Skip to main content
CVE-2025-56005 CRITICAL POC PATCH Act Now

PLY (Python Lex-Yacc) library 3.11 has an unsafe feature enabling remote code execution through pickle deserialization of cached parser tables, with EPSS 0.91%.

Python RCE Deserialization Ply
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.9%
CVE-2025-55423 CRITICAL POC Act Now

Multiple ipTIME router models have a command injection vulnerability in the upnp_relay() function, allowing remote attackers to execute arbitrary OS commands through crafted UPnP requests.

Command Injection A104 Firmware A604mu Firmware Ax2004 Firmware N2plus I Firmware +159
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-23876 CRITICAL POC PATCH Act Now

Heap buffer overflow in ImageMagick's XBM image decoder (ReadXBMImage) lets remote attackers write attacker-controlled data past an allocated heap buffer by submitting a maliciously crafted XBM file, affecting all versions prior to 7.1.2-13 and 6.9.13-38. Because any read or identify operation triggers the flaw, it is reachable through ordinary image upload and conversion pipelines, raising the risk of memory corruption and potential remote code execution. Publicly available exploit code exists and a vendor patch is available, though EPSS exploitation probability remains low (0.08%) and it is not listed in CISA KEV.

Buffer Overflow Imagemagick Heap Overflow
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-53912 CRITICAL POC Act Now

MedDream PACS Premium 7.3.6.870 has an arbitrary file read vulnerability in the encapsulatedDoc feature that allows attackers to read sensitive server files including DICOM medical records.

Information Disclosure Pacs Server
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-21962 CRITICAL PATCH Act Now

Oracle HTTP Server and WebLogic Server Proxy Plug-in have a CVSS 10.0 access control vulnerability allowing unauthenticated network attackers to fully compromise the middleware layer.

Oracle Apache IIS Http Server Weblogic Server Proxy Plug In
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-21636 CRITICAL PATCH Act Now

Node.js has a CVSS 10.0 permission model bypass that allows Unix Domain Socket connections to completely bypass network restrictions when --allow-net is configured.

Node.js Privilege Escalation Node.Js Red Hat Suse
NVD
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-22844 CRITICAL Act Now

Zoom Node Multimedia Routers (MMRs) before version 5.2.1716.0 have a CVSS 9.9 command injection vulnerability allowing meeting participants to execute OS commands on the router.

Zoom RCE Command Injection
NVD
CVSS 3.1
9.9
EPSS
0.4%
CVE-2026-0933 CRITICAL PATCH Act Now

Cloudflare Wrangler CLI has a CVSS 9.9 command injection vulnerability in the 'wrangler pages deploy' command that allows arbitrary code execution during deployment.

Command Injection Wrangler Cloudflare
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-21969 CRITICAL Act Now

Oracle Agile PLM for Process has a CVSS 9.8 vulnerability in the Supply Chain Sourcing component that allows unauthenticated remote attackers to fully compromise the system.

Oracle Agile Product Lifecycle Management For Process
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-14533 CRITICAL Act Now

Advanced Custom Fields: Extended plugin for WordPress has a privilege escalation vulnerability allowing unauthenticated users to gain admin access in all versions up to the latest.

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-1221 CRITICAL Act Now

PrismX MX100 AP controller by BROWAN has hard-coded credentials that allow remote attackers to gain full administrative access to the wireless network controller.

Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-0907 CRITICAL PATCH Act Now

Chrome Split View prior to 144.0.7559.59 has a UI spoofing vulnerability that allows remote attackers to display misleading content in the split view interface.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-0906 CRITICAL PATCH Act Now

Chrome for Android prior to 144.0.7559.59 has a security UI spoofing vulnerability that allows remote attackers to display misleading security indicators.

Google Android Chrome Suse
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-64087 CRITICAL PATCH Act Now

A server-side template injection vulnerability (CWE-1336) with CVSS 9.8 allows remote attackers to execute arbitrary code through crafted template expressions.

RCE Xdocreport
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-65482 CRITICAL PATCH Act Now

XDocReport v0.9.2 through v2.0.3 has an XML External Entity (XXE) vulnerability that allows attackers to read arbitrary files, perform SSRF, and potentially achieve remote code execution.

XXE Xdocreport
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-23947 CRITICAL PATCH Act Now

Orval, a TypeScript API client generator, has a command injection vulnerability that allows code execution through malicious OpenAPI specifications.

Command Injection RCE Orval
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-0905 CRITICAL PATCH Act Now

Google Chrome prior to 144.0.7559.59 has insufficient policy enforcement in Network that allows attackers who obtained a network position to access sensitive data.

Google Chrome Red Hat Suse
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-55130 CRITICAL PATCH Act Now

Node.js has a permissions model bypass that allows attackers to circumvent --allow-fs-read and --allow-fs-write restrictions using alternate path representations.

Node.js Information Disclosure Node Js
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy