Skip to main content
CVE-2024-58041 CRITICAL Act Now

Insecure random number generation in Smolder 1.51 Perl testing framework. Uses rand() for cryptographic operations instead of a CSPRNG, enabling prediction of security tokens.

Information Disclosure Smolder
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-40538 CRITICAL Act Now

Broken access control in SolarWinds Serv-U allows unauthorized user creation by exploiting privilege assignment flaws. First of four critical Serv-U vulnerabilities.

Windows Serv U
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-40541 CRITICAL Act Now

IDOR vulnerability in SolarWinds Serv-U allows accessing objects belonging to other users. Fourth critical Serv-U vulnerability in this batch.

Windows Serv U
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-27461 MEDIUM POC PATCH This Month

Pimcore is an Open Source Data & Experience Management Platform. [CVSS 4.9 MEDIUM]

SQLi Pimcore
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-23678 HIGH This Week

Authenticated attackers can achieve remote code execution on Binardat 10G08-0800GSM network switches by injecting the %1a character into the traceroute hostname parameter on the web management interface, allowing arbitrary CLI command execution. The vulnerability affects firmware version V300SP10260209 and earlier, and currently has no available patch. This requires valid web interface credentials but poses significant risk due to its high severity rating and network-accessible attack vector.

Command Injection 10g08 0800gsm Firmware
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-13943 HIGH This Week

A post-authentication command injection vulnerability in the log file download function of the Zyxel EX3301-T0 firmware versions through 5.50(ABVY.7)C0 could allow an authenticated attacker to execute operating system (OS) commands on an affected device. [CVSS 8.8 HIGH]

Zyxel Command Injection Dx3300 T1 Firmware Px3321 T1 Firmware Wx5610 B0 Firmware +49
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-63409 HIGH This Week

Gcom Epon 1Ge Firmware versions up to c00r371v00b01 is affected by improper access control (CVSS 8.8).

Privilege Escalation Gcom Epon 1ge Firmware Authentication Bypass
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3044 HIGH This Week

Remote code execution in Tenda AC8 firmware versions up to 16.03.34.06 allows authenticated attackers to execute arbitrary code via a stack-based buffer overflow in the HTTP upload handler. Public exploit code exists for this vulnerability, which has no patch available. An attacker with valid credentials can trigger the overflow by manipulating the boundary parameter in multipart upload requests.

Buffer Overflow Stack Overflow Ac8 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-22765 HIGH This Week

Dell Wyse Management Suite versions prior to 5.5 suffer from improper access controls that allow authenticated remote attackers to escalate their privileges. An attacker with low-level credentials can bypass authorization checks to gain high-privilege access to the system, potentially compromising confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

Authentication Bypass Dell Wyse Management Suite
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-2769 HIGH PATCH This Week

A use-after-free vulnerability in the IndexedDB storage component of Firefox and Thunderbird allows remote attackers to achieve arbitrary code execution through user interaction. Affected versions include Firefox below 148, Firefox ESR below 115.33 and 140.8, and Thunderbird below 148 and 140.8. No patch is currently available for this high-severity flaw.

Use After Free Memory Corruption Mozilla Information Disclosure Thunderbird
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-15386 HIGH This Week

The Responsive Lightbox & Gallery WordPress plugin before 2.6.1 is vulnerable to an Unauthenticated Stored-XSS attack due to flawed regex replacement rules that can be abused by posting a comment with a malicious link when lightbox for comments are enabled and then approved. [CVSS 8.8 HIGH]

WordPress PHP
NVD WPScan
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-2798 HIGH PATCH This Week

A use-after-free vulnerability in Firefox and Thunderbird's DOM processing allows remote attackers to execute arbitrary code through a malicious webpage or email attachment, requiring only user interaction to trigger. This affects Firefox versions below 148 and Thunderbird versions below 148, with no patch currently available.

Use After Free Memory Corruption Mozilla Information Disclosure Thunderbird
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-24443 HIGH This Week

Eventsentry versions up to 6.0.1.20 contains a vulnerability that allows attackers to privilege escalation (CVSS 8.8).

Privilege Escalation Eventsentry
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-1773 HIGH This Week

IEC 60870-5-104: Potential Denial of Service impact on reception of invalid U-format frame. Product is only affected if IEC 60870-5-104 bi-directional functionality is configured. [CVSS 7.5 HIGH]

Denial Of Service Rtu540 Firmware Rtu560 Firmware Rtu520 Firmware Rtu530 Firmware
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2024-56373 HIGH PATCH This Week

DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server (server-side) as a result of a user viewing historical task information. [CVSS 8.4 HIGH]

RCE AI / ML Airflow
NVD GitHub
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-27468 HIGH PATCH This Week

Unauthenticated attackers can bypass FASP administrator approval in Mastodon 4.4.0-4.4.13 and 4.5.0-4.5.6 to subscribe to account events and request content backfill, affecting only servers with the experimental FASP feature enabled. While individual requests cause minor information disclosure of publicly available URIs, repeated exploitation enables denial-of-service attacks. A patch is available to address this authorization bypass.

Denial Of Service Authentication Bypass Mastodon
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-25794 HIGH PATCH GHSA This Week

Integer overflow in ImageMagick's UHDR image decoder allows remote attackers to trigger heap buffer overflows by supplying specially crafted images with large dimensions, potentially crashing the application or corrupting heap memory. The vulnerability affects ImageMagick versions prior to 7.1.2-15 and requires no user interaction or authentication to exploit. Organizations using vulnerable versions should upgrade immediately, as no workaround is available.

Imagemagick Buffer Overflow Heap Overflow
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-2460 HIGH This Week

Improper access control in REB500 firmware allows authenticated users with low privileges to read and modify unauthorized directories via the DAC protocol. An attacker with valid credentials can escalate their file system access beyond their intended permissions, potentially compromising sensitive data or system integrity. No patch is currently available for this vulnerability.

Information Disclosure Reb500 Firmware
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-27732 HIGH PATCH This Week

Server-side request forgery in AVideo prior to version 22.0 allows authenticated users to make arbitrary outbound requests from the affected server via an unvalidated downloadURL parameter in the aVideoEncoder.json.php endpoint. An attacker can exploit this to probe internal network services, access metadata endpoints, and retrieve sensitive data, potentially leading to further system compromise. This affects PHP deployments running vulnerable AVideo versions.

PHP SSRF Avideo
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-33180 HIGH This Week

NVIDIA Cumulus Linux and NVOS products contain a vulnerability in the NVUE interface, where a low-privileged user could inject a command. A successful exploit of this vulnerability might lead to escalation of privileges. [CVSS 8.0 HIGH]

Linux Privilege Escalation Nvos Cumulus Linux
NVD
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-33179 HIGH This Week

NVIDIA Cumulus Linux and NVOS products contain a vulnerability in the NVUE interface, where a low-privileged user could run an unauthorized command. A successful exploit of this vulnerability might lead to escalation of privileges. [CVSS 8.0 HIGH]

Linux Privilege Escalation Nvos Cumulus Linux
NVD
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-14963 HIGH This Week

A vulnerability identified in the HX Agent driver file fekern.sys allowed a threat actor with local user access the ability to gain elevated system privileges. [CVSS 7.8 HIGH]

Windows Endpoint Security
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-2664 HIGH This Week

Local privilege escalation via out-of-bounds memory read in Docker Desktop's grpcfuse kernel module (versions up to 4.61.0) on Linux, Windows, and macOS allows authenticated local attackers to achieve complete system compromise through manipulation of /proc/docker entries. The vulnerability requires local access and valid user credentials but enables reading and modifying arbitrary kernel memory with high impact on confidentiality, integrity, and availability. Docker Desktop 4.62.0 and later resolve this issue.

Linux Windows macOS Docker Desktop
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-1524 HIGH This Week

When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. [CVSS 7.7 HIGH]

Authentication Bypass Api Manager Identity Server
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-3105 HIGH PATCH This Week

Mautic's Contact Activity API endpoint is vulnerable to SQL injection due to insufficient validation of the sort direction parameter, allowing authenticated attackers to execute arbitrary SQL queries. This high-severity vulnerability (CVSS 7.6) affects multiple versions and could enable unauthorized data access or modification. No patch is currently available; users should contact security@mautic.org for mitigation guidance.

SQLi Mautic
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-27572 HIGH PATCH This Week

Wasmtime's HTTP header handling in the wasmtime-wasi-http crate crashes when processing excessive header fields, allowing remote attackers to trigger denial of service against applications embedding Wasmtime. The vulnerability affects versions prior to 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0, and has been patched to return a controlled trap instead of panicking. Embedders should update immediately to mitigate this DoS vector.

Industrial Denial Of Service Wasmtime Red Hat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27195 HIGH PATCH This Week

Wasmtime versions 39.0.0 and later experience a denial-of-service panic when async WebAssembly component functions are called and then abandoned by the host before completion, such as when the Future is dropped after a single poll during an async yield. This affects applications using Wasmtime's component model with async support, allowing an attacker to crash the runtime through specially crafted async function invocations. A patch is available to address this stability issue.

Golang Industrial Wasmtime Red Hat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-25989 HIGH PATCH This Week

ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 are vulnerable to denial of service when processing maliciously crafted SVG files due to an off-by-one error in boundary validation. An unauthenticated remote attacker can trigger an integer underflow by bypassing the flawed size check, causing the application to crash or become unresponsive. No patch is currently available for affected deployments.

Denial Of Service Imagemagick Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2803 HIGH PATCH This Week

The Settings UI component in Firefox and Thunderbird versions prior to 148 fails to properly restrict access to sensitive configuration data, enabling unauthenticated attackers to remotely disclose confidential information without user interaction. This vulnerability bypasses existing security mitigations designed to protect user settings and preferences. No patch is currently available for affected users.

Information Disclosure Mozilla
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2801 HIGH PATCH This Week

Improper boundary condition handling in the JavaScript/WebAssembly engine of Firefox and Thunderbird before version 148 enables remote denial of service attacks without requiring user interaction or privileges. An attacker can crash affected applications or cause service unavailability by sending specially crafted content. No patch is currently available.

Mozilla Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-25985 HIGH PATCH This Week

Imagemagick versions up to 7.1.2-15 is affected by allocation of resources without limits or throttling (CVSS 7.5).

Denial Of Service Imagemagick
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-25969 HIGH PATCH This Week

Denial of service in ImageMagick prior to 7.1.2-15 stems from a memory leak in the WriteASHLARImage function within coders/ashlar.c, where an allocated structure is not released when an exception is thrown during ASHLAR image encoding. Remote attackers who can submit images for processing can trigger repeated leaks to exhaust process memory in long-running services that embed ImageMagick. No public exploit identified at time of analysis, and EPSS risk is negligible at 0.05% (16th percentile).

Imagemagick Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-24485 HIGH PATCH This Week

ImageMagick is free and open-source software used for editing and manipulating digital images. [CVSS 7.5 HIGH]

Denial Of Service Magick.Net Imagemagick Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2024-48928 HIGH PATCH This Week

Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secret_key configuration parameter is set to MD5(RAND()) in MySQL. [CVSS 7.5 HIGH]

Golang MySQL CSRF Piwigo
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25965 HIGH PATCH This Week

Local file disclosure in ImageMagick before 7.1.2-15 and 6.9.13-40 lets attackers bypass the path security policy (policy-secure.xml) using directory traversal, reading files a rule such as `/etc/*` was meant to block. Because the policy matcher evaluates the raw, unnormalized filename string before the OS resolves it, a traversal sequence slips past the deny rule while the kernel still opens the real sensitive file. No public exploit is identified at time of analysis and EPSS is very low (0.04%), but the bug undermines a control specifically deployed to harden image-processing pipelines that handle untrusted input.

Path Traversal Imagemagick
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24481 HIGH PATCH This Week

Heap memory disclosure in ImageMagick's PSD file parser allows unauthenticated remote attackers to leak sensitive information from process memory by crafting malicious Photoshop files with improperly compressed layer data. Affected versions prior to 7.1.2-15 and 6.9.13-40 fail to properly validate decompressed data sizes, exposing uninitialized heap contents in generated output images. No patch is currently available for this vulnerability.

Adobe Information Disclosure Imagemagick Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27521 HIGH This Week

10G08-0800Gsm Firmware is affected by improper restriction of excessive authentication attempts (CVSS 7.5).

Authentication Bypass 10g08 0800gsm Firmware
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-2783 HIGH PATCH This Week

Unauthenticated attackers can extract sensitive information from Firefox and Thunderbird users through a JavaScript engine JIT compilation flaw, affecting all versions prior to Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. The vulnerability requires no user interaction and can be exploited remotely over the network. No patch is currently available for this high-severity flaw.

Information Disclosure Memory Corruption Mozilla
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-2794 HIGH PATCH This Week

Uninitialized memory in Firefox and Firefox Focus for Android versions prior to 148 enables remote attackers to read sensitive data without authentication or user interaction. The vulnerability allows information disclosure through memory that was not properly cleared before use, potentially exposing confidential user information to network-based attackers.

Information Disclosure Mozilla Google
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27519 HIGH This Week

Binardat 10G08-0800GSM network switches version V300SP10260209 and earlier expose a hardcoded RC4 encryption key in client-side JavaScript, allowing unauthenticated remote attackers to decrypt sensitive configuration data and compromise network confidentiality. The static key weakness eliminates the intended cryptographic protection for protected values transmitted to and from the device.

Information Disclosure 10g08 0800gsm Firmware
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27520 HIGH This Week

Binardat 10G08-0800GSM network switch firmware versions before V300SP10260209 expose user credentials by storing passwords as reversible Base64-encoded values in web interface cookies, allowing unauthenticated attackers with cookie access to recover plaintext passwords. This high-severity vulnerability affects confidentiality of administrative credentials with no available patch, creating significant risk for network infrastructure compromise.

Information Disclosure 10g08 0800gsm Firmware
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27516 HIGH This Week

Binardat 10G08-0800GSM network switch firmware prior to V300SP10260209 stores administrative credentials in plaintext within the web interface and HTTP responses, enabling unauthenticated attackers to extract valid user passwords. This information disclosure vulnerability affects network administrators and can lead to unauthorized access to critical network infrastructure. No patch is currently available.

Information Disclosure 10g08 0800gsm Firmware
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25967 HIGH PATCH This Week

Stack-based buffer overflow in ImageMagick versions before 7.1.2-15 allows remote attackers to crash the application and potentially corrupt memory by submitting specially crafted FTXT image files. The vulnerability requires high complexity to exploit but impacts both confidentiality and availability of affected systems. No patch is currently available for this HIGH severity issue (CVSS 7.4).

Buffer Overflow Stack Overflow Denial Of Service Imagemagick Red Hat +1
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.1%
CVE-2026-2459 HIGH This Week

Authenticated users with Installer role in REB500 firmware can bypass directory access controls to read and modify files outside their authorized scope. This privilege escalation affects systems where installer accounts are provisioned, enabling unauthorized data access and manipulation. No patch is currently available.

Information Disclosure Reb500 Firmware
NVD
CVSS 4.0
7.4
EPSS
0.0%
CVE-2025-33181 HIGH This Week

NVIDIA Cumulus Linux and NVOS products contain a vulnerability in the NVUE interface, where a low-privileged user could inject a command. A successful exploit of this vulnerability might lead to escalation of privileges. [CVSS 7.3 HIGH]

Linux Privilege Escalation Nvos Cumulus Linux
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-22766 HIGH PATCH This Week

Remote code execution in Dell Wyse Management Suite versions before 5.5 via unrestricted file upload allows high-privileged attackers with network access to execute arbitrary commands on affected systems. The vulnerability stems from insufficient validation of uploaded file types, enabling attackers to bypass security controls and gain code execution. A patch is available for affected organizations to remediate this risk.

File Upload Dell Wyse Management Suite
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-1459 HIGH This Week

Zyxel VMG3625-T50B, DX5401 B1, and EMG5523 T50B devices with firmware through version 5.50(ABPM.9.7)C0 contain a post-authentication command injection vulnerability in the TR-369 certificate download function that allows authenticated administrators to execute arbitrary operating system commands. An attacker with admin credentials could leverage this to gain complete control over the affected device. No patch is currently available.

Zyxel Command Injection Dx5401 B1 Firmware Emg5523 T50b Firmware Vmg3625 T50b Firmware +3
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-13776 HIGH This Week

Multiple Finka programs use hard-coded Firebird database credentials (shared across all instances of this software). A malicious attacker in local network who knows default credentials is able to read and edit database content. [CVSS 7.1 HIGH]

Authentication Bypass Finka Magazyn Finka Place Finka Stw Finka Fk +2
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-10010 MEDIUM This Month

Cryptopro Secure Disk contains a vulnerability that allows attackers to execute arbitrary code in the context of the root user and enables an attacker t (CVSS 6.8).

Linux RCE Cryptopro Secure Disk Windows Linux Kernel
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-3091 MEDIUM This Month

Synology Presto Client versions prior to 2.1.3-0672 are vulnerable to DLL hijacking during installation, enabling local attackers with user privileges to read or write arbitrary files by placing malicious libraries in the installer directory. The vulnerability requires user interaction and local access but grants high-impact capabilities including confidentiality and integrity violations. No patch is currently available.

Synology Information Disclosure
NVD VulDB
CVSS 3.1
6.7
EPSS
0.0%
Prev Page 3 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy