Skip to main content
CVE-2025-71243 CRITICAL POC THREAT Emergency

The Saisies plugin for SPIP CMS versions 5.4.0 through 5.11.0 contains a critical remote code execution vulnerability. Attackers can exploit the vulnerability to execute arbitrary code on the SPIP server, compromising the content management system and its database.

RCE Saisies
NVD
CVSS 3.1
9.8
EPSS
73.5%
Threat
5.7
CVE-2026-0926 CRITICAL POC Act Now

Local File Inclusion in Prodigy Commerce WordPress plugin <= 3.2.9.

WordPress PHP LFI Information Disclosure RCE
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-2686 CRITICAL POC Act Now

Command injection in SECCN Dingcheng G10 3.1.0.181203 router via session_login.cgi. PoC available.

Command Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-1405 CRITICAL POC Act Now

Arbitrary file upload in Slider Future WordPress plugin.

WordPress RCE
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-25242 CRITICAL POC PATCH Act Now

Unauthenticated file upload in Gogs self-hosted Git service 0.13.4 and below. Default configuration exposes file upload endpoints. PoC and patch available.

CSRF Gogs Suse
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-26318 HIGH POC PATCH This Week

Command injection in systeminformation versions before 5.31.0 allows local attackers with user privileges to execute arbitrary system commands through unsanitized output parsing in the versions() function. Public exploit code exists for this vulnerability, which provides complete system compromise capabilities including information disclosure, modification, and denial of service. Upgrade to version 5.31.0 or later to remediate.

Node.js Command Injection Systeminformation
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-25232 HIGH POC PATCH This Week

Gogs is an open source self-hosted Git service. [CVSS 8.8 HIGH]

SSH Privilege Escalation Gogs Suse
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25755 HIGH POC PATCH This Week

PDF object injection in the jsPDF JavaScript library (npm package 'jspdf', versions prior to 4.2.0) lets an attacker who controls the string passed to the addJS method break out of the PDF JavaScript string delimiter and inject arbitrary PDF dictionary objects, including auto-executing Additional Actions (/AA). Any user who later opens the generated PDF in a JavaScript-capable viewer executes the injected actions, affecting confidentiality, integrity and availability of their document session. Publicly available exploit code exists (a documented payload is published in the GitHub advisory), but EPSS is very low (0.04%, 10th percentile) and the issue is not in CISA KEV.

RCE Code Injection Jspdf
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-24834 HIGH POC PATCH This Week

Privilege escalation in Kata Containers (versions prior to 3.27.0) running on the Cloud Hypervisor backend lets a sufficiently-privileged container user write to the guest micro-VM's root filesystem and gain arbitrary code execution as root inside that VM. The root cause is that the read-only DAX/virtio-pmem rootfs image is never actually enforced read-only, so guest writes to /dev/pmem0 are observed by the guest. Publicly available exploit detail exists (GitHub Security Advisory GHSA-wwj6-vghv-5p64), though EPSS exploitation probability is negligible (0.01%) and it is not on CISA KEV.

RCE Kata Containers
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25535 HIGH POC PATCH This Week

Denial of service in jsPDF (npm package, all versions prior to 4.2.0) lets an attacker who can supply image input to the `addImage` or `html` methods crash the host process. A malicious GIF whose header declares enormous width/height values forces the bundled omggif decoder to attempt allocation of an oversized pixel buffer, producing out-of-memory errors. Publicly available exploit code exists (no active exploitation reported in CISA KEV), and the EPSS probability is low at 0.05%.

Denial Of Service Jspdf
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-26286 HIGH POC This Week

SillyTavern versions before 1.16.0 contain a server-side request forgery (SSRF) vulnerability in the asset download endpoint that allows authenticated users to make arbitrary HTTP requests from the server and access internal services, cloud metadata, and private network resources. Public exploit code exists for this vulnerability, which can be mitigated by upgrading to version 1.16.0 or configuring domain whitelisting in the config.yaml file.

SSRF AI / ML Sillytavern
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-26280 HIGH POC PATCH This Week

Command injection in the systeminformation Node.js library (versions prior to 5.30.8) lets attackers run arbitrary OS commands on Linux hosts through the wifiNetworks() function. While the iface argument is sanitized on the first call, the setTimeout retry path (triggered when the initial scan returns no results) re-invokes getWifiNetworkListIw() with the original unsanitized value, which reaches execSync('iwlist <iface> scan'). Any application that forwards user-controlled input to si.wifiNetworks() can be coerced into executing commands with the Node.js process privileges; publicly available exploit code exists, though EPSS risk is low (0.08%, 24th percentile) and it is not on the CISA KEV list.

Node.js Command Injection Systeminformation
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-26200 HIGH POC PATCH This Week

Heap buffer overflow in HDF5 versions prior to 1.14.4-2 allows attackers to trigger denial-of-service or potentially achieve code execution by crafting malicious h5 files. The vulnerability affects any system parsing untrusted HDF5 data files and has public exploit code available. A patch is not yet available, leaving affected deployments at risk.

RCE Buffer Overflow Heap Overflow Hdf5
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-27013 HIGH POC PATCH This Week

Stored XSS in Fabric.js prior to version 7.2.0 allows attackers to inject arbitrary SVG elements and event handlers when user-supplied JSON is loaded and exported via toSVG(), affecting applications that process collaborative designs, imports, or CMS plugins. Public exploit code exists for this vulnerability. Applications rendering the SVG output in browsers are vulnerable to arbitrary JavaScript execution.

RCE XSS Fabric.Js
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-1581 HIGH POC This Week

Unauthenticated attackers can exploit time-based SQL injection in wpForo Forum plugin for WordPress versions up to 2.4.14 through the 'wpfob' parameter to extract sensitive database information. The vulnerability stems from insufficient input sanitization and improper SQL query preparation, allowing attackers to inject arbitrary SQL commands without authentication. No patch is currently available.

WordPress SQLi
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26202 HIGH POC PATCH This Week

Penpot before version 2.13.2 contains a path traversal vulnerability in the font creation endpoint that allows authenticated users with team edit permissions to read arbitrary files from the server filesystem. By supplying local file paths such as `/etc/passwd` as font data, attackers can retrieve sensitive files including system configuration, application secrets, and credentials. Public exploit code exists for this vulnerability, which could enable further server compromise depending on the Penpot process permissions.

Path Traversal Information Disclosure Penpot
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26278 HIGH POC PATCH This Week

Fast XML Parser versions 4.1.3 through 5.3.5 are vulnerable to XML entity expansion attacks that allow remote attackers to cause denial of service by forcing unbounded entity expansion with minimal payload sizes. Public exploit code exists for this vulnerability, enabling attackers to freeze or severely degrade application performance. Upgrade to version 5.3.6 or disable entity processing using the `processEntities: false` option to mitigate the risk.

Fast Xml Parser Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26201 HIGH POC PATCH This Week

emp3r0r C2 framework versions prior to 3.21.2 crash due to unsynchronized concurrent map access in Go goroutines, allowing attackers with network access to trigger denial of service against the C2 infrastructure. Public exploit code exists for this vulnerability. The issue is resolved in version 3.21.2 and later.

Linux Golang Denial Of Service Emp3r0r Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-26267 HIGH POC PATCH This Week

Function name collision in Rs Soroban SDK versions prior to 22.0.10, 23.5.2, and 25.1.1 causes the #[contractimpl] macro to invoke incorrect functions when both trait and inherent implementations share identical function names, allowing attackers to exploit logic flaws through public exploit code. Smart contract developers using affected versions risk silent execution of unintended code paths that could compromise contract integrity and security guarantees. Patches are available for all vulnerable versions.

Authentication Bypass Rs Soroban Sdk
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27114 HIGH POC This Week

Nanazip versions up to 6.0.1630.0 is affected by loop with unreachable exit condition (infinite loop) (CVSS 7.5).

Denial Of Service Nanazip
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25474 HIGH POC PATCH This Week

OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSecret` is not configured, allowing attackers with network access to the webhook endpoint to forge Telegram messages and trigger unintended bot actions. Public exploit code exists for this vulnerability. Affected deployments must upgrade to version 2026.2.1 or later, or ensure the webhook endpoint is not reachable by untrusted networks.

Authentication Bypass AI / ML Openclaw
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-26193 HIGH POC PATCH GHSA This Week

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. [CVSS 7.3 HIGH]

XSS AI / ML Open Webui
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-26192 HIGH POC PATCH GHSA This Week

Stored XSS in Open WebUI prior to version 0.7.0 allows authenticated users to inject malicious HTML payloads into chat document metadata, which execute in the browser when citations are previewed or viewed in shared chats. Public exploit code exists for this vulnerability, and an attacker with login access can compromise any user who interacts with their weaponized chat documents. Upgrade to version 0.7.0 or later to remediate.

XSS AI / ML Open Webui
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-25926 HIGH POC This Week

Notepad++ versions before 8.9.2 allow local code execution through an unsafe search path vulnerability that permits attackers to hijack the Windows Explorer executable if they control the process working directory. A user with local access running the affected application could be tricked into executing a malicious explorer.exe, leading to arbitrary code execution with application privileges. Public exploit code exists for this vulnerability and no patch is currently available.

Windows
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2019-25419 HIGH POC This Week

Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the schedule endpoint. [CVSS 7.2 HIGH]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2019-25422 HIGH POC This Week

Comodo Dome Firewall 2.7.0 contains cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through the vpnfw endpoint. [CVSS 7.2 HIGH]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2019-25405 HIGH POC This Week

Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the newLicense parameter. [CVSS 7.2 HIGH]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-26282 MEDIUM POC This Month

NanaZip versions 5.0.1252.0 through 6.0.1629.0 contain an out-of-bounds heap read in the .NET Single File bundle parser that can crash the application or expose sensitive heap memory when processing malicious archive files. A local attacker with user privileges can exploit this vulnerability by crafting a specially formatted file, and public exploit code is currently available. No patch is yet available for affected users.

.NET Denial Of Service Nanazip
NVD GitHub
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-26312 MEDIUM POC This Month

Denial-of-service in Stalwart Mail Server versions 0.13.0 through 0.15.4 allows authenticated users to crash the server by sending a specially crafted email with malformed nested MIME parts through IMAP or JMAP, triggering infinite loops and resource exhaustion. The vulnerability requires valid credentials to exploit and public exploit code exists, but no patch is currently available for affected versions.

Denial Of Service Stalwart
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25229 MEDIUM POC PATCH This Month

Gogs versions 0.13.4 and earlier contain an access control bypass in the label management function that allows authenticated users to modify labels across repositories they don't own. The vulnerability stems from insufficient validation in the label update endpoint, enabling cross-repository label tampering attacks. Public exploit code exists for this issue, though a patch is available in version 0.14.1.

Authentication Bypass Gogs Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-13671 MEDIUM POC This Month

Web Site Management Server versions up to 16.7.0 is affected by cross-site request forgery (csrf) (CVSS 6.5).

CSRF Web Site Management Server
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2019-25404 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input through admin management parameters. [CVSS 6.4 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2019-25403 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the comment parameter. [CVSS 6.4 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2019-25430 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the username parameter. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2019-25414 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the ID parameter. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2019-25413 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the ID parameter. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2019-25402 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted input to the username parameter. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2019-25429 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the openvpn_advanced endpoint. [CVSS 6.1 MEDIUM]

Openvpn XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25427 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the antispyware endpoint. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25423 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains multiple reflected cross-site scripting vulnerabilities in the /korugan/proxyconfig endpoint that allow attackers to inject malicious scripts through POST parameters. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25421 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains multiple cross-site scripting vulnerabilities that allow attackers to inject malicious scripts through the policyfw endpoint. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25420 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the snat endpoint. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25417 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the protocol parameter. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25415 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting unsanitized input to the hotspot_permanent_users endpoint. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25428 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains multiple reflected cross-site scripting vulnerabilities in the openvpn_users endpoint that allow attackers to inject malicious scripts through POST parameters. [CVSS 6.1 MEDIUM]

Openvpn XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25426 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the dnsmasq endpoint. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25425 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the VIRUS_ADMIN parameter. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25424 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting unsanitized input to the EXCEPTIONSITELIST parameter. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25418 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input to the FWADDRESSES parameter. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25416 MEDIUM POC This Month

Comodo Dome Firewall 2.7.0 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input through the device parameter. [CVSS 6.1 MEDIUM]

XSS Dome Firewall
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
Page 1 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy