Skip to main content
CVE-2026-25881 CRITICAL POC PATCH Act Now

SandboxJS prior to 0.8.31 has yet another sandbox escape via prototype pollution, the sixth distinct escape technique discovered.

RCE Sandboxjs
NVD GitHub
CVSS 3.1
9.0
EPSS
0.1%
CVE-2026-22903 CRITICAL Act Now

A device has a stack-based buffer overflow in HTTP SESSION cookie processing allowing unauthenticated remote code execution.

RCE Buffer Overflow Denial Of Service
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-1868 CRITICAL Act Now

GitLab AI Gateway's Duo Workflow Service has a CVSS 9.9 server-side template injection enabling code execution through the AI workflow system.

Gitlab Denial Of Service AI / ML
NVD
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-22904 CRITICAL Act Now

A device has a stack-based buffer overflow in cookie parsing (including TRACKID) enabling unauthenticated remote code execution.

RCE Buffer Overflow
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-25893 CRITICAL PATCH Act Now

FUXA SCADA has yet another authorization bypass — now the seventh critical FUXA vulnerability discovered, enabling unauthenticated access to industrial controls.

SCADA Authentication Bypass Fuxa
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-25938 CRITICAL PATCH Act Now

FUXA SCADA has an authentication spoofing vulnerability from versions 1.2.8 through 1.2.10 — tenth critical vulnerability.

SCADA Authentication Bypass Fuxa
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-25894 CRITICAL PATCH Act Now

FUXA SCADA has insecure default configuration with a known JWT secret — eighth critical vulnerability.

SCADA Fuxa
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-25809 CRITICAL Act Now

PlaciPy placement system 1.0.0 has an improper authorization vulnerability enabling unauthenticated admin access — second of seven critical PlaciPy vulnerabilities.

Authentication Bypass Placipy
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-25814 CRITICAL Act Now

PlaciPy has an injection vulnerability allowing user input to be processed as commands — sixth critical flaw.

Information Disclosure Placipy
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-66603 CRITICAL Act Now

Yokogawa FAST/TOOLS has a second web server vulnerability involving improper cryptographic handling that weakens the security of SCADA communications.

Information Disclosure Fast Tools
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-25875 CRITICAL Act Now

PlaciPy has an incorrect authorization allowing privilege escalation — seventh and final critical vulnerability.

Authentication Bypass Placipy
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22906 CRITICAL Act Now

A device stores user credentials using AES-ECB encryption with a hard-coded key, allowing any attacker to decrypt all stored passwords.

Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-66602 CRITICAL Act Now

Yokogawa FAST/TOOLS SCADA has a vulnerability in its web server component enabling unauthorized access to the industrial control monitoring system.

Information Disclosure Fast Tools
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-25895 CRITICAL POC PATCH Act Now

FUXA SCADA has a path traversal vulnerability — ninth critical vulnerability enabling arbitrary file access on SCADA servers.

SCADA Path Traversal Fuxa
NVD GitHub Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-6830 CRITICAL Act Now

An SQL injection vulnerability in a product allows unauthenticated database compromise through unsanitized input.

SQLi
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-66606 CRITICAL Act Now

Yokogawa FAST/TOOLS has a third vulnerability involving improper encoding of output that could enable injection attacks against the SCADA web interface.

Information Disclosure Fast Tools
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-66630 CRITICAL PATCH Act Now

Go Fiber web framework before 2.52.11 has a weak PRNG vulnerability (on Go < 1.24) that makes session tokens predictable, enabling session hijacking.

Golang CSRF Fiber Red Hat Suse
NVD GitHub
CVSS 3.1
9.4
EPSS
0.0%
CVE-2026-25057 CRITICAL PATCH Act Now

MarkUs grading platform prior to 2.9.1 has a path traversal enabling students to access other students' submissions or grading data.

Path Traversal Markus
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-2234 CRITICAL Act Now

HGiga C&Cm@il email system has a missing authentication vulnerability allowing unauthenticated remote access to email server functions.

Authentication Bypass
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-25876 CRITICAL Act Now

PlaciPy has another missing authorization vulnerability — fourth of seven critical security flaws.

Authentication Bypass Placipy
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-25810 CRITICAL Act Now

PlaciPy has a missing authorization vulnerability — third of seven critical security flaws.

Authentication Bypass Placipy
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-25811 CRITICAL Act Now

PlaciPy has an incorrect authorization vulnerability — fifth of seven critical flaws.

Authentication Bypass Placipy
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-25923 CRITICAL Act Now

my little forum PHP forum software has an unrestricted file upload allowing authenticated users to upload dangerous file types.

PHP Deserialization File Upload My Little Forum
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-24679 CRITICAL PATCH Act Now

FreeRDP prior to 3.22.0 has a heap buffer overflow in the URBDRC USB redirection client enabling RCE through malicious RDP servers.

Buffer Overflow Freerdp Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-24677 CRITICAL PATCH Act Now

FreeRDP prior to 3.22.0 has a use-after-free in ecam_encoder_compress allowing malicious RDP servers to crash or execute code on clients.

Use After Free Buffer Overflow Freerdp Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-25939 CRITICAL PATCH Act Now

FUXA SCADA has an eleventh critical vulnerability — missing authorization from versions 1.2.8 onward.

SCADA Fuxa
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-25848 CRITICAL Act Now

JetBrains Hub before 2025.3.119807 has an authentication bypass allowing administrative actions without proper credentials.

Authentication Bypass Hub
NVD
CVSS 3.1
9.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy