Skip to main content
CVE-2026-22769 CRITICAL KEV PATCH THREAT Act Now

Dell RecoverPoint for Virtual Machines prior to 6.0.3.1 HF1 contains hardcoded credentials (CVE-2026-22769, CVSS 10.0) that allow unauthenticated remote attackers with knowledge of the credentials to gain root-level access to the underlying operating system. KEV-listed, this vulnerability exposes disaster recovery infrastructure to complete compromise, potentially affecting the integrity of backup and replication data.

Dell Authentication Bypass Privilege Escalation RCE Recoverpoint For Virtual Machines
NVD
CVSS 3.1
10.0
EPSS
34.2%
Threat
4.5
CVE-2026-26736 HIGH POC This Week

Stack-based buffer overflow in TOTOLIK A3002RU firmware versions up to V3.0.0-B20220304.1804 allows authenticated attackers to achieve remote code execution through a malicious static_ipv6 parameter. Public exploit code exists for this vulnerability, and no patch is currently available. The high CVSS score of 8.8 reflects the complete compromise of system confidentiality, integrity, and availability for affected devices.

Buffer Overflow Stack Overflow A3002ru Firmware
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-26732 HIGH POC This Week

Stack overflow vulnerabilities in TOTOLIK A3002RU V2.1.1 router firmware allow authenticated attackers to achieve remote code execution through malformed vpnUser or vpnPassword parameters. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected devices at risk of complete compromise.

Buffer Overflow Stack Overflow A3002ru Firmware
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-26731 HIGH POC This Week

Remote code execution in TOTOLIK A3002RU V2.1.1 firmware results from a stack-based buffer overflow in the DNS configuration function that can be exploited by authenticated network users. Public exploit code exists for this vulnerability, and attackers with valid credentials can achieve full system compromise including code execution and data manipulation. No patch is currently available.

Buffer Overflow Memory Corruption A3002ru Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-55270 HIGH POC This Week

phpgurukul Student Management System 1.0 is vulnerable to SQL Injection in studentms/admin/search.php via the searchdata parameter. [CVSS 8.8 HIGH]

PHP SQLi Student Management System
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-32355 HIGH POC This Week

Rocket TRUfusion Enterprise versions up to 7.10.4.0 is affected by server-side request forgery (ssrf) (CVSS 7.3).

SSRF Trufusion Enterprise
NVD
CVSS 4.0
7.9
EPSS
2.4%
CVE-2026-2616 HIGH POC This Week

Hard-coded credentials in the Beetel 777VR1 router's web management interface allow adjacent network attackers to gain full administrative access without authentication. Affecting firmware versions up to and including 01.00.09, this vulnerability enables complete device compromise through documented default credentials that cannot be changed through normal configuration. Publicly available exploit code exists with detailed reproduction steps, and the vendor has not responded to disclosure attempts. EPSS score of 0.19% (40th percentile) suggests limited widespread exploitation despite public POC availability, likely due to the device's limited deployment footprint and adjacent network attack requirement.

Authentication Bypass 777vr1 Firmware
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.2%
CVE-2026-2615 HIGH POC This Week

Wl-Nu516U1 Firmware versions up to 20251208. contains a vulnerability that allows attackers to command injection (CVSS 7.2).

Command Injection Wl Nu516u1 Firmware
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.4%
CVE-2025-70397 HIGH POC This Week

jizhicms 2.5.6 is vulnerable to SQL Injection in Article/deleteAll and Extmolds/deleteAll via the data parameter. [CVSS 7.2 HIGH]

SQLi Jizhicms
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-2627 HIGH POC This Week

Link following vulnerability in Softland FBackup 9.9 and earlier allows local authenticated attackers to escalate privileges by manipulating symbolic links processed by the HID.dll library during backup or restore operations. Public exploit code is available via GitHub, but EPSS score remains extremely low (0.01%) and no active exploitation has been reported. The vendor has not responded to disclosure attempts, leaving users without an official patch.

Information Disclosure Microsoft
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-0829 MEDIUM POC This Month

Frontend File Manager Plugin WordPre versions up to 23.5 is affected by missing authorization (CVSS 5.8).

WordPress
NVD WPScan
CVSS 3.1
5.8
EPSS
2.4%
CVE-2025-70830 CRITICAL Act Now

Server-Side Template Injection (SSTI) in Datart v1.0.0-rc.3 via Freemarker template engine allows authenticated users to execute arbitrary code on the server.

Code Injection RCE
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-23647 CRITICAL Act Now

Hardcoded OS credentials in Glory RBG-100 cash recycler systems using ISPK-08 software component. Physical cash handling equipment ships with known default credentials enabling complete system takeover.

Linux SSH
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-1670 CRITICAL Act Now

Unauthenticated API exposure in industrial control products allows remote attackers to access critical functions without authentication.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-70829 MEDIUM POC This Month

An information exposure vulnerability in Datart v1.0.0-rc.3 allows authenticated attackers to access sensitive data via a custom H2 JDBC connection string. [CVSS 5.7 MEDIUM]

Information Disclosure Datart
NVD GitHub
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-26220 CRITICAL Act Now

Remote code execution in LightLLM 1.1.0 and prior lets unauthenticated attackers run arbitrary code on the PD master node when the framework runs in prefill-decode (PD) disaggregation mode. The PD master exposes WebSocket endpoints that feed inbound binary frames straight into Python's pickle.loads(), so any attacker able to reach that socket can execute code in the serving process. No CISA KEV listing exists and EPSS is modest at 0.83% (74th percentile), but a public technical write-up (chocapikk.com) plus a VulnCheck advisory mean publicly available exploit code exists, so this should be treated as an urgent internal-exposure risk.

RCE Deserialization
NVD GitHub
CVSS 4.0
9.3
EPSS
0.8%
CVE-2025-59793 CRITICAL Act Now

Path traversal in Rocket TRUfusion Enterprise through 7.10.5 via /axis2/services endpoint allows authenticated attackers to read and write arbitrary files on the host. EPSS 0.32%.

RCE Path Traversal Trufusion Enterprise
NVD
CVSS 4.0
9.4
EPSS
0.3%
CVE-2026-22208 CRITICAL Act Now

Remote code execution in OpenS100 (S-100 viewer reference implementation) prior to commit 753cf29. Malicious S-100 dataset files can trigger code execution when opened. CVSS 9.6.

RCE
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.2%
CVE-2025-66614 CRITICAL PATCH Act Now

Input validation vulnerability in Apache Tomcat affecting versions 11.0.0-M1 through 11.0.14, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98. Critical severity issue in one of the most widely deployed Java application servers.

Apache Tomcat Red Hat Suse
NVD HeroDevs VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-2630 HIGH This Week

Tenable Security Center is vulnerable to command injection that allows authenticated remote attackers to execute arbitrary code on the hosting server. With no patch currently available and an 8.8 CVSS score, this vulnerability poses a significant risk to organizations relying on this security platform for vulnerability management. Attackers with valid credentials can achieve full system compromise without user interaction.

Command Injection
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-23595 HIGH PATCH This Week

Unauthenticated attackers can bypass API authentication in Aruba Networking Private 5G Core to create unauthorized administrative accounts, enabling full system compromise. Successful exploitation grants attackers administrative privileges to modify configurations and access sensitive data within affected deployments.

Authentication Bypass Aruba Networking Private 5g Core
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-70828 HIGH This Week

An issue in Datart v1.0.0-rc.3 allows attackers to execute arbitrary code via the url parameter in the JDBC configuration [CVSS 8.8 HIGH]

Command Injection RCE Datart
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-26119 HIGH PATCH This Week

Windows Admin Center's authentication mechanism can be bypassed by authenticated network users to gain elevated privileges on affected Windows systems. An attacker with valid credentials could exploit this weakness to escalate their access level without additional user interaction. A patch is available to remediate this high-severity vulnerability.

Windows Windows Admin Center Microsoft
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-12062 HIGH This Week

The WP Maps - Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. [CVSS 8.8 HIGH]

WordPress PHP LFI
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-13689 HIGH This Week

Datastage On Cloud Pak For Data is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

IBM Datastage On Cloud Pak For Data
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25903 HIGH PATCH This Week

Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation.

Apache Authentication Bypass
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2025-67905 HIGH This Week

Malwarebytes AdwCleaner before v.8.7.0 runs as Administrator and performs an insecure log file delete operation in which the target location is user-controllable, allowing a non-admin user to escalate privileges to SYSTEM via a symbolic link, a related issue to CVE-2023-28892. [CVSS 8.7 HIGH]

Privilege Escalation
NVD
CVSS 3.1
8.7
EPSS
0.0%
CVE-2025-7631 HIGH This Week

Tumeva Internet Technologies Software Information Advertising and Consulting Services Trade Ltd. Co. Tumeva Prime News Software is affected by sql injection (CVSS 8.6).

SQLi
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2025-13691 HIGH This Week

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used to impersonate other users in the system. [CVSS 8.1 HIGH]

IBM Datastage On Cloud Pak For Data
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-23648 HIGH This Week

Improper file permissions on system binaries in Glory RBG-100 recycler systems running ISPK-08 software allow local attackers to overwrite root-owned executables and achieve privilege escalation. An unprivileged user with local access can modify these world-writable binaries to execute arbitrary commands with root privileges. No patch is currently available for this vulnerability.

Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-2592 HIGH This Week

Unauthenticated attackers can mark WooCommerce orders as paid in the Zarinpal Gateway plugin (versions up to 5.0.16) by reusing valid payment tokens from other transactions, exploiting insufficient validation of callback handlers. This allows fraudulent order fulfillment without actual payment completion. No patch is currently available and the vulnerability affects all WordPress installations using this payment gateway plugin.

WordPress
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-67102 HIGH This Week

A SQL injection vulnerability in the alldayoffs feature in Jorani up to v1.0.4, allows an authenticated attacker to execute arbitrary SQL commands via the entity parameter. [CVSS 7.6 HIGH]

SQLi Jorani
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-24734 HIGH PATCH This Week

Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. [CVSS 7.5 HIGH]

Apache Tomcat Tomcat Native Authentication Bypass
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-65753 HIGH This Week

TLS certification mechanism of Guardian Gryphon v01.06.0006.22 is affected by improper certificate validation (CVSS 7.5).

Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2024-55271 LOW POC Monitor

Gym Management System versions up to 1.0 is affected by cross-site request forgery (csrf) (CVSS 3.5).

PHP CSRF
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2025-33088 HIGH This Week

Concert versions up to 2.1.0 is affected by incorrect permission assignment for critical resource (CVSS 7.4).

IBM Concert
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-1216 HIGH This Week

Reflected XSS in WordPress RSS Aggregator plugin versions up to 5.0.10 allows unauthenticated attackers to inject malicious scripts through the unvalidated 'template' parameter. An attacker can exploit this by crafting a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser session. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-36247 HIGH This Week

Db2 versions up to 12.1.3 is affected by improper restriction of xml external entity reference (CVSS 7.1).

IBM Linux Windows XXE Db2
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-70846 HIGH This Week

lty628 aidigu v1.9.1 is vulnerable to Cross Site Scripting (XSS) on the /tools/Password/add page in the input field password. [CVSS 7.1 HIGH]

XSS
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-25087 HIGH PATCH GHSA This Week

Use After Free vulnerability in Apache Arrow C++. This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. [CVSS 7.0 HIGH]

Apache Python Ruby Use After Free Memory Corruption +4
NVD GitHub
CVSS 3.1
7.0
EPSS
0.2%
CVE-2026-2618 LOW POC Monitor

A vulnerability was determined in Beetel 777VR1 up to 01.00.09. This impacts an unknown function of the component SSH Service. [CVSS 3.7 LOW]

Information Disclosure 777vr1 Firmware
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.0%
CVE-2025-27900 MEDIUM PATCH This Month

Db2 Recovery Expert versions up to 5.5.0 is affected by url redirection to untrusted site (open redirect) (CVSS 6.8).

IBM Open Redirect Db2 Recovery Expert
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-22284 MEDIUM PATCH This Month

Unauthenticated command injection in Dell SmartFabric OS10 versions before 10.5.6.12 allows high-privileged remote attackers to execute arbitrary commands on affected network devices. The vulnerability stems from improper sanitization of user-supplied input in command processing, requiring attacker knowledge of administrative credentials to trigger. A patch is available and administrators should prioritize updating affected systems given the severity of potential command execution impact.

Command Injection Smartfabric Os10
NVD
CVSS 3.1
6.6
EPSS
0.1%
CVE-2026-23596 MEDIUM PATCH This Month

Unauthenticated attackers can trigger service restarts through the management API in Aruba Networking Private 5G Core, causing denial of service and disrupting system availability. This network-adjacent vulnerability requires no authentication or user interaction and has a publicly available patch to remediate the issue.

Denial Of Service Aruba Networking Private 5g Core
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-22762 MEDIUM This Month

Arbitrary file deletion in Dell Avamar Server and Virtual Edition versions before 19.10 SP1 with CHF338912 stems from improper path traversal validation in the security module. High-privileged remote attackers can exploit this vulnerability to delete files on affected systems, though no patch is currently available.

Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-36598 MEDIUM This Month

Dell Avamar, versions prior to 19.12 with patch 338905, contains an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Security. [CVSS 6.5 MEDIUM]

Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-14689 MEDIUM This Month

Db2 contains a vulnerability that allows attackers to an authenticated user to cause a denial of service due to improper neutralizatio (CVSS 6.5).

IBM Linux Windows Denial Of Service Db2
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2024-31118 MEDIUM This Month

Missing Authorization vulnerability in Smartypants SP Project & Document Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SP Project & Document Manager: from n/a through 4.70. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-33130 MEDIUM This Month

IBM DB2 Merge Backup for Linux, UNIX and Windows 12.1.0.0 could allow an authenticated user to cause the program to crash due to a buffer being overwritten when it is allocated on the stack. [CVSS 6.5 MEDIUM]

IBM Linux Windows Denial Of Service Db2 Merge Backup
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-33124 MEDIUM This Month

Db2 Merge Backup versions up to 12.1.0.0 is affected by incorrect calculation of buffer size (CVSS 6.5).

IBM Linux Windows Denial Of Service Db2 Merge Backup
NVD
CVSS 3.1
6.5
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy