Skip to main content
CVE-2026-26736 HIGH POC This Week

Stack-based buffer overflow in TOTOLIK A3002RU firmware versions up to V3.0.0-B20220304.1804 allows authenticated attackers to achieve remote code execution through a malicious static_ipv6 parameter. Public exploit code exists for this vulnerability, and no patch is currently available. The high CVSS score of 8.8 reflects the complete compromise of system confidentiality, integrity, and availability for affected devices.

Buffer Overflow Stack Overflow A3002ru Firmware
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-26732 HIGH POC This Week

Stack overflow vulnerabilities in TOTOLIK A3002RU V2.1.1 router firmware allow authenticated attackers to achieve remote code execution through malformed vpnUser or vpnPassword parameters. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected devices at risk of complete compromise.

Buffer Overflow Stack Overflow A3002ru Firmware
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-26731 HIGH POC This Week

Remote code execution in TOTOLIK A3002RU V2.1.1 firmware results from a stack-based buffer overflow in the DNS configuration function that can be exploited by authenticated network users. Public exploit code exists for this vulnerability, and attackers with valid credentials can achieve full system compromise including code execution and data manipulation. No patch is currently available.

Buffer Overflow Memory Corruption A3002ru Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-55270 HIGH POC This Week

phpgurukul Student Management System 1.0 is vulnerable to SQL Injection in studentms/admin/search.php via the searchdata parameter. [CVSS 8.8 HIGH]

PHP SQLi Student Management System
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-32355 HIGH POC This Week

Rocket TRUfusion Enterprise versions up to 7.10.4.0 is affected by server-side request forgery (ssrf) (CVSS 7.3).

SSRF Trufusion Enterprise
NVD
CVSS 4.0
7.9
EPSS
2.4%
CVE-2026-2616 HIGH POC This Week

Hard-coded credentials in the Beetel 777VR1 router's web management interface allow adjacent network attackers to gain full administrative access without authentication. Affecting firmware versions up to and including 01.00.09, this vulnerability enables complete device compromise through documented default credentials that cannot be changed through normal configuration. Publicly available exploit code exists with detailed reproduction steps, and the vendor has not responded to disclosure attempts. EPSS score of 0.19% (40th percentile) suggests limited widespread exploitation despite public POC availability, likely due to the device's limited deployment footprint and adjacent network attack requirement.

Authentication Bypass 777vr1 Firmware
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.2%
CVE-2026-2615 HIGH POC This Week

Wl-Nu516U1 Firmware versions up to 20251208. contains a vulnerability that allows attackers to command injection (CVSS 7.2).

Command Injection Wl Nu516u1 Firmware
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.4%
CVE-2025-70397 HIGH POC This Week

jizhicms 2.5.6 is vulnerable to SQL Injection in Article/deleteAll and Extmolds/deleteAll via the data parameter. [CVSS 7.2 HIGH]

SQLi Jizhicms
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-2627 HIGH POC This Week

Link following vulnerability in Softland FBackup 9.9 and earlier allows local authenticated attackers to escalate privileges by manipulating symbolic links processed by the HID.dll library during backup or restore operations. Public exploit code is available via GitHub, but EPSS score remains extremely low (0.01%) and no active exploitation has been reported. The vendor has not responded to disclosure attempts, leaving users without an official patch.

Information Disclosure Microsoft
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-2630 HIGH This Week

Tenable Security Center is vulnerable to command injection that allows authenticated remote attackers to execute arbitrary code on the hosting server. With no patch currently available and an 8.8 CVSS score, this vulnerability poses a significant risk to organizations relying on this security platform for vulnerability management. Attackers with valid credentials can achieve full system compromise without user interaction.

Command Injection
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-23595 HIGH PATCH This Week

Unauthenticated attackers can bypass API authentication in Aruba Networking Private 5G Core to create unauthorized administrative accounts, enabling full system compromise. Successful exploitation grants attackers administrative privileges to modify configurations and access sensitive data within affected deployments.

Authentication Bypass Aruba Networking Private 5g Core
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-70828 HIGH This Week

An issue in Datart v1.0.0-rc.3 allows attackers to execute arbitrary code via the url parameter in the JDBC configuration [CVSS 8.8 HIGH]

Command Injection RCE Datart
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-26119 HIGH PATCH This Week

Windows Admin Center's authentication mechanism can be bypassed by authenticated network users to gain elevated privileges on affected Windows systems. An attacker with valid credentials could exploit this weakness to escalate their access level without additional user interaction. A patch is available to remediate this high-severity vulnerability.

Windows Windows Admin Center Microsoft
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-12062 HIGH This Week

The WP Maps - Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. [CVSS 8.8 HIGH]

WordPress PHP LFI
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-13689 HIGH This Week

Datastage On Cloud Pak For Data is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

IBM Datastage On Cloud Pak For Data
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25903 HIGH PATCH This Week

Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation.

Apache Authentication Bypass
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2025-67905 HIGH This Week

Malwarebytes AdwCleaner before v.8.7.0 runs as Administrator and performs an insecure log file delete operation in which the target location is user-controllable, allowing a non-admin user to escalate privileges to SYSTEM via a symbolic link, a related issue to CVE-2023-28892. [CVSS 8.7 HIGH]

Privilege Escalation
NVD
CVSS 3.1
8.7
EPSS
0.0%
CVE-2025-7631 HIGH This Week

Tumeva Internet Technologies Software Information Advertising and Consulting Services Trade Ltd. Co. Tumeva Prime News Software is affected by sql injection (CVSS 8.6).

SQLi
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2025-13691 HIGH This Week

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used to impersonate other users in the system. [CVSS 8.1 HIGH]

IBM Datastage On Cloud Pak For Data
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-23648 HIGH This Week

Improper file permissions on system binaries in Glory RBG-100 recycler systems running ISPK-08 software allow local attackers to overwrite root-owned executables and achieve privilege escalation. An unprivileged user with local access can modify these world-writable binaries to execute arbitrary commands with root privileges. No patch is currently available for this vulnerability.

Privilege Escalation
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-2592 HIGH This Week

Unauthenticated attackers can mark WooCommerce orders as paid in the Zarinpal Gateway plugin (versions up to 5.0.16) by reusing valid payment tokens from other transactions, exploiting insufficient validation of callback handlers. This allows fraudulent order fulfillment without actual payment completion. No patch is currently available and the vulnerability affects all WordPress installations using this payment gateway plugin.

WordPress
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-67102 HIGH This Week

A SQL injection vulnerability in the alldayoffs feature in Jorani up to v1.0.4, allows an authenticated attacker to execute arbitrary SQL commands via the entity parameter. [CVSS 7.6 HIGH]

SQLi Jorani
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-24734 HIGH PATCH This Week

Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. [CVSS 7.5 HIGH]

Apache Tomcat Tomcat Native Authentication Bypass
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-65753 HIGH This Week

TLS certification mechanism of Guardian Gryphon v01.06.0006.22 is affected by improper certificate validation (CVSS 7.5).

Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-33088 HIGH This Week

Concert versions up to 2.1.0 is affected by incorrect permission assignment for critical resource (CVSS 7.4).

IBM Concert
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-1216 HIGH This Week

Reflected XSS in WordPress RSS Aggregator plugin versions up to 5.0.10 allows unauthenticated attackers to inject malicious scripts through the unvalidated 'template' parameter. An attacker can exploit this by crafting a malicious link that, when clicked by a victim, executes arbitrary JavaScript in their browser session. No patch is currently available for this vulnerability.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-36247 HIGH This Week

Db2 versions up to 12.1.3 is affected by improper restriction of xml external entity reference (CVSS 7.1).

IBM Linux Windows XXE Db2
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-70846 HIGH This Week

lty628 aidigu v1.9.1 is vulnerable to Cross Site Scripting (XSS) on the /tools/Password/add page in the input field password. [CVSS 7.1 HIGH]

XSS
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-25087 HIGH PATCH GHSA This Week

Use After Free vulnerability in Apache Arrow C++. This issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. [CVSS 7.0 HIGH]

Apache Python Ruby Use After Free Memory Corruption +4
NVD GitHub
CVSS 3.1
7.0
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy