96 CVEs tracked today. 7 Critical, 32 High, 48 Medium, 6 Low.
-
CVE-2026-23647
CRITICAL
CVSS 9.8
Hardcoded OS credentials in Glory RBG-100 cash recycler systems using the ISPK-08 software component. Physical cash handling equipment ships with known default credentials enabling complete system takeover.
Linux
Ssh
-
CVE-2026-22769
CRITICAL
CVSS 10.0
Dell RecoverPoint for Virtual Machines prior to 6.0.3.1 HF1 contains hardcoded credentials (CVE-2026-22769, CVSS 10.0) that allow unauthenticated remote attackers with knowledge of the credentials to gain root-level access to the underlying operating system. KEV-listed, this vulnerability exposes disaster recovery infrastructure to complete compromise, potentially affecting the integrity of backup and replication data.
Dell
Authentication Bypass
Privilege Escalation
RCE
Remote Code Execution
-
CVE-2026-22208
CRITICAL
CVSS 9.6
Remote code execution in OpenS100 (S-100 viewer reference implementation) prior to commit 753cf29. Malicious S-100 dataset files can trigger code execution when opened. CVSS 9.6.
RCE
-
CVE-2026-1670
CRITICAL
CVSS 9.8
Unauthenticated API exposure in industrial control products allows remote attackers to access critical functions without authentication.
Authentication Bypass
-
CVE-2025-70830
CRITICAL
CVSS 9.9
Server-Side Template Injection (SSTI) in Datart v1.0.0-rc.3 via Freemarker template engine allows authenticated users to execute arbitrary code on the server.
Code Injection
RCE
-
CVE-2025-66614
CRITICAL
CVSS 9.1
Input validation vulnerability in Apache Tomcat affecting versions 11.0.0-M1 through 11.0.14, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98. Critical severity issue in one of the most widely deployed Java application servers.
Apache
Tomcat
Redhat
Suse
-
CVE-2025-59793
CRITICAL
CVSS 9.4
Path traversal in Rocket TRUfusion Enterprise through 7.10.5 via /axis2/services endpoint allows authenticated attackers to read and write arbitrary files on the host. EPSS 0.32%.
RCE
Path Traversal
-
CVE-2026-26736
HIGH
CVSS 8.8
Stack-based buffer overflow in TOTOLINK A3002RU firmware versions up to V3.0.0-B20220304.1804 allows authenticated attackers to achieve remote code execution through a malicious static_ipv6 parameter. Public exploit code exists for this vulnerability, and no patch is currently available. The high CVSS score of 8.8 reflects the complete compromise of system confidentiality, integrity, and availability for affected devices.
Buffer Overflow
Stack Overflow
A3002ru Firmware
-
CVE-2026-26732
HIGH
CVSS 8.8
Stack overflow vulnerabilities in TOTOLINK A3002RU V2.1.1 router firmware allow authenticated attackers to achieve remote code execution through malformed vpnUser or vpnPassword parameters. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected devices at risk of complete compromise.
Buffer Overflow
Stack Overflow
A3002ru Firmware
-
CVE-2026-26731
HIGH
CVSS 8.8
Remote code execution in TOTOLINK A3002RU V2.1.1 firmware results from a stack-based buffer overflow in the DNS configuration function that can be exploited by authenticated network users. Public exploit code exists for this vulnerability, and attackers with valid credentials can achieve full system compromise including code execution and data manipulation. No patch is currently available.
Buffer Overflow
Memory Corruption
A3002ru Firmware
-
CVE-2026-26119
HIGH
CVSS 8.8
Windows Admin Center's authentication mechanism can be bypassed by authenticated network users to gain elevated privileges on affected Windows systems. An attacker with valid credentials could exploit this weakness to escalate their access level without additional user interaction. A patch is available to remediate this high-severity vulnerability.
Windows
Windows Admin Center
Microsoft
-
CVE-2026-25903
HIGH
CVSS 8.7
Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation.
Apache
Authentication Bypass
-
CVE-2026-25087
HIGH
CVSS 7.0
Use After Free vulnerability in Apache Arrow C++. This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. [CVSS 7.0 HIGH]
Apache
Python
Ruby
Use After Free
Memory Corruption
-
CVE-2026-24734
HIGH
CVSS 7.5
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. [CVSS 7.5 HIGH]
Apache
Tomcat
Tomcat Native
Redhat
Suse
-
CVE-2026-23648
HIGH
CVSS 7.8
Improper file permissions on system binaries in Glory RBG-100 recycler systems running ISPK-08 software allow local attackers to overwrite root-owned executables and achieve privilege escalation. An unprivileged user with local access can modify these world-writable binaries to execute arbitrary commands with root privileges. No patch is currently available for this vulnerability.
Privilege Escalation
-
CVE-2026-23595
HIGH
CVSS 8.8
Unauthenticated attackers can bypass API authentication in Aruba Networking Private 5G Core to create unauthorized administrative accounts, enabling full system compromise. Successful exploitation grants attackers administrative privileges to modify configurations and access sensitive data within affected deployments.
Authentication Bypass
Aruba Networking Private 5g Core
-
CVE-2026-2630
HIGH
CVSS 8.8
Tenable Security Center is vulnerable to command injection that allows authenticated remote attackers to execute arbitrary code on the hosting server. With no patch currently available and an 8.8 CVSS score, this vulnerability poses a significant risk to organizations relying on this security platform for vulnerability management. Attackers with valid credentials can achieve full system compromise without user interaction.
Command Injection
-
CVE-2026-2629
HIGH
CVSS 7.3
A weakness has been identified in jishi node-sonos-http-api: versions up to 3776 are affected by command injection (CVSS 7.3).
Command Injection
-
CVE-2026-2627
HIGH
CVSS 7.8
Softland FBackup versions up to 9.9 contain a symlink following vulnerability in the HID.dll component that allows local attackers with user privileges to read, modify, or delete arbitrary files with elevated permissions. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.
-
CVE-2026-2621
HIGH
CVSS 7.3
SQL injection in Sciyon Koyuan Thermoelectricity Heat Network Management System 3.0 via the PGUID parameter in AsyncTreeProxy.aspx allows unauthenticated remote attackers to read, modify, and delete database contents. Public exploit code exists for this vulnerability and no patch is currently available from the vendor.
SQLi
-
CVE-2026-2620
HIGH
CVSS 7.3
SQL injection in Huace Monitoring and Early Warning System 2.2 via the ID parameter in /Web/SysManage/ProjectRole.aspx allows unauthenticated remote attackers to manipulate database queries. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response. An attacker can exploit this to read, modify, or delete sensitive data from the affected system.
SQLi
-
CVE-2026-2616
HIGH
CVSS 8.8
Hard-coded credentials in the Beetel 777VR1 Web Management Interface allow unauthenticated attackers on the local network to gain full administrative access with high integrity and confidentiality impact. Public exploit code is available and actively used, with no patch currently available from the vendor. Affected organizations should immediately implement network segmentation and access controls to restrict management interface exposure.
Authentication Bypass
777vr1 Firmware
-
CVE-2026-2615
HIGH
CVSS 7.2
Wl-Nu516U1 Firmware versions up to 20251208 are affected by command injection (CVSS 7.2).
Command Injection
Wl Nu516u1 Firmware
-
CVE-2026-2592
HIGH
CVSS 7.7
Unauthenticated attackers can mark WooCommerce orders as paid in the Zarinpal Gateway plugin (versions up to 5.0.16) by reusing valid payment tokens from other transactions, exploiting insufficient validation of callback handlers. This allows fraudulent order fulfillment without actual payment completion. No patch is currently available and the vulnerability affects all WordPress installations using this payment gateway plugin.
WordPress
-
CVE-2026-1216
HIGH
CVSS 7.2
Reflected XSS in WordPress RSS Aggregator plugin versions up to 5.0.10 allows unauthenticated attackers to inject malicious scripts through the unvalidated 'template' parameter. An attacker can exploit this by crafting a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser session. No patch is currently available for this vulnerability.
WordPress
XSS
-
CVE-2025-70846
HIGH
CVSS 7.1
lty628 aidigu v1.9.1 is vulnerable to Cross Site Scripting (XSS) on the /tools/Password/add page in the input field password. [CVSS 7.1 HIGH]
XSS
-
CVE-2025-70828
HIGH
CVSS 8.8
An issue in Datart v1.0.0-rc.3 allows attackers to execute arbitrary code via the url parameter in the JDBC configuration [CVSS 8.8 HIGH]
Command Injection
RCE
-
CVE-2025-70397
HIGH
CVSS 7.2
jizhicms 2.5.6 is vulnerable to SQL Injection in Article/deleteAll and Extmolds/deleteAll via the data parameter. [CVSS 7.2 HIGH]
SQLi
Jizhicms
-
CVE-2025-67905
HIGH
CVSS 8.7
Malwarebytes AdwCleaner before v.8.7.0 runs as Administrator and performs an insecure log file delete operation in which the target location is user-controllable, allowing a non-admin user to escalate privileges to SYSTEM via a symbolic link, a related issue to CVE-2023-28892. [CVSS 8.7 HIGH]
Privilege Escalation
-
CVE-2025-67102
HIGH
CVSS 7.6
A SQL injection vulnerability in the alldayoffs feature in Jorani up to v1.0.4, allows an authenticated attacker to execute arbitrary SQL commands via the entity parameter. [CVSS 7.6 HIGH]
SQLi
-
CVE-2025-65753
HIGH
CVSS 7.5
The TLS certificate handling mechanism of Guardian Gryphon v01.06.0006.22 is affected by improper certificate validation (CVSS 7.5).
Tls
-
CVE-2025-36247
HIGH
CVSS 7.1
Db2 versions up to 12.1.3 are affected by improper restriction of XML external entity (XXE) references (CVSS 7.1).
IBM
Linux
Windows
XXE
Db2
-
CVE-2025-33088
HIGH
CVSS 7.4
Concert versions up to 2.1.0 are affected by incorrect permission assignment for a critical resource (CVSS 7.4).
IBM
Concert
-
CVE-2025-32355
HIGH
CVSS 7.9
Rocket TRUfusion Enterprise versions up to 7.10.4.0 are affected by server-side request forgery (SSRF) (CVSS 7.3).
SSRF
-
CVE-2025-13691
HIGH
CVSS 8.1
IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used to impersonate other users in the system. [CVSS 8.1 HIGH]
IBM
Datastage On Cloud Pak For Data
-
CVE-2025-13689
HIGH
CVSS 8.8
IBM DataStage on Cloud Pak for Data is affected by unrestricted upload of a file with a dangerous type (CVSS 8.8).
IBM
Datastage On Cloud Pak For Data
-
CVE-2025-12062
HIGH
CVSS 8.8
The WP Maps - Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. [CVSS 8.8 HIGH]
WordPress
PHP
Lfi
-
CVE-2025-7631
HIGH
CVSS 8.6
Tumeva Internet Technologies Software Information Advertising and Consulting Services Trade Ltd. Co. Tumeva Prime News Software is affected by SQL injection (CVSS 8.6).
SQLi
-
CVE-2024-55270
HIGH
CVSS 8.8
phpgurukul Student Management System 1.0 is vulnerable to SQL Injection in studentms/admin/search.php via the searchdata parameter. [CVSS 8.8 HIGH]
PHP
SQLi
Student Management System
-
CVE-2026-26357
MEDIUM
CVSS 5.4
Stored cross-site scripting in Dell Unisphere for PowerMax 9.2.4.x allows authenticated remote attackers to inject malicious scripts that execute in users' browsers, potentially enabling session hijacking or credential theft. The vulnerability requires user interaction and carries a medium severity rating with no patch currently available.
XSS
Information Disclosure
-
CVE-2026-23861
MEDIUM
CVSS 5.4
Cross-site scripting in Dell Unisphere for PowerMax vApp 9.2.4.x enables authenticated remote attackers to inject malicious scripts that execute in victim browsers, potentially compromising session tokens or stealing sensitive information. The vulnerability requires user interaction and low-level privileges, but no patch is currently available to address it.
XSS
Information Disclosure
-
CVE-2026-23598
MEDIUM
CVSS 6.5
HPE Aruba Networking 5G Core API error handling exposes sensitive information including user accounts, roles, and system configuration to unauthenticated remote attackers. Successful exploitation enables attackers to gather intelligence on internal services and workflows, creating a foundation for further attacks targeting unauthorized access and privilege escalation. A patch is available.
Information Disclosure
Authentication Bypass
Aruba Networking Private 5g Core
-
CVE-2026-23597
MEDIUM
CVSS 6.5
HPE Aruba Networking 5G Core API error handling leaks sensitive information including user accounts, roles, and system configuration to unauthenticated remote attackers. Exposed internal service details can be leveraged to identify attack vectors for privilege escalation and unauthorized access. A patch is available.
Information Disclosure
Authentication Bypass
Aruba Networking Private 5g Core
-
CVE-2026-23596
MEDIUM
CVSS 6.5
Unauthenticated attackers can trigger service restarts through the management API in Aruba Networking Private 5G Core, causing denial of service and disrupting system availability. This network-adjacent vulnerability requires no authentication or user interaction and has a publicly available patch to remediate the issue.
Denial Of Service
Aruba Networking Private 5g Core
-
CVE-2026-22762
MEDIUM
CVSS 6.5
Arbitrary file deletion in Dell Avamar Server and Virtual Edition versions before 19.10 SP1 with CHF338912 stems from improper path traversal validation in the security module. High-privileged remote attackers can exploit this vulnerability to delete files on affected systems, though no patch is currently available.
Path Traversal
-
CVE-2026-22284
MEDIUM
CVSS 6.6
Unauthenticated command injection in Dell SmartFabric OS10 versions before 10.5.6.12 allows high-privileged remote attackers to execute arbitrary commands on affected network devices. The vulnerability stems from improper sanitization of user-supplied input in command processing, requiring attacker knowledge of administrative credentials to trigger. A patch is available and administrators should prioritize updating affected systems given the severity of potential command execution impact.
Command Injection
Smartfabric Os10
-
CVE-2026-2623
MEDIUM
CVSS 6.3
Path traversal in Blossom up to version 1.17.1 file upload functionality allows authenticated remote attackers to access arbitrary files on affected systems. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
Java
Path Traversal
Blossom
-
CVE-2026-2617
MEDIUM
CVSS 6.3
The Beetel 777VR1 router's SSH/Telnet service contains insecure default initialization that allows local network attackers to achieve partial compromise of confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and the vendor has not released patches despite early notification. Affected devices running firmware version 01.00.09 and earlier require isolation from untrusted local networks until a security update becomes available.
Ssh
Information Disclosure
777vr1 Firmware
-
CVE-2026-2608
MEDIUM
CVSS 4.3
Page Builder Toolkit for Gutenberg Editor versions up to 3.5.32 are affected by missing authorization (CVSS 4.3).
WordPress
-
CVE-2026-2002
MEDIUM
CVSS 4.4
Stored XSS in Forminator Forms plugin for WordPress (versions up to 1.50.2) allows authenticated administrators and delegated form managers to inject malicious scripts through the form_name parameter due to inadequate input sanitization. When users access pages containing injected forms, the scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.
WordPress
XSS
-
CVE-2026-1657
MEDIUM
CVSS 5.3
Unauthenticated attackers can upload arbitrary image files to WordPress sites running EventPrime plugin versions up to 4.2.8.4 through an unprotected AJAX endpoint that lacks proper authentication checks. This vulnerability allows unauthorized file uploads to the media library, potentially enabling further attacks such as stored XSS or malicious file distribution. No patch is currently available.
WordPress
-
CVE-2026-0829
MEDIUM
CVSS 5.8
Frontend File Manager Plugin for WordPress versions up to 23.5 are affected by missing authorization (CVSS 5.8).
WordPress
-
CVE-2025-70829
MEDIUM
CVSS 5.7
An information exposure vulnerability in Datart v1.0.0-rc.3 allows authenticated attackers to access sensitive data via a custom H2 JDBC connection string. [CVSS 5.7 MEDIUM]
Information Disclosure
Datart
-
CVE-2025-36598
MEDIUM
CVSS 6.5
Dell Avamar, versions prior to 19.12 with patch 338905, contains an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Security. [CVSS 6.5 MEDIUM]
Path Traversal
-
CVE-2025-36597
MEDIUM
CVSS 4.7
Dell Avamar, versions prior to 19.12 with patch 338905, contains an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Security. [CVSS 4.7 MEDIUM]
Path Traversal
Information Disclosure
-
CVE-2025-36425
MEDIUM
CVSS 5.3
Db2 versions up to 12.1.3 contain a vulnerability that could allow an authenticated user to obtain sensitive information under a specific HADR configuration (CVSS 5.3).
IBM
Linux
Windows
Db2
-
CVE-2025-36379
MEDIUM
CVSS 5.9
IBM Security QRadar EDR 3.12 through 3.12.23 (IBM Security ReaQta) uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. [CVSS 5.9 MEDIUM]
Qradar Edr
-
CVE-2025-36377
MEDIUM
CVSS 6.3
IBM Security QRadar EDR 3.12 through 3.12.23 does not invalidate session after a session expiration which could allow an authenticated user to impersonate another user on the system. [CVSS 6.3 MEDIUM]
IBM
Qradar Edr
-
CVE-2025-36376
MEDIUM
CVSS 6.3
IBM Security QRadar EDR versions up to 3.12.23 are affected by insufficient session expiration (CVSS 6.3).
IBM
Security Qradar Edr
-
CVE-2025-36348
MEDIUM
CVSS 4.9
Sterling B2B Integrator versions up to 6.1.2.7 are affected by an error message information leak (CVSS 4.9).
IBM
Sterling B2b Integrator
Sterling File Gateway
-
CVE-2025-36243
MEDIUM
CVSS 5.4
IBM Concert 1.0.0 through 2.1.0 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. [CVSS 5.4 MEDIUM]
IBM
SSRF
Concert
-
CVE-2025-36019
MEDIUM
CVSS 6.1
IBM Concert 1.0.0 through 2.1.0 for Z hub framework is vulnerable to cross-site scripting. [CVSS 6.1 MEDIUM]
IBM
XSS
Concert
-
CVE-2025-36018
MEDIUM
CVSS 6.5
IBM Concert 1.0.0 through 2.1.0 for Z hub component is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. [CVSS 6.5 MEDIUM]
IBM
CSRF
Concert
-
CVE-2025-33135
MEDIUM
CVSS 6.1
IBM Financial Transaction Manager for ACH Services and Check Services for Multi-Platform versions 3.0.0.0 up to 3.0.5.4 are affected by cross-site scripting (XSS) (CVSS 6.1).
IBM
XSS
-
CVE-2025-33130
MEDIUM
CVSS 6.5
IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0 could allow an authenticated user to cause the program to crash due to a buffer being overwritten when it is allocated on the stack. [CVSS 6.5 MEDIUM]
IBM
Linux
Windows
Denial Of Service
Db2 Merge Backup
-
CVE-2025-33124
MEDIUM
CVSS 6.5
Db2 Merge Backup versions up to 12.1.0.0 are affected by an incorrect calculation of buffer size (CVSS 6.5).
IBM
Linux
Windows
Denial Of Service
Db2 Merge Backup
-
CVE-2025-33101
MEDIUM
CVSS 5.9
Concert versions up to 2.1.0 contain a vulnerability that allows attackers to obtain sensitive information using man-in-the-middle techniques due to improper (CVSS 5.9).
IBM
Concert
-
CVE-2025-33089
MEDIUM
CVSS 6.5
IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information or perform unauthorized actions due to the use of hard coded user credentials. [CVSS 6.5 MEDIUM]
IBM
Concert
-
CVE-2025-27904
MEDIUM
CVSS 6.5
Db2 Recovery Expert versions up to 5.5.0 are affected by cross-site request forgery (CSRF) (CVSS 6.5).
IBM
Linux
Windows
CSRF
Db2 Recovery Expert
-
CVE-2025-27903
MEDIUM
CVSS 5.9
Db2 Recovery Expert versions up to 5.5.0 are affected by cleartext transmission of sensitive information (CVSS 5.9).
IBM
Linux
Windows
Db2 Recovery Expert
-
CVE-2025-27901
MEDIUM
CVSS 6.5
Db2 Recovery Expert versions up to 5.5.0 contain a vulnerability that allows attackers to conduct various attacks against the vulnerable system, including cross-site scri (CVSS 6.5).
IBM
Linux
Windows
XSS
Db2 Recovery Expert
-
CVE-2025-27900
MEDIUM
CVSS 6.8
Db2 Recovery Expert versions up to 5.5.0 are affected by URL redirection to an untrusted site (open redirect) (CVSS 6.8).
IBM
Open Redirect
Db2 Recovery Expert
-
CVE-2025-27899
MEDIUM
CVSS 5.3
IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 discloses sensitive information in an environment variable that could aid in further attacks against the system. [CVSS 5.3 MEDIUM]
IBM
Db2 Recovery Expert
-
CVE-2025-27898
MEDIUM
CVSS 6.3
IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 does not invalidate session after a timeout which could allow an authenticated user to impersonate another user on the system. [CVSS 6.3 MEDIUM]
IBM
Db2 Recovery Expert
-
CVE-2025-14689
MEDIUM
CVSS 6.5
Db2 contains a vulnerability that could allow an authenticated user to cause a denial of service due to improper neutralizatio (CVSS 6.5).
IBM
Linux
Windows
Denial Of Service
Db2
-
CVE-2025-14289
MEDIUM
CVSS 5.4
IBM webMethods Integration Server 12.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. [CVSS 5.4 MEDIUM]
IBM
Webmethods Integration Server
-
CVE-2025-13867
MEDIUM
CVSS 6.5
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.3 could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic.
IBM
Linux
Windows
Denial Of Service
Db2
-
CVE-2025-13333
MEDIUM
CVSS 4.4
IBM WebSphere Application Server 9.0, and 8.5 could provide weaker than expected security during system administration of security settings. [CVSS 4.4 MEDIUM]
IBM
Websphere Application Server
-
CVE-2025-13108
MEDIUM
CVSS 5.5
Db2 Merge Backup versions up to 12.1.0.0 contain a vulnerability that allows attackers to access sensitive information in memory due to the buffer not properly clearing r (CVSS 5.5).
IBM
Linux
Windows
Db2 Merge Backup
-
CVE-2025-12755
MEDIUM
CVSS 4.0
IBM MQ Operator (SC2 v3.2.0-3.8.1, LTS v2.0.0-2.0.29) and IBM-supplied MQ Advanced container images (across affected SC2, CD, and LTS 9.3.x-9.4.x releases) contain a vulnerability where log messages are not properly neutralized before being written to log files. [CVSS 4.0 MEDIUM]
IBM
-
CVE-2025-8303
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in EKA Software Computer Information Advertising Services Ltd. [CVSS 6.5 MEDIUM]
XSS
-
CVE-2025-7706
MEDIUM
CVSS 6.1
from 3.0.0 to 3.3.1 versions up to 3.5.0 are affected by missing authentication for a critical function (CVSS 6.1).
Authentication Bypass
-
CVE-2024-43178
MEDIUM
CVSS 5.9
Concert versions up to 2.1.0 are affected by the use of a broken or risky cryptographic algorithm (CVSS 5.9).
IBM
Concert
-
CVE-2024-31118
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in Smartypants SP Project & Document Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SP Project & Document Manager: from n/a through 4.70. [CVSS 6.5 MEDIUM]
Authentication Bypass
-
CVE-2023-38265
MEDIUM
CVSS 5.3
IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could disclose folder location information to an unauthenticated attacker that could aid in further attacks against the system. [CVSS 5.3 MEDIUM]
IBM
Cloud Pak System
-
CVE-2023-38005
MEDIUM
CVSS 4.3
IBM Cloud Pak System 2.3.3.6, 2.3.3.7, 2.3.4.0, 2.3.4.1, and 2.3.5.0 could allow an authenticated user to perform unauthorized tasks due to improper access controls. [CVSS 4.3 MEDIUM]
IBM
Cloud Pak System
-
CVE-2022-41650
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in Paul Custom Content by Country (by Shield Security) custom-content-by-country. This issue affects Custom Content by Country (by Shield Security): from n/a through 3.1.2. [CVSS 6.5 MEDIUM]
Authentication Bypass
-
CVE-2026-26220
None
LightLLM version 1.1.0 and prior contain an unauthenticated remote code execution vulnerability in PD (prefill-decode) disaggregation mode. The PD master node exposes WebSocket endpoints that receive binary frames and pass the data directly to pickle.loads() without authentication or validation.
RCE
Deserialization
-
CVE-2026-24733
LOW
CVSS 3.7
Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. [CVSS 3.7 LOW]
Apache
Tomcat
-
CVE-2026-2622
LOW
CVSS 3.5
A vulnerability was detected in Blossom up to 1.17.1. This vulnerability affects the function content of the file blossom-backend/backend/src/main/java/com/blossom/backend/server/article/draft/ArticleController.java of the component Article Title Handler. [CVSS 3.5 LOW]
Java
XSS
-
CVE-2026-2618
LOW
CVSS 3.7
A vulnerability was determined in Beetel 777VR1 up to 01.00.09. This impacts an unknown function of the component SSH Service. [CVSS 3.7 LOW]
Ssh
-
CVE-2026-2247
None
SQL injection vulnerability (SQLi) in Clicldeu SaaS, specifically in the generation of reports, which occurs when a previously authenticated remote attacker executes a malicious payload in the URL generated after downloading the student's report card in the ‘Day-to-day’ section from the mobile application.
SQLi
-
CVE-2026-0102
LOW
CVSS 3.1
Edge Chromium contains a vulnerability that allows attackers to disclose stored autofill data such as addresses, email, or phone number met (CVSS 3.1).
Information Disclosure
-
CVE-2025-62183
None
Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Exploitation requires an administrative user and, given such extensive access rights, the impact to Confidentiality and Integrity is low.
XSS
-
CVE-2025-36183
LOW
CVSS 3.8
Watsonx.Data versions up to 2.2.1 are affected by unrestricted upload of a file with a dangerous type (CVSS 3.8).
IBM
-
CVE-2024-55271
LOW
CVSS 3.5
Gym Management System versions up to 1.0 are affected by cross-site request forgery (CSRF) (CVSS 3.5).
PHP
CSRF