Skip to main content
CVE-2026-3037 HIGH This Week

Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into the MBird SMS service URL parameters processed during system setup. The vulnerability affects Xweb 500d Pro, 500b Pro, and 300d Pro models, with no patch currently available. Exploitation requires high privilege access but carries high impact due to complete system compromise potential.

RCE Command Injection Xweb 500d Pro Firmware Xweb 500b Pro Firmware Xweb 300d Pro Firmware
NVD GitHub
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-25721 HIGH This Week

Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into the server username or password fields during restore operations via the API V1 endpoint. The vulnerability affects Xweb 300d Pro, 500b Pro, and 500d Pro devices and requires high-level privileges but could compromise the entire system. No patch is currently available for this vulnerability.

RCE Command Injection Xweb 500b Pro Firmware Xweb 300d Pro Firmware Xweb 500d Pro Firmware
NVD GitHub
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-25196 HIGH This Week

Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into Wi-Fi SSID or password configuration fields. The vulnerability affects multiple Xweb Pro models (300d, 500b, 500d) and requires high privilege access to exploit, though successful exploitation grants complete system compromise across the network. No patch is currently available.

RCE Command Injection Xweb 500b Pro Firmware Xweb 300d Pro Firmware Xweb 500d Pro Firmware
NVD GitHub
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-25105 HIGH This Week

Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the Modbus command tool parameters accessible through the debug route. The vulnerability affects Xweb 300d Pro, 500d Pro, and 500b Pro devices, with a CVSS score of 8.0 indicating high severity. No patch is currently available for this command injection flaw.

RCE Command Injection Xweb 300d Pro Firmware Xweb 500d Pro Firmware Xweb 500b Pro Firmware
NVD GitHub
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-25037 HIGH This Week

Remote code execution in XWEB Pro firmware versions 1.12.1 and prior allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads through crafted LCD state configurations that are processed during system initialization. This vulnerability affects Xweb 300d Pro, 500b Pro, and 500d Pro devices and requires high-level privileges to exploit, though the impact extends across connected systems. No patch is currently available for this high-severity vulnerability (CVSS 8.0).

RCE Command Injection Xweb 500b Pro Firmware Xweb 300d Pro Firmware Xweb 500d Pro Firmware
NVD GitHub
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-24452 HIGH This Week

Remote code execution in Xweb Pro firmware (versions 1.12.1 and prior) allows authenticated attackers to execute arbitrary OS commands by uploading a malicious template file through the devices route. This vulnerability affects Xweb 300d Pro, 500b Pro, and 500d Pro models, with no patch currently available. The high CVSS score of 8.0 reflects the severity of achieving code execution with administrative privileges on vulnerable devices.

RCE Command Injection Xweb 300d Pro Firmware Xweb 500b Pro Firmware Xweb 500d Pro Firmware
NVD GitHub
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-23702 HIGH This Week

Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier (affecting Xweb 500b Pro, 500d Pro, and 300d Pro models) allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the server username field during the import preconfiguration API action. An attacker with administrative privileges can exploit this OS command injection vulnerability to gain complete system compromise. No patch is currently available for this vulnerability.

RCE Command Injection Xweb 500b Pro Firmware Xweb 500d Pro Firmware Xweb 300d Pro Firmware
NVD GitHub
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-20764 HIGH This Week

Authenticated attackers can execute arbitrary OS commands on Xweb Pro devices (versions 1.12.1 and earlier across 300d, 500b, and 500d models) by injecting malicious payloads into the hostname configuration parameter during system setup. This command injection vulnerability grants remote code execution with high privileges on affected systems. No patch is currently available, requiring organizations to implement network access controls or disable affected devices until remediation is released.

RCE Command Injection Xweb 500b Pro Firmware Xweb 500d Pro Firmware Xweb 300d Pro Firmware
NVD GitHub
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-28425 HIGH PATCH This Week

Remote code execution in Statmatic CMS versions prior to 5.73.11 and 6.4.0 allows authenticated users with control panel access and permission to modify Antlers-enabled fields to execute arbitrary code in the application context. An attacker exploiting this vulnerability can fully compromise the application, including stealing sensitive configuration data, modifying or exfiltrating user data, and disrupting availability. A patch is available and exploitation requires authenticated access with specific field configuration permissions.

RCE Code Injection Statamic
NVD GitHub VulDB
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-28364 HIGH PATCH This Week

Heap memory corruption in the OCaml runtime (before 4.14.3 and 5.x before 5.4.1) lets an attacker who can feed crafted Marshal-format data into an application's deserialization path read past buffer bounds and, through a multi-phase chain, achieve code execution. The flaw lives in the readblock() routine of runtime/intern.c, which copies blocks using attacker-controlled lengths without bounds checks. There is no public exploit identified at time of analysis and EPSS is very low (0.04%), but multiple vendors (SUSE, Red Hat) have shipped fixed packages.

RCE Buffer Overflow Deserialization Ocaml
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-10990 HIGH PATCH This Week

A flaw was found in REXML. A remote attacker could exploit inefficient regular expression (regex) parsing when processing hex numeric character references (&#x...;) in XML documents. [CVSS 7.5 HIGH]

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26305 HIGH This Week

Mobility46.Se's WebSocket API fails to implement authentication rate limiting, enabling remote attackers to launch denial-of-service attacks against charger telemetry systems or conduct brute-force attacks to compromise accounts. The vulnerability requires no authentication or user interaction and affects all network-accessible instances. No patch is currently available.

Authentication Bypass Mobility46.Se
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-24445 HIGH This Week

Ev.Energy's WebSocket API fails to implement rate limiting on authentication attempts, enabling attackers to launch denial-of-service attacks against charger telemetry systems or conduct brute-force credential attacks without restriction. This vulnerability affects all unauthenticated network-based interactions with the affected application and has no available patch at this time.

Authentication Bypass Ev.Energy
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-25945 HIGH This Week

Ev2go.Io's WebSocket API lacks authentication rate limiting, enabling attackers to launch denial-of-service attacks that disrupt charger telemetry or conduct brute-force attacks to compromise user accounts. The vulnerability affects all users of the platform and currently has no available patch. With a CVSS score of 7.5 and low exploit prevalence, this represents a significant availability and authentication risk requiring immediate mitigation.

Authentication Bypass Ev2go.Io
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-25114 HIGH This Week

Cloudcharge.Se's WebSocket API fails to implement authentication rate limiting, enabling attackers to launch denial-of-service attacks against charger infrastructure or conduct brute-force credential attacks without restriction. The vulnerability affects remote, unauthenticated attackers and could result in service disruption or unauthorized system access. No patch is currently available.

Authentication Bypass Cloudcharge.Se
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-25113 HIGH This Week

Switchenergy.com's WebSocket API fails to implement rate limiting on authentication attempts, enabling attackers to launch denial-of-service attacks against the platform's charger telemetry infrastructure or execute brute-force credential attacks. This network-accessible vulnerability requires no authentication or user interaction, making it trivial to exploit and potentially exposing the service to sustained availability disruptions or account compromise.

Authentication Bypass Swtchenergy.Com
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-20792 HIGH This Week

Chargemap.Com's WebSocket API lacks authentication rate limiting, enabling attackers to launch denial-of-service attacks that disrupt charger telemetry or conduct brute-force credential attacks against user accounts. The vulnerability affects all users of the platform and currently has no available patch. With a CVSS score of 7.5 and minimal exploit prerequisites (no authentication or user interaction required), this represents a significant availability risk.

Authentication Bypass Chargemap.Com
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2252 HIGH This Week

Xerox FreeFlow Core versions through 8.0.7 contain an XML External Entity (XXE) vulnerability that allows unauthenticated remote attackers to conduct Server-Side Request Forgery attacks by submitting malicious XML input. This vulnerability could enable attackers to access internal resources or sensitive data on the affected system. A patch is currently unavailable, though Xerox recommends upgrading to version 8.1.0.

SSRF XXE Freeflow Core
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2597 HIGH This Week

Heap buffer overflow in Crypt::SysRandom::XS before version 0.010 allows denial of service through negative length parameter validation bypass in the random_bytes() function. When negative values are passed to the function, integer wraparound causes incorrect memory allocation and unbounded writes to heap memory, triggering application crashes. Exploitation requires attacker control over the length argument, which in typical usage is hardcoded, limiting practical attack scenarios.

Buffer Overflow Memory Corruption Denial Of Service Crypt
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24498 HIGH This Week

Multiple IpTIME router firmware versions (T5008, AX2004M, AX3000Q, AX6000M) through 15.26.8 contain an authentication bypass vulnerability that exposes sensitive information to unauthenticated remote attackers. An attacker can leverage this flaw to access confidential device data without valid credentials. No patch is currently available for affected devices.

Authentication Bypass Information Disclosure T5008 Firmware Ax3000q Firmware Ax2004m Firmware +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-2428 HIGH This Week

Fluent Forms Pro Add On Pack for WordPress versions up to 6.1.17 fail to verify PayPal Instant Payment Notifications by default, allowing unauthenticated attackers to forge payment confirmations and mark unpaid submissions as paid. An attacker can exploit this to trigger post-payment automation including email delivery, access grants, and digital product distribution without actual payment. The vulnerability affects all installations that have not manually enabled IPN verification and currently lacks a patch.

WordPress PHP
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-28400 HIGH This Week

and deploy AI models using Docker. versions up to 1.0.16 contains a security vulnerability (CVSS 7.5).

Docker AI / ML
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27647 HIGH This Week

Mobility46.Se's WebSocket implementation allows multiple connections to share predictable session identifiers, enabling attackers to intercept and hijack active charging station sessions without authentication. An attacker can impersonate legitimate stations to execute arbitrary backend commands, intercept communications, or launch denial-of-service attacks by flooding the service with valid session requests. No patch is currently available for this vulnerability.

Authentication Bypass Mobility46.Se
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-26290 HIGH This Week

Ev.Energy's WebSocket implementation accepts duplicate session identifiers from multiple endpoints, allowing attackers to hijack active charging station sessions through predictable identifier prediction. An unauthenticated remote attacker can impersonate legitimate stations to intercept commands, authenticate as other users, or disrupt service by flooding the backend with spoofed session requests. No patch is currently available.

Authentication Bypass Ev.Energy
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-27652 HIGH This Week

Session hijacking in Cloudcharge.Se's WebSocket backend allows remote attackers to impersonate legitimate charging stations by exploiting predictable session identifiers and the acceptance of duplicate connections, enabling command interception and station displacement. An attacker can authenticate as other users or trigger denial-of-service conditions by flooding the backend with valid session requests. No patch is currently available.

Authentication Bypass Cloudcharge.Se
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-25778 HIGH This Week

Session hijacking in Swtchenergy.Com's WebSocket backend allows remote attackers to impersonate legitimate charging stations and intercept backend commands by exploiting predictable and non-unique session identifiers. An attacker can authenticate as other users, redirect charging station communications, or launch denial-of-service attacks by flooding the backend with valid session requests. No patch is currently available for this vulnerability.

Authentication Bypass Swtchenergy.Com
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-25711 HIGH This Week

Chargemap.Com's WebSocket backend accepts multiple connections with identical session identifiers, allowing attackers to hijack charging station sessions and intercept backend commands through predictable identifier prediction. An unauthenticated remote attacker can impersonate legitimate charging stations, execute unauthorized operations, or disrupt service availability by flooding the backend with crafted session requests. No patch is currently available.

Authentication Bypass Chargemap.Com
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-20895 HIGH This Week

Session hijacking in Ev2go.Io's WebSocket backend allows remote attackers to impersonate legitimate charging stations and intercept commands due to predictable session identifiers and insufficient endpoint validation. An unauthenticated attacker can establish multiple connections with the same session ID to displace legitimate stations, potentially gaining unauthorized access to charging infrastructure or disrupting service availability. No patch is currently available.

Authentication Bypass Ev2go.Io
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-27757 HIGH This Week

Sl902-Swtgw124As Firmware versions up to 200.1.20 contains a vulnerability that allows attackers to change account passwords without verifying the current password (CVSS 7.1).

Information Disclosure Sl902 Swtgw124as Firmware
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28402 HIGH This Week

Authenticated validators in nimiq/core-rs-albatross prior to version 1.2.2 can crash validator nodes by submitting macro block proposals with mismatched body roots that pass verification but cause panics during processing. This vulnerability affects only validator nodes and requires the attacker to be an elected proposer with valid credentials. No patch is currently available, and there is no known workaround.

Denial Of Service Nimiq Proof Of Stake
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy