Skip to main content
CVE-2026-23718 HIGH This Week

Out-of-bounds read in Simcenter Femap and Nastran versions prior to V2512 during NDB file parsing enables local code execution under the current process context. An attacker can exploit this vulnerability through specially crafted NDB files to achieve arbitrary code execution. No patch is currently available for this high-severity vulnerability affecting both products.

Buffer Overflow Information Disclosure Simcenter Femap Simcenter Nastran
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23717 HIGH This Week

Simcenter Femap and Nastran versions prior to 2512 are vulnerable to out-of-bounds memory reads when processing maliciously crafted XDB files, enabling arbitrary code execution with the privileges of the affected application. Local attackers can exploit this vulnerability through specially designed files to achieve full system compromise. No patch is currently available for this high-severity flaw.

Buffer Overflow Information Disclosure Simcenter Nastran Simcenter Femap
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23716 HIGH This Week

Arbitrary code execution in Simcenter Femap and Nastran versions prior to 2512 results from an out-of-bounds read when processing malicious XDB files, enabling local attackers to achieve process-level code execution. An attacker with local access can craft a specially designed XDB file to trigger the memory vulnerability and execute arbitrary code with the privileges of the affected application. No patch is currently available for this vulnerability.

Buffer Overflow Information Disclosure Simcenter Femap Simcenter Nastran
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23689 HIGH This Week

Denial-of-service vulnerability in SAP Advanced Planning And Optimization and Supply Chain Management allows authenticated users to exhaust system resources by repeatedly calling a remote function module with oversized parameters, causing service unavailability. An attacker with standard user credentials and network access can trigger prolonged resource consumption that may render the affected system unresponsive. No patch is currently available.

Denial Of Service Advanced Planning And Optimization Supply Chain Management
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-24322 HIGH This Week

Authenticated users in SAP Solution Tools Plug-In (ST-PI) can access sensitive information through a function module that lacks proper authorization controls, allowing disclosure of confidential data without requiring additional privileges. The vulnerability affects all users with basic authentication to the affected SAP systems, as the missing checks permit lateral data exposure across the application.

SAP Solution Tools Plug In
NVD
CVSS 3.1
7.7
EPSS
0.0%
CVE-2025-40587 HIGH This Week

A vulnerability has been identified in Polarion V2404 (All versions < V2404.5), Polarion V2410 (All versions < V2410.2). The affected application allows arbitrary JavaScript code be included in document titles. [CVSS 7.6 HIGH]

XSS
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-21511 HIGH PATCH This Week

Microsoft Outlook's unsafe deserialization of untrusted data enables remote attackers to spoof messages and identities without authentication over the network. This vulnerability affects Outlook, Word, and Microsoft 365 Apps, allowing attackers to impersonate legitimate senders and deceive users. No patch is currently available, making this a high-risk threat requiring immediate defensive measures.

Microsoft Outlook Deserialization 365 Apps Word +3
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-0490 HIGH This Week

Businessobjects Business Intelligence Platform versions up to 430 is affected by missing authorization (CVSS 7.5).

SAP Businessobjects Business Intelligence Platform
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2268 HIGH This Week

Unauthenticated attackers can extract arbitrary post metadata from WordPress sites running Ninja Forms plugin versions up to 3.14.0 through improper merge tag filtering in repeater fields, potentially exposing sensitive data like API keys, billing information, and customer details. The vulnerability is exploitable remotely without authentication via the nf_ajax_submit AJAX action and currently lacks a patch.

WordPress Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-1507 HIGH This Week

Unauthenticated attackers can crash core PI services through an unhandled exception vulnerability accessible over the network, causing denial-of-service without authentication or user interaction required. This high-severity flaw (CVSS 7.5) impacts availability of affected PI deployments with no patch currently available.

Denial Of Service
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-25577 HIGH PATCH This Week

Emmett is a framework designed to simplify your development process. versions up to 1.3.11 contains a vulnerability that allows attackers to trigger HTTP 500 errors and cause denial of service (CVSS 7.5).

Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-21243 HIGH PATCH This Week

Windows LDAP service in Server 2022 and 2022 23H2 is vulnerable to denial of service through a null pointer dereference that can be triggered remotely without authentication. An attacker can exploit this flaw over the network to crash the LDAP service and disrupt directory access functionality. No patch is currently available for this vulnerability.

Windows LDAP Null Pointer Dereference Windows Server 2022 Windows Server 2022 23h2 +3
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-1848 HIGH This Week

MongoDB proxy port connections bypass connection accounting mechanisms, allowing unauthenticated remote attackers to exhaust server resources and trigger denial of service without authentication. Servers relying on connection limits for resource management are vulnerable to crashes when connection counts are artificially inflated through the proxy protocol. No patch is currently available for this high-severity issue affecting MongoDB deployments.

Denial Of Service MongoDB
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-0485 HIGH This Week

Businessobjects Business Intelligence Platform versions up to 430 contains a security vulnerability (CVSS 7.5).

SAP Denial Of Service Businessobjects Business Intelligence Platform
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-25611 HIGH This Week

MongoDB instances are vulnerable to denial of service attacks when processing specially crafted unauthenticated messages that trigger memory exhaustion and server crashes. An unauthenticated remote attacker can exploit this vulnerability to disable MongoDB availability without requiring valid credentials or user interaction. No patch is currently available for this vulnerability.

MongoDB Denial Of Service
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20846 HIGH PATCH This Week

Buffer over-read in Windows GDI+ allows an unauthorized attacker to deny service over a network. [CVSS 7.5 HIGH]

Windows Buffer Overflow Windows 11 23h2 Windows 11 24h2 Windows Server 2012 +11
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21260 HIGH PATCH This Week

Information disclosure in Microsoft Outlook, SharePoint Server, Office, and 365 Apps enables remote attackers to conduct email spoofing attacks without authentication or user interaction. The vulnerability affects multiple Microsoft collaboration products and could allow threat actors to impersonate legitimate senders to compromise organizational security. No patch is currently available for this high-severity issue.

Microsoft Outlook Sharepoint Server Office 365 Apps +1
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21218 HIGH PATCH This Week

.NET applications are vulnerable to spoofing attacks due to improper validation of a required security element, allowing unauthenticated remote attackers to forge or manipulate application data over the network. This vulnerability affects multiple .NET versions and currently has no available patch, exposing organizations to authentication bypass and data integrity risks. The attack requires no user interaction and can be exploited directly from the network.

.NET .Net
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-22453 HIGH This Week

Improper input validation for some Server Firmware Update Utility(SysFwUpdt) before version 16.0.12 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable local code execution. [CVSS 7.5 HIGH]

Privilege Escalation
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-2093 HIGH This Week

Unauthenticated attackers can exploit SQL injection in Flowring's Docpedia to execute arbitrary database queries and extract sensitive information without authentication. The vulnerability requires no user interaction and is remotely accessible over the network, presenting a critical risk to all deployments. No patch is currently available to remediate this issue.

SQLi
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21247 HIGH PATCH This Week

Improper input validation in Windows Hyper-V allows an authorized attacker to execute code locally. [CVSS 7.3 HIGH]

Windows Hyper-V Windows 11 24h2 Windows 10 22h2 Windows Server 2022 +10
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-21235 HIGH PATCH This Week

Privilege escalation in Microsoft Graphics Component via use-after-free memory corruption affects Windows Server 2019 and 2012, allowing authenticated local attackers to gain elevated system privileges with user interaction. The vulnerability poses a significant risk in industrial environments where Windows Server hosts critical infrastructure. No patch is currently available for this high-severity issue.

Microsoft Industrial Use After Free Windows Server 2019 Windows Server 2012 +7
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-21248 HIGH POC PATCH This Week

Heap overflow in Windows Hyper-V enables authenticated local users to achieve arbitrary code execution with high privileges on affected Windows and Windows Server systems. An attacker with local access and user-level permissions can trigger memory corruption through user interaction to compromise system integrity and confidentiality. This vulnerability affects Windows 10 1809, Windows Server 2025, and related Hyper-V implementations with no patch currently available.

Windows Hyper-V Buffer Overflow Heap Overflow Windows Server 2025 +12
NVD Exploit-DB VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-21244 HIGH POC PATCH This Week

Heap overflow in Windows Hyper-V enables authenticated local users to achieve arbitrary code execution with high privileges (CVSS 7.3). Exploitation requires user interaction and local system access, affecting Windows 10 1809 and Windows Server 2025. No patch is currently available.

Windows Hyper-V Buffer Overflow Heap Overflow Windows 10 1809 +12
NVD Exploit-DB VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-0508 HIGH This Week

Businessobjects Business Intelligence Platform versions up to 430 is affected by url redirection to untrusted site (open redirect) (CVSS 7.3).

SAP Businessobjects Business Intelligence Platform
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-1866 HIGH This Week

The Name Directory WordPress plugin through version 1.32.0 contains a stored cross-site scripting vulnerability in its sanitization logic that allows unauthenticated attackers to inject malicious scripts through the public submission form. Attackers can exploit this by submitting content with double-encoded HTML entities that bypass security filters, and the injected scripts will execute when administrators or users view the affected pages if the submission is approved or auto-publish is enabled. This affects all installations of the vulnerable plugin versions with no patch currently available.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-21743 HIGH This Week

FortiAuthenticator 6.3 through 6.6.6 allows read-only users to modify local user accounts by uploading files to an unprotected endpoint, bypassing authorization controls. This vulnerability requires high privileges to initiate but could enable unauthorized account modifications in affected deployments. No patch is currently available for this high-severity flaw.

Fortinet Fortiauthenticator
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-0845 HIGH This Week

Unauthorized option modification in WCFM - Frontend Manager for WooCommerce up to version 6.7.24 allows authenticated Shop Manager-level users to bypass capability checks and alter arbitrary WordPress settings. An attacker with these privileges can exploit this to change the default registration role to administrator and enable user registration, gaining full admin access to the site. No patch is currently available for this vulnerability.

WordPress Privilege Escalation
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-11142 HIGH This Week

The VAPIX API mediaclip.cgi that did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator- privileged service account. [CVSS 7.1 HIGH]

RCE Axis Os
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-62676 HIGH This Week

Forticlient versions up to 7.4.4 is affected by improper link resolution before file access (CVSS 7.1).

Fortinet Windows Forticlient
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-21508 HIGH PATCH This Week

Windows Storage component contains an authentication bypass that enables authenticated local users to escalate privileges on Windows 10, Windows 11, and Windows Server 2016/2019 systems. An attacker with valid local credentials can exploit this vulnerability to gain elevated system access without user interaction. No patch is currently available for this HIGH severity issue affecting multiple Windows versions.

Windows Windows 10 1809 Windows Server 2016 Windows 11 24h2 Windows 10 1607 +10
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-21253 HIGH PATCH This Week

Use after free in Mailslot File System allows an authorized attacker to elevate privileges locally. [CVSS 7.0 HIGH]

Use After Free Denial Of Service Memory Corruption
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-21242 HIGH PATCH This Week

Windows Subsystem for Linux contains a use-after-free vulnerability that enables local privilege escalation for authenticated users. An attacker with valid local access could exploit this memory safety flaw to gain elevated system privileges on affected Windows Server 2022 systems.

Linux Windows Use After Free Windows Server 2022 Windows Server 2022 23h2 +7
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-21237 HIGH PATCH This Week

Local privilege escalation in Windows Subsystem for Linux affects Windows 11 23h2 and Windows 10 22h2 through a race condition in shared resource synchronization. An authenticated local attacker can exploit this vulnerability to gain elevated privileges on the system. No patch is currently available for this vulnerability.

Linux Windows Race Condition Windows 11 23h2 Windows 10 22h2 +7
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-21234 HIGH PATCH This Week

Local privilege escalation in Windows Connected Devices Platform Service exploits a race condition in resource synchronization, allowing authenticated attackers to gain elevated privileges on affected Windows systems including Server 2022, Windows 11 25h2, and Windows 10 21h2. The vulnerability requires local access and user interaction is not needed, making it a practical attack vector for users with standard privileges. No patch is currently available.

Windows Race Condition Windows Server 2022 Windows 11 25h2 Windows 10 21h2 +8
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-21241 HIGH PATCH This Week

Windows Ancillary Function Driver for WinSock in Windows 11 23h2 and Windows Server 2022 23h2 contains a use-after-free vulnerability that allows authenticated local users to achieve privilege escalation. An attacker with local access and valid credentials can trigger the memory safety flaw to gain elevated system privileges. No patch is currently available for this HIGH severity vulnerability.

Windows Use After Free Windows Server 2022 23h2 Windows 11 23h2 Windows Server 2022 +4
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2025-15569 HIGH This Week

A flaw has been found in Artifex MuPDF versions up to 1.26.1 is affected by untrusted search path (CVSS 7.0).

Windows
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2025-35998 HIGH This Week

Privilege escalation in Intel QuickAssist Technology (QAT) on certain Intel platforms allows a system-software adversary already holding privileged (Ring 0 / kernel-level) access to read and corrupt kernel state via an unprotected alternate hardware interface. The flaw stems from a missing protection mechanism on a secondary hardware control path, yielding high confidentiality and integrity impact but no availability loss. There is no public exploit identified at time of analysis, EPSS is negligible (0.01%), and it is not listed in CISA KEV.

Privilege Escalation Intel
NVD VulDB
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-0651 MEDIUM This Month

TP-Link Tapo C260 v1 firmware contains a path traversal vulnerability in HTTPS GET request handling that allows local network attackers to probe filesystem paths and determine file existence without authentication. While the vulnerability does not permit file read, write, or code execution, it enables information disclosure about the device's filesystem structure to unauthenticated local users. No patch is currently available.

TP-Link Path Traversal RCE
NVD VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-25870 MEDIUM This Month

DoraCMS 3.1 and earlier allows unauthenticated attackers to perform server-side request forgery through the UEditor remote image fetch feature, which fails to validate or restrict destination URLs. An attacker can exploit this to force the server to make arbitrary HTTP/HTTPS requests to internal network resources, enabling internal reconnaissance and potential denial of service attacks.

SSRF Denial Of Service
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2025-20080 MEDIUM This Month

Null pointer dereference in the firmware for some Intel(R) AMT and Intel(R) Standard Manageability within Ring 0: Kernel may allow a denial of service. Network adversary with an unauthenticated user combined with a high complexity attack may enable denial of service. [CVSS 6.8 MEDIUM]

Linux Null Pointer Dereference Denial Of Service
NVD VulDB
CVSS 3.1
6.8
EPSS
0.1%
CVE-2026-21522 MEDIUM PATCH This Month

Azure Compute Gallery contains a command injection vulnerability that enables authorized users to execute arbitrary commands with elevated privileges on local systems. The flaw requires high-level privileges to exploit and affects confidentiality, integrity, and availability of the target system. No patch is currently available.

Azure Command Injection Confcom
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-32452 MEDIUM This Month

Uncontrolled search path for some AI Playground before version 2.6.1 beta within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowl...

Privilege Escalation AI / ML
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-20070 MEDIUM This Month

Improper conditions check for the Intel(R) Optane(TM) PMem management software before versions CR_MGMT_02.00.00.4052, CR_MGMT_03.00.00.0538 within Ring 3: User Applications may allow an escalation of privilege. [CVSS 6.7 MEDIUM]

Privilege Escalation
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-36522 MEDIUM This Month

Incorrect default permissions for some Intel(R) Chipset Software before version 10.1.20266.8668 or later. within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present with...

Privilege Escalation
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-31655 MEDIUM This Month

Incorrect default permissions for some Intel(R) Battery Life Diagnostic Tool within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. [CVSS 6.7 MEDIUM]

Privilege Escalation
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-35999 MEDIUM This Month

Incorrect permission assignment for critical resource for some System Firmware Update Utility (SysFwUpdt) for Intel(R) Server Boards and Intel(R) Server Systems Based before version 16.0.12. within Ring 3: User Applications may allow an escalation of privilege. System software adversary with a privileged user combined with a low complexity attack may enable escalation of privilege. This result ...

Privilege Escalation
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-20106 MEDIUM This Month

Uncontrolled search path in some software installer for some VTune(TM) Profiler software and Intel(R) oneAPI Base Toolkits before version 2025.0. within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access w...

Privilege Escalation
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-36511 MEDIUM This Month

Incorrect default permissions for some Intel(R) Memory and Storage Tool before version 2.5.2 within Ring 3: User Applications may allow an escalation of privilege. System software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special i...

Privilege Escalation
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-22849 MEDIUM This Month

Incorrect default permissions for the Intel(R) Optane(TM) PMem management software before versions CR_MGMT_01.00.00.3584, CR_MGMT_02.00.00.4052, CR_MGMT_03.00.00.0538 within Ring 3: User Applications may allow an escalation of privilege. [CVSS 6.7 MEDIUM]

Privilege Escalation
NVD
CVSS 3.1
6.7
EPSS
0.0%
Prev Page 3 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy