch is currently available for this high-severity vulnerability.

Oracle Java Denial Of Service Graalvm Graalvm For Jdk +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-23874 MEDIUM POC PATCH This Month

Imagemagick versions up to 7.1.2-13 is affected by loop with unreachable exit condition (infinite loop) (CVSS 5.5).

Stack Overflow Imagemagick Red Hat Suse
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-21932 HIGH PATCH CISA Act Now

Graalvm versions up to 21.3.16 contains a vulnerability that allows attackers to unauthorized creation, deletion or modification access to critical data or all O (CVSS 7.4).

Oracle Java Authentication Bypass Graalvm Graalvm For Jdk +2
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-1194 MEDIUM POC This Month

Information disclosure in MineAdmin 1.x/2.x through an exposed Swagger component allows unauthenticated remote attackers to access sensitive data over the network. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

Information Disclosure Mineadmin
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-55130 CRITICAL PATCH Act Now

Node.js has a permissions model bypass that allows attackers to circumvent --allow-fs-read and --allow-fs-write restrictions using alternate path representations.

Node.js Information Disclosure Node Js
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-0908 HIGH PATCH This Week

Heap corruption in Google Chrome's ANGLE graphics library prior to version 144.0.7559.59 can be triggered through a crafted HTML page, enabling remote attackers to execute arbitrary code without user interaction beyond visiting a malicious website. The vulnerability stems from a use-after-free memory flaw that affects all Chrome users, though no patch is currently available. With a CVSS score of 8.8 and minimal exploit complexity, this presents a significant risk to the browser's security model.

Use After Free Chrome Google Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-0902 HIGH PATCH This Week

Out-of-bounds memory read in Chrome's V8 JavaScript engine prior to version 144.0.7559.59 enables remote attackers to leak sensitive information through maliciously crafted web pages requiring only user interaction. The vulnerability affects all Chrome users and exposes high-impact confidentiality and integrity risks with no available patch at this time.

Chrome Google Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-0900 HIGH PATCH This Week

Object corruption in Google Chrome's V8 engine prior to version 144.0.7559.59 can be triggered by remote attackers through malicious HTML pages, potentially leading to complete system compromise including unauthorized access, data modification, and denial of service. The vulnerability requires user interaction to exploit but does not require authentication or special privileges. No patch is currently available for affected users.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-0899 HIGH PATCH This Week

Out-of-bounds memory access in Chrome's V8 engine (versions prior to 144.0.7559.59) enables remote attackers to corrupt objects and potentially achieve code execution by delivering a malicious HTML page to users. The vulnerability requires user interaction but poses significant risk due to its high CVSS score (8.8) and impact on confidentiality, integrity, and availability. No patch is currently available.

Chrome Google Red Hat Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-66803 MEDIUM POC PATCH This Month

Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. [CVSS 4.8 MEDIUM]

Race Condition Turbo
NVD GitHub
CVSS 3.1
4.8
EPSS
0.1%
CVE-2025-33015 HIGH This Week

Concert versions up to 2.1.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

IBM Concert
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-15347 HIGH This Week

The Creator LMS - The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-21967 HIGH This Week

Hospitality Opera 5 versions up to 5.6.19.23 contains a vulnerability that allows attackers to unauthorized access to critical data or complete access to all Oracle Hospitalit (CVSS 8.6).

Oracle Denial Of Service Hospitality Opera 5
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-12985 HIGH This Week

IBM Licensing Operator incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Licensing Operator image. [CVSS 8.4 HIGH]

IBM
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-14115 HIGH This Week

Direct for UNIX Container 6.3.0.0 versions up to 6.3.0.6 is affected by use of hard-coded credentials (CVSS 8.4).

IBM
NVD
CVSS 3.1
8.4
EPSS
0.0%
CVE-2026-21956 HIGH This Week

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. [CVSS 8.2 HIGH]

Oracle Virtualbox Vm Virtualbox Suse
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-21955 HIGH This Week

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. [CVSS 8.2 HIGH]

Oracle Virtualbox Vm Virtualbox Suse
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-21990 HIGH This Week

Vm Virtualbox versions up to 7.1.14 contains a vulnerability that allows attackers to takeover of Oracle VM VirtualBox (CVSS 8.2).

Oracle Virtualbox Vm Virtualbox
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-21988 HIGH This Week

Vm Virtualbox versions up to 7.1.14 contains a vulnerability that allows attackers to takeover of Oracle VM VirtualBox (CVSS 8.2).

Oracle Virtualbox Vm Virtualbox
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-21987 HIGH This Week

Vm Virtualbox versions up to 7.1.14 contains a vulnerability that allows attackers to takeover of Oracle VM VirtualBox (CVSS 8.2).

Oracle Virtualbox Vm Virtualbox
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-0726 HIGH This Week

PHP object injection in the Nexter Extension plugin for WordPress (versions up to 4.4.6) allows unauthenticated remote attackers to deserialize untrusted data, potentially enabling arbitrary code execution, file deletion, or data theft if a compatible POP chain exists in other installed plugins or themes. The vulnerability has a high CVSS score of 8.1 but currently lacks a public exploit chain in the vulnerable software itself. No patch is currently available.

WordPress PHP Deserialization
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-21973 HIGH This Week

Flexcube Investor Servicing versions up to 14.5.0.15.0 contains a vulnerability that allows attackers to unauthorized creation, deletion or modification access to critical data or all O (CVSS 8.1).

Oracle Flexcube Investor Servicing
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-14977 HIGH This Week

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution - Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. [CVSS 8.1 HIGH]

WordPress PHP
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-21989 HIGH This Week

Vm Virtualbox versions up to 7.1.14 contains a vulnerability that allows attackers to unauthorized creation, deletion or modification access to critical data or all O (CVSS 8.1).

Oracle Virtualbox Denial Of Service Vm Virtualbox
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-33233 HIGH This Week

NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]

Privilege Escalation Code Injection Information Disclosure AI / ML
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-57155 HIGH PATCH This Week

NULL pointer dereference in the daap_reply_groups function in src/httpd_daap.c in owntone-server through commit 5e6f19a (newer commit after version 28.2) allows remote attackers to cause a Denial of Service. [CVSS 7.5 HIGH]

Null Pointer Dereference Denial Of Service Owntone Server Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-9466 HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP and CIP grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]

Golang Armorstart Lt Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-9465 HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]

Golang Armorstart Lt Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-9283 HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limits Storms tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]

Golang Armorstart Lt Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-9282 HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive limited storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]

Golang Armorstart Lt Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-9281 HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive step limit storm tests, the device reboots [CVSS 7.5 HIGH]

Denial Of Service Armorstart Lt Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-9279 HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limit Storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. [CVSS 7.5 HIGH]

Golang Armorstart Lt Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-59465 HIGH PATCH This Week

A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. [CVSS 7.5 HIGH]

Node.js Denial Of Service Node Js
NVD HeroDevs VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-21982 HIGH This Week

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. [CVSS 7.5 HIGH]

Oracle Virtualbox Vm Virtualbox
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-59464 HIGH PATCH This Week

A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. [CVSS 7.5 HIGH]

Node.js OpenSSL TLS Denial Of Service Node.Js +2
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-21940 HIGH This Week

Unauthenticated attackers can access sensitive data in Oracle Agile PLM 9.3.6 through an HTTP network request targeting the User and User Group component, potentially exposing all accessible information within the application. This easily exploitable vulnerability requires no user interaction and affects Oracle Supply Chain Products Suite deployments. No patch is currently available.

Oracle Supply Chain Products Suite
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-15281 HIGH PATCH This Week

Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process. [CVSS 7.5 HIGH]

Information Disclosure Glibc Red Hat Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-21926 HIGH This Week

Siebel Customer Relationship Management Deployment contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 7.5).

Oracle TLS Denial Of Service Siebel Customer Relationship Management Deployment
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-63648 HIGH PATCH This Week

A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e385f allows attackers to cause a Denial of Service (DoS) via sending a crafted DACP request to the server. [CVSS 7.5 HIGH]

Null Pointer Dereference Denial Of Service Owntone Server Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-21637 HIGH PATCH This Week

Node.js TLS servers using PSK or ALPN callbacks are vulnerable to denial of service when these callbacks throw unhandled synchronous exceptions during the TLS handshake. Remote attackers can exploit this by sending specially crafted TLS handshake requests to trigger resource exhaustion or process crashes, either through immediate termination or silent file descriptor leaks. No patch is currently available for this vulnerability.

Node.js TLS Denial Of Service Node.Js Red Hat +1
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-58741 HIGH This Week

Imagedirector Capture versions up to 7.6.3.25808. is affected by insufficiently protected credentials (CVSS 7.5).

Authentication Bypass Imagedirector Capture
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-9464 HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. This vulnerability is triggered during fuzzing of multiple CIP classes, which causes the CIP port to become unresponsive. [CVSS 7.5 HIGH]

Denial Of Service Armorstart Lt Firmware
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-9280 HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. Fuzzing performed using Defensics causes the device to become unresponsive, requiring a reboot. [CVSS 7.5 HIGH]

Industrial Armorstart Lt Firmware
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-9278 HIGH This Week

A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. After running a Burp Suite active scan, the device loses ICMP connectivity, causing the web application to become inaccessible. [CVSS 7.5 HIGH]

Denial Of Service Armorstart Lt Firmware
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21984 HIGH This Week

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. [CVSS 7.5 HIGH]

Oracle Virtualbox Vm Virtualbox Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
Prev Page 2 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy