Skip to main content
CVE-2026-26266 CRITICAL PATCH Act Now

Stored XSS in AliasVault password manager. Patch available.

XSS Aliasvault
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-3437 CRITICAL Act Now

Local privilege escalation in Portwell Engineering Toolkits 4.8.2 stems from a kernel driver that exposes unchecked arbitrary memory read/write primitives to authenticated users. An attacker already logged onto an affected industrial/embedded host can corrupt kernel memory to elevate to SYSTEM-level control or crash the machine. No public exploit has been identified and the EPSS score is very low (0.02%, 3rd percentile), indicating no current evidence of opportunistic exploitation; this was reported through CISA's ICS-CERT rather than via observed in-the-wild activity.

Engineering Toolkits Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2024-55022 HIGH This Week

Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 was discovered to contain an authenticated command injection vulnerability via the HMI Name parameter. [CVSS 8.8 HIGH]

Command Injection Cmt 3072xh2 Firmware Easyweb
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-2448 HIGH This Week

Page Builder by SiteOrigin (WordPress plugin) versions up to 2.33.5 is affected by path traversal (CVSS 8.8).

WordPress PHP Path Traversal RCE Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-0869 HIGH This Week

Brocade Active Support Connectivity Gateway versions up to 3.4.0 contains a vulnerability that allows attackers to an unauthorized user to perform ASCG operations related to Brocade Support Link( (CVSS 8.8).

Authentication Bypass Brocade Active Support Connectivity Gateway
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-1566 HIGH This Week

Authenticated agents in the LatePoint WordPress plugin versions up to 5.2.7 can arbitrarily link customer accounts to any user ID during account creation, enabling privilege escalation to administrator accounts. An attacker with agent-level access can exploit this to reset an administrator's password and gain full site control. No patch is currently available.

WordPress Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-24502 HIGH This Week

Command \| Intel Vpro Out Of Band versions up to 4.7.0 is affected by uncontrolled search path element (CVSS 8.8).

Privilege Escalation Dell
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-1876 HIGH This Week

Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP all is affected by improper resource shutdown or release.

Information Disclosure Melsec Iq F Fx5 Enet Ip Firmware
NVD VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-1875 HIGH This Week

Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP all is affected by improper resource shutdown or release.

Information Disclosure Melsec Iq F Fx5 Eip Firmware
NVD VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-1874 HIGH This Week

Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP is affected by always-incorrect control flow implementation.

Information Disclosure Melsec Iq F Fx5 Eip Firmware Melsec Iq F Fx5 Enet Ip Firmware
NVD VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-2637 HIGH This Week

Local privilege escalation in iBoysoft NTFS for Mac 8.0.0 allows authenticated macOS users to gain root access through the ntfshelperd privileged helper daemon. The daemon exposes an unauthenticated NSConnection service running as root, enabling any local user with standard privileges to communicate directly with the root-level service and execute privileged operations. EPSS probability is very low (0.02%, 6th percentile) with no confirmed active exploitation or public POC at time of analysis, suggesting limited real-world targeting despite high technical severity.

Privilege Escalation Ntfs For Mac
NVD
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-28518 HIGH This Week

OpenViking 0.2.1 and earlier contain a path traversal vulnerability in .ovpack file imports that enables local attackers to write arbitrary files outside the intended directory by crafting malicious ZIP archives with traversal sequences or absolute paths. An attacker with user interaction can overwrite or create files with the privileges of the importing process, potentially leading to code execution or system compromise. No patch is currently available for this vulnerability.

Path Traversal Openviking
NVD GitHub
CVSS 4.0
8.4
EPSS
0.0%
CVE-2026-3351 MEDIUM POC PATCH This Month

Canonical LXD 6.6 on Linux contains an authorization bypass in the GET /1.0/certificates API endpoint that allows authenticated users with restricted privileges to enumerate all certificate fingerprints trusted by the server. Public exploit code exists for this vulnerability. While this enables information disclosure with limited impact, it could facilitate further attacks by revealing trust relationships on the system.

Linux Lxd Suse
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2021-35484 HIGH This Week

Nokia IMPACT through 19.11.2.10-20210118042150283 allows an authenticated user to perform a Time-based Boolean Blind SQL Injection attack on the endpoint /ui/rest-proxy/campaign/statistic (for the View Campaign page) via the sortColumn HTTP GET parameter. [CVSS 8.2 HIGH]

SQLi Impact
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2021-35486 HIGH This Week

Impact Mobile versions up to 19.11.2.10-20210118042150283 is affected by cross-site request forgery (csrf) (CVSS 8.1).

CSRF Impact Mobile
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2021-35485 HIGH This Week

Impact versions up to 19.11.2.10-20210118042150283 is affected by unrestricted upload of file with dangerous type (CVSS 8.0).

File Upload Impact
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-52365 HIGH This Week

A command injection vulnerability in the szc script of the ccurtsinger/stabilizer repository allows remote attackers to execute arbitrary system commands via unsanitized user input passed to os.system(). [CVSS 7.8 HIGH]

Command Injection
NVD GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-15595 HIGH This Week

A privilege escalation vulnerability in Inno Setup 6.2.1 and earlier versions allows local attackers to gain elevated privileges through DLL hijacking. This vulnerability requires user interaction but no authentication, enabling attackers to execute arbitrary code with higher privileges by placing a malicious DLL in a location searched by the installer. While not currently listed in CISA KEV, the vulnerability has a moderate EPSS score of 0.043% and affects a widely-used Windows installer creation tool.

Privilege Escalation Inno Setup
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-25673 HIGH PATCH This Week

Django URL field validation triggers excessive Unicode normalization on Windows when processing certain malicious Unicode characters, enabling remote attackers to cause denial of service through crafted URL inputs. Affected versions include Django 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29, with potential impact to unsupported series 5.0.x, 4.1.x, and 3.2.x. A patch is available for all affected supported versions.

Python Django Denial Of Service Microsoft
NVD VulDB HeroDevs
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-62817 HIGH This Week

An issue was discovered in Samsung Mobile Processor Exynos 1280, 2200, 1380, 1480, 2400, 1580, and 2500. A NULL pointer dereference of session->ncp_hdr_buf in __pilot_parsing_ncp() causes a denial of service. [CVSS 7.5 HIGH]

Samsung Null Pointer Dereference Denial Of Service Exynos 2400 Firmware Exynos 1280 Firmware +5
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-66363 HIGH This Week

An issue was discovered in LBS in Samsung Mobile Processor Exynos 2200. There was no check for memory initialization within DL NAS Transport messages. [CVSS 7.5 HIGH]

Samsung Exynos 2200 Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-62814 HIGH This Week

An issue was discovered in Samsung Mobile Processor Exynos 1280, 2200, 1380, 1480, and 2400. A NULL pointer dereference of ft_handle in load_fw_utc_vector() causes a denial of service. [CVSS 7.5 HIGH]

Samsung Null Pointer Dereference Denial Of Service Exynos 1380 Firmware Exynos 1280 Firmware +3
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2024-55021 HIGH This Week

Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 was discovered to contain a hardcoded password in the FTP protocol. [CVSS 7.5 HIGH]

Authentication Bypass Cmt 3072xh2 Firmware Easyweb
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2024-55019 HIGH This Week

Incorrect access control in the component download_wb.cgi of Weintek cMT-3072XH2 easyweb Web Version v2.1.53, OS v20231011 allows unauthenticated attack to download arbitrary files. [CVSS 7.5 HIGH]

Authentication Bypass Easyweb Cmt 3072xh2 Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2024-55027 HIGH This Week

Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 was discovered to stroe credentials in plaintext in the component uac_temp.db. [CVSS 7.5 HIGH]

Information Disclosure Cmt 3072xh2 Firmware Easyweb
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-27981 HIGH This Week

Homebox prior to version 0.24.0 fails to validate the TrustProxy configuration setting, allowing attackers to bypass authentication rate limiting by forging the X-Real-IP header on direct connections. This enables an attacker to attempt unlimited authentication attempts by spoofing a different IP address for each request, compromising both confidentiality and integrity of the system. The vulnerability affects all Homebox installations where the TrustProxy option is disabled or misconfigured.

Authentication Bypass Homebox
NVD GitHub
CVSS 3.1
7.4
EPSS
0.1%
CVE-2025-12345 HIGH POC This Week

A security vulnerability has been detected in LLM-Claw 0.1.0/0.1.1/0.1.1a/0.1.1a-p1. The affected element is the function agent_deploy_init of the file /agents/deploy/initiate.c of the component Agent Deployment. [CVSS 8.8 HIGH]

Buffer Overflow
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.1%
CVE-2026-25906 HIGH This Week

Optimizer versions up to 6.3.1 is affected by improper link resolution before file access (CVSS 7.3).

Path Traversal Dell Optimizer
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-2269 HIGH This Week

Server-Side Request Forgery in the Uncanny Automator WordPress plugin up to version 7.0.0.3 allows authenticated administrators to make arbitrary web requests from the affected server and store remote file contents locally, potentially enabling remote code execution. The vulnerability requires administrator-level privileges and has no available patch. Attackers can exploit this to interact with internal services and upload arbitrary files to the web server.

WordPress RCE SSRF File Upload
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-3342 HIGH This Week

WatchGuard Fireware OS contains an out-of-bounds write vulnerability in its management interface that permits authenticated administrators to achieve root-level code execution. The flaw affects versions 11.9 through 11.12.4_Update1, 12.0 through 12.11.7, and 2025.1 through 2026.1.1, with no patch currently available. While exploitation requires high-level administrative privileges, successful attacks grant complete system compromise.

Buffer Overflow RCE Fireware
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-2568 HIGH This Week

Stored cross-site scripting in WP Zendesk for Contact Form 7 and related WordPress plugins through version 1.1.5 allows unauthenticated attackers to inject malicious scripts into form submissions that execute in other users' browsers. The vulnerability stems from inadequate input sanitization and output escaping on submitted form data. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-1567 HIGH This Week

Infosphere Information Server versions up to 11.7.1.6 is affected by improper restriction of xml external entity reference (CVSS 7.1).

IBM XXE Infosphere Information Server
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-2915 HIGH This Week

HP System Event Utility versions prior to 3.2.16 allow local authenticated users to corrupt system integrity and cause denial of service through arbitrary file writes with elevated privileges. An attacker with local access and valid credentials can leverage this vulnerability to modify critical files and disrupt system availability. No patch is currently available for affected installations.

Denial Of Service System Event Utility
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-15598 LOW POC Monitor

A vulnerability was found in Dataease SQLBot up to 1.5.1. This impacts the function validateEmbedded of the file backend/apps/system/middleware/auth.py of the component JWT Token Handler. Performing a manipulation results in improper verification of cryptographic signature. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is said to be difficult. The exploit has been made public and could be used. A comment in the source code warns use...

Information Disclosure Sqlbot
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-26889 LOW POC Monitor

Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_category.php. [CVSS 2.7 LOW]

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-26888 LOW POC Monitor

Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_stock.php. [CVSS 2.7 LOW]

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-26887 LOW POC Monitor

Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_supplier.php. [CVSS 2.7 LOW]

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-26890 LOW POC Monitor

Sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_product.php. [CVSS 2.7 LOW]

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-26886 LOW POC Monitor

Simple Online Men\'S Salon Management System versions up to 1.0 is affected by sql injection (CVSS 2.7).

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-26885 LOW POC Monitor

Simple Online Men\'S Salon Management System versions up to 1.0 is affected by sql injection (CVSS 2.7).

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-26884 LOW POC Monitor

Simple Online Men\'S Salon Management System versions up to 1.0 is affected by sql injection (CVSS 2.7).

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-26883 LOW POC Monitor

Simple Online Men\'S Salon Management System versions up to 1.0 is affected by sql injection (CVSS 2.7).

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-26891 LOW POC Monitor

Simple Logistic Hub Parcel\'S Management System versions up to 1.0 is affected by sql injection (CVSS 2.7).

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2025-14604 MEDIUM This Month

IBM Storage Scale IBM S through rage Scale 5.2.3.0 - 5.2.3.5, and IBM S through rage Scale 6.0.0.0 - 6.0.0.1 could allow a local user to unintentionally trigger additional permissions for resources in a way that allows that resource to be executed by unintended actors. [CVSS 6.6 MEDIUM]

IBM Storage Scale
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-2606 MEDIUM This Month

Improper input validation in IBM webMethods API Gateway and API Management allows authenticated attackers to read arbitrary files on the server by supplying a file:// URI to the /createapi endpoint instead of the expected https:// schema. Affected versions include webMethods API Gateway 10.11 through 11.1_Fix7 and webMethods API Management on-premises installations. No patch is currently available for this medium-severity vulnerability.

IBM Webmethods Api Gateway
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2024-55025 MEDIUM This Month

Incorrect access control in the VNC component of Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 allows unauthorized attackers to access the HMI system. [CVSS 6.5 MEDIUM]

Authentication Bypass Easyweb Cmt 3072xh2 Firmware
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-13616 MEDIUM This Month

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 returns sensitive information in an HTTP response that could be used in further attacks against the system. [CVSS 6.5 MEDIUM]

IBM Datastage On Cloud Pak For Data
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1487 MEDIUM This Month

Calendar Booking Plugin for Appointments and Event versions up to 5.2.7 is affected by sql injection (CVSS 6.5).

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-13688 MEDIUM This Month

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input through the wrapped command component. [CVSS 6.3 MEDIUM]

IBM Datastage On Cloud Pak For Data
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-13687 MEDIUM This Month

IBM DataStage on Cloud Pak for Data 5.1.2 through 5.3.0 could allow an authenticated user to execute arbitrary commands with normal user privileges on the system due to improper validation of user supplied input through the user-defined function component. [CVSS 6.3 MEDIUM]

IBM Datastage On Cloud Pak For Data
NVD
CVSS 3.1
6.3
EPSS
0.0%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy