Skip to main content
CVE-2026-21983 HIGH This Week

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. [CVSS 7.5 HIGH]

Oracle Virtualbox Vm Virtualbox Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21957 HIGH This Week

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. [CVSS 7.5 HIGH]

Oracle Virtualbox Vm Virtualbox Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-59466 HIGH PATCH This Week

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. [CVSS 7.5 HIGH]

Node.js Denial Of Service Node.Js Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-58744 HIGH This Week

Imagedirector Capture versions up to 7.6.3.25808. is affected by use of hard-coded credentials (CVSS 7.5).

Windows Imagedirector Capture
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-58743 HIGH This Week

Imagedirector Capture versions up to 7.6.3.25808. is affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).

Windows Imagedirector Capture
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-33230 HIGH PATCH This Week

NVIDIA Nsight Systems for Linux contains a vulnerability in the .run installer, where an attacker could cause an OS command injection by supplying a malicious string to the installation path. [CVSS 7.3 HIGH]

Linux Denial Of Service Privilege Escalation Command Injection Information Disclosure +2
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-33228 HIGH PATCH This Week

NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli.py script if the script is invoked manually. [CVSS 7.3 HIGH]

Denial Of Service Privilege Escalation Command Injection Information Disclosure Cuda Toolkit +1
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-36418 HIGH This Week

Applinx versions up to 11.1.0 is affected by improper verification of cryptographic signature (CVSS 7.3).

IBM Privilege Escalation Applinx
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-33229 HIGH PATCH This Week

NVIDIA Nsight Visual Studio for Windows contains a vulnerability in Nsight Monitor where an attacker can execute arbitrary code with the same privileges as the NVIDIA Nsight Visual Studio Edition Monitor application. [CVSS 7.3 HIGH]

Windows Denial Of Service Privilege Escalation Information Disclosure Cuda Toolkit +1
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-1222 HIGH This Week

Remote code execution in BROWAN COMMUNICATIONS PrismX MX100 AP controller allows high-privileged remote attackers to upload arbitrary files and execute web shell backdoors without user interaction. This vulnerability affects administrators with elevated credentials and enables complete compromise of the affected access point. No patch is currently available to remediate this issue.

File Upload RCE
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2025-15380 HIGH This Week

The NotificationX - FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-21976 HIGH This Week

Business Intelligence versions up to 7.6.0.0.0 contains a vulnerability that allows attackers to unauthorized creation, deletion or modification access to critical data or all O (CVSS 7.1).

Oracle Industrial Business Intelligence
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-55131 HIGH PATCH This Week

A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. [CVSS 7.1 HIGH]

Node.js RCE Buffer Overflow
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-21986 HIGH This Week

Vm Virtualbox versions up to 7.1.14 contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 7.1).

Oracle Windows Virtualbox Denial Of Service Vm Virtualbox
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-21939 HIGH This Week

Vulnerability in the SQLcl component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.0. [CVSS 7.0 HIGH]

Oracle Database Server
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-1203 LOW POC Monitor

Improper authentication in CRMEB up to version 5.6.3 allows remote attackers to manipulate the uid parameter in the LoginServices.php token handler to bypass authentication, despite requiring high complexity. Public exploit code exists for this vulnerability, though no patch is currently available from the vendor.

PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2025-33231 MEDIUM PATCH This Month

NVIDIA Nsight Systems for Windows contains a vulnerability in the application’s DLL loading mechanism where an attacker could cause an uncontrolled search path element by exploiting insecure DLL search paths. [CVSS 6.7 MEDIUM]

Windows Denial Of Service Privilege Escalation Information Disclosure Cuda Toolkit
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-1245 MEDIUM PATCH This Month

Unsafe code generation in binary-parser prior to version 2.3.0 allows remote code execution when processing untrusted input for parser field names or encoding parameters. Node.js applications using vulnerable versions of the library can be compromised to execute arbitrary JavaScript with process-level privileges. A patch is available and exploitation requires no authentication or user interaction.

Node.js Code Injection Binary Parser
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-22770 MEDIUM PATCH This Month

ImageMagick versions prior to 7.1.2-13 fail to properly initialize buffer elements in the BilateralBlurImage method, leading to invalid pointer dereference and potential denial of service when memory allocation fails. An attacker can exploit this through network vectors to crash affected applications or trigger undefined behavior with high complexity requirements. A patch is available in version 7.1.2-13 and later.

Information Disclosure Imagemagick Red Hat Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-21960 MEDIUM PATCH This Month

Oracle Applications DBA versions 12.2.3-12.2.15 contain an authorization flaw in the Java utilities component that allows high-privileged attackers to gain unauthorized read and write access to sensitive data via HTTP. An authenticated attacker with administrative credentials can exploit this vulnerability to create, modify, or delete critical application data without restriction. A patch is available and should be prioritized for deployment in affected Oracle E-Business Suite environments.

Oracle Java Applications Dba
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-21978 MEDIUM This Month

Flexcube Universal Banking contains a vulnerability that allows attackers to unauthorized access to critical data or complete access to all Oracle FLEXCUBE U (CVSS 6.5).

Oracle Flexcube Universal Banking
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-21970 MEDIUM This Month

Life Sciences Central Designer versions up to 7.0.1.0 contains a vulnerability that allows attackers to unauthorized access to critical data or complete access to all Oracle Life Scien (CVSS 6.5).

Oracle Life Sciences Central Designer
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-21968 MEDIUM PATCH This Month

Mysql Server contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 6.5).

Oracle MySQL MSSQL Denial Of Service Mysql Server +2
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-21950 MEDIUM PATCH This Month

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. [CVSS 6.5 MEDIUM]

Oracle MySQL MSSQL Denial Of Service Mysql Server +2
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-21949 MEDIUM PATCH This Month

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. [CVSS 6.5 MEDIUM]

Oracle MySQL MSSQL Denial Of Service Mysql Server +2
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-21944 MEDIUM This Month

Agile Product Lifecycle Management For Process versions up to 6.2.4 is affected by cross-site scripting (xss) (CVSS 6.5).

Oracle Agile Product Lifecycle Management For Process
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-0622 MEDIUM PATCH This Month

Open5gs WebUI authentication can be bypassed by attackers who exploit the default hardcoded JWT signing key ("change-me") that is used when the JWT_SECRET_KEY environment variable is not configured. An attacker can forge valid JWT tokens to gain unauthorized access to the WebUI with limited confidentiality and integrity impacts. A patch is available to remediate this vulnerability by enforcing proper key configuration or using secure defaults.

Authentication Bypass Open5gs
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-12573 MEDIUM This Month

The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data. [CVSS 6.5 MEDIUM]

WordPress PHP
NVD WPScan
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-21980 MEDIUM This Month

Life Sciences Central Coding versions up to 7.0.1.0 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle Life Sciences Cen (CVSS 6.5).

Oracle Life Sciences Central Coding
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-21923 MEDIUM This Month

Life Sciences Central Designer versions up to 7.0.1.0 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle Life Sciences Cen (CVSS 6.5).

Oracle Life Sciences Central Designer
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-67261 MEDIUM This Month

Abacre Retail Point of Sale 14.0.0.396 is vulnerable to content-based blind SQL injection. The vulnerability exists in the Search function of the Orders page. [CVSS 6.5 MEDIUM]

SQLi Retail Point Of Sale
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-21641 MEDIUM This Month

Revive Adserver contains an authorization flaw in the tracker deletion function that permits authenticated users to delete trackers belonging to other accounts. An attacker with valid credentials can exploit this access control bypass to remove tracking objects outside their administrative scope, potentially disrupting competitor or other user operations. No patch is currently available for this vulnerability.

PHP Revive Adserver
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-0690 MEDIUM This Month

Stored cross-site scripting in FlatPM - Ad Manager plugin for WordPress up to version 3.2.2 allows authenticated contributors and higher-privileged users to inject malicious scripts through the rank_math_description field due to inadequate input sanitization. The injected scripts execute in the browsers of users viewing affected pages, potentially enabling credential theft, session hijacking, or other client-side attacks. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0608 MEDIUM This Month

Stored XSS in WordPress Head Meta Data plugin (versions up to 20251118) allows authenticated contributors and above to inject malicious scripts into post metadata that execute when users visit affected pages, due to inadequate input sanitization. An attacker with contributor-level access can exploit insufficient output escaping to persistently compromise page content across all site visitors. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-36408 MEDIUM This Month

IBM ApplinX 11.1 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 6.4 MEDIUM]

IBM XSS Applinx
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-36115 MEDIUM This Month

Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by session fixation (CVSS 6.3).

IBM
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-36065 MEDIUM This Month

Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by insufficient session expiration (CVSS 6.3).

IBM
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-36063 MEDIUM This Month

Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by insufficient session expiration (CVSS 6.3).

IBM
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-36066 MEDIUM This Month

Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by cross-site scripting (xss) (CVSS 6.1).

IBM XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-67263 MEDIUM This Month

Abacre Retail Point of Sale 14.0.0.396 is affected by a stored cross-site scripting (XSS) vulnerability in the Clients module. The application fails to properly sanitize user-supplied input stored in the Name and Surname fields. [CVSS 6.1 MEDIUM]

XSS Retail Point Of Sale
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-67824 MEDIUM This Month

WorklogPRO - Jira Timesheets plugin in the Jira Data Center versions up to 4.24.2 is affected by cross-site scripting (xss) (CVSS 6.1).

Jira XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-66523 MEDIUM This Month

URL parameters are directly embedded into JavaScript code or HTML attributes without proper encoding or sanitization. This allows attackers to inject arbitrary scripts when an authenticated user visits a crafted link. [CVSS 6.1 MEDIUM]

XSS Esign
NVD VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-21664 MEDIUM This Month

Revive Adserver's afr.php script contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through crafted URLs targeting logged-in administrators. An attacker can exploit this to execute arbitrary JavaScript in an admin's browser session, potentially leading to unauthorized actions or credential theft. No patch is currently available for this vulnerability.

PHP XSS Revive Adserver
NVD
CVSS 3.0
6.1
EPSS
0.0%
CVE-2026-21663 MEDIUM This Month

Revive Adserver's banner-acl.php script contains a reflected cross-site scripting vulnerability that allows attackers to execute arbitrary scripts in the browsers of authenticated administrators through a crafted URL. An attacker can inject malicious HTML payloads into vulnerable parameters, which execute when an admin visits the malicious link, potentially compromising administrative sessions and server configuration. No patch is currently available for this vulnerability.

PHP XSS Revive Adserver
NVD
CVSS 3.0
6.1
EPSS
0.0%
CVE-2026-21642 MEDIUM This Month

Revive Adserver's banner-acl.php and channel-acl.php scripts contain reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary JavaScript in an administrator's browser by crafting malicious URLs. An authenticated attacker can exploit this to perform actions with administrative privileges if a logged-in admin visits the crafted link. No patch is currently available for this vulnerability affecting PHP-based Revive Adserver installations.

PHP XSS Revive Adserver
NVD
CVSS 3.0
6.1
EPSS
0.0%
CVE-2026-21961 MEDIUM This Month

Unauthenticated attackers can exploit a cross-site request forgery vulnerability in Oracle PeopleSoft Enterprise HCM Human Resources 9.2 through the Company Directory/Org Chart Viewer component to read, modify, or delete sensitive employee data via HTTP with user interaction. The vulnerability requires a victim to click a malicious link but impacts multiple PeopleSoft products and modules beyond the initial target. No patch is currently available for this medium-severity issue (CVSS 6.1).

Oracle Peoplesoft Enterprise Hcm Human Resources
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-21951 MEDIUM This Month

Peoplesoft Enterprise Peopletools versions up to 8.60 is affected by cross-site scripting (xss) (CVSS 6.1).

Oracle Peoplesoft Enterprise Peopletools
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-21946 MEDIUM This Month

JD Edwards EnterpriseOne Tools versions 9.2.0.0 through 9.2.26.0 are vulnerable to cross-site scripting (XSS) in the Web Runtime SEC component, allowing unauthenticated attackers to manipulate data and read sensitive information through HTTP with user interaction. The vulnerability has network-wide scope, potentially compromising connected systems beyond the primary application. No patch is currently available.

Oracle Jd Edwards Enterpriseone Tools
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-21943 MEDIUM This Month

Reflected cross-site scripting in Oracle E-Business Suite Scripting Admin (versions 12.2.3-12.2.15) allows unauthenticated attackers to modify or read sensitive data via malicious HTTP requests that require user interaction. The vulnerability can impact other Oracle products due to scope changes and currently lacks an available patch. CVSS 6.1 (Medium) reflects low-complexity network-based exploitation with confidentiality and integrity impacts.

Oracle Scripting
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-21966 MEDIUM This Month

Hospitality Opera 5 versions up to 5.6.19.23 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle Hospitality OPERA (CVSS 6.1).

Oracle Hospitality Opera 5
NVD
CVSS 3.1
6.1
EPSS
0.0%
Prev Page 3 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy