Skip to main content
CVE-2025-67038 CRITICAL POC KEV THREAT Emergency

Critical vulnerability in Lantronix EDS serial device server (EDS5000/EDS3000PS). Multiple injection and auth bypass vulnerabilities in the management interface.

Code Injection RCE Eds5032 Firmware Eds5008 Firmware Eds5016 Firmware
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
Threat
5.0
CVE-2019-25468 CRITICAL POC Act Now

RCE in NetGain EM Plus 10.1.68. PoC available.

RCE Code Injection
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2019-25471 CRITICAL POC Act Now

Arbitrary file upload in FileThingie 2.5.7 via ZIP archives. PoC available.

PHP File Upload Path Traversal
NVD GitHub Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2019-25487 CRITICAL POC Act Now

Command execution in SAPIDO RB-1732 V2.0.43 router. PoC available.

Authentication Bypass
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2018-25159 CRITICAL POC Act Now

OGNL injection in Epross AVCON6 management platform. PoC available.

Code Injection
NVD Exploit-DB VulDB
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-27897 CRITICAL Act Now

Path traversal in Vociferous speech-to-text tool before 4.4.2. CVSS 10.0.

Path Traversal Vociferous
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-31957 CRITICAL Act Now

Default password in Himmelblau Azure Entra ID suite 3.0.0-3.0.x. CVSS 10.0.

Azure
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.2%
CVE-2026-31852 CRITICAL Act Now

Arbitrary code execution in Jellyfin iOS GitHub Actions workflow. CVSS 10.0.

Privilege Escalation RCE Apple iOS
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-66956 CRITICAL Act Now

Insecure access control in Asseco SEE Live 2.0. Remote access to attachments.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-27591 CRITICAL PATCH Act Now

Access control bypass in Winter CMS before 1.0.477/1.1.12/1.2.12. CVSS 9.9.

PHP Laravel
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-31975 CRITICAL PATCH Act Now

OS command injection in Cloud CLI (Claude Code UI) before 1.25.0. EPSS 0.39%.

Command Injection Cloud Cli
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-3826 CRITICAL Act Now

LFI to RCE in IFTOP by WellChoose.

LFI PHP RCE Organization Portal System
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-2631 CRITICAL Act Now

Unauthenticated REST endpoint in Datalogics Ecommerce Delivery WordPress plugin before 2.6.60.

WordPress Privilege Escalation
NVD WPScan
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-32136 CRITICAL PATCH Act Now

Auth bypass in AdGuard Home before 0.107.73.

Authentication Bypass Adguardhome Suse
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-31874 CRITICAL Act Now

Missing auth in Taskosaur project management 1.0.0.

Authentication Bypass Taskosaur
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-70082 CRITICAL Act Now

Critical vulnerability in Lantronix EDS serial device server (EDS5000/EDS3000PS). Multiple injection and auth bypass vulnerabilities in the management interface.

Command Injection RCE Eds3016Ps1Ns Firmware Eds3008Ps1Ns Firmware
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-30741 CRITICAL Act Now

RCE in OpenClaw Agent Platform v2026.2.6 via prompt injection.

RCE Code Injection Openclaw
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-23813 CRITICAL Act Now

Auth bypass in HPE Aruba AOS-CX switch web management.

Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-31840 CRITICAL PATCH Act Now

SQL injection in Parse Server before 9.6.0-alpha.2/8.6.28.

Node.js PostgreSQL SQLi Parse Server
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-67041 CRITICAL Act Now

Critical vulnerability in Lantronix EDS serial device server (EDS5000/EDS3000PS). Multiple injection and auth bypass vulnerabilities in the management interface.

Command Injection Eds3016Ps1Ns Firmware Eds3008Ps1Ns Firmware
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31877 CRITICAL Act Now

SQL injection in Frappe framework before 15.84.0/14.99.0.

SQLi Frappe
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31896 CRITICAL Act Now

SQL injection in WeGIA before 3.6.6.

PHP SQLi Denial Of Service Information Disclosure Wegia
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31871 CRITICAL PATCH Act Now

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31. Third Parse Server SQLi.

Node.js PostgreSQL SQLi Parse Server
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31856 CRITICAL PATCH Act Now

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31.

Node.js PostgreSQL SQLi Parse Server
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-70041 CRITICAL Act Now

Hardcoded password in ThermaKube Kubernetes monitoring.

Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-70024 CRITICAL Act Now

SQL injection in generatedata 4.0.14.

SQLi
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-67035 CRITICAL Act Now

Critical vulnerability in Lantronix EDS serial device server (EDS5000/EDS3000PS). Multiple injection and auth bypass vulnerabilities in the management interface.

Code Injection RCE Eds5032 Firmware Eds5008 Firmware Eds5016 Firmware
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30903 CRITICAL Act Now

File path control in Zoom Workplace for Windows Mail feature before 6.6.0.

Privilege Escalation Microsoft
NVD VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-3916 CRITICAL PATCH Act Now

Sandbox escape via Web Speech in Chrome before 146.0.7680.71. Patch available.

Google Information Disclosure Buffer Overflow Chrome Red Hat +1
NVD VulDB
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-27842 CRITICAL Act Now

Remote attackers can completely bypass authentication on MR-GM5L-S1 and MR-GM5A-L1 devices to arbitrarily modify device configurations. The vulnerability requires no authentication, no user interaction, and low attack complexity (CVSS:4.0 AV:N/AC:L/PR:N/UI:N), scoring 9.3 critical. EPSS exploitation probability is low (0.10%, 28th percentile) with no confirmed active exploitation or public exploit code identified at time of analysis, suggesting limited real-world targeting to date despite the severe access control failure.

Authentication Bypass
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-29515 CRITICAL Act Now

embedded SwiFTP FTP server component contains a vulnerability that allows attackers to log in without valid credentials.

Authentication Bypass Fileexplorer
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-24448 CRITICAL Act Now

Hard-coded credentials in MR-GM5L-S1 and MR-GM5A-L1 enable remote unauthenticated attackers to gain administrative access with critical CVSS 9.3 score. The CWE-798 flaw allows complete system compromise through embedded default credentials that cannot be changed by users. EPSS score of 0.04% (14th percentile) suggests low observed exploitation probability despite the critical severity, though authentication bypass capabilities make this a priority for affected deployments.

Authentication Bypass
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-32096 CRITICAL Act Now

SSRF in Plunk email platform before 0.7.0.

SSRF Plunk
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2026-32133 CRITICAL Act Now

Blind SSRF in 2FAuth 2FA manager before 6.1.0.

SSRF 2fauth
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-31862 CRITICAL PATCH Act Now

Command injection in Cloud CLI (Claude Code UI) Git operations before 1.24.0.

Command Injection Cloud Cli
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2025-67039 CRITICAL Act Now

Critical vulnerability in Lantronix EDS serial device server (EDS5000/EDS3000PS). Multiple injection and auth bypass vulnerabilities in the management interface.

Authentication Bypass Eds3016Ps1Ns Firmware Eds3008Ps1Ns Firmware
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-27478 CRITICAL POC PATCH GHSA Act Now

Auth bypass in Unity Catalog 0.4.0 and earlier.

Authentication Bypass AI / ML
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2023-27573 CRITICAL Act Now

Default credentials in netbox-docker before 2.5.0.

Docker Information Disclosure
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy