Skip to main content
CVE-2026-29058 CRITICAL POC PATCH Act Now

Unauthenticated OS command injection in AVideo before 7.0.

Command Injection Avideo Encoder
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-28794 CRITICAL POC PATCH Act Now

Prototype pollution in oRPC before 1.13.6. PoC and patch available.

Node.js RCE Denial Of Service Authentication Bypass Deserialization +1
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2026-29042 CRITICAL POC PATCH Act Now

Shell command injection in Nuclio serverless framework before 1.15.20. PoC and patch available.

Command Injection AI / ML Nuclio Suse
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-27005 CRITICAL POC Act Now

SQL injection in Chartbrew before 4.8.3. PoC available.

MySQL PostgreSQL Chartbrew
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-28501 CRITICAL POC Act Now

Unauthenticated SQL injection in AVideo before 24.0.

PHP SQLi Avideo
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-29183 CRITICAL POC PATCH Act Now

Reflected XSS in SiYuan knowledge management before 3.5.9.

XSS Siyuan Suse
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-29065 CRITICAL POC PATCH Act Now

Zip Slip in changedetection.io before 0.54.4 via backup restore. PoC and patch available.

Path Traversal Changedetection
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-29789 CRITICAL Act Now

Missing authorization in Vito server management before 3.20.3. CVSS 9.9.

PHP Authentication Bypass Vito
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-2331 CRITICAL Act Now

Unauthenticated file read/write via AppEngine Fileaccess over HTTP.

Path Traversal Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-28514 CRITICAL Act Now

Auth bypass in Rocket.Chat before 7.8.6+. Multiple versions affected.

Authentication Bypass Rocket.Chat
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-2446 CRITICAL Act Now

Auth bypass in PowerPack for LearnDash WordPress plugin before 1.3.0.

WordPress Authentication Bypass
NVD WPScan
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-28710 CRITICAL Act Now

Improper authentication in Acronis Cyber Protect 17.

Linux Windows Information Disclosure Cyber Protect
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-30831 CRITICAL Act Now

Auth bypass in Rocket.Chat before 7.10.8+. Second auth bypass CVE.

Authentication Bypass Rocket.Chat
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-28795 CRITICAL PATCH Act Now

Path traversal in OpenChatBI before fix. PoC and patch available.

Path Traversal AI / ML Openchatbi
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-28785 CRITICAL PATCH Act Now

SQL injection in Ghostfolio before 2.244.0 via symbol validation bypass. Patch available.

RCE SQLi Ghostfolio
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-28438 CRITICAL PATCH Act Now

SQL injection in CocoIndex Doris connector before 0.3.34. Patch available.

SQLi AI / ML Cocoindex
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-2330 CRITICAL Act Now

Filesystem access via CROWN REST interface on industrial device. EPSS 0.25%.

Path Traversal Information Disclosure
NVD
CVSS 3.1
9.4
EPSS
0.2%
CVE-2026-26051 CRITICAL Act Now

WebSocket auth bypass — same industrial platform family.

Privilege Escalation Authentication Bypass E Mobility
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-22552 CRITICAL Act Now

Unauthenticated remote attackers can impersonate electric vehicle charging stations in ePower.ie by connecting to exposed OCPP WebSocket endpoints without credentials. Using any known or guessed charging station identifier, attackers gain full control to issue fraudulent charging commands, manipulate billing data, and corrupt network telemetry sent to backend systems. CISA ICS-CERT published an advisory (ICSA-26-062-07) indicating industrial control system exposure. EPSS score of 0.12% (31st percentile) suggests low automated exploitation probability despite 9.3 CVSS, though the authentication bypass affects critical electric vehicle charging infrastructure.

Privilege Escalation Authentication Bypass Epower Ie
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-26288 CRITICAL Act Now

Unauthenticated remote attackers can impersonate electric vehicle charging stations in Everon's api.everon.io platform via unprotected OCPP WebSocket endpoints. By connecting with a known or discovered station identifier, attackers gain full control to issue OCPP commands as legitimate chargers, manipulate charging session data, escalate privileges within the charging network infrastructure, and corrupt backend telemetry. CISA ICS-CERT reports this vulnerability affecting critical EV charging infrastructure. Despite 9.3 CVSS score indicating critical severity, EPSS score of 0.09% (25th percentile) suggests exploitation requires specialized knowledge of OCPP protocol and charging network architecture rather than mass automated scanning.

Privilege Escalation Authentication Bypass Api Everon Io
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-28680 CRITICAL PATCH Act Now

SSRF in Ghostfolio wealth management before 2.245.0. Patch available.

SSRF Ghostfolio
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-28497 CRITICAL Act Now

Integer overflow in TinyWeb before 2.03.

Integer Overflow Authentication Bypass Tinyweb
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-59543 CRITICAL Act Now

Second stored XSS in Chamilo LMS before 1.11.34.

XSS Chamilo Lms
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2025-59542 CRITICAL Act Now

Stored XSS in Chamilo LMS before 1.11.34.

XSS Chamilo Lms
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy