Skip to main content
CVE-2026-23526 HIGH PATCH This Week

CVAT is an open source interactive video and image annotation tool for computer vision. [CVSS 8.8 HIGH]

Information Disclosure AI / ML Computer Vision Annotation Tool
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-23754 HIGH PATCH This Week

D-Link D-View 8 versions 2.0.1.107 and below allow authenticated users to bypass access controls on backend API endpoints and retrieve credential data for arbitrary accounts, including administrators. An attacker can leverage exposed credentials to directly authenticate as any user and gain full administrative control over the D-View system. A patch is available to address this high-severity improper access control vulnerability.

D-Link D View 8
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-22022 HIGH PATCH This Week

Unauthorized API access in Apache Solr 5.3.0 through 9.10.0 allows unauthenticated attackers to bypass the RuleBasedAuthorizationPlugin due to insufficient input validation in permission rule enforcement. This vulnerability affects only deployments using multiple roles with specific predefined permissions like config-read, config-edit, schema-read, metrics-read, or security-read without the "all" permission rule defined. Successful exploitation grants attackers unauthorized access to sensitive Solr APIs, potentially exposing configuration and security data.

Apache Solr Red Hat
NVD HeroDevs
CVSS 3.1
8.2
EPSS
0.2%
CVE-2026-23517 HIGH PATCH This Week

Fleet device management software versions prior to 4.78.3 suffer from broken access control that permits any authenticated user, including low-privilege observers, to access debug and profiling endpoints. Attackers can leverage this vulnerability to extract sensitive server diagnostics, runtime profiling data, and application state, or trigger CPU-intensive operations resulting in denial of service. The vulnerability affects multiple Fleet versions and has patches available.

Industrial Denial Of Service Fleet Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-24016 HIGH This Week

Arbitrary code execution in ServerView Agents for Windows installer results from insecure DLL loading, allowing local attackers with user privileges to execute malicious code with administrator rights during installation. The vulnerability affects Fsas Technologies Inc.'s installer component and currently has no available patch. An attacker with physical or local access can exploit this during the installation process to achieve full system compromise.

Windows
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2026-23737 HIGH POC PATCH This Week

Arbitrary code execution in Seroval versions 1.4.0 and below allows authenticated attackers to execute malicious JavaScript through improper deserialization handling in the fromJSON and fromCrossJSON functions. Exploitation requires multiple requests to the affected function and partial knowledge of runtime data usage, but grants full code execution capabilities. A patch is available in version 1.4.1 and later.

Deserialization Seroval Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-13878 HIGH PATCH This Week

to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 versions up to 9.18.43 is affected by reachable assertion (CVSS 7.5).

Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21852 HIGH POC PATCH This Week

Claude Code versions prior to 2.0.65 allow attackers to steal Anthropic API keys from users by crafting malicious repositories that redirect API calls to attacker-controlled servers before the trust confirmation dialog appears. When a victim opens an infected repository, the tool automatically reads malicious configuration settings and sends API requests containing credentials before displaying any security prompt, enabling credential theft. Users should upgrade to version 2.0.65 or later, though auto-update users have already received the patch.

Authentication Bypass AI / ML Claude Code
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-68134 HIGH This Week

EVerest is an EV charging software stack. Prior to version 2025.10.0, the use of the `assert` function to handle errors frequently causes the module to crash. [CVSS 7.4 HIGH]

Denial Of Service Everest
NVD GitHub
CVSS 3.1
7.4
EPSS
0.1%
CVE-2026-23736 HIGH PATCH This Week

Seroval is affected by improperly controlled modification of object prototype attributes (prototype pollution) (CVSS 7.3).

Deserialization Seroval Red Hat Suse
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-23755 HIGH PATCH This Week

D-Link D-View 8 installer versions 2.0.1.107 and below are vulnerable to DLL preloading attacks that execute with administrator privileges when a user approves a UAC prompt. An attacker can place a malicious version.dll file in the installer directory to achieve arbitrary code execution with system-level access. This vulnerability affects users installing or updating D-View 8 on Windows systems.

D-Link D View 8
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-0834 HIGH This Week

Unauthenticated adjacent network attackers can exploit a logic vulnerability in the TDDP module of TP-Link Archer C20 v6.0 and Archer AX53 v1.0 to execute administrative commands such as factory reset and device reboot without credentials. This allows attackers to cause loss of device configuration and service disruption on vulnerable routers. No patch is currently available for this high-severity vulnerability affecting both router models.

TP-Link Authentication Bypass
NVD
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-22444 HIGH PATCH This Week

Apache Solr 8.6 through 9.10.0 in standalone mode fails to properly validate the "create core" API parameters, allowing authenticated users to bypass the allowPaths security restriction and access unauthorized filesystem locations. On Windows systems configured with UNC path support, this vulnerability can lead to NTLM credential hash disclosure. Affected deployments using the allowPaths setting are at risk of unauthorized core creation and information exposure.

Windows Apache Solr Red Hat
NVD HeroDevs
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-24046 HIGH PATCH This Week

Backstage Scaffolder actions and archive extraction utilities are vulnerable to symlink-based path traversal attacks, allowing authenticated users with template creation privileges to read sensitive files, delete arbitrary files outside the workspace, or write malicious files via crafted symlinks in tar/zip archives. This affects deployments where users can create or execute Scaffolder templates, with no patch currently available for versions prior to @backstage/backend-defaults 0.12.2.

Path Traversal
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy