CVE Database

CVE-2026-33032KEVCRITICALin_the_wild
CVSS 9.8
EPSS 0.05%
Priority 0
CWE CWE-306

Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patches.

CVE-2026-35184CRITICALnone
CVSS 9.8
EPSS 0.03%
Priority 0
CWE CWE-89

EcclesiaCRM is CRM Software for church management. Prior to 8.0.0, there is a SQL injection vulnerability in v2/templates/query/queryview.php via the custom and value parameters. This vulnerability is fixed in 8.0.0.

CVE-2018-25159CRITICALnone
CVSS 9.8
EPSS 0.06%
Priority 0
CWE CWE-1334

Epross AVCON6 systems management platform contains an object-graph navigation language (OGNL) injection vulnerability that allows unauthenticated attackers to execute arbitrary commands by injecting malicious OGNL expressions. Attackers can send crafted requests to the login.action endpoint with OGNL payloads in the redirect parameter to instantiate ProcessBuilder objects and execute system commands with root privileges.

CVE-2026-7546CRITICALnone
CVSS 9.8
EPSS 0.08%
Priority 0
CWE CWE-119

A security vulnerability has been detected in Totolink NR1800X 9.1.0u.6279_B20210910. The impacted element is the function find_host_ip of the component lighttpd. Such manipulation of the argument Host leads to stack-based buffer overflow. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.

CVE-2026-49261CRITICALnone
CVSS 9.8
EPSS 0.05%
Priority 0
CWE CWE-78

MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through 10.11.17, 11.4.1 through 11.4.11, 11.8.1 through 11.8.7, and 12.3.1 with `wsrep_notify_cmd` enabled would execute shell commands embedded in the name of the joiner node. This is fixed in 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2. As a workaround, anyone who cannot upgrade now should disable `wsrep_notify_cmd`.

CVE-2026-14104CRITICALnone
CVSS 9.8
EPSS 0.21%
Priority 0
CWE CWE-20

Insufficient validation of untrusted input in WebAppInstalls in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)

CVE-2026-2329CRITICALweaponized
CVSS 9.8
EPSS 37.07%
Priority 89
CWE CWE-121

An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability affects all six device models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.

CVE-2026-33054CRITICALnone
CVSS 9.8
EPSS 0.02%
Priority 0
CWE CWE-22

Mesop is a Python-based UI framework that allows users to build web applications. Versions 1.2.2 and below contain a Path Traversal vulnerability that allows any user supplying an untrusted state_token through the UI stream payload to arbitrarily target files on the disk under the standard file-based runtime backend. This can result in application denial of service (via crash loops when reading non-msgpack target files as configurations), or arbitrary file manipulation. This vulnerability heavily exposes systems hosted utilizing FileStateSessionBackend. Unauthorized malicious actors could interact with arbitrary payloads overwriting or explicitly removing underlying service resources natively outside the application bounds. This issue has been fixed in version 1.2.3.

CVE-2025-71338CRITICALnone
CVSS 9.8
EPSS 0.61%
Priority 0
CWE CWE-73

Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized fileName parameters with ../ sequences to overwrite critical files like package.json and achieve remote code execution when the application restarts.

CVE-2026-2286CRITICALnone
CVSS 9.8
EPSS 0.02%
Priority 0

CrewAI contains a server-side request forgery vulnerability that enables content acquisition from internal and cloud services, facilitated by the RAG search tools not properly validating URLs provided at runtime.

CVE-2026-33229CRITICALnone
CVSS 9.8
EPSS 0.03%
Priority 0
CWE CWE-862

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.

CVE-2026-2550CRITICALpoc
CVSS 9.8
EPSS 0.05%
Priority 68
CWE CWE-284

A vulnerability was found in EFM iptime A6004MX 14.18.2. Affected is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi. The manipulation results in unrestricted upload. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-0685CRITICALnone
CVSS 9.8
EPSS 0.73%
Priority 0

Server side template inject (SSTI) in the expression evaluation component in Genshi Template Engine version 0.7.9 allows a remote attacker to achieve remote code execution (RCE) via crafted template expressions.

CVE-2026-2251CRITICALnone
CVSS 9.8
EPSS 0.06%
Priority 0
CWE CWE-22

Improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability in Xerox FreeFlow Core allows unauthorized path traversal leading to RCE. This issue affects Xerox FreeFlow Core versions up to and including 8.0.7. Please consider upgrading to FreeFlow Core version 8.1.0 via the software available on - https://www.support.xerox.com/en-us/product/core/downloads https://www.support.xerox.com/en-us/product/core/downloads

CVE-2026-7137CRITICALnone
CVSS 9.8
EPSS 0.89%
Priority 0
CWE CWE-77

A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setStorageCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument sambaEnabled leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.

CVE-2026-33105CRITICALnone
CVSS 9.8
EPSS 0.04%
Priority 0
CWE CWE-285

Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over a network.

CVE-2026-31607CRITICALnone
CVSS 9.8
EPSS 0.02%
Priority 0

In the Linux kernel, the following vulnerability has been resolved: usbip: validate number_of_packets in usbip_pack_ret_submit() When a USB/IP client receives a RET_SUBMIT response, usbip_pack_ret_submit() unconditionally overwrites urb->number_of_packets from the network PDU. This value is subsequently used as the loop bound in usbip_recv_iso() and usbip_pad_iso() to iterate over urb->iso_frame_desc[], a flexible array whose size was fixed at URB allocation time based on the *original* number_of_packets from the CMD_SUBMIT. A malicious USB/IP server can set number_of_packets in the response to a value larger than what was originally submitted, causing a heap out-of-bounds write when usbip_recv_iso() writes to urb->iso_frame_desc[i] beyond the allocated region. KASAN confirmed this with kernel 7.0.0-rc5: BUG: KASAN: slab-out-of-bounds in usbip_recv_iso+0x46a/0x640 Write of size 4 at addr ffff888106351d40 by task vhci_rx/69 The buggy address is located 0 bytes to the right of allocated 320-byte region [ffff888106351c00, ffff888106351d40) The server side (stub_rx.c) and gadget side (vudc_rx.c) already validate number_of_packets in the CMD_SUBMIT path since commits c6688ef9f297 ("usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input") and b78d830f0049 ("usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input"). The server side validates against USBIP_MAX_ISO_PACKETS because no URB exists yet at that point. On the client side we have the original URB, so we can use the tighter bound: the response must not exceed the original number_of_packets. This mirrors the existing validation of actual_length against transfer_buffer_length in usbip_recv_xbuff(), which checks the response value against the original allocation size. Kelvin Mbogo's series ("usb: usbip: fix integer overflow in usbip_recv_iso()", v2) hardens the receive-side functions themselves; this patch complements that work by catching the bad value at its source -- in usbip_pack_ret_submit() before the overwrite -- and using the tighter per-URB allocation bound rather than the global USBIP_MAX_ISO_PACKETS limit. Fix this by checking rpdu->number_of_packets against urb->number_of_packets in usbip_pack_ret_submit() before the overwrite. On violation, clamp to zero so that usbip_recv_iso() and usbip_pad_iso() safely return early.

CVE-2025-12882CRITICALnone
CVSS 9.8
EPSS 0.07%
Priority 29
CWE CWE-269

The Clasifico Listing plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.0. This is due to the plugin allowing users who are registering new accounts to set their own role by supplying the 'listing_user_role' parameter. This makes it possible for unauthenticated attackers to gain elevated privileges by registering an account with the administrator role.

CVE-2026-22500CRITICALnone
CVSS 9.8
EPSS 0.02%
Priority 0
CWE CWE-502

Deserialization of Untrusted Data vulnerability in axiomthemes m2 | Construction and Tools Store m2-ce allows Object Injection.This issue affects m2 | Construction and Tools Store: from n/a through <= 1.1.2.

CVE-2026-9094CRITICALnone
CVSS 9.8
EPSS 0.02%
Priority 0

Casdoor versions 2.362.0 and earlier contain a vulnerability enabling cross-organization token exchange. The GetTokenExchangeToken function in object/token_oauth.go validates JWT signatures but does not verify that the token's user belongs to the same organization as the target application. This can result in privilege escalation across organizational boundaries.

CVE-2019-25471CRITICALnone
CVSS 9.8
EPSS 0.16%
Priority 0
CWE CWE-22

FileThingie 2.5.7 contains an arbitrary file upload vulnerability that allows attackers to upload malicious files by sending ZIP archives through the ft2.php endpoint. Attackers can upload ZIP files containing PHP shells, use the unzip functionality to extract them into accessible directories, and execute arbitrary commands through the extracted PHP files.

CVE-2026-26021CRITICALpoc
CVSS 9.8
EPSS 0.03%
Priority 68
CWE CWE-1321

set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. This has been fixed in version 2.0.5.

CVE-2026-6886CRITICALnone
CVSS 9.8
EPSS 0.16%
Priority 0
CWE CWE-1390

Borg SPM 2007 (Sales Ended in 2008) developed by BorG Technology Corporation has a Authentication Bypass vulnerability, allowing unauthenticated remote attackers to log into the system as any user.

CVE-2026-34112CRITICALnone
CVSS 9.8
EPSS 0.54%
Priority 0
CWE CWE-78

Guardian language-system passes the id GET parameter directly into a PHP exec() call in speechmac.php (line 18) without sanitization: exec(\"php jobs/speech_audio_mac.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.

CVE-2026-34108CRITICALnone
CVSS 9.8
EPSS 0.55%
Priority 0
CWE CWE-78

Guardian language-system passes the id GET parameter directly into a PHP exec() call in text.php (line 15) without sanitization: exec(\"php jobs/text.php \".$login_session.\" \".$_GET['id'].\" ...\"). No authentication is required. An unauthenticated remote attacker can append shell metacharacters to execute arbitrary OS commands on the server.

CVE-2026-58453CRITICALnone
CVSS 9.8
EPSS 1.69%
Priority 0
CWE CWE-1392

JAIOTlink C492A-W6 Wi-Fi IP cameras running firmware 4.8.30.57701411 contain a hard-coded credentials vulnerability that allows network-adjacent attackers to gain unauthorized access by using the default admin username with an empty password accepted by the anyka_ipc HTTP service on port 80. Attackers can authenticate with these hardcoded credentials to access camera snapshots, video streams, network configuration, and factory-level API endpoints including the SetMAC command injection surface.

CVE-2023-54344CRITICALnone
CVSS 9.8
EPSS 0.15%
Priority 0
CWE CWE-306

Eclipse Equinox OSGi 3.7.2 and earlier contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending payloads to the console interface. Attackers can connect to the OSGi console port and send base64-encoded bash commands wrapped in fork directives to achieve code execution and establish reverse shell connections.

CVE-2025-70085CRITICALnone
CVSS 9.8
EPSS 0.06%
Priority 29
CWE CWE-121

An issue was discovered in OpenSatKit 2.2.1. The EventErrStr buffer has a fixed size of 256 bytes. The code uses sprintf to format two filenames (Source1Filename and the string returned by FileUtil_FileStateStr) into this buffer without any length checking and without using bounded format specifiers such as %.*s. If the filename length approaches OS_MAX_PATH_LEN (commonly 64-256 bytes), the combined formatted string together with constant text can exceed 256 bytes, resulting in a stack buffer overflow. Such unsafe sprintf calls are scattered across multiple functions in file.c, including FILE_ConcatenateCmd() and ConcatenateFiles(), all of which fail to validate the output length.

CVE-2022-50973KEVCRITICALin_the_wild
CVSS 9.8
EPSS 0.86%
Priority 0
CWE CWE-434

Yonyou KSOA 9.0 contains an unauthenticated arbitrary file upload vulnerability in the com.sksoft.bill.ImageUpload servlet that allows unauthenticated attackers to upload arbitrary files by submitting a POST request with attacker-controlled filepath and filename parameters without any authentication, file type, extension, or content validation. Attackers can upload a JSP webshell by specifying a malicious filename and root filepath, with the uploaded file stored under the pictures directory and directly executed by the web server, resulting in unauthenticated remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2023-11-07 (UTC).

CVE-2026-48137CRITICALnone
CVSS 9.8
EPSS
Priority 0
CWE CWE-822

There is an untrusted pointer dereference vulnerability in the NI grpc-device sideband streaming API that may allow an attacker to cause an arbitrary memory dereference, potentially resulting in remote code execution.  Successful exploitation requires an attacker  to supply a specially crafted Moniker protobuf message.  This affects NI grpc-device 2.17.0 and prior versions.

CVE-2025-50190CRITICALnone
CVSS 9.8
EPSS 0.03%
Priority 0
CWE CWE-89

Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via the GET openid.assoc_handle parameter with the /index.php script. This issue has been patched in version 1.11.30.

CVE-2026-2038CRITICALnone
CVSS 9.8
EPSS 0.59%
Priority 29
CWE CWE-862

GFI Archiver MArc.Core Missing Authorization Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of GFI Archiver. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the MArc.Core.Remoting.exe process, which listens on port 8017. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of SYSTEM. Was ZDI-CAN-27934.

CVE-2026-2865CRITICALnone
CVSS 9.8
EPSS 0.03%
Priority 22
CWE CWE-74

A vulnerability was found in itsourcecode Agri-Trading Online Shopping System 1.0. This impacts an unknown function of the file admin/productcontroller.php of the component HTTP POST Request Handler. Performing a manipulation of the argument Product results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used.

CVE-2026-44083CRITICALnone
CVSS 9.8
EPSS 0.06%
Priority 0
CWE CWE-639

An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to gain unintended privileges. We have already fixed the vulnerability in the following version: QuMagie 2.9.1 and later

CVE-2019-25441CRITICALweaponized
CVSS 9.8
EPSS 3.36%
Priority 89
CWE CWE-78

thesystem 1.0 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the run_command endpoint. Attackers can send POST requests with shell commands in the command parameter to execute arbitrary code on the server without authentication.

CVE-2026-24113CRITICALnone
CVSS 9.8
EPSS 0.02%
Priority 0

An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Attackers may exploit the vulnerability by controlling the value of `nptr`. When this value is passed into the `getMibPrefix` function and concatenated using `sprintf` without proper size validation, it could lead to a buffer overflow vulnerability.

CVE-2025-50857CRITICALnone
CVSS 9.8
EPSS 0.58%
Priority 29

ZenTaoPMS v18.11 through v21.6.beta is vulnerable to Directory Traversal in /module/ai/control.php. This allows attackers to execute arbitrary code via a crafted file upload

CVE-2026-24423KEVCRITICALin_the_wild
CVSS 9.8
EPSS 26.16%
Priority 70

SmarterTools SmarterMail contains a missing authentication for critical function vulnerability in the ConnectToHub API method. This could allow the attacker to point the SmarterMail instance to a malicious HTTP server which serves the malicious OS command and could lead to command execution.

CVE-2026-20884CRITICALnone
CVSS 9.8
EPSS 0.04%
Priority 0
CWE CWE-190

An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2026-24120CRITICALnone
CVSS 9.8
EPSS 0.08%
Priority 0
CWE CWE-94

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5.

CVE-2026-7834CRITICALnone
CVSS 9.8
EPSS 0.04%
Priority 0
CWE CWE-119

A security vulnerability has been detected in EFM ipTIME NAS1dual 1.5.24. This issue affects the function get_csrf_whites of the file /cgi/advanced/misc_main.cgi. Such manipulation leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-6026CRITICALpoc
CVSS 9.8
EPSS 0.89%
Priority 0
CWE CWE-77

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This vulnerability affects the function setPortalConfWeChat of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument enable results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.

CVE-2026-25971CRITICALnone
CVSS 9.8
EPSS 0.03%
Priority 19
CWE CWE-674

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, Magick fails to check for circular references between two MSLs, leading to a stack overflow. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-33824CRITICALnone
CVSS 9.8
EPSS 0.07%
Priority 0
CWE CWE-415

Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.

CVE-2026-27944KEVCRITICALin_the_wild
CVSS 9.8
EPSS 0.05%
Priority 0
CWE CWE-306

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.

CVE-2026-44008CRITICALnone
CVSS 9.8
EPSS 0.07%
Priority 0
CWE CWE-668

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to get host objects and get the host Function object. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This vulnerability is fixed in 3.11.2.

CVE-2026-45972CRITICALnone
CVSS 9.8
EPSS
Priority 0

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF and double free in smb2_open_file() Zero out @err_iov and @err_buftype before retrying SMB2_open() to prevent an UAF bug if @data != NULL, otherwise a double free.

CVE-2026-1358CRITICALnone
CVSS 9.8
EPSS 0.15%
Priority 29
CWE CWE-434

Airleader Master versions 6.381 and prior allow for file uploads without restriction to multiple webpages running maximum privileges. This could allow an unauthenticated user to potentially obtain remote code execution on the server.

CVE-2026-53228CRITICALnone
CVSS 9.8
EPSS 0.18%
Priority 0

In the Linux kernel, the following vulnerability has been resolved: ipv6: sit: reload inner IPv6 header after GSO offloads ipip6_tunnel_xmit() caches the inner IPv6 header pointer at function entry and continues using it after iptunnel_handle_offloads(). For GSO skbs, iptunnel_handle_offloads() calls skb_header_unclone(). When the skb header is cloned, skb_header_unclone() can call pskb_expand_head(), which may move the skb head. The pskb_expand_head() contract requires pointers into the skb header to be reloaded after the call. If the later skb_realloc_headroom() branch is not taken, SIT uses the stale iph6 pointer to read the inner hop limit and DS field. That can read from a freed skb head after the old head's remaining clone is released. Reload iph6 after the offload helper succeeds and before subsequent reads from the inner IPv6 header. Keep the existing reload after skb_realloc_headroom(), since that branch can also replace the skb.

CVE-2026-2331CRITICALnone
CVSS 9.8
EPSS 0.17%
Priority 0
CWE CWE-552

An attacker may perform unauthenticated read and write operations on sensitive filesystem areas via the AppEngine Fileaccess over HTTP due to improper access restrictions. A critical filesystem directory was unintentionally exposed through the HTTP-based file access feature, allowing access without authentication. This includes device parameter files, enabling an attacker to read and modify application settings, including customer-defined passwords. Additionally, exposure of the custom application directory may allow execution of arbitrary Lua code within the sandboxed AppEngine environment.

← PreviousPage 35 of 691Next →