CVE Database

CVE-2026-21413CRITICALnone
CVSS 9.8
EPSS 0.04%
Priority 0
CWE CWE-129

A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2025-59851CRITICALnone
CVSS 9.8
EPSS 0.03%
Priority 0

HCL DFXAnalytics is affected by a Using Components with Known Vulnerabilities flaw where the application utilizes unpatched libraries or sub-components, which could allow an attacker to identify and exploit publicly known security vulnerabilities to gain unauthorized access or compromise the application.

CVE-2026-50873CRITICALnone
CVSS 9.8
EPSS 0.44%
Priority 0

An arbitrary file upload vulnerability in the attachment handling component of flatnotes v5.5.4 allows attackers to execute arbitrary code via uploading a crafted HTML or SVG file.

CVE-2026-34114CRITICALnone
CVSS 9.8
EPSS 0.54%
Priority 0
CWE CWE-78

Guardian language-system passes the id GET parameter directly into a PHP exec() call in translate_text.php (line 18) without sanitization: exec(\"php jobs/translate_text.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.

CVE-2026-4277CRITICALnone
CVSS 9.8
EPSS 0.01%
Priority 0
CWE CWE-862

An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. Add permissions on inline model instances were not validated on submission of forged `POST` data in `GenericInlineModelAdmin`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank N05ec@LZU-DSLab for reporting this issue.

CVE-2026-27697CRITICALnone
CVSS 9.8
EPSS 0.03%
Priority 0
CWE CWE-89

baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a SQL injection vulnerability in blog posts. This issue has been patched in version 5.2.3.

CVE-2026-26142CRITICALnone
CVSS 9.8
EPSS
Priority 0
CWE CWE-502

Deserialization of untrusted data in Nuance PowerScribe allows an unauthorized attacker to execute code over a network.

CVE-2026-44109CRITICALnone
CVSS 9.8
EPSS 0.16%
Priority 0
CWE CWE-1188

OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration and blank callback tokens fail open instead of rejecting requests, enabling attackers to bypass signature verification and replay protection to execute arbitrary commands.

CVE-2026-25089KEVCRITICALin_the_wild
CVSS 9.8
EPSS
Priority 0
CWE CWE-78

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4 through 5.0.5, FortiSandbox PaaS 5.0.4 through 5.0.5 may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests

CVE-2026-39808KEVCRITICALin_the_wild
CVSS 9.8
EPSS 0.29%
Priority 0
CWE CWE-78

A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow attacker to execute unauthorized code or commands via <insert attack vector here>

CVE-2026-1952CRITICALnone
CVSS 9.8
EPSS 0.04%
Priority 0
CWE CWE-912

Delta Electronics AS320T has denial of service via the undocumented subfunction vulnerability.

CVE-2026-39948CRITICALnone
CVSS 9.8
EPSS 0.42%
Priority 0
CWE CWE-89

Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request parameter is retrieved via the raw accessor grv() (rather than gfrv() with FILTER_VALIDATE_IS_REGEX validation) and concatenated directly into RLIKE SQL clauses in lib/html_graph.php and lib/html_tree.php, which are reachable pre-authentication through graph_view.php on installations with guest graph viewing enabled. Because the unbalanced-quote payload bypasses the regex validation that would otherwise reject it, an unauthenticated attacker can inject arbitrary SQL to compromise the confidentiality, integrity, and availability of the database. This advisory is similar to GHSA-69gg-mjfm-jjpc. This issue has been fixed in version 1.2.31.

CVE-2024-14034CRITICALnone
CVSS 9.8
EPSS 0.01%
Priority 0
CWE CWE-287

Hirschmann HiEOS devices versions prior to 01.1.00 contain an authentication bypass vulnerability in the HTTP(S) management module that allows unauthenticated remote attackers to gain administrative access by sending specially crafted HTTP(S) requests. Attackers can exploit improper authentication handling to obtain elevated privileges and perform unauthorized actions including configuration download or upload and firmware modification.

CVE-2026-34109CRITICALnone
CVSS 9.8
EPSS 0.54%
Priority 0
CWE CWE-78

Guardian language-system passes the id GET parameter directly into a PHP exec() call in speech.php (line 18) without sanitization: exec(\"php jobs/speech_audio.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.

CVE-2025-70218CRITICALnone
CVSS 9.8
EPSS 0.02%
Priority 0

Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via POST to the goform/formAdvFirewall component.

CVE-2026-13776CRITICALnone
CVSS 9.8
EPSS
Priority 0
CWE CWE-843

Type Confusion in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

CVE-2026-34111CRITICALnone
CVSS 9.8
EPSS 0.55%
Priority 0
CWE CWE-78

Guardian language-system passes the id GET parameter directly into a PHP exec() call in speechmac_text.php (line 18) without sanitization: exec(\"php jobs/speech_audio_mac_text.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.

CVE-2026-8660CRITICALnone
CVSS 9.8
EPSS 0.55%
Priority 0
CWE CWE-78

OS Command Injection vulnerability in the ping action of Rapid7 InsightConnect Ping Plugin on Linux allows remote attackers to execute arbitrary OS commands via the host parameter due to insufficient input validation when constructing shell commands.

CVE-2026-43575CRITICALnone
CVSS 9.8
EPSS 0.09%
Priority 0
CWE CWE-862

OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes interactive browser session credentials. Attackers can access the noVNC helper route without bridge authentication to gain unauthorized access to the interactive browser session.

CVE-2026-20792CRITICALnone
CVSS 9.8
EPSS 0.06%
Priority 0
CWE CWE-307

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or misrouting legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.

CVE-2026-26369CRITICALnone
CVSS 9.8
EPSS 0.02%
Priority 29
CWE CWE-269

eNet SMART HOME server 2.2.1 and 2.3.1 contains a privilege escalation vulnerability due to insufficient authorization checks in the setUserGroup JSON-RPC method. A low-privileged user (UG_USER) can send a crafted POST request to /jsonrpc/management specifying their own username to elevate their account to the UG_ADMIN group, bypassing intended access controls and gaining administrative capabilities such as modifying device configurations, network settings, and other smart home system functions.

CVE-2026-24115CRITICALnone
CVSS 9.8
EPSS 0.04%
Priority 0

An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Failure to validate the sizes of `gstup` and `gstdwn` before concatenating them into `gstruleQos` may lead to buffer overflow.

CVE-2026-3400CRITICALnone
CVSS 9.8
EPSS 0.05%
Priority 0
CWE CWE-119

A security flaw has been discovered in Tenda AC15 up to 15.13.07.13. Affected by this issue is some unknown functionality of the file /goform/TextEditingConversion. The manipulation of the argument wpapsk_crypto2_4g results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.

CVE-2026-34117CRITICALnone
CVSS 9.8
EPSS 0.54%
Priority 0
CWE CWE-78

Guardian language-system passes the id GET parameter directly into a PHP exec() call in text_to_subtitles.php (line 19) without sanitization: exec(\"php jobs/text_to_subtitles.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.

CVE-2026-40050CRITICALnone
CVSS 9.8
EPSS 0.27%
Priority 0
CWE CWE-22

CrowdStrike has released security updates to address a critical unauthenticated path traversal vulnerability (CVE-2026-40050) in LogScale. This vulnerability only requires mitigation by customers that host specific versions of LogScale and does not affect Next-Gen SIEM customers. The vulnerability exists in a specific cluster API endpoint that, if exposed, allows a remote attacker to read arbitrary files from the server filesystem without authentication. Next-Gen SIEM customers are not affected and do not need to take any action. CrowdStrike mitigated the vulnerability for LogScale SaaS customers by deploying network-layer blocks to all clusters on April 7, 2026. We have proactively reviewed all log data and there is no evidence of exploitation. LogScale Self-hosted customers should upgrade to a patched version immediately to remediate the vulnerability. CrowdStrike identified this vulnerability during continuous and ongoing product testing.

CVE-2025-55270CRITICALnone
CVSS 9.8
EPSS 0.10%
Priority 0
CWE CWE-20

HCL Aftermarket DPC is affected by Improper Input Validation which allows an attacker to inject executable code and can carry out attacks such as XSS, SQL Injection, Command Injection etc.

CVE-2026-3813CRITICALnone
CVSS 9.8
EPSS 0.04%
Priority 0
CWE CWE-74

A vulnerability was identified in opencc JFlow up to 5badc00db382d7cb82dad231e6a866b18e0addfe. Affected by this vulnerability is the function Calculate of the file src/main/java/bp/wf/httphandler/WF_CCForm.java. Such manipulation leads to injection. The attack may be performed from remote. The exploit is publicly available and might be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.

CVE-2026-4670CRITICALnone
CVSS 9.8
EPSS 0.07%
Priority 0
CWE CWE-305

Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass. This issue affects MOVEit Automation: from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0.

CVE-2026-9072CRITICALnone
CVSS 9.8
EPSS 0.38%
Priority 0
CWE CWE-94

IBM WebSphere Application Server and IBM WebSphere Application Server Liberty - when using Intelligent Management with the WebSphere WebServer Plug-in component - are vulnerable to remote code execution and denial of service. This vulnerability can be exploited when an attacker impersonates backend servers and sends crafted responses to the plug-in.

CVE-2026-10060CRITICALnone
CVSS 9.8
EPSS 1.06%
Priority 0
CWE CWE-74

A vulnerability has been found in TRENDnet TEW-432BRP 3.10B20. This impacts the function formSetRoute of the file /goform/formSetRoute. The manipulation of the argument ip/mask/gateway leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor explains: "This product has been EOL for 15 years (since 2009). As the item has been EOL for such a long time, we are not able to replicate or fix any vulnerabilities." This vulnerability only affects products that are no longer supported by the maintainer.

CVE-2026-30703CRITICALnone
CVSS 9.8
EPSS 0.11%
Priority 0

A command injection vulnerability exists in the web management interface of the WiFi Extender WDR201A (HW V2.1, FW LFMZX28040922V1.02). The adm.cgi endpoint improperly sanitizes user-supplied input provided to a command-related parameter in the sysCMD functionality.

CVE-2026-33824CRITICALnone
CVSS 9.8
EPSS 0.07%
Priority 0
CWE CWE-415

Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.

CVE-2026-6987CRITICALnone
CVSS 9.8
EPSS 1.28%
Priority 0
CWE CWE-74

A vulnerability was detected in PicoClaw up to 0.2.4. Impacted is an unknown function of the file /api/gateway/restart of the component Web Launcher Management Plane. Performing a manipulation results in command injection. It is possible to initiate the attack remotely. The project was informed of the problem early through an issue report but has not responded yet.

CVE-2024-58351CRITICALnone
CVSS 9.8
EPSS
Priority 0
CWE CWE-94

Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction API. Because this feature is enabled by default with no allow-list of permitted variables and relies on vm2 for sandboxing, an attacker can abuse it to achieve remote code execution and sandbox escape, denial of service by crashing the server, server-side request forgery, prompt injection, and server variable and data exfiltration. These issues are self-targeted and do not persist to other users.

CVE-2018-25201CRITICALnone
CVSS 9.8
EPSS 0.10%
Priority 0
CWE CWE-89

School Management System CMS 1.0 contains an SQL injection vulnerability in the admin login functionality that allows attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit malicious payloads using boolean-based blind SQL injection techniques to the processlogin endpoint to authenticate as administrator without valid credentials.

CVE-2026-58138CRITICALnone
CVSS 9.8
EPSS
Priority 0
CWE CWE-94

Orkes Conductor 3.21.21 before 3.30.2 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary OS commands by submitting inline workflow definitions containing malicious JavaScript or Python expressions to the workflow API endpoint prior to authentication. Attackers can exploit unsandboxed GraalVM evaluators configured with HostAccess.ALL or allowAllAccess(true) through INLINE, LAMBDA, DO_WHILE, and SWITCH task types to invoke arbitrary system commands via Java reflection or direct subprocess calls.

CVE-2026-5975CRITICALnone
CVSS 9.8
EPSS 0.89%
Priority 0
CWE CWE-77

A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setDmzCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument wanIdx leads to os command injection. The attack may be performed from remote. The exploit is publicly available and might be used.

CVE-2026-25955CRITICALnone
CVSS 9.8
EPSS 0.05%
Priority 17
CWE CWE-416

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.23.0, `xf_AppUpdateWindowFromSurface` reuses a cached `XImage` whose `data` pointer references a freed RDPGFX surface buffer, because `gdi_DeleteSurface` frees `surface->data` without invalidating the `appWindow->image` that aliases it. Version 3.23.0 fixes the issue.

CVE-2026-2912CRITICALpoc
CVSS 9.8
EPSS 0.02%
Priority 61
CWE CWE-74

A vulnerability was found in code-projects Online Reviewer System 1.0. Impacted is an unknown function of the file /system/system/students/assessments/results/studentresult-view.php. The manipulation of the argument test_id results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.

CVE-2026-31657CRITICALnone
CVSS 9.8
EPSS 0.02%
Priority 0

In the Linux kernel, the following vulnerability has been resolved: batman-adv: hold claim backbone gateways by reference batadv_bla_add_claim() can replace claim->backbone_gw and drop the old gateway's last reference while readers still follow the pointer. The netlink claim dump path dereferences claim->backbone_gw->orig and takes claim->backbone_gw->crc_lock without pinning the underlying backbone gateway. batadv_bla_check_claim() still has the same naked pointer access pattern. Reuse batadv_bla_claim_get_backbone_gw() in both readers so they operate on a stable gateway reference until the read-side work is complete. This keeps the dump and claim-check paths aligned with the lifetime rules introduced for the other BLA claim readers.

CVE-2026-31900CRITICALnone
CVSS 9.8
EPSS 0.12%
Priority 0
CWE CWE-20

Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability.

CVE-2026-24378CRITICALnone
CVSS 9.8
EPSS 0.02%
Priority 0
CWE CWE-502

Deserialization of Untrusted Data vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Object Injection.This issue affects EventPrime: from n/a through <= 4.2.8.0.

CVE-2026-56030CRITICALnone
CVSS 9.8
EPSS 0.33%
Priority 0
CWE CWE-266

Unauthenticated Privilege Escalation in Paytium <= 5.0.2 versions.

CVE-2026-26218CRITICALnone
CVSS 9.8
EPSS 0.13%
Priority 29
CWE CWE-798

newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset the database using the provided schema and fail to change the default administrative credentials may allow unauthenticated attackers to log in as an administrator and gain full administrative control of the application.

CVE-2026-58127CRITICALnone
CVSS 9.8
EPSS 0.78%
Priority 0
CWE CWE-306

PACSgear MediaWriter 5.2.1 exposes a .NET Remoting TCP service on port 9000 via PacsgearMediaServerEngine.dll, registered with ObjectURIs RemoteObj and UIRemoteObj, without any authentication requirement. By exploiting the MarshalByRefObject object unmarshalling technique and implementing .NET WebClient class methods, an unauthenticated remote attacker can read and write arbitrary files on the host filesystem. The ObjectURIs are identical across all installations by default. Chaining the arbitrary file write primitive with DLL hijacking opportunities in the MediaWriter service (which runs as NT Authority\\SYSTEM and loads missing DLLs such as CRYPTBASE.DLL from the application directory) enables unauthenticated remote code execution as SYSTEM upon service restart.

CVE-2026-27849CRITICALnone
CVSS 9.8
EPSS 0.03%
Priority 29
CWE CWE-78

Due to missing neutralization of special elements, OS commands can be injected via the update functionality of a TLS-SRP connection, which is normally used for configuring devices inside the mesh network. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.

CVE-2026-47210CRITICALnone
CVSS 9.8
EPSS 0.88%
Priority 0
CWE CWE-913

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, a sandbox escape vulnerability in vm2 allows arbitrary code execution in the host process when untrusted code is executed with async support on runtimes exposing WebAssembly JSPI (WebAssembly.promising / WebAssembly.Suspending). In the tested configuration, a JSPI-backed Promise can reach Promise.prototype.finally() in a way that bypasses the expected Promise-species hardening and exposes a host-originated rejection object to attacker-controlled species logic, breaking the sandbox boundary. This issue has been patched in version 3.11.4.

CVE-2025-15559CRITICALnone
CVSS 9.8
EPSS 0.15%
Priority 29
CWE CWE-78

An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the “guid” parameter. This allows an attacker to execute arbitrary commands on the WorkTime server as NT Authority\SYSTEM with the highest privileges. Attackers are able to access or manipulate sensitive data and take over the whole server.

CVE-2026-40351CRITICALnone
CVSS 9.8
EPSS 0.05%
Priority 0
CWE CWE-943

FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attacker to pass a MongoDB query operator object (e.g., {"$ne": ""}) as the password field. This NoSQL injection bypasses the password check, enabling login as any user including the root administrator. This issue has been fixed in version 4.14.9.5.

CVE-2026-24968CRITICALnone
CVSS 9.8
EPSS 0.02%
Priority 0
CWE CWE-266

Incorrect Privilege Assignment vulnerability in Xagio SEO Xagio SEO xagio-seo allows Privilege Escalation.This issue affects Xagio SEO: from n/a through <= 7.1.0.30.

← PreviousPage 19 of 691Next →