286 CVEs tracked today. 10 Critical, 120 High, 117 Medium, 14 Low.
-
CVE-2026-26009
CRITICAL
CVSS 9.9
Command injection in Catalyst game server management platform. Install scripts in server templates allow injecting OS commands. EPSS 0.29%.
RCE
-
CVE-2026-25993
CRITICAL
CVSS 9.8
SQL injection in EverShop e-commerce platform during category update/deletion event handling. Path/request_path values injected unsanitized into SQL. Patch available.
SQLi
Evershop
-
CVE-2026-23906
CRITICAL
CVSS 9.8
Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific prerequisites are met.
Apache
Dns
Ldap
Authentication Bypass
Druid
-
CVE-2026-21533
HIGH
CVSS 7.8
Windows Remote Desktop contains an improper privilege management vulnerability (CVE-2026-21533, CVSS 7.8) enabling authorized local attackers to escalate to SYSTEM. KEV-listed, this vulnerability in the RDP subsystem is particularly concerning in environments where Remote Desktop is widely used, as it can be chained with RDP session access for complete system compromise.
Privilege Escalation
Microsoft
-
CVE-2026-21531
CRITICAL
CVSS 9.8
Deserialization of untrusted data in Azure SDK allows unauthorized code execution over a network. EPSS 0.32%.
Azure
Deserialization
Azure Conversation Authoring Client Library
-
CVE-2026-21519
HIGH
CVSS 7.8
Desktop Window Manager (DWM) in Windows contains a type confusion vulnerability (CVE-2026-21519, CVSS 7.8) that enables authorized local attackers to escalate privileges. KEV-listed, this kernel-level vulnerability in the Windows compositor allows any authenticated user to achieve SYSTEM-level access through exploitation of an incompatible type access in DWM's resource handling.
Buffer Overflow
Windows 11 24h2
Windows 11 23h2
Windows 10 21h2
Windows Server 2022 23h2
-
CVE-2026-21514
HIGH
CVSS 7.8
Microsoft Office Word contains a security decision bypass (CVE-2026-21514, CVSS 7.8) through reliance on untrusted inputs, allowing local attackers to bypass protections when opening malicious documents. KEV-listed, this vulnerability enables document-based attacks that circumvent Word's security features designed to protect users from malicious content.
Microsoft
365 Apps
Office Long Term Servicing Channel
-
CVE-2026-21513
HIGH
CVSS 8.8
MSHTML Framework contains a protection mechanism failure (CVE-2026-21513, CVSS 8.8) allowing remote attackers to bypass security features over a network. KEV-listed, this vulnerability in the legacy HTML rendering engine (still used by many Windows applications and email clients) enables execution of malicious content by circumventing the browser's security sandbox and content restrictions.
Authentication Bypass
-
CVE-2026-21510
HIGH
CVSS 8.8
Windows Shell contains a protection mechanism failure (CVE-2026-21510, CVSS 8.8) that allows unauthenticated remote attackers to bypass security features over a network. KEV-listed, this vulnerability in the core Windows Shell component enables remote code execution by circumventing security boundaries designed to prevent execution of untrusted content received from the network.
Windows
Windows 11 23h2
Windows Server 2016
Windows 10 21h2
Windows Server 2025
-
CVE-2026-2096
CRITICAL
CVSS 9.8
Missing authentication in Flowring Agentflow allows unauthenticated attackers to read, modify, and delete data. Second auth bypass CVE.
Authentication Bypass
AI / ML
Agentflow
-
CVE-2026-2095
CRITICAL
CVSS 9.8
Authentication bypass in Flowring Agentflow workflow system allows unauthenticated remote attackers to exploit specific functions. EPSS 0.63%.
Authentication Bypass
Agentflow
-
CVE-2026-1774
CRITICAL
CVSS 9.8
Prototype pollution in CASL Ability authorization library versions 2.4.0 through 6.7.4. Can lead to authorization bypass in applications using CASL for access control.
Information Disclosure
-
CVE-2026-1603
HIGH
CVSS 8.6
Ivanti Endpoint Manager before 2024 SU5 contains an authentication bypass (CVE-2026-1603, CVSS 8.6) that allows unauthenticated remote attackers to leak stored credential data. KEV-listed with EPSS 43.9%, this vulnerability exposes credentials stored in the endpoint management platform — potentially including service accounts, deployment credentials, and other secrets used to manage the entire endpoint fleet.
Ivanti
Authentication Bypass
Endpoint Manager
-
CVE-2026-0509
CRITICAL
CVSS 9.6
Unauthorized Remote Function Call execution in SAP NetWeaver ABAP. Low-privileged users can execute background RFCs without proper authorization checks. CVSS 9.6.
Sap
Netweaver As Abap Kernel
Netweaver As Abap Krnl64nuc
Netweaver As Abap Krnl64uc
-
CVE-2026-0488
CRITICAL
CVSS 9.9
Unauthorized code execution in SAP CRM and SAP S/4HANA Scripting Editor. Authenticated attacker exploits generic function module call to execute unauthorized ABAP code. CVSS 9.9.
Sap
Netweaver Application Server Abap
Webclient Ui Framework
-
CVE-2025-11242
CRITICAL
CVSS 9.8
SSRF vulnerability in Teknolist Okulistik application allows server-side requests to internal resources.
SSRF
-
CVE-2026-25992
HIGH
CVSS 7.5
Unauthenticated attackers can read sensitive configuration files from SiYuan knowledge management systems prior to version 3.5.5 by exploiting case-sensitivity bypass in file access controls on Windows and other case-insensitive filesystems. The /api/file/getFile endpoint fails to properly validate mixed-case path traversal attempts, allowing unauthorized access to protected data. Public exploit code exists for this vulnerability, and no patch is currently available.
Windows
Siyuan
-
CVE-2026-25947
HIGH
CVSS 8.8
Worklenz is a project management tool. [CVSS 8.8 HIGH]
SQLi
Worklenz
-
CVE-2026-25728
HIGH
CVSS 7.5
Arbitrary PHP code execution in ClipBucket v5 prior to 5.5.3-#40 through a race condition in file upload validation, where files are moved to a web-accessible directory before security checks are performed. An authenticated attacker can exploit the time window between file placement and validation deletion to execute malicious PHP code on the server. Public exploit code exists for this vulnerability.
PHP
Race Condition
Clipbucket
-
CVE-2026-25656
HIGH
CVSS 7.8
Arbitrary code execution with SYSTEM privileges in SINEC NMS User Management Component (all versions prior to V2.15.2.1) stems from improper access controls allowing low-privileged users to modify configuration files and load malicious DLLs. An authenticated attacker can exploit this to achieve complete system compromise. No patch is currently available.
Privilege Escalation
RCE
Sinec Nms
User Management Component
-
CVE-2026-25655
HIGH
CVSS 7.8
Arbitrary code execution in Siemens SINEC NMS versions prior to V4.0 SP2 can be achieved when a low-privileged user modifies configuration files to load malicious DLLs, resulting in administrative privilege execution. This local vulnerability affects all current deployments and currently has no available patch. An authenticated attacker with local access can exploit this to gain full system compromise.
Privilege Escalation
RCE
Sinec Nms
-
CVE-2026-25646
HIGH
CVSS 8.1
Out-of-bounds heap buffer reads in libpng versions prior to 1.6.55 can be triggered through the png_set_quantize() function when processing specially crafted PNG images with specific palette configurations, potentially causing denial of service or information disclosure. Public exploit code exists for this vulnerability, affecting applications that use libpng to process untrusted PNG files. A patch is available in version 1.6.55 and later.
Buffer Overflow
Denial Of Service
Libpng
Redhat
Suse
-
CVE-2026-25611
HIGH
CVSS 7.5
MongoDB instances are vulnerable to denial of service attacks when processing specially crafted unauthenticated messages that trigger memory exhaustion and server crashes. An unauthenticated remote attacker can exploit this vulnerability to disable MongoDB availability without requiring valid credentials or user interaction. No patch is currently available for this vulnerability.
MongoDB
Denial Of Service
-
CVE-2026-25577
HIGH
CVSS 7.5
Emmett is a framework designed to simplify your development process. Versions up to 1.3.11 contain a vulnerability that allows attackers to trigger HTTP 500 errors and cause denial of service (CVSS 7.5).
Denial Of Service
-
CVE-2026-25506
HIGH
CVSS 7.7
Buffer overflow in MUNGE authentication daemon (versions 0.5 to 0.5.17) allows local attackers to extract cryptographic key material from memory, enabling forgery of credentials to impersonate any user on systems relying on MUNGE for authentication. By sending a crafted message with an oversized address length field, an attacker can corrupt the daemon's internal state and retrieve the MAC subkey used for credential verification. The vulnerability affects Debian Linux and other distributions packaging affected MUNGE versions; patching to 0.5.18 or later is available.
Buffer Overflow
Munge
Debian Linux
Redhat
Suse
-
CVE-2026-24343
HIGH
CVSS 8.8
Apache HertzBeat versions 1.7.1 through 1.8.0 contain an XPath injection vulnerability that allows authenticated attackers to manipulate XPath queries and potentially extract or modify sensitive data. An attacker with valid credentials can exploit this flaw to bypass access controls and execute arbitrary XPath expressions against the application's XML data stores. Affected users should upgrade to version 1.8.0 immediately as no patch is currently available for earlier versions.
Apache
Hertzbeat
-
CVE-2026-24322
HIGH
CVSS 7.7
Authenticated users in SAP Solution Tools Plug-In (ST-PI) can access sensitive information through a function module that lacks proper authorization controls, allowing disclosure of confidential data without requiring additional privileges. The vulnerability affects all users with basic authentication to the affected SAP systems, as the missing checks permit lateral data exposure across the application.
Sap
Solution Tools Plug In
-
CVE-2026-24045
HIGH
CVSS 7.3
Stored XSS in Docmost before version 0.25.0 allows authenticated attackers to inject malicious scripts into public share page titles that execute when victims visit shared links, compromising user sessions and data. The vulnerability stems from improper HTML escaping of page titles in meta and title tags, and public exploit code is available. Upgrade to version 0.25.0 or later to remediate.
XSS
Docmost
-
CVE-2026-23720
HIGH
CVSS 7.8
Code execution in Simcenter Femap and Nastran versions prior to V2512 results from an out-of-bounds read flaw triggered when parsing malicious NDB files. A local attacker with user interaction can exploit this vulnerability to execute arbitrary code with the privileges of the affected application. No patch is currently available for this vulnerability.
Buffer Overflow
Information Disclosure
Simcenter Nastran
Simcenter Femap
-
CVE-2026-23719
HIGH
CVSS 7.8
Heap-based buffer overflow in Simcenter Femap and Nastran versions prior to V2512 allows local attackers to achieve arbitrary code execution by crafting malicious NDB files. The vulnerability requires user interaction to trigger and affects all current versions of both products. No patch is currently available, leaving affected systems at risk of privilege escalation and system compromise.
Buffer Overflow
Heap Overflow
Simcenter Femap
Simcenter Nastran
-
CVE-2026-23718
HIGH
CVSS 7.8
Out-of-bounds read in Simcenter Femap and Nastran versions prior to V2512 during NDB file parsing enables local code execution under the current process context. An attacker can exploit this vulnerability through specially crafted NDB files to achieve arbitrary code execution. No patch is currently available for this high-severity vulnerability affecting both products.
Buffer Overflow
Information Disclosure
Simcenter Femap
Simcenter Nastran
-
CVE-2026-23717
HIGH
CVSS 7.8
Simcenter Femap and Nastran versions prior to 2512 are vulnerable to out-of-bounds memory reads when processing maliciously crafted XDB files, enabling arbitrary code execution with the privileges of the affected application. Local attackers can exploit this vulnerability through specially designed files to achieve full system compromise. No patch is currently available for this high-severity flaw.
Buffer Overflow
Information Disclosure
Simcenter Nastran
Simcenter Femap
-
CVE-2026-23716
HIGH
CVSS 7.8
Arbitrary code execution in Simcenter Femap and Nastran versions prior to 2512 results from an out-of-bounds read when processing malicious XDB files, enabling local attackers to achieve process-level code execution. An attacker with local access can craft a specially designed XDB file to trigger the memory vulnerability and execute arbitrary code with the privileges of the affected application. No patch is currently available for this vulnerability.
Buffer Overflow
Information Disclosure
Simcenter Femap
Simcenter Nastran
-
CVE-2026-23715
HIGH
CVSS 7.8
Arbitrary code execution in Simcenter Femap and Nastran versions prior to V2512 results from an out-of-bounds write flaw triggered by parsing malicious XDB files. Local attackers with user interaction can exploit this vulnerability to execute arbitrary code with the privileges of the affected application. No patch is currently available for this high-severity vulnerability.
Buffer Overflow
Simcenter Nastran
Simcenter Femap
-
CVE-2026-23689
HIGH
CVSS 7.7
Denial-of-service vulnerability in SAP Advanced Planning And Optimization and Supply Chain Management allows authenticated users to exhaust system resources by repeatedly calling a remote function module with oversized parameters, causing service unavailability. An attacker with standard user credentials and network access can trigger prolonged resource consumption that may render the affected system unresponsive. No patch is currently available.
Denial Of Service
Advanced Planning And Optimization
Supply Chain Management
-
CVE-2026-23687
HIGH
CVSS 8.8
SAP Basis versions up to 700 are affected by improper verification of a cryptographic signature (CVSS 8.8).
Sap
Sap Basis
-
CVE-2026-22923
HIGH
CVSS 7.8
Nx versions prior to V2512 contain an insufficient input validation flaw in the PDF export functionality that permits local attackers to corrupt internal data structures and achieve arbitrary code execution. An attacker with local file system access can exploit this vulnerability to manipulate the export process and gain code execution privileges. No patch is currently available for this vulnerability.
Buffer Overflow
RCE
Nx
-
CVE-2026-22153
HIGH
CVSS 8.1
FortiOS versions up to 7.6.4 contain a vulnerability that allows an unauthenticated attacker to bypass LDAP authentication of Agentless VPN or FS (CVSS 8.1).
Fortinet
Fortigate
Ldap
Authentication Bypass
Fortios
-
CVE-2026-21743
HIGH
CVSS 7.2
FortiAuthenticator 6.3 through 6.6.6 allows read-only users to modify local user accounts by uploading files to an unprotected endpoint, bypassing authorization controls. This vulnerability requires high privileges to initiate but could enable unauthorized account modifications in affected deployments. No patch is currently available for this high-severity flaw.
Fortinet
Fortiauthenticator
-
CVE-2026-21537
HIGH
CVSS 8.8
Microsoft Defender for Endpoint on Linux contains a code injection vulnerability that enables adjacent network attackers to execute arbitrary code without authentication. The flaw affects multiple platforms and carries high severity (CVSS 8.8) with no patch currently available. An attacker on the local network could achieve complete system compromise through this unauthenticated attack vector.
Microsoft
Linux
Code Injection
Defender For Endpoint
-
CVE-2026-21523
HIGH
CVSS 8.0
Authenticated users can exploit a race condition in GitHub Copilot and Visual Studio Code to execute arbitrary code remotely by manipulating file state between verification and use. This vulnerability affects users with network access to these development tools and requires user interaction to trigger. No patch is currently available to address this high-severity flaw.
Github
Race Condition
AI / ML
Visual Studio Code
-
CVE-2026-21518
HIGH
CVSS 8.8
GitHub Copilot and Visual Studio Code are vulnerable to command injection attacks that allow unauthenticated attackers to bypass security features over the network through improper neutralization of special command elements. The vulnerability requires user interaction to exploit and could enable attackers to execute arbitrary commands with high impact on confidentiality, integrity, and availability. No patch is currently available for this issue.
Github
Command Injection
AI / ML
Visual Studio Code
-
CVE-2026-21516
HIGH
CVSS 8.8
GitHub Copilot is vulnerable to command injection attacks that enable remote code execution without requiring authentication or user interaction beyond a click. An attacker can exploit this network-accessible vulnerability to execute arbitrary commands on affected systems. No patch is currently available for this high-severity vulnerability.
Github
Command Injection
AI / ML
Github Copilot
-
CVE-2026-21511
HIGH
CVSS 7.5
Microsoft Outlook's unsafe deserialization of untrusted data enables remote attackers to spoof messages and identities without authentication over the network. This vulnerability affects Outlook, Word, and Microsoft 365 Apps, allowing attackers to impersonate legitimate senders and deceive users. No patch is currently available, making this a high-risk threat requiring immediate defensive measures.
Microsoft
Outlook
Deserialization
365 Apps
Word
-
CVE-2026-21508
HIGH
CVSS 7.0
Windows Storage component contains an authentication bypass that enables authenticated local users to escalate privileges on Windows 10, Windows 11, and Windows Server 2016/2019 systems. An attacker with valid local credentials can exploit this vulnerability to gain elevated system access without user interaction. No patch is currently available for this HIGH severity issue affecting multiple Windows versions.
Windows
Windows 10 1809
Windows Server 2016
Windows 11 24h2
Windows 10 1607
-
CVE-2026-21357
HIGH
CVSS 7.8
Arbitrary code execution in Adobe InDesign versions 21.1, 20.5.1, and earlier through a heap buffer overflow vulnerability triggered by opening a malicious file. The vulnerability requires user interaction and executes with the privileges of the current user, with no patch currently available. Local attackers can leverage this to achieve code execution on affected systems.
Adobe
Buffer Overflow
Heap Overflow
Indesign
-
CVE-2026-21353
HIGH
CVSS 7.8
Arbitrary code execution in DNG SDK 1.7.1 2410 and earlier stems from an integer overflow vulnerability that executes with user privileges when a victim opens a crafted file. The local attack vector requires user interaction but carries high impact across confidentiality, integrity, and availability with no patch currently available.
Integer Overflow
Dng Software Development Kit
-
CVE-2026-21352
HIGH
CVSS 7.8
Arbitrary code execution in DNG SDK 1.7.1 build 2410 and earlier via out-of-bounds write when processing malicious DNG files. An attacker can achieve code execution with user privileges by tricking a victim into opening a specially crafted file. No patch is currently available for this vulnerability.
Buffer Overflow
RCE
Dng Software Development Kit
-
CVE-2026-21351
HIGH
CVSS 7.8
Arbitrary code execution in Adobe After Effects 25.6 and earlier through a use-after-free memory vulnerability requires user interaction to open a specially crafted file. An attacker can exploit this flaw to execute malicious code with the privileges of the affected user. No patch is currently available.
Use After Free
After Effects
-
CVE-2026-21349
HIGH
CVSS 7.8
Arbitrary code execution in Adobe Lightroom Desktop 15.1 and earlier via an out-of-bounds write vulnerability when users open malicious files. Local exploitation requires user interaction but executes with the privileges of the current user. No patch is currently available.
Buffer Overflow
RCE
Lightroom
-
CVE-2026-21347
HIGH
CVSS 7.8
Arbitrary code execution in Bridge versions 15.1.3, 16.0.1 and earlier results from an integer overflow vulnerability that executes with user privileges when a victim opens a malicious file. The flaw requires user interaction but carries a high severity rating with no available patch, leaving affected systems vulnerable to immediate compromise.
Integer Overflow
Bridge
-
CVE-2026-21346
HIGH
CVSS 7.8
Arbitrary code execution in Bridge 15.1.3, 16.0.1 and earlier through an out-of-bounds write vulnerability triggered when users open malicious files. An attacker can execute commands with the privileges of the affected user, though exploitation requires social engineering to convince a victim to open a crafted file. No patch is currently available.
Buffer Overflow
RCE
Bridge
-
CVE-2026-21345
HIGH
CVSS 7.8
Code execution in Substance 3D Stager 3.1.6 and earlier through a crafted file that triggers an out-of-bounds memory read during parsing. An attacker can exploit this vulnerability by tricking a user into opening a malicious file, achieving arbitrary code execution with the victim's privileges. No patch is currently available for this vulnerability.
Buffer Overflow
Information Disclosure
Substance 3d Stager
-
CVE-2026-21344
HIGH
CVSS 7.8
Substance 3D Stager 3.1.6 and earlier contains an out-of-bounds read vulnerability in file parsing that allows arbitrary code execution when a victim opens a malicious crafted file. The vulnerability affects local users and requires user interaction to exploit, making social engineering a viable attack vector. No patch is currently available for this high-severity flaw.
Buffer Overflow
Information Disclosure
Substance 3d Stager
-
CVE-2026-21343
HIGH
CVSS 7.8
Code execution in Substance 3D Stager 3.1.6 and earlier results from an out-of-bounds read vulnerability in malformed file parsing that allows attackers to corrupt memory and execute arbitrary code within the user's context. The vulnerability requires user interaction, as victims must open a specially crafted file to trigger exploitation. No patch is currently available for this high-severity flaw.
Buffer Overflow
Information Disclosure
Substance 3d Stager
-
CVE-2026-21342
HIGH
CVSS 7.8
Arbitrary code execution in Substance 3D Stager 3.1.6 and earlier results from an out-of-bounds write vulnerability that executes with user privileges. An attacker can exploit this by crafting a malicious file that, when opened by a victim, triggers the memory corruption and executes arbitrary code. No patch is currently available, making user education about untrusted files critical for mitigation.
Buffer Overflow
RCE
Substance 3d Stager
-
CVE-2026-21341
HIGH
CVSS 7.8
Arbitrary code execution in Substance 3D Stager 3.1.6 and earlier via an out-of-bounds write vulnerability allows local attackers to execute arbitrary code with user privileges when a victim opens a malicious file. The vulnerability requires user interaction but no special privileges, making it practical to exploit through social engineering. No patch is currently available.
Buffer Overflow
RCE
Substance 3d Stager
-
CVE-2026-21335
HIGH
CVSS 7.8
Arbitrary code execution in Substance 3D Designer 15.1.0 and earlier via an out-of-bounds write vulnerability that triggers when users open a crafted malicious file. This local attack requires user interaction but executes with the privileges of the affected user, and no patch is currently available.
Buffer Overflow
RCE
Substance 3d Designer
-
CVE-2026-21334
HIGH
CVSS 7.8
Arbitrary code execution in Substance 3D Designer 15.1.0 and earlier through an out-of-bounds write vulnerability that requires a user to open a malicious file. An attacker can execute code with the privileges of the targeted user by crafting a specially designed file. No patch is currently available for this high-severity vulnerability.
Buffer Overflow
RCE
Substance 3d Designer
-
CVE-2026-21330
HIGH
CVSS 7.8
Arbitrary code execution in Adobe After Effects 25.6 and earlier through type confusion allows attackers to execute malicious code with user privileges when a victim opens a crafted file. The vulnerability requires user interaction but poses a significant risk to creative professionals and organizations using affected versions. No patch is currently available.
Buffer Overflow
RCE
After Effects
-
CVE-2026-21329
HIGH
CVSS 7.8
Arbitrary code execution in Adobe After Effects 25.6 and earlier via a use-after-free memory vulnerability that executes with user privileges when opening a malicious file. The vulnerability requires user interaction but has no available patch, leaving affected systems at risk from social engineering attacks delivering weaponized project files.
Use After Free
After Effects
-
CVE-2026-21328
HIGH
CVSS 7.8
Arbitrary code execution in Adobe After Effects 25.6 and earlier via out-of-bounds write vulnerability when users open malicious files. This local attack requires user interaction but grants the attacker full execution privileges within the victim's session. No patch is currently available.
Buffer Overflow
RCE
After Effects
-
CVE-2026-21327
HIGH
CVSS 7.8
Arbitrary code execution in Adobe After Effects 25.6 and earlier through out-of-bounds write vulnerability (CWE-787) when processing malicious files. An attacker can execute code with user privileges by convincing a victim to open a specially crafted file, with no patch currently available.
Buffer Overflow
RCE
After Effects
-
CVE-2026-21326
HIGH
CVSS 7.8
Arbitrary code execution in Adobe After Effects 25.6 and earlier through a use-after-free memory vulnerability requires victims to open a malicious file. An attacker can execute commands with the privileges of the affected user without requiring special permissions. No patch is currently available for this high-severity vulnerability.
Use After Free
After Effects
-
CVE-2026-21325
HIGH
CVSS 7.8
Arbitrary code execution in Adobe After Effects 25.6 and earlier results from an out-of-bounds read vulnerability triggered when parsing specially crafted files. An attacker can exploit this by tricking users into opening a malicious file, gaining execution privileges within the victim's user context. No patch is currently available for this vulnerability.
Buffer Overflow
Information Disclosure
After Effects
-
CVE-2026-21324
HIGH
CVSS 7.8
Code execution in Adobe After Effects 25.6 and earlier through out-of-bounds memory reads when processing malicious files. An attacker can exploit this vulnerability to execute arbitrary code with user privileges by tricking victims into opening a crafted file. No patch is currently available for this vulnerability.
Buffer Overflow
Information Disclosure
After Effects
-
CVE-2026-21323
HIGH
CVSS 7.8
Arbitrary code execution in Adobe After Effects versions 25.6 and earlier through a use-after-free vulnerability that requires a user to open a malicious file. An attacker can execute arbitrary code with the privileges of the affected user by crafting a specially designed file. No patch is currently available.
Use After Free
After Effects
-
CVE-2026-21322
HIGH
CVSS 7.8
Out-of-bounds memory reads in Adobe After Effects 25.6 and earlier enable arbitrary code execution when users open specially crafted files. An attacker can exploit this parsing vulnerability by delivering a malicious file that triggers a read past allocated buffer boundaries, executing code with the privileges of the affected user. No patch is currently available for this high-severity vulnerability that requires user interaction to exploit.
Buffer Overflow
Information Disclosure
After Effects
-
CVE-2026-21321
HIGH
CVSS 7.8
Arbitrary code execution in Adobe After Effects 25.6 and earlier through an integer overflow vulnerability affecting file processing. An attacker can exploit this by crafting a malicious file that, when opened by a user, executes code with the privileges of the current user. No patch is currently available for this high-severity vulnerability.
Integer Overflow
After Effects
-
CVE-2026-21320
HIGH
CVSS 7.8
Arbitrary code execution in Adobe After Effects 25.6 and earlier through a use-after-free flaw allows attackers to execute commands with user privileges when a victim opens a crafted file. The vulnerability requires user interaction but poses high risk to creative professionals and design teams. No patch is currently available.
Use After Free
After Effects
-
CVE-2026-21318
HIGH
CVSS 7.8
Arbitrary code execution in Adobe After Effects 25.6 and earlier via out-of-bounds write when processing malicious files. An attacker can achieve code execution with user privileges by tricking a victim into opening a crafted file. No patch is currently available.
Buffer Overflow
RCE
After Effects
-
CVE-2026-21312
HIGH
CVSS 7.8
Arbitrary code execution in Adobe Audition 25.3 and earlier through a local out-of-bounds write vulnerability that requires victims to open a specially crafted file. The vulnerability impacts all users running affected versions and allows attackers to execute code with the privileges of the current user. No patch is currently available.
Buffer Overflow
RCE
Audition
-
CVE-2026-21260
HIGH
CVSS 7.5
Information disclosure in Microsoft Outlook, SharePoint Server, Office, and 365 Apps enables remote attackers to conduct email spoofing attacks without authentication or user interaction. The vulnerability affects multiple Microsoft collaboration products and could allow threat actors to impersonate legitimate senders to compromise organizational security. No patch is currently available for this high-severity issue.
Microsoft
Outlook
Sharepoint Server
Office
365 Apps
-
CVE-2026-21259
HIGH
CVSS 7.8
Privilege escalation in Microsoft Office Excel (including 365 Apps and Long Term Servicing Channel) via heap-based buffer overflow allows local attackers with user interaction to gain elevated system privileges. The vulnerability affects multiple Office product lines and currently lacks a security patch. With a CVSS score of 7.8, this poses a significant risk to organizations using affected Excel versions.
Microsoft
Buffer Overflow
Heap Overflow
Office Long Term Servicing Channel
365 Apps
-
CVE-2026-21257
HIGH
CVSS 8.0
GitHub Copilot and Visual Studio 2022 contain a command injection vulnerability that allows authenticated users to execute arbitrary commands through improper sanitization of special elements. An attacker with valid credentials can leverage user interaction to escalate privileges and gain elevated access across the network. No patch is currently available for this vulnerability.
Github
Command Injection
AI / ML
Visual Studio 2022
-
CVE-2026-21256
HIGH
CVSS 8.8
Remote code execution in GitHub Copilot and Visual Studio 2022 via command injection allows unauthenticated attackers to execute arbitrary code over the network with user interaction. The vulnerability stems from improper sanitization of special elements in commands, enabling attackers to break out of intended command contexts and inject malicious payloads. No patch is currently available for this high-severity issue affecting both development environments.
Github
Command Injection
AI / ML
Visual Studio 2022
-
CVE-2026-21255
HIGH
CVSS 8.8
Windows Hyper-V fails to properly enforce access controls, enabling local authenticated users to circumvent security features and gain unauthorized system access. This high-severity flaw affects Windows 10, Windows 11, Windows Server 2022, and Hyper-V implementations, allowing privileged attackers to escalate privileges across system boundaries. No patch is currently available for this vulnerability.
Windows
Hyper V
Windows 10 1607
Windows 11 25h2
Windows Server 2022
-
CVE-2026-21253
HIGH
CVSS 7.0
Use after free in Mailslot File System allows an authorized attacker to elevate privileges locally. [CVSS 7.0 HIGH]
Use After Free
Denial Of Service
Memory Corruption
-
CVE-2026-21251
HIGH
CVSS 7.8
Privilege escalation in Windows Cluster Client Failover exploits a use-after-free memory vulnerability, enabling authenticated local users to gain elevated system privileges. The flaw affects Windows Server 2016, 2019, and 2025 installations where an attacker with existing local access can trigger the vulnerability through the failover clustering component. No patch is currently available for this high-severity vulnerability.
Windows
Use After Free
Windows Server 2019
Windows Server 2025
Windows Server 2016
-
CVE-2026-21250
HIGH
CVSS 7.8
Windows HTTP.sys contains an unsafe pointer dereference vulnerability that enables authenticated local attackers to escalate privileges on affected systems including Windows 11, Windows Server 2025, and related versions. An attacker with local user access can exploit this flaw to gain system-level privileges with high confidence in successful exploitation. No patch is currently available for this vulnerability.
Windows
Windows Server 2025
Windows 11 24h2
Windows Server 2022 23h2
Windows 11 25h2
-
CVE-2026-21248
HIGH
CVSS 7.3
Heap overflow in Windows Hyper-V enables authenticated local users to achieve arbitrary code execution with high privileges on affected Windows and Windows Server systems. An attacker with local access and user-level permissions can trigger memory corruption through user interaction to compromise system integrity and confidentiality. This vulnerability affects Windows 10 1809, Windows Server 2025, and related Hyper-V implementations with no patch currently available.
Windows
Hyper V
Buffer Overflow
Heap Overflow
Windows Server 2025
-
CVE-2026-21247
HIGH
CVSS 7.3
Improper input validation in Windows Hyper-V allows an authorized attacker to execute code locally. [CVSS 7.3 HIGH]
Windows
Hyper V
Windows 11 24h2
Windows 10 22h2
Windows Server 2022
-
CVE-2026-21246
HIGH
CVSS 7.8
Privilege escalation in Microsoft Graphics Component on Windows 11 24H2 and Windows 10 21H2 exploits a heap buffer overflow to allow authenticated local attackers to gain system-level access. The vulnerability requires local access but no user interaction, presenting a significant risk in multi-user environments. No patch is currently available.
Microsoft
Industrial
Buffer Overflow
Heap Overflow
Windows 11 24h2
-
CVE-2026-21245
HIGH
CVSS 7.8
Windows Kernel heap overflow in Windows 11 25h2 and Windows Server 2025 enables authenticated local attackers to achieve privilege escalation with high impact on confidentiality, integrity, and availability. The vulnerability requires local access and user privileges but no user interaction, making it a practical attack vector for lateral movement within systems. No patch is currently available, leaving affected systems exposed until remediation is released.
Linux
Windows
Buffer Overflow
Heap Overflow
Windows 11 25h2
-
CVE-2026-21244
HIGH
CVSS 7.3
Heap overflow in Windows Hyper-V enables authenticated local users to achieve arbitrary code execution with high privileges (CVSS 7.3). Exploitation requires user interaction and local system access, affecting Windows 10 1809 and Windows Server 2025. No patch is currently available.
Windows
Hyper V
Buffer Overflow
Heap Overflow
Windows 10 1809
-
CVE-2026-21243
HIGH
CVSS 7.5
Windows LDAP service in Server 2022 and 2022 23H2 is vulnerable to denial of service through a null pointer dereference that can be triggered remotely without authentication. An attacker can exploit this flaw over the network to crash the LDAP service and disrupt directory access functionality. No patch is currently available for this vulnerability.
Windows
Ldap
Null Pointer Dereference
Windows Server 2022
Windows Server 2022 23h2
-
CVE-2026-21242
HIGH
CVSS 7.0
Windows Subsystem for Linux contains a use-after-free vulnerability that enables local privilege escalation for authenticated users. An attacker with valid local access could exploit this memory safety flaw to gain elevated system privileges on affected Windows Server 2022 systems.
Linux
Windows
Use After Free
Windows Server 2022
Windows Server 2022 23h2
-
CVE-2026-21241
HIGH
CVSS 7.0
Windows Ancillary Function Driver for WinSock in Windows 11 23h2 and Windows Server 2022 23h2 contains a use-after-free vulnerability that allows authenticated local users to achieve privilege escalation. An attacker with local access and valid credentials can trigger the memory safety flaw to gain elevated system privileges. No patch is currently available for this HIGH severity vulnerability.
Windows
Use After Free
Windows Server 2022 23h2
Windows 11 23h2
Windows Server 2022
-
CVE-2026-21240
HIGH
CVSS 7.8
Windows HTTP.sys contains a race condition between privilege checks and resource access that enables local authenticated users to escalate privileges on Windows 10 21H2, Windows 11 23H2, and Windows Server 2025. An attacker with valid credentials can exploit this timing vulnerability to gain system-level access. No patch is currently available for this vulnerability.
Windows
Race Condition
Windows 10 21h2
Windows 11 23h2
Windows Server 2025
-
CVE-2026-21239
HIGH
CVSS 7.8
Privilege escalation via heap buffer overflow in Windows Kernel (Windows 10 21H2, Windows Server 2016) allows authenticated local users to gain elevated system privileges. The vulnerability requires local access and user-level permissions, making it exploitable by authorized account holders to bypass security boundaries. No patch is currently available for this issue.
Linux
Windows
Buffer Overflow
Heap Overflow
Windows 10 21h2
-
CVE-2026-21238
HIGH
CVSS 7.8
Privilege escalation in the Windows Ancillary Function Driver for WinSock affects Windows 11 and Windows Server 2022/2019, allowing authenticated local users to gain elevated system privileges. The vulnerability stems from improper access control mechanisms and currently lacks a patch. An authenticated attacker with local access can exploit this to achieve full system compromise.
Windows
Windows 11 23h2
Windows Server 2022 23h2
Windows 11 25h2
Windows Server 2019
-
CVE-2026-21237
HIGH
CVSS 7.0
Local privilege escalation in Windows Subsystem for Linux affects Windows 11 23h2 and Windows 10 22h2 through a race condition in shared resource synchronization. An authenticated local attacker can exploit this vulnerability to gain elevated privileges on the system. No patch is currently available for this vulnerability.
Linux
Windows
Race Condition
Windows 11 23h2
Windows 10 22h2
-
CVE-2026-21236
HIGH
CVSS 7.8
Windows Ancillary Function Driver for WinSock contains a heap buffer overflow vulnerability that enables authenticated local users to achieve privilege escalation on affected Windows 10 and Server 2012 systems. An attacker with valid user credentials can exploit this memory corruption flaw to execute arbitrary code with elevated privileges. No patch is currently available for this vulnerability.
Windows
Buffer Overflow
Heap Overflow
Windows 10 1607
Windows 10 21h2
-
CVE-2026-21235
HIGH
CVSS 7.3
Privilege escalation in Microsoft Graphics Component via use-after-free memory corruption affects Windows Server 2019 and 2012, allowing authenticated local attackers to gain elevated system privileges with user interaction. The vulnerability poses a significant risk in industrial environments where Windows Server hosts critical infrastructure. No patch is currently available for this high-severity issue.
Microsoft
Industrial
Use After Free
Windows Server 2019
Windows Server 2012
-
CVE-2026-21234
HIGH
CVSS 7.0
Local privilege escalation in Windows Connected Devices Platform Service exploits a race condition in resource synchronization, allowing authenticated attackers to gain elevated privileges on affected Windows systems including Server 2022, Windows 11 25h2, and Windows 10 21h2. The vulnerability requires local access but no user interaction, making it a practical attack vector for users with standard privileges. No patch is currently available.
Windows
Race Condition
Windows Server 2022
Windows 11 25h2
Windows 10 21h2
-
CVE-2026-21232
HIGH
CVSS 7.8
Windows HTTP.sys contains an untrusted pointer dereference vulnerability that enables authenticated local users to escalate privileges on Windows 11 and Windows Server 2022/2025 systems. An attacker with valid credentials can exploit this flaw to gain elevated access without user interaction. No patch is currently available for this HIGH severity issue affecting multiple Windows versions.
Windows
Windows 11 25h2
Windows Server 2022 23h2
Windows 11 24h2
Windows Server 2025
-
CVE-2026-21231
HIGH
CVSS 7.8
Windows Kernel privilege escalation vulnerability in Windows 10 21H2 and Windows Server 2012 stems from improper synchronization of concurrent access to shared resources, enabling local authenticated users to gain elevated system privileges. The race condition can be triggered without user interaction and impacts confidentiality, integrity, and availability of the affected system. No patch is currently available.
Linux
Windows
Race Condition
Windows 10 21h2
Windows Server 2012
-
CVE-2026-21229
HIGH
CVSS 8.0
Improper input validation in Power BI allows an authorized attacker to execute code over a network. [CVSS 8.0 HIGH]
Code Injection
Power Bi Report Server
-
CVE-2026-21228
HIGH
CVSS 8.1
Remote code execution in Azure Local stems from improper certificate validation, enabling unauthenticated attackers to execute arbitrary code over the network without user interaction. This HIGH severity vulnerability (CVSS 8.1) affects Azure and Azure Local deployments, with no patch currently available. Organizations using these products face immediate risk of compromise through network-based attacks exploiting this validation bypass.
Azure
Azure Local
-
CVE-2026-21218
HIGH
CVSS 7.5
.NET applications are vulnerable to spoofing attacks due to improper validation of a required security element, allowing unauthenticated remote attackers to forge or manipulate application data over the network. This vulnerability affects multiple .NET versions and currently has no available patch, exposing organizations to authentication bypass and data integrity risks. The attack requires no user interaction and can be exploited directly from the network.
Dotnet
.Net
-
CVE-2026-20846
HIGH
CVSS 7.5
Buffer over-read in Windows GDI+ allows an unauthorized attacker to deny service over a network. [CVSS 7.5 HIGH]
Windows
Buffer Overflow
Windows 11 23h2
Windows 11 24h2
Windows Server 2012
-
CVE-2026-20841
HIGH
CVSS 7.8
Local code execution in Windows Notepad stems from inadequate sanitization of command metacharacters, enabling authenticated users to execute arbitrary commands through specially crafted input. The vulnerability requires user interaction and local access, making it exploitable by attackers with limited system privileges. No patch is currently available.
Windows
Command Injection
Windows Notepad
Microsoft
-
CVE-2026-2268
HIGH
CVSS 7.5
Unauthenticated attackers can extract arbitrary post metadata from WordPress sites running Ninja Forms plugin versions up to 3.14.0 through improper merge tag filtering in repeater fields, potentially exposing sensitive data like API keys, billing information, and customer details. The vulnerability is exploitable remotely without authentication via the nf_ajax_submit AJAX action and currently lacks a patch.
WordPress
Information Disclosure
-
CVE-2026-2260
HIGH
CVSS 7.2
Remote code execution in D-Link DCS-931L camera firmware through OS command injection in the /goform/setSysAdmin endpoint allows authenticated attackers to execute arbitrary commands on affected devices. Public exploit code exists for this vulnerability, and no patch is available since the product is no longer supported by the vendor.
D-Link
Command Injection
Dcs 931l Firmware
-
CVE-2026-2097
HIGH
CVSS 8.8
Agentflow versions up to - are affected by unrestricted upload of a file with a dangerous type (CVSS 8.8).
File Upload
RCE
AI / ML
Agentflow
-
CVE-2026-2094
HIGH
CVSS 8.8
Docpedia by Flowring contains a SQL injection vulnerability (CWE-89) that allows authenticated users to execute arbitrary database queries with network access. Attackers can exploit this flaw to read, modify, or delete sensitive database contents, with no patch currently available. The vulnerability has a high CVSS score of 8.8 and affects the confidentiality, integrity, and availability of the underlying database.
SQLi
-
CVE-2026-2093
HIGH
CVSS 7.5
Unauthenticated attackers can exploit SQL injection in Flowring's Docpedia to execute arbitrary database queries and extract sensitive information. The vulnerability requires no user interaction and is remotely accessible over the network, presenting a critical risk to all deployments. No patch is currently available to remediate this issue.
SQLi
-
CVE-2026-1866
HIGH
CVSS 7.2
The Name Directory WordPress plugin through version 1.32.0 contains a stored cross-site scripting vulnerability in its sanitization logic that allows unauthenticated attackers to inject malicious scripts through the public submission form. Attackers can exploit this by submitting content with double-encoded HTML entities that bypass security filters, and the injected scripts will execute when administrators or users view the affected pages if the submission is approved or auto-publish is enabled. This affects all installations of the vulnerable plugin versions with no patch currently available.
WordPress
XSS
-
CVE-2026-1848
HIGH
CVSS 7.5
MongoDB proxy port connections bypass connection accounting mechanisms, allowing unauthenticated remote attackers to exhaust server resources and trigger denial of service. Servers relying on connection limits for resource management are vulnerable to crashes when connection counts are artificially inflated through the proxy protocol. No patch is currently available for this high-severity issue affecting MongoDB deployments.
Denial Of Service
MongoDB
-
CVE-2026-1507
HIGH
CVSS 7.5
Unauthenticated attackers can crash core PI services through an unhandled exception vulnerability accessible over the network, causing denial of service with no user interaction required. This high-severity flaw (CVSS 7.5) impacts availability of affected PI deployments with no patch currently available.
Denial Of Service
-
CVE-2026-0845
HIGH
CVSS 7.2
Unauthorized option modification in WCFM - Frontend Manager for WooCommerce up to version 6.7.24 allows authenticated Shop Manager-level users to bypass capability checks and alter arbitrary WordPress settings. An attacker with these privileges can exploit this to change the default registration role to administrator and enable user registration, gaining full admin access to the site. No patch is currently available for this vulnerability.
WordPress
Privilege Escalation
-
CVE-2026-0652
HIGH
CVSS 8.8
Authenticated attackers can execute arbitrary commands on TP-Link Tapo C260 v1 cameras through command injection in POST parameters during configuration synchronization, potentially achieving complete device compromise. The vulnerability stems from insufficient input validation and affects confidentiality, integrity, and availability with no patch currently available.
TP-Link
Command Injection
Tapo C260 Firmware
-
CVE-2026-0508
HIGH
CVSS 7.3
BusinessObjects Business Intelligence Platform versions up to 430 are affected by URL redirection to an untrusted site (open redirect) (CVSS 7.3).
Sap
Businessobjects Business Intelligence Platform
-
CVE-2026-0490
HIGH
CVSS 7.5
BusinessObjects Business Intelligence Platform versions up to 430 are affected by missing authorization (CVSS 7.5).
Sap
Businessobjects Business Intelligence Platform
-
CVE-2026-0485
HIGH
CVSS 7.5
BusinessObjects Business Intelligence Platform versions up to 430 contain a security vulnerability (CVSS 7.5).
Sap
Denial Of Service
Businessobjects Business Intelligence Platform
-
CVE-2025-62676
HIGH
CVSS 7.1
FortiClient versions up to 7.4.4 are affected by improper link resolution before file access (CVSS 7.1).
Fortinet
Windows
Forticlient
-
CVE-2025-52436
HIGH
CVSS 8.8
An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions may allow an unauthenticated attacker to execute commands via crafted requests. [CVSS 8.8 HIGH]
Fortinet
XSS
Fortisandbox
-
CVE-2025-40587
HIGH
CVSS 7.6
A vulnerability has been identified in Polarion V2404 (All versions < V2404.5), Polarion V2410 (All versions < V2410.2). The affected application allows arbitrary JavaScript code to be included in document titles. [CVSS 7.6 HIGH]
XSS
-
CVE-2025-35998
HIGH
CVSS 7.9
Missing protection mechanism for alternate hardware interface in the Intel(R) Quick Assist Technology for some Intel(R) Platforms within Ring 0: Kernel may allow an escalation of privilege. [CVSS 7.9 HIGH]
Linux
Privilege Escalation
Redhat
-
CVE-2025-32008
HIGH
CVSS 8.6
Out-of-bounds write in the firmware for the Intel(R) AMT and Intel(R) Standard Manageability within Ring 3: User Applications may allow a denial of service. Network adversary with an unauthenticated user combined with a low complexity attack may enable denial of service. [CVSS 8.6 HIGH]
Denial Of Service
-
CVE-2025-30513
HIGH
CVSS 7.9
Race condition for some TDX Module within Ring 0: Hypervisor may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable escalation of privilege. [CVSS 7.9 HIGH]
Privilege Escalation
Race Condition
-
CVE-2025-25210
HIGH
CVSS 8.2
Improper input validation for some Server Firmware Update Utility(SysFwUpdt) before version 16.0.12 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable escalation of privilege. [CVSS 8.2 HIGH]
Privilege Escalation
-
CVE-2025-22453
HIGH
CVSS 7.5
Improper input validation for some Server Firmware Update Utility(SysFwUpdt) before version 16.0.12 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable local code execution. [CVSS 7.5 HIGH]
Privilege Escalation
-
CVE-2025-15569
HIGH
CVSS 7.0
Artifex MuPDF versions up to 1.26.1 are affected by an untrusted search path (CVSS 7.0).
Windows
-
CVE-2025-15310
HIGH
CVSS 7.8
Endpoint Configuration Toolset Solution is affected by improper link resolution before file access (CVSS 7.8).
Privilege Escalation
Endpoint Configuration Toolset Solution
Patch Endpoint Tools
-
CVE-2025-11547
HIGH
CVSS 7.8
AXIS Camera Station Pro contained a flaw that allowed a non-admin user to perform a privilege escalation attack on the server. [CVSS 7.8 HIGH]
Privilege Escalation
Camera Station Pro
-
CVE-2025-11142
HIGH
CVSS 7.1
The VAPIX API mediaclip.cgi did not have sufficient input validation, allowing for possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. [CVSS 7.1 HIGH]
RCE
Axis Os
-
CVE-2025-7636
HIGH
CVSS 8.8
Ergosis Security Systems Computer Industry and Trade Inc. ZEUS PDKS is affected by SQL injection (CVSS 8.8).
SQLi
-
CVE-2025-7347
HIGH
CVSS 8.8
Dinibh Puzzle Software Solutions Dinibh Patrol Tracking System is affected by authorization bypass through user-controlled key (CVSS 8.8).
Authentication Bypass
-
CVE-2025-6967
HIGH
CVSS 8.7
Sarman Soft Software and Technology Services Industry and Trade Ltd. Co. CMS contains a security vulnerability (CVSS 8.7).
Authentication Bypass
-
CVE-2026-26007
MEDIUM
CVSS 6.5
Python's cryptography library prior to version 46.0.5 fails to validate that elliptic curve public key points belong to the expected prime-order subgroup, allowing attackers to supply crafted keys from small-order subgroups. This validation gap enables attackers to extract sensitive information about a victim's private key during ECDH key exchange or compromise ECDSA signature verification. Developers using affected key loading or generation functions should update to the patched version immediately.
Python
Cryptography
Redhat
Suse
-
CVE-2026-26006
MEDIUM
CVSS 6.5
AutoGPT platform versions before 0.6.32 contain a regular expression denial of service vulnerability in the Code Extraction Block due to overlapping quantifiers that cause catastrophic backtracking when processing whitespace-heavy inputs. Authenticated attackers can exploit this by submitting malicious input with long sequences of spaces to trigger excessive regex processing, causing the service to become unavailable. Public exploit code exists for this vulnerability, and a patch is available in version 0.6.32 and later.
Denial Of Service
AI / ML
Autogpt Platform
-
CVE-2026-26003
MEDIUM
CVSS 5.4
Unauthenticated access to the FastGPT plugin API endpoint (FastGPT/api/plugin/xxx) in versions 4.14.0 through 4.14.5 allows remote attackers to disrupt plugin functionality and cause loss of plugin installation state without authentication. The vulnerability affects the AI/ML platform's plugin system availability and integrity, though sensitive data such as cryptographic keys are not exposed. A patch is available in version 4.14.5-fix.
Denial Of Service
AI / ML
Fastgpt
-
CVE-2026-25956
MEDIUM
CVSS 6.1
Malicious signup URLs in Frappe versions prior to 14.99.14 and 15.94.0 can redirect users to attacker-controlled sites or execute reflected XSS payloads during the registration process. An attacker can craft a signup link to trick users into visiting malicious destinations or having malicious scripts executed in their browsers. A patch is available in the fixed versions.
Open Redirect
Frappe
-
CVE-2026-25872
MEDIUM
CVSS 5.3
Unauthenticated path traversal in JUNG Smart Panel KNX firmware L1.12.22 and earlier allows remote attackers to read arbitrary files from the device's filesystem through the web interface. An attacker can leverage insufficient input validation to access sensitive system configuration and other confidential data without requiring authentication. No patch is currently available for this vulnerability.
Path Traversal
-
CVE-2026-25870
MEDIUM
CVSS 5.8
DoraCMS 3.1 and earlier allows unauthenticated attackers to perform server-side request forgery through the UEditor remote image fetch feature, which fails to validate or restrict destination URLs. An attacker can exploit this to force the server to make arbitrary HTTP/HTTPS requests to internal network resources, enabling internal reconnaissance and potential denial of service attacks.
SSRF
Denial Of Service
-
CVE-2026-25805
MEDIUM
CVSS 6.4
Zed Editor versions prior to 0.219.4 fail to display tool invocation parameters during permission prompts or after execution, allowing attackers with high privileges to execute tools with malicious or unintended parameters without user awareness. Public exploit code exists for this vulnerability. The issue is resolved in version 0.219.4, which adds expandable tool call details for transparency.
Information Disclosure
Zed
-
CVE-2026-25613
MEDIUM
CVSS 6.5
MongoDB server denial of service can be triggered by authenticated users querying collections with malformed compound wildcard indexes. An attacker with valid credentials can crash the MongoDB instance, disrupting availability for all users. No patch is currently available.
MongoDB
-
CVE-2026-25612
MEDIUM
CVSS 6.5
MongoDB server's resource locking mechanism can cause unintended collisions between collections due to improper internal encoding, leading to denial of service. Authenticated users can trigger this condition to disrupt database operations across affected collections without requiring user interaction. No patch is currently available to remediate this vulnerability.
MongoDB
-
CVE-2026-25610
MEDIUM
CVSS 6.5
MongoDB server crashes when an authenticated user executes a $geoNear aggregation pipeline with malformed index hints, enabling denial of service attacks by any user with database access. This medium-severity vulnerability requires valid credentials and does not affect confidentiality or integrity, only availability. No patch is currently available.
Denial Of Service
MongoDB
-
CVE-2026-25609
MEDIUM
CVSS 5.4
MongoDB's profile command fails to properly validate requests that modify the 'filter' parameter, incorrectly classifying write operations as read-only and bypassing authorization controls. An authenticated attacker could exploit this to modify database filters without proper access restrictions, potentially altering query behavior and data visibility. No patch is currently available.
Authentication Bypass
MongoDB
-
CVE-2026-25530
MEDIUM
CVSS 4.3
Kanboard versions up to 1.2.50 are affected by authorization bypass through user-controlled key (CVSS 4.3).
Authentication Bypass
Kanboard
-
CVE-2026-24885
MEDIUM
CVSS 5.7
Kanboard versions prior to 1.2.50 contain a CSRF vulnerability in the ProjectPermissionController that accepts text/plain content instead of enforcing application/json, enabling attackers to modify project user roles through malicious forms. An authenticated admin visiting a malicious website could be tricked into unknowingly changing role assignments, potentially granting unauthorized access to projects. Public exploit code exists for this vulnerability, though a patch is available in version 1.2.50 and later.
CSRF
Kanboard
-
CVE-2026-24328
MEDIUM
CVSS 6.1
Business Server Pages versions up to 740 are affected by URL redirection to an untrusted site (open redirect) (CVSS 6.1).
Sap
Business Server Pages
-
CVE-2026-24327
MEDIUM
CVSS 4.3
Insufficient authorization validation in SAP Strategic Enterprise Management's Balanced Scorecard component allows authenticated users to view restricted information they should not have access to. This authenticated-only vulnerability has low confidentiality impact and requires no user interaction, affecting organizations running affected SAP SEM instances. Currently no patch is available to remediate this authorization bypass.
Sap
Strategic Enterprise Management
-
CVE-2026-24326
MEDIUM
CVSS 4.3
Unauthorized database modifications in SAP S/4HANA Defense & Security occur due to missing authorization checks in Disconnected Operations, allowing authenticated users to invoke remote-enabled function modules and directly alter standard SAP database tables. The vulnerability has limited impact, affecting only data integrity without compromising confidentiality or system availability. No patch is currently available.
Sap
-
CVE-2026-24325
MEDIUM
CVSS 4.8
Stored XSS in SAP BusinessObjects Enterprise results from insufficient input encoding, allowing high-privileged administrators to inject malicious JavaScript that executes in other users' browsers. This vulnerability affects confidentiality and integrity with medium severity, though no patch is currently available. Exploitation requires administrative access and user interaction to trigger the malicious payload.
Sap
XSS
Businessobjects Enterprise
-
CVE-2026-24324
MEDIUM
CVSS 6.5
BusinessObjects Business Intelligence Platform versions up to 430 contain a security vulnerability (CVSS 6.5).
Sap
Denial Of Service
Businessobjects Business Intelligence Platform
-
CVE-2026-24323
MEDIUM
CVSS 6.1
Document Management System versions up to 600 are affected by URL redirection to an untrusted site (open redirect) (CVSS 6.1).
Open Redirect
S4core
Document Management System
Erp
-
CVE-2026-24321
MEDIUM
CVSS 5.3
SAP Commerce Cloud contains unauthenticated API endpoints that expose sensitive information not intended for public access, enabling remote attackers to retrieve confidential data without authentication. The vulnerability has limited impact on confidentiality with no effect on system integrity or availability. No patch is currently available for affected Commerce Cloud deployments.
Sap
Commerce Cloud
-
CVE-2026-24319
MEDIUM
CVSS 5.8
SAP Business One stores sensitive data unencrypted in memory dump files, allowing high-privileged local users with user interaction to extract credentials and other confidential information. An attacker with access to these dumps could leverage the exposed data to perform unauthorized operations and modify company data within the B1 environment. No patch is currently available for this medium-severity vulnerability.
Sap
Business One
-
CVE-2026-24312
MEDIUM
CVSS 5.2
SAP Business Workflow contains an authorization bypass that allows authenticated administrators to escalate privileges by misusing permissions from lower-sensitivity functions to perform unauthorized high-privilege operations. An attacker with admin credentials can exploit this flaw to compromise data integrity, though confidentiality and availability impacts are limited. No patch is currently available for this vulnerability.
Sap
Privilege Escalation
Sap Basis
-
CVE-2026-23688
MEDIUM
CVSS 4.3
Insufficient authorization checks in SAP Fiori App Manage Service Entry Sheets allow authenticated users to escalate privileges and modify data they should not have access to. The vulnerability affects SAP S/4HANA Core installations and requires user authentication to exploit, limiting the immediate risk but potentially enabling insider threats or account compromise scenarios.
Sap
Privilege Escalation
S4core
-
CVE-2026-23685
MEDIUM
CVSS 4.4
Denial of service in SAP NetWeaver's JMS service stems from unsafe deserialization of malicious objects, allowing authenticated administrators with local access to crash the application. The vulnerability requires high privileges and local access but carries no risk to confidentiality or integrity. No patch is currently available.
Sap
Denial Of Service
Deserialization
Netweaver
-
CVE-2026-23684
MEDIUM
CVSS 5.9
Commerce Cloud versions up to 2205 contain a vulnerability that allows attackers to cause a cart entry to be created with an erroneous product value which could be checked o (CVSS 5.9).
Sap
Race Condition
Commerce Cloud
-
CVE-2026-23681
MEDIUM
CVSS 4.3
Authenticated users of SAP Solution Tools Plug-In can bypass authorization checks to invoke function modules and extract sensitive system configuration details without proper access controls. This information disclosure could enable attackers to gather intelligence for planning targeted follow-up attacks, though the vulnerability carries low confidentiality impact with no effect on system integrity or availability. Currently no patch is available.
Sap
Solution Tools Plug In
-
CVE-2026-23655
MEDIUM
CVSS 6.5
Confidential Sidecar Containers is affected by cleartext storage of sensitive information (CVSS 6.5).
Azure
Confidential Sidecar Containers
-
CVE-2026-21529
MEDIUM
CVSS 5.7
Azure HDInsight contains a cross-site scripting (XSS) vulnerability in web page generation that allows authenticated attackers to conduct spoofing attacks over the network. An attacker with valid credentials and user interaction can exploit this weakness to manipulate web content and deceive users. No patch is currently available for this issue.
Azure
XSS
Azure Hdinsight
-
CVE-2026-21528
MEDIUM
CVSS 6.5
Azure IoT Explorer binds to unrestricted IP addresses, enabling unauthenticated remote attackers to intercept and disclose sensitive information over the network. This vulnerability affects Azure IoT deployments where the Explorer tool is exposed without proper network segmentation. No patch is currently available, making network isolation the primary mitigation strategy.
Azure
IoT
Azure Iot Explorer
-
CVE-2026-21527
MEDIUM
CVSS 6.5
Microsoft Exchange Server is vulnerable to UI spoofing attacks that allow unauthenticated remote attackers to misrepresent critical information and deceive users. The vulnerability has a CVSS score of 6.5 and currently lacks an available patch, leaving affected systems exposed to social engineering and impersonation attacks. Organizations running Exchange Server should implement network-level protections and monitor for suspicious activity until a fix is released.
Microsoft
Exchange
Exchange Server
-
CVE-2026-21525
MEDIUM
CVSS 6.2
Windows Remote Access Connection Manager contains a null pointer dereference flaw affecting Windows 10 (versions 1809 and 21h2) and Windows 11 (version 23h2) that has been confirmed as actively exploited. A local attacker can trigger a denial of service condition without requiring authentication or user interaction. No patch is currently available for this vulnerability.
Null Pointer Dereference
Denial Of Service
Microsoft
-
CVE-2026-21522
MEDIUM
CVSS 6.7
Azure Compute Gallery contains a command injection vulnerability that enables authorized users to execute arbitrary commands with elevated privileges on local systems. The flaw requires high-level privileges to exploit and affects confidentiality, integrity, and availability of the target system. No patch is currently available.
Azure
Command Injection
Confcom
-
CVE-2026-21517
MEDIUM
CVSS 4.7
Windows App for Mac is susceptible to privilege escalation through improper symbolic link resolution, enabling authenticated local attackers to bypass access controls and gain elevated privileges. The vulnerability stems from insufficient validation during file operations and requires low-level user privileges and specific system conditions to exploit. No patch is currently available.
Windows
Windows App
Microsoft
-
CVE-2026-21512
MEDIUM
CVSS 6.5
Authenticated users of Azure and Azure DevOps Server can exploit a server-side request forgery vulnerability to perform network-based spoofing attacks. This MEDIUM severity issue (CVSS 6.5) requires valid credentials but allows attackers to manipulate the server into making unauthorized requests, potentially compromising confidentiality. No patch is currently available.
Azure
SSRF
Azure Devops Server
-
CVE-2026-21358
MEDIUM
CVSS 5.5
InDesign versions 21.1, 20.5.1 and earlier contain a heap buffer overflow that enables local denial-of-service attacks when users open malicious files. An attacker can crash the application to disrupt workflow, though no patch is currently available. User interaction is required for exploitation.
Adobe
Buffer Overflow
Heap Overflow
Denial Of Service
Indesign
-
CVE-2026-21355
MEDIUM
CVSS 5.5
Out-of-bounds memory read in DNG SDK 1.7.1 (2410) and earlier enables attackers to extract sensitive information from process memory when a user opens a specially crafted file. The vulnerability requires local user interaction but poses a direct confidentiality risk to applications processing untrusted DNG image files. No patch is currently available for affected versions.
Buffer Overflow
Information Disclosure
Dng Software Development Kit
-
CVE-2026-21354
MEDIUM
CVSS 5.5
DNG SDK 1.7.1 (build 2410) and earlier contain an integer overflow vulnerability that causes application denial-of-service when processing malicious files. Local attackers can exploit this flaw by tricking users into opening a specially crafted file, resulting in application crashes or hangs. No patch is currently available.
Integer Overflow
Denial Of Service
Dng Software Development Kit
-
CVE-2026-21350
MEDIUM
CVSS 5.5
Adobe After Effects 25.6 and earlier suffers from a null pointer dereference that allows attackers to trigger application crashes by convincing users to open a specially crafted file. This local denial-of-service vulnerability requires user interaction but requires no special privileges, potentially disrupting creative workflows. No patch is currently available.
Null Pointer Dereference
Denial Of Service
After Effects
-
CVE-2026-21348
MEDIUM
CVSS 5.5
Memory disclosure in Substance 3D Modeler 1.22.5 and earlier through an out-of-bounds read allows attackers to expose sensitive information when victims open specially crafted files. The vulnerability requires user interaction but no special privileges, making it accessible to local attackers with access to craft malicious documents. Currently no patch is available, and exploitation could reveal confidential data stored in process memory.
Buffer Overflow
Information Disclosure
Substance 3d Modeler
-
CVE-2026-21340
MEDIUM
CVSS 5.5
Out-of-bounds memory read in Substance 3D Designer 15.1.0 and earlier allows attackers to extract sensitive data from process memory when a victim opens a specially crafted file. The vulnerability requires user interaction but can bypass existing protections to leak confidential information. No patch is currently available for this local attack vector.
Buffer Overflow
Information Disclosure
Substance 3d Designer
-
CVE-2026-21339
MEDIUM
CVSS 5.5
Out-of-bounds memory reads in Substance 3D Designer 15.1.0 and earlier allow attackers to extract sensitive data from process memory when a victim opens a specially crafted file. This local vulnerability requires user interaction and affects systems running the vulnerable Designer versions. No patch is currently available for this issue.
Buffer Overflow
Information Disclosure
Substance 3d Designer
-
CVE-2026-21338
MEDIUM
CVSS 5.5
Substance 3D Designer 15.1.0 and earlier contains a null pointer dereference vulnerability that allows local attackers to crash the application by tricking users into opening malicious files. This denial-of-service attack requires user interaction but causes service disruption with no mitigation patch currently available.
Null Pointer Dereference
Denial Of Service
Substance 3d Designer
-
CVE-2026-21337
MEDIUM
CVSS 5.5
Memory disclosure in Substance 3D Designer 15.1.0 and earlier stems from an out-of-bounds read flaw that exposes sensitive data from application memory. An attacker can exploit this vulnerability by crafting a malicious file and tricking a user into opening it, requiring no special privileges. Currently, no patch is available for affected users.
Buffer Overflow
Information Disclosure
Substance 3d Designer
-
CVE-2026-21336
MEDIUM
CVSS 5.5
Denial-of-service in Adobe Substance 3D Designer version 15.1.0 and earlier stems from a null pointer dereference vulnerability that crashes the application when a user opens a malicious file. The attack requires no special privileges and relies solely on user interaction to trigger the crash. No patch is currently available for this vulnerability.
Null Pointer Dereference
Denial Of Service
Substance 3d Designer
-
CVE-2026-21332
MEDIUM
CVSS 5.5
Out-of-bounds memory read in Adobe InDesign versions 21.1, 20.5.1 and earlier enables disclosure of sensitive information residing in application memory. Exploitation requires a victim to open a specially crafted malicious file, making this a user-interaction dependent attack vector. No patch is currently available for affected users.
Adobe
Indesign
-
CVE-2026-21319
MEDIUM
CVSS 5.5
Out-of-bounds memory read in Adobe After Effects 25.6 and earlier allows attackers to disclose sensitive information from process memory by tricking users into opening specially crafted files. This local vulnerability requires user interaction but carries no patch availability, leaving affected systems exposed until an update is released.
Buffer Overflow
Information Disclosure
After Effects
-
CVE-2026-21317
MEDIUM
CVSS 5.5
Adobe Audition versions 25.3 and earlier contain an out-of-bounds read vulnerability that exposes sensitive data from application memory when a user opens a crafted file. This local attack requires user interaction but carries no patch availability, leaving affected users vulnerable to information disclosure. The vulnerability affects confidentiality with medium severity (CVSS 5.5) and currently has no evidence of active exploitation.
Buffer Overflow
Information Disclosure
Audition
-
CVE-2026-21316
MEDIUM
CVSS 5.5
Adobe Audition 25.3 and earlier contains a buffer over-read vulnerability that allows local attackers to crash the application by tricking users into opening specially crafted files. Exploitation requires user interaction but requires no elevated privileges, making it accessible to any local attacker who can deliver a malicious file. While no patch is currently available, the impact is limited to denial-of-service conditions.
Denial Of Service
Audition
-
CVE-2026-21315
MEDIUM
CVSS 5.5
Memory disclosure in Adobe Audition 25.3 and earlier through an out-of-bounds read vulnerability allows attackers to access sensitive information from process memory when a user opens a specially crafted file. Exploitation requires user interaction and does not enable code execution or system availability impact. No patch is currently available for this vulnerability.
Buffer Overflow
Information Disclosure
Audition
-
CVE-2026-21314
MEDIUM
CVSS 5.5
Memory disclosure in Adobe Audition 25.3 and earlier stems from an out-of-bounds read flaw that could expose sensitive data from process memory. An attacker must trick a user into opening a specially crafted file to trigger the vulnerability, which requires no elevated privileges but offers no path to code execution or system availability impact.
Buffer Overflow
Information Disclosure
Audition
-
CVE-2026-21313
MEDIUM
CVSS 5.5
Out-of-bounds memory read in Adobe Audition 25.3 and earlier enables attackers to extract sensitive data from process memory when a user opens a specially crafted file. No patch is currently available for this vulnerability, which requires user interaction to trigger but poses a confirmed risk to confidentiality. Local attackers can exploit this to disclose information without requiring elevated privileges or additional user actions beyond opening the malicious file.
Buffer Overflow
Information Disclosure
Audition
-
CVE-2026-21261
MEDIUM
CVSS 5.5
Information disclosure in Microsoft Office Excel and related products results from an out-of-bounds read vulnerability that requires local access and user interaction to exploit. An attacker can leverage this flaw to read sensitive data from memory on an affected system. No patch is currently available for this vulnerability affecting Office Long Term Servicing Channel, 365 Apps, and Office Online Server.
Microsoft
Office Long Term Servicing Channel
365 Apps
Office Online Server
Office
-
CVE-2026-21258
MEDIUM
CVSS 5.5
Information disclosure in Microsoft Excel allows local attackers with user interaction to read sensitive data through improper input validation in Office 365 Apps and Long Term Servicing Channel. An attacker must socially engineer a user into opening a specially crafted file to trigger the vulnerability. No patch is currently available for this medium-severity issue.
Microsoft
Office
365 Apps
Office Long Term Servicing Channel
Excel
-
CVE-2026-21222
MEDIUM
CVSS 5.5
Windows Kernel inadvertently logs sensitive information accessible to authenticated local users, enabling information disclosure attacks. This medium-severity vulnerability affects Windows 10 22H2, Windows 11 23H2, and 24H2, as well as Linux systems, allowing authorized attackers with local access to retrieve confidential data. No patch is currently available for this issue.
Linux
Windows
Windows 10 22h2
Windows 11 24h2
Windows 11 23h2
-
CVE-2026-2303
MEDIUM
CVSS 6.5
The mongo-go-driver's GSSAPI authentication wrapper on Linux and macOS contains a heap buffer over-read vulnerability stemming from improper handling of non-null-terminated GSSAPI buffers, allowing authenticated attackers to read sensitive memory content. This vulnerability affects applications using Go-based MongoDB drivers with Kerberos authentication enabled and could lead to information disclosure of heap memory. No patch is currently available.
Linux
macOS
Golang
-
CVE-2026-2302
MEDIUM
CVSS 6.5
Mongoid's Criteria.from_hash method in Ruby can execute arbitrary code when processing specially crafted Hash objects, allowing authenticated attackers to achieve remote code execution on systems using vulnerable versions. The vulnerability requires valid credentials and network access but no user interaction, making it exploitable in environments where untrusted users have application access. No patch is currently available.
Ruby
-
CVE-2026-2099
MEDIUM
CVSS 5.4
Authenticated attackers can inject malicious JavaScript into Flowring's AgentFlow platform that persists and executes in other users' browsers when they load affected pages, potentially compromising user sessions and data. This stored cross-site scripting vulnerability affects the AI/ML and Agentflow products and requires user interaction to trigger, though no patch is currently available.
XSS
AI / ML
Agentflow
-
CVE-2026-2098
MEDIUM
CVSS 6.1
Reflected XSS in AgentFlow enables unauthenticated attackers to inject malicious JavaScript that executes in victims' browsers during phishing campaigns, potentially compromising user sessions and data. The vulnerability affects the AI/ML platform with no patch currently available, requiring users to rely on defensive measures such as email filtering and user awareness training.
XSS
AI / ML
Agentflow
-
CVE-2026-1997
MEDIUM
CVSS 5.3
HP OfficeJet Pro printers (D9l18a, D9l20a, D9l21a, D9l63a firmware) are vulnerable to information disclosure through CORS misconfiguration when administrators enable the feature on the Embedded Web Server. An unauthenticated remote attacker can exploit this to access sensitive device resources from untrusted web origins. CORS remains disabled by default as a mitigation, but organizations that have explicitly enabled it should apply patches when available.
CSRF
Hp
J3p68a Firmware
J6x78a Firmware
T0g56a Firmware
-
CVE-2026-1996
MEDIUM
CVSS 5.3
HP OfficeJet Pro printers running affected firmware versions are susceptible to denial of service attacks through malformed Internet Printing Protocol (IPP) requests that prevent proper TCP connection establishment. An unauthenticated remote attacker can trigger this condition to disrupt printer availability, though no patch is currently available to mitigate the vulnerability.
Denial Of Service
M9l70a Firmware
J6x77a Firmware
T0g47a Firmware
J6x76a Firmware
-
CVE-2026-1922
MEDIUM
CVSS 6.4
Stored cross-site scripting in The Events Calendar Shortcode & Block plugin for WordPress up to version 3.1.2 allows authenticated users with contributor-level access to inject malicious scripts through the `ecs-list-events` shortcode's `message` attribute due to inadequate input sanitization. When injected pages are accessed by other users, the malicious scripts execute in their browsers, potentially compromising session data or performing unauthorized actions. A patch is not currently available.
WordPress
XSS
-
CVE-2026-1850
MEDIUM
CVSS 6.5
MongoDB's Query Planner can be exhausted of available memory when processing specially crafted complex queries, leading to service denial through out-of-memory crashes. Authenticated users can trigger this condition without user interaction, affecting availability of MongoDB instances. No patch is currently available to address this vulnerability.
MongoDB
Denial Of Service
-
CVE-2026-1849
MEDIUM
CVSS 6.5
MongoDB Server can be crashed via denial of service by authenticated users who craft expressions that generate deeply nested documents, exploiting missing recursion depth validation that causes out-of-memory failures. This vulnerability affects deployments where database access is granted to untrusted users and requires valid credentials to exploit. No patch is currently available.
MongoDB
-
CVE-2026-1847
MEDIUM
CVSS 6.5
MongoDB replica set replication can be disrupted when oversized documents are inserted, preventing secondaries from synchronizing oplog entries with the primary and potentially causing server crashes. Authenticated users with write access can trigger this denial of service condition to destabilize replica set availability. No patch is currently available for this vulnerability.
Denial Of Service
MongoDB
-
CVE-2026-1763
MEDIUM
CVSS 4.6
GE Vernova Enervista UR Setup version 8.6 and earlier on Windows contains a vulnerability allowing high-privileged local attackers to modify system integrity without user interaction. An attacker with administrative privileges could exploit this flaw to alter critical configuration or data, though no patch is currently available.
Windows
-
CVE-2026-1722
MEDIUM
CVSS 5.3
Unauthenticated attackers can exploit an authorization bypass in the WCFM Marketplace plugin for WordPress (versions up to 3.7.0) to create arbitrary refund requests via the wcfm-refund-requests-form AJAX endpoint. This IDOR vulnerability allows unauthorized refund submissions for any order, potentially resulting in financial losses if automatic refund processing is enabled. No patch is currently available.
WordPress
-
CVE-2026-1602
MEDIUM
CVSS 6.5
Authenticated attackers can exploit SQL injection in Ivanti Endpoint Manager prior to version 2024 SU5 to extract sensitive data from the underlying database. This network-accessible vulnerability requires valid credentials but allows unauthorized information disclosure with no user interaction needed. No patch is currently available for affected systems.
Ivanti
SQLi
Endpoint Manager
-
CVE-2026-1495
MEDIUM
CVSS 6.5
Unprivileged users with Event Log Reader privileges can extract proxy server credentials and URLs from PI to CONNECT event logs, potentially enabling unauthorized proxy access. This local information disclosure affects systems where such log access is granted to low-privileged accounts. No patch is currently available.
Authentication Bypass
Information Disclosure
-
CVE-2026-0996
MEDIUM
CVSS 6.4
Stored cross-site scripting in the Fluent Forms WordPress plugin's AI Form Builder module (versions up to 6.1.14) enables authenticated subscribers to inject malicious scripts that execute for all users viewing affected forms through missing authorization checks, leaked nonces, and insufficient input sanitization of AI-generated content. An attacker with subscriber-level access can exploit this to perform actions on behalf of administrators or steal sensitive information from form viewers. The vulnerability affects WordPress installations using this plugin and has no patch currently available.
WordPress
XSS
AI / ML
-
CVE-2026-0653
MEDIUM
CVSS 6.5
Guest users on TP-Link Tapo C260 v1 cameras can modify protected device settings by exploiting inadequate access controls on synchronization endpoints. Authenticated attackers with limited privileges can bypass restrictions to change sensitive configuration parameters without authorization. No patch is currently available for this vulnerability.
TP-Link
Authentication Bypass
RCE
Tapo C260 Firmware
-
CVE-2026-0651
MEDIUM
CVSS 6.9
TP-Link Tapo C260 v1 firmware contains a path traversal vulnerability in HTTPS GET request handling that allows local network attackers to probe filesystem paths and determine file existence without authentication. While the vulnerability does not permit file read, write, or code execution, it enables information disclosure about the device's filesystem structure to unauthenticated local users. No patch is currently available.
TP-Link
Path Traversal
RCE
-
CVE-2026-0505
MEDIUM
CVSS 6.1
Unauthenticated attackers can manipulate unvalidated URL parameters in S4core, Document Management System, and ERP applications to redirect users to malicious websites, potentially compromising user credentials or distributing malware. The vulnerability requires user interaction to exploit and has limited impact on confidentiality and integrity, with no availability impact. No patch is currently available.
XSS
S4core
Document Management System
Erp
-
CVE-2026-0486
MEDIUM
CVSS 5.0
SAP Solution Tools Plug In fails to enforce authorization checks in remote-enabled ABAP function modules, allowing authenticated users to access and disclose sensitive system information. An attacker with valid credentials can query protected data without proper access controls, though system integrity and availability remain unaffected. No patch is currently available for this medium-severity vulnerability.
Sap
Solution Tools Plug In
-
CVE-2026-0484
MEDIUM
CVSS 6.5
SAP Basis versions up to 700 are affected by URL redirection to an untrusted site (open redirect) (CVSS 6.5).
Sap
Sap Basis
-
CVE-2025-70347
MEDIUM
CVSS 5.5
An issue in mquickjs before commit 74b7e (2026-01-15) allows a local attacker to cause a denial of service via a crafted file to the get_mblock_size function at mquickjs.c. [CVSS 5.5 MEDIUM]
Denial Of Service
-
CVE-2025-68686
MEDIUM
CVSS 5.9
An Exposure of Sensitive Information to an Unauthorized Actor vulnerability [CWE-200] in Fortinet FortiOS 7.6.0 through 7.6.1, FortiOS 7.4.0 through 7.4.6, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions may allow a remote unauthenticated attacker to bypass the patch developed for the symbolic link persistency mechanism observed in some post-exploit cases, via crafted HTTP requests. [CVSS 5.9 MEDIUM]
Fortinet
Fortigate
Fortios
-
CVE-2025-64157
MEDIUM
CVSS 6.7
A use of externally-controlled format string vulnerability in Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0 all versions allows an authenticated admin to execute unauthorized code or commands via specifically crafted configuration. [CVSS 6.7 MEDIUM]
Fortinet
Fortigate
Fortios
-
CVE-2025-62439
MEDIUM
CVSS 4.2
Fortinet FortiOS 7.6.0 versions up to 7.6.4 contains a vulnerability that allows an authenticated user with knowledge of FSSO policy configurations to gain unaut (CVSS 4.2).
Fortinet
Fortigate
-
CVE-2025-55018
MEDIUM
CVSS 5.8
An inconsistent interpretation of HTTP requests ('HTTP request smuggling') vulnerability in Fortinet FortiOS 7.6.0, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4.3 through 6.4.16 may allow an unauthenticated attacker to smuggle an unlogged HTTP request through the firewall policies via a specially crafted header. [CVSS 5.8 MEDIUM]
Fortinet
Fortigate
Fortios
-
CVE-2025-36522
MEDIUM
CVSS 6.7
Incorrect default permissions for some Intel(R) Chipset Software before version 10.1.20266.8668 or later within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present with...
Privilege Escalation
-
CVE-2025-36511
MEDIUM
CVSS 6.7
Incorrect default permissions for some Intel(R) Memory and Storage Tool before version 2.5.2 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special i...
Privilege Escalation
-
CVE-2025-35999
MEDIUM
CVSS 6.7
Incorrect permission assignment for critical resource for some System Firmware Update Utility (SysFwUpdt) for Intel(R) Server Boards and Intel(R) Server Systems Based before version 16.0.12 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable escalation of privilege. This result ...
Privilege Escalation
-
CVE-2025-35992
MEDIUM
CVSS 4.7
Improper conditions check in some firmware for some Intel(R) NPU Drivers within Ring 1: Device Drivers may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable denial of service. [CVSS 4.7 MEDIUM]
Denial Of Service
-
CVE-2025-32735
MEDIUM
CVSS 5.5
Improper conditions check in some firmware for some Intel(R) NPU Drivers within Ring 1: Device Drivers may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. [CVSS 5.5 MEDIUM]
Denial Of Service
-
CVE-2025-32467
MEDIUM
CVSS 4.1
Use of uninitialized variable for some TDX Module before version tdx1.5 within Ring 0: Hypervisor may allow an information disclosure. Authorized adversary with a privileged user combined with a high complexity attack may enable data exposure. [CVSS 4.1 MEDIUM]
Information Disclosure
-
CVE-2025-32453
MEDIUM
CVSS 6.7
Incorrect default permissions for some Intel(R) Graphics Driver software within Ring 2: Privileged Process may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. [CVSS 6.7 MEDIUM]
Industrial
Privilege Escalation
-
CVE-2025-32452
MEDIUM
CVSS 6.7
Uncontrolled search path for some AI Playground before version 2.6.1 beta within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowl...
Privilege Escalation
AI / ML
-
CVE-2025-32092
MEDIUM
CVSS 6.7
Graphics Software versions up to 25.30.1702.0 contain a vulnerability that allows an escalation of privilege (CVSS 6.7).
Industrial
Privilege Escalation
-
CVE-2025-32007
MEDIUM
CVSS 4.4
Out-of-bounds read for some TDX before version tdx module 1.5.24 within Ring 0: Hypervisor may allow an information disclosure. Authorized adversary with a privileged user combined with a low complexity attack may enable data exposure. [CVSS 4.4 MEDIUM]
Information Disclosure
-
CVE-2025-32003
MEDIUM
CVSS 6.5
Out-of-bounds read in the firmware for some 100GbE Intel(R) Ethernet Network Adapter E810 before version cvl fw 1.7.6, cpk 1.3.7 within Ring 0: Bare Metal OS may allow a denial of service. [CVSS 6.5 MEDIUM]
Denial Of Service
Intel
Information Disclosure
Buffer Overflow
Ethernet Controller
-
CVE-2025-31944
MEDIUM
CVSS 5.3
Race condition for some TDX Module before version tdx1.5 within Ring 0: Hypervisor may allow a denial of service. Authorized adversary with a privileged user combined with a high complexity attack may enable denial of service. [CVSS 5.3 MEDIUM]
Denial Of Service
Race Condition
-
CVE-2025-31655
MEDIUM
CVSS 6.7
Incorrect default permissions for some Intel(R) Battery Life Diagnostic Tool within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. [CVSS 6.7 MEDIUM]
Privilege Escalation
-
CVE-2025-30508
MEDIUM
CVSS 6.5
Improper authorization in the Intel(R) Quick Assist Technology for some Intel(R) Platforms within Ring 0: Kernel may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable denial of service. [CVSS 6.5 MEDIUM]
Linux
Denial Of Service
-
CVE-2025-27940
MEDIUM
CVSS 4.1
Out-of-bounds read for some TDX Module before version tdx1.5 within Ring 0: Hypervisor may allow an information disclosure. Software side channel adversary with a privileged user combined with a high complexity attack may enable data exposure. [CVSS 4.1 MEDIUM]
Information Disclosure
-
CVE-2025-27708
MEDIUM
CVSS 4.1
Out-of-bounds read in the firmware for some Intel(R) Converged Security and Management Engine (CSME) Firmware (FW) within Ring 0: Kernel may allow an information disclosure. System software adversary with a privileged user combined with a low complexity attack may enable data exposure. [CVSS 4.1 MEDIUM]
Linux
Information Disclosure
-
CVE-2025-27572
MEDIUM
CVSS 4.1
Exposure of sensitive information during transient execution for some TDX within Ring 0: Hypervisor may allow an information disclosure. Authorized adversary with a privileged user combined with a high complexity attack may enable data exposure. [CVSS 4.1 MEDIUM]
Information Disclosure
-
CVE-2025-27560
MEDIUM
CVSS 6.0
Loop with unreachable exit condition ('infinite loop') for some Intel(R) Platform within Ring 0: Kernel may allow a denial of service. System software adversary with a privileged user combined with a low complexity attack may enable denial of service. [CVSS 6.0 MEDIUM]
Linux
Denial Of Service
-
CVE-2025-27535
MEDIUM
CVSS 5.3
Exposed ioctl with insufficient access control in the firmware for some Intel(R) Ethernet Connection E825-C. before version NVM ver. [CVSS 5.3 MEDIUM]
Denial Of Service
Intel
Ethernet Controller
-
CVE-2025-27243
MEDIUM
CVSS 6.0
Out-of-bounds write in the firmware for some Intel(R) Ethernet Controller E810 before version cvl fw 1.7.8.x within Ring 0: Bare Metal OS may allow a denial of service. System software adversary with a privileged user combined with a low complexity attack may enable denial of service. [CVSS 6.0 MEDIUM]
Denial Of Service
Intel
Memory Corruption
Buffer Overflow
Ethernet Controller
-
CVE-2025-24851
MEDIUM
CVSS 6.0
Uncaught exception in the firmware for some 100GbE Intel(R) Ethernet Controller E810 before version cvl fw 1.7.8.x within Ring 0: Bare Metal OS may allow a denial of service. System software adversary with a privileged user combined with a low complexity attack may enable denial of service. [CVSS 6.0 MEDIUM]
Denial Of Service
Intel
Ethernet Controller
-
CVE-2025-22885
MEDIUM
CVSS 4.7
Improper buffer restrictions in the firmware for the TDX Module may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. [CVSS 4.7 MEDIUM]
Privilege Escalation
-
CVE-2025-22849
MEDIUM
CVSS 6.7
Incorrect default permissions for the Intel(R) Optane(TM) PMem management software before versions CR_MGMT_01.00.00.3584, CR_MGMT_02.00.00.4052, CR_MGMT_03.00.00.0538 within Ring 3: User Applications may allow an escalation of privilege. [CVSS 6.7 MEDIUM]
Privilege Escalation
-
CVE-2025-20106
MEDIUM
CVSS 6.7
Uncontrolled search path in some software installer for some VTune(TM) Profiler software and Intel(R) oneAPI Base Toolkits before version 2025.0 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access w...
Privilege Escalation
-
CVE-2025-20080
MEDIUM
CVSS 6.8
Null pointer dereference in the firmware for some Intel(R) AMT and Intel(R) Standard Manageability within Ring 0: Kernel may allow a denial of service. Network adversary with an unauthenticated user combined with a high complexity attack may enable denial of service. [CVSS 6.8 MEDIUM]
Linux
Null Pointer Dereference
Denial Of Service
-
CVE-2025-20070
MEDIUM
CVSS 6.7
Improper conditions check for the Intel(R) Optane(TM) PMem management software before versions CR_MGMT_02.00.00.4052, CR_MGMT_03.00.00.0538 within Ring 3: User Applications may allow an escalation of privilege. [CVSS 6.7 MEDIUM]
Privilege Escalation
-
CVE-2025-15570
MEDIUM
CVSS 5.3
A vulnerability was found in ckolivas lrzip up to 0.651. This impacts the function lzma_decompress_buf of the file stream.c. [CVSS 5.3 MEDIUM]
Use After Free
Lrzip
Suse
-
CVE-2025-15314
MEDIUM
CVSS 5.5
Tanium addressed an arbitrary file deletion vulnerability in end-user-cx. [CVSS 5.5 MEDIUM]
Path Traversal
End User Cx
-
CVE-2025-15313
MEDIUM
CVSS 5.5
Tanium addressed an arbitrary file deletion vulnerability in Tanium EUSS. [CVSS 5.5 MEDIUM]
Path Traversal
Euss
-
CVE-2025-15147
MEDIUM
CVSS 4.3
WooCommerce Memberships for Multivendor Marketplace versions up to 2.11.8 are affected by authorization bypass through a user-controlled key (CVSS 4.3).
WordPress
PHP
-
CVE-2025-14895
MEDIUM
CVSS 5.4
The PopupKit plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.0. This is due to the plugin not properly verifying that a user is authorized to access the /popup/logs REST API endpoint. [CVSS 5.4 MEDIUM]
WordPress
Industrial
PHP
-
CVE-2025-13064
MEDIUM
CVSS 4.5
A server-side injection was possible for a malicious admin to manipulate the application to include a malicious script which is executed by the server. This attack is only possible if the admin uses a client that has been tampered with. [CVSS 4.5 MEDIUM]
Code Injection
Camera Station Pro
-
CVE-2025-12757
MEDIUM
CVSS 4.6
An AXIS Camera Station Pro feature can be exploited in a way that allows a non-admin user to view information they are not permitted to. [CVSS 4.6 MEDIUM]
Path Traversal
Camera Station Pro
-
CVE-2025-12699
MEDIUM
CVSS 5.5
The ZOLL ePCR iOS application reflects unsanitized user input into a WebView. Attacker-controlled strings placed into PCR fields (run number, incident, call sign, notes) are interpreted as HTML/JS when the app prints or renders that content. [CVSS 5.5 MEDIUM]
XSS
iOS
-
CVE-2025-12063
MEDIUM
CVSS 5.7
An insecure direct object reference allowed a non-admin user to modify or remove certain data objects without having the appropriate permissions. [CVSS 5.7 MEDIUM]
Authentication Bypass
Camera Station Pro
-
CVE-2025-11537
MEDIUM
CVSS 5.0
A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. [CVSS 5.0 MEDIUM]
Information Disclosure
Redhat
-
CVE-2024-54192
MEDIUM
CVSS 5.5
An issue in Tcpreplay v4.5.1 allows a local attacker to cause a denial of service via a crafted file to the tcpedit_dlt_getplugin function at src/tcpedit/plugins/dlt_utils.c. [CVSS 5.5 MEDIUM]
Denial Of Service
Suse
-
CVE-2024-52334
MEDIUM
CVSS 5.3
A vulnerability has been identified in syngo.plaza VB30E (All versions < VB30E_HF07). The affected application does not encrypt the passwords properly. [CVSS 5.3 MEDIUM]
Authentication Bypass
-
CVE-2026-26013
LOW
CVSS 3.7
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability...
SSRF
Langchain
AI / ML
-
CVE-2026-24320
LOW
CVSS 3.1
Due to improper memory management in SAP NetWeaver and ABAP Platform (Application Server ABAP), an authenticated attacker could exploit logical errors in memory management by supplying specially crafted input containing unique characters, which are improperly converted. [CVSS 3.1 LOW]
Sap
Memory Corruption
-
CVE-2026-23901
LOW
CVSS 2.5
Observable Timing Discrepancy vulnerability in Apache Shiro. This issue affects Apache Shiro: from 1.*, 2.* before 2.0.7. [CVSS 2.5 LOW]
Apache
-
CVE-2026-23686
LOW
CVSS 3.4
NetWeaver Application Server Java versions up to 7.50 are affected by HTTP response splitting (CVSS 3.4).
Sap
-
CVE-2026-21249
LOW
CVSS 3.3
External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing locally. [CVSS 3.3 LOW]
Windows
Microsoft
-
CVE-2026-2259
LOW
CVSS 3.3
A vulnerability has been found in aardappel lobster up to 2025.4. Affected by this issue is the function lobster::Parser::ParseStatements in the library dev/src/lobster/parser.h of the component Parsing. [CVSS 3.3 LOW]
Memory Corruption
-
CVE-2026-2258
LOW
CVSS 3.3
A flaw has been found in aardappel lobster up to 2025.4. Affected by this vulnerability is the function WaveFunctionCollapse in the library dev/src/lobster/wfc.h. [CVSS 3.3 LOW]
Memory Corruption
-
CVE-2026-1762
LOW
CVSS 2.9
A vulnerability in GE Vernova Enervista UR Setup on Windows allows File Manipulation. This issue affects Enervista: 8.6 and prior versions. [CVSS 2.9 LOW]
Windows
-
CVE-2025-54514
None
Improper isolation of shared resources on a system on a chip by a malicious local attacker with high privileges could potentially lead to a partial loss of integrity.
Information Disclosure
-
CVE-2025-52536
None
Improper Prevention of Lock Bit Modification in SEV firmware could allow a privileged attacker to downgrade firmware potentially resulting in a loss of integrity.
Information Disclosure
-
CVE-2025-52534
None
Improper bound check within AMD CPU microcode can allow a malicious guest to write to host memory, potentially resulting in loss of integrity.
Information Disclosure
-
CVE-2025-48517
None
Insufficient Granularity of Access Control in SEV firmware could allow a privileged user with a malicious hypervisor to create a SEV-ES guest with an ASID in the range meant for SEV-SNP guests potentially resulting in a partial loss of confidentiality.
Authentication Bypass
-
CVE-2025-48515
None
Insufficient parameter sanitization in AMD Secure Processor (ASP) Boot Loader could allow an attacker with access to SPIROM upgrade to overwrite the memory, potentially resulting in arbitrary code execution.
Integer Overflow
RCE
-
CVE-2025-48514
None
Insufficient Granularity of Access Control in SEV firmware can allow a privileged attacker to create a SEV-ES Guest to attack SNP guest, potentially resulting in a loss of confidentiality.
Authentication Bypass
-
CVE-2025-48509
None
Missing Checks in certain functions related to RMP initialization can allow a local admin privileged attacker to cause misidentification of I/O memory, potentially resulting in a loss of guest memory integrity.
Information Disclosure
-
CVE-2025-33030
LOW
CVSS 3.3
Improper conditions check in some firmware for some Intel(R) NPU Drivers within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a low complexity attack may enable data corruption. [CVSS 3.3 LOW]
Privilege Escalation
-
CVE-2025-32739
LOW
CVSS 2.8
Improper conditions check in some firmware for some Intel(R) Graphics Drivers and Intel LTS kernels within Ring 1: Device Drivers may allow a denial of service. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable denial of service. [CVSS 2.8 LOW]
Linux
Industrial
Denial Of Service
-
CVE-2025-31648
LOW
CVSS 3.9
Improper handling of values in the microcode flow for some Intel(R) Processor Family may allow an escalation of privilege. Startup code and SMM adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. [CVSS 3.9 LOW]
Privilege Escalation
-
CVE-2025-29952
None
Improper Initialization within the AMD Secure Encrypted Virtualization (SEV) firmware can allow an admin privileged attacker to corrupt RMP covered memory, potentially resulting in loss of guest memory integrity.
Information Disclosure
-
CVE-2025-29951
None
A buffer overflow in the AMD Secure Processor (ASP) bootloader could allow an attacker to overwrite memory, potentially resulting in privilege escalation and arbitrary code execution.
Buffer Overflow
Privilege Escalation
RCE
-
CVE-2025-29950
None
Improper input validation in system management mode (SMM) could allow a privileged attacker to overwrite stack memory leading to arbitrary code execution.
RCE
-
CVE-2025-29949
None
Insufficient input parameter sanitization in AMD Secure Processor (ASP) Boot Loader (legacy recovery mode only) could allow an attacker to write out-of-bounds to corrupt Secure DRAM potentially resulting in denial of service.
Denial Of Service
-
CVE-2025-29948
None
Improper access control in AMD Secure Encrypted Virtualization (SEV) firmware could allow a malicious hypervisor to bypass RMP protections, potentially resulting in a loss of SEV-SNP guest memory integrity.
Authentication Bypass
-
CVE-2025-29946
None
Insufficient or Incomplete Data Removal in Hardware Component in SEV firmware doesn't fully flush IOMMU. This can potentially lead to a loss of confidentiality and integrity in guest memory.
Information Disclosure
-
CVE-2025-29939
None
Improper access control in secure encrypted virtualization (SEV) could allow a privileged attacker to write to the reverse map page (RMP) during secure nested paging (SNP) initialization, potentially resulting in a loss of guest memory confidentiality and integrity.
Authentication Bypass
-
CVE-2025-25058
LOW
CVSS 3.3
Ethernet 800 Series versions up to 2.2.2.0 contain an information disclosure vulnerability (CVSS 3.3).
Linux
Esxi
Information Disclosure
-
CVE-2025-15572
LOW
CVSS 3.3
A vulnerability has been found in wasm3 up to 0.5.0. The affected element is the function NewCodePage. [CVSS 3.3 LOW]
Denial Of Service
-
CVE-2025-15571
LOW
CVSS 3.3
A security vulnerability has been detected in ckolivas lrzip up to 0.651. This vulnerability affects the function ucompthread of the file stream.c. [CVSS 3.3 LOW]
Null Pointer Dereference
-
CVE-2025-11004
None
The Simplicity Device Manager Tool has a Reflected XSS (Cross-site-scripting) vulnerability in several API endpoints. The attacker needs to be on the same network to execute this attack.
XSS
-
CVE-2025-6010
None
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Information Disclosure
-
CVE-2025-0031
None
A use after free in the SEV firmware could allow a malicious hypervisor to activate a migrated guest with the SINGLE_SOCKET policy on a different socket than the migration agent, potentially resulting in loss of integrity.
Use After Free
-
CVE-2025-0029
None
Improper handling of error condition during host-induced faults can allow a local high-privileged attacker to selectively drop guest DMA writes, potentially resulting in a loss of SEV-SNP guest memory integrity.
Information Disclosure
-
CVE-2025-0012
None
Improper handling of overlap between the segmented reverse map table (RMP) and system management mode (SMM) memory could allow a privileged attacker to corrupt or partially infer SMM memory, resulting in loss of integrity or confidentiality.
Information Disclosure
-
CVE-2024-36355
None
Improper input validation in the SMM handler could allow an attacker with Ring0 access to write to SMRAM and modify execution flow for S3 (sleep) wake up, potentially resulting in arbitrary code execution.
Buffer Overflow
RCE
-
CVE-2024-36311
None
A Time-of-check time-of-use (TOCTOU) race condition in the SMM communications buffer could allow a privileged attacker to bypass input validation and perform an out of bounds read or write, potentially resulting in loss of confidentiality, integrity, or availability.
Race Condition
-
CVE-2024-36310
None
Improper input validation in the SMM communications buffer could allow a privileged attacker to perform an out of bounds read or write to SMRAM potentially resulting in loss of confidentiality or integrity.
Buffer Overflow
-
CVE-2024-21953
None
Improper input validation in IOMMU could allow a malicious hypervisor to reconfigure IOMMU registers resulting in loss of guest data integrity.
Information Disclosure
-
CVE-2021-26410
None
Improper syscall input validation in ASP (AMD Secure Processor) may force the kernel into reading syscall parameter values from its own memory space allowing an attacker to infer the contents of the kernel memory leading to potential information disclosure.
Linux
Information Disclosure
-
CVE-2021-26381
None
Improper system call parameter validation in the Trusted OS may allow a malicious driver to perform mapping or unmapping operations on a large number of pages, potentially resulting in kernel memory corruption.
Linux
Memory Corruption