Skip to main content
CVE-2026-31816 CRITICAL POC Act Now

Authorization bypass in Budibase 3.31.4 and earlier. The authorized() middleware can be bypassed, enabling injection attacks. PoC available.

CSRF Budibase
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-24713 CRITICAL PATCH Act Now

Input validation vulnerability in Apache IoTDB from 1.0.0 before 1.3.7 and from 2.0.0 before 2.0.7. Second critical CVE affecting the IoT database.

Apache Iotdb
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-24015 CRITICAL PATCH Act Now

Vulnerability in Apache IoTDB from 1.0.0 before 1.3.7 and from 2.0.0 before 2.0.7. Critical severity issue in the IoT time-series database platform.

Apache Iotdb
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-3630 CRITICAL Act Now

Stack-based buffer overflow in Delta Electronics COMMGR2 communication management software. ICS vulnerability enabling remote code execution on industrial communication gateways.

Industrial Buffer Overflow Stack Overflow Commgr2
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-70039 CRITICAL Act Now

OS command injection in Linagora Twake v2023.Q1.1223 allows unauthenticated remote code execution.

Command Injection Twake
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-70046 CRITICAL Act Now

Inclusion of functionality from untrusted control sphere in Miazzy oa-front-service allows executing code from untrusted sources.

Information Disclosure Oa Font Service
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-70042 CRITICAL Act Now

SSRF vulnerability in ThermaKube Kubernetes monitoring tool allows server-side requests to internal services.

SSRF Thermakube
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-40639 CRITICAL Act Now

SQL injection in Eventobot event management application allows unauthenticated attackers to perform complete database operations including data retrieval, creation, update, and deletion.

PHP SQLi Eventobot
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-25960 CRITICAL PATCH Act Now

Server-Side Request Forgery in vLLM's multimodal MediaConnector allows remote attackers to coerce the inference server into fetching attacker-chosen internal URLs, bypassing the allowed_media_domains allowlist that was added to fix CVE-2026-24779. The bypass exploits a backslash-before-@ parsing disagreement between urllib3.util.parse_url (validation layer) and aiohttp/yarl (HTTP client), so a URL the allowlist reads as a permitted host is actually fetched from an internal target. It carries a CVSS 9.8 rating, a vendor patch and Red Hat advisory are available, and a working bypass payload is published in the GHSA advisory and fix test suite, though EPSS is very low (0.02%, 3rd percentile) and it is not on CISA KEV.

SSRF Vllm
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30240 CRITICAL Act Now

Path traversal in Budibase low-code platform 3.31.5 and earlier allows attackers to read arbitrary files through the application builder.

Path Traversal Budibase
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-3823 CRITICAL Act Now

Remote code execution in Atop Technologies EHG2408-series industrial Ethernet switches (including the EHG2408 and EHG2408-2SFP firmware) allows unauthenticated attackers to hijack the device's execution flow via a stack-based buffer overflow and run arbitrary code. The flaw was reported through Taiwan's CERT (TWCERT) and carries a CVSS 4.0 base score of 9.3, reflecting fully unauthenticated network exploitation with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis, and the EPSS score is low (0.14%, 34th percentile), suggesting exploitation has not yet been observed at scale.

Buffer Overflow Stack Overflow Atop Ehg2408 2sfp Firmware Atop Ehg2408 Firmware RCE
NVD VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-41764 CRITICAL Act Now

Unauthorized firmware upload via wwwupdate.cgi endpoint due to insufficient authorization. Remote attackers can upload and apply arbitrary firmware updates.

Authentication Bypass Universal Bacnet Router Firmware
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-41765 CRITICAL Act Now

Unauthorized file upload via wwwupload.cgi endpoint. Same product as CVE-2025-41764 — second unauthorized upload vector.

Authentication Bypass Universal Bacnet Router Firmware
NVD
CVSS 3.1
9.1
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy