CVE Database

CVE-2026-56315CRITICALnone
CVSS 9.8
EPSS 0.76%
Priority 0
CWE CWE-184

picklescan before 1.0.4 fails to block at least seven Python standard library modules (including uuid, _osx_support, _aix_support, _pyrepl.pager, and imaplib) exposing eight functions that provide direct arbitrary command execution. Attackers can craft malicious pickle files importing these unblocked modules to achieve remote code execution while bypassing picklescan's safety validation entirely.

CVE-2025-69633CRITICALnone
CVSS 9.8
EPSS 0.11%
Priority 29
CWE CWE-89

A SQL Injection vulnerability in the Advanced Popup Creator (advancedpopupcreator) module for PrestaShop 1.1.26 through 1.2.6 (Fixed in version 1.2.7) allows remote unauthenticated attackers to execute arbitrary SQL queries via the fromController parameter in the popup controller. The parameter is passed unsanitized to SQL queries in classes/AdvancedPopup.php (getPopups() and updateVisits() functions).

CVE-2026-44815CRITICALnone
CVSS 9.8
EPSS 0.09%
Priority 0
CWE CWE-121

Stack-based buffer overflow in Windows DHCP Client allows an unauthorized attacker to execute code over a network.

CVE-2026-26696CRITICALnone
CVSS 9.8
EPSS 0.03%
Priority 0

code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection in /TracerStudy/recordteacher_edit.php.

CVE-2026-11714CRITICALnone
CVSS 9.8
EPSS
Priority 0
CWE CWE-918

IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.7 is affected by a server-side request forgery vulnerability with the apiDiscovery-1.0 feature enabled.

CVE-2026-48773CRITICALnone
CVSS 9.8
EPSS
Priority 0
CWE CWE-787

ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. Versions 2.0.18 through 3.0.8 have a pre-authentication heap memory corruption vulnerability in the MySQL and PostgreSQL protocol first-read paths. A remote unauthenticated client can declare an oversized first packet length, and ProxySQL passes that attacker-controlled length directly to `recv()` while writing into a fixed 32 KB input queue. Version 3.0.9 patches the issue.

CVE-2026-48137CRITICALnone
CVSS 9.8
EPSS
Priority 0
CWE CWE-822

There is an untrusted pointer dereference vulnerability in the NI grpc-device sideband streaming API that may allow an attacker to cause an arbitrary memory dereference, potentially resulting in remote code execution.  Successful exploitation requires an attacker  to supply a specially crafted Moniker protobuf message.  This affects NI grpc-device 2.17.0 and prior versions.

CVE-2025-69370CRITICALnone
CVSS 9.8
EPSS 0.05%
Priority 29
CWE CWE-502

Deserialization of Untrusted Data vulnerability in ThemeGoods Capella capella allows Object Injection.This issue affects Capella: from n/a through <= 2.5.5.

CVE-2026-49765CRITICALnone
CVSS 9.8
EPSS 0.38%
Priority 0
CWE CWE-502

Unauthenticated PHP Object Injection in Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 versions.

CVE-2026-8452CRITICALnone
CVSS 9.8
EPSS
Priority 0
CWE CWE-119

Memory overflow vulnerability NetScaler ADC and NetScaler Gateway leading to unpredictable or erroneous behavior and Denial of Service if the appliance is configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server

CVE-2026-27772CRITICALnone
CVSS 9.8
EPSS 0.08%
Priority 0
CWE CWE-306

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

CVE-2026-13766CRITICALnone
CVSS 9.8
EPSS
Priority 0
CWE CWE-89

DBIx::QuickORM versions before 0.000026 for Perl allow SQL injection via unquoted SQL identifiers. The default SQL builder, a SQL::Abstract subclass, sets bindtype in its constructor but never quote_char, so SQL::Abstract emits identifiers verbatim. Caller-supplied identifiers (order_by, where-clause column keys, field and returning lists, upsert columns, and join aliases) reach the SQL string raw, while values are placeholder-bound and unaffected. A caller that forwards untrusted input to an affected identifier position, such as a user-controlled order_by value, enables SQL injection: the row order can be made to depend on a sub-select over columns the query never selected, and the where and update identifier positions permit further data disclosure and tampering.

CVE-2026-52989CRITICALnone
CVSS 9.8
EPSS 0.17%
Priority 0

In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: propagate nvmet_tcp_build_pdu_iovec() errors to its callers Currently, when nvmet_tcp_build_pdu_iovec() detects an out-of-bounds PDU length or offset, it triggers nvmet_tcp_fatal_error(cmd->queue) and returns early. However, because the function returns void, the callers are entirely unaware that a fatal error has occurred and that the cmd->recv_msg.msg_iter was left uninitialized. Callers such as nvmet_tcp_handle_h2c_data_pdu() proceed to blindly overwrite the queue state with queue->rcv_state = NVMET_TCP_RECV_DATA Consequently, the socket receiving loop may attempt to read incoming network data into the uninitialized iterator. Fix this by shifting the error handling responsibility to the callers.

CVE-2026-4631CRITICALpoc
CVSS 9.8
EPSS 0.10%
Priority 0
CWE CWE-78

Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH options or shell commands, achieving code execution on the Cockpit host without valid credentials. The injection occurs during the authentication flow before any credential verification takes place, meaning no login is required to exploit the vulnerability.

CVE-2026-22207CRITICALnone
CVSS 9.8
EPSS 0.17%
Priority 28
CWE CWE-306

OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted. Attackers can send requests to protected endpoints without authentication headers to access administrative functions including account management, resource operations, and system configuration.

CVE-2026-52955CRITICALnone
CVSS 9.8
EPSS 0.18%
Priority 0

In the Linux kernel, the following vulnerability has been resolved: libceph: Fix potential out-of-bounds access in crush_decode() A message of type CEPH_MSG_OSD_MAP containing a crush map with at least one bucket has two fields holding the bucket algorithm. If the values in these two fields differ, an out-of-bounds access can occur. This is the case because the first algorithm field (alg) is used to allocate the correct amount of memory for a bucket of this type, while the second algorithm field inside the bucket (b->alg) is used in the subsequent processing. This patch fixes the issue by adding a check that compares alg and b->alg and aborts the processing in case they differ. Furthermore, b->alg is set to 0 in this case, because the destruction of the crush map also uses this field to determine the bucket type, which can again result in an out-of-bounds access when trying to free the memory pointed to by the fields of the bucket. To correctly free the memory allocated for the bucket in such a case, the corresponding call to kfree is moved from the algorithm-specific crush_destroy_bucket functions to the generic crush_destroy_bucket().

CVE-2025-66678CRITICALnone
CVSS 9.8
EPSS 0.02%
Priority 0

An issue in the HwRwDrv.sys component of Nil Hardware Editor Hardware Read & Write Utility v1.25.11.26 and earlier allows attackers to execute arbitrary read and write operations via a crafted request.

CVE-2026-5030CRITICALnone
CVSS 9.8
EPSS 1.17%
Priority 0
CWE CWE-74

A vulnerability has been found in Totolink NR1800X 9.1.0u.6279_B20210910. This issue affects the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi of the component Telnet Service. The manipulation of the argument host_time leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-58360KEVCRITICALin_the_wild
CVSS 9.8
EPSS 85.69%
Priority 70

OSGeo GeoServer contains an improper restriction of XML external entity reference vulnerability that occurs when the application accepts XML input through a specific endpoint /geoserver/wms operation GetMap and could allow an attacker to define external entities within the XML request.

CVE-2025-71338CRITICALnone
CVSS 9.8
EPSS 0.61%
Priority 0
CWE CWE-73

Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized fileName parameters with ../ sequences to overwrite critical files like package.json and achieve remote code execution when the application restarts.

CVE-2026-8181KEVCRITICALin_the_wild
CVSS 9.8
EPSS 0.26%
Priority 0
CWE CWE-287

The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the `is_mainwp_authenticated()` function when validating application passwords from the Authorization header. This makes it possible for unauthenticated attackers, with knowledge of an administrator username, to impersonate that administrator for the duration of the request by supplying any random Basic Authentication password achieving privilege escalation.

CVE-2025-71333CRITICALnone
CVSS 9.8
EPSS 0.52%
Priority 0
CWE CWE-73

Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments endpoint when storageType is set to local. Attackers can exploit path traversal in the chatId and chatflowId parameters to upload malicious files to arbitrary directories, potentially enabling remote code execution and server compromise.

CVE-2026-26695CRITICALnone
CVSS 9.8
EPSS 0.01%
Priority 0

code-projects Simple Student Alumni System v1.0 is vulnerable to SQL Injection in /TracerStudy/recordstudent_edit.php.

CVE-2026-57692CRITICALnone
CVSS 9.8
EPSS 0.29%
Priority 0
CWE CWE-266

Incorrect Privilege Assignment vulnerability in LCweb PrivateContent allows Privilege Escalation. This issue affects PrivateContent: from n/a through 9.9.2.

CVE-2026-48172KEVCRITICALin_the_wild
CVSS 9.8
EPSS 0.02%
Priority 0
CWE CWE-266

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7.

CVE-2026-14104CRITICALnone
CVSS 9.8
EPSS 0.21%
Priority 0
CWE CWE-20

Insufficient validation of untrusted input in WebAppInstalls in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)

CVE-2026-2550CRITICALpoc
CVSS 9.8
EPSS 0.05%
Priority 68
CWE CWE-284

A vulnerability was found in EFM iptime A6004MX 14.18.2. Affected is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi. The manipulation results in unrestricted upload. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-26218CRITICALnone
CVSS 9.8
EPSS 0.13%
Priority 29
CWE CWE-798

newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset the database using the provided schema and fail to change the default administrative credentials may allow unauthenticated attackers to log in as an administrator and gain full administrative control of the application.

CVE-2026-38707CRITICALnone
CVSS 9.8
EPSS 0.27%
Priority 0
CWE CWE-77

A command injection vulnerability exists in the IPSec VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.

CVE-2026-27175KEVCRITICALin_the_wild
CVSS 9.8
EPSS 0.75%
Priority 68
CWE CWE-78

MajorDoMo (aka Major Domestic Module) is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double quotes without sanitization via escapeshellarg(). The command is inserted into a database queue by safe_exec(), which performs no sanitization. The cycle_execs.php script, which is web-accessible without authentication, retrieves queued commands and passes them directly to exec(). An attacker can exploit a race condition by first triggering cycle_execs.php (which purges the queue and enters a polling loop), then injecting a malicious command via the rc endpoint while the worker is polling. The injected shell metacharacters expand inside double quotes, achieving remote code execution within one second.

CVE-2026-58127CRITICALnone
CVSS 9.8
EPSS 0.78%
Priority 0
CWE CWE-306

PACSgear MediaWriter 5.2.1 exposes a .NET Remoting TCP service on port 9000 via PacsgearMediaServerEngine.dll, registered with ObjectURIs RemoteObj and UIRemoteObj, without any authentication requirement. By exploiting the MarshalByRefObject object unmarshalling technique and implementing .NET WebClient class methods, an unauthenticated remote attacker can read and write arbitrary files on the host filesystem. The ObjectURIs are identical across all installations by default. Chaining the arbitrary file write primitive with DLL hijacking opportunities in the MediaWriter service (which runs as NT Authority\\SYSTEM and loads missing DLLs such as CRYPTBASE.DLL from the application directory) enables unauthenticated remote code execution as SYSTEM upon service restart.

CVE-2026-14241CRITICALnone
CVSS 9.8
EPSS
Priority 0

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 152.0.4.

CVE-2026-34099CRITICALnone
CVSS 9.8
EPSS 0.46%
Priority 0
CWE CWE-89

Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in job_info.php (line 16): SELECT * FROM jobs where id = '\".$_GET['id'].\"'. No authentication is required. An unauthenticated attacker can perform error-based SQL injection to extract the database version, current user, schema names, and table contents.

CVE-2026-45657CRITICALnone
CVSS 9.8
EPSS 0.12%
Priority 0
CWE CWE-122

Use after free in Windows Kernel allows an unauthorized attacker to execute code over a network.

CVE-2026-24114CRITICALnone
CVSS 9.8
EPSS 0.04%
Priority 0

An issue was discovered in Tenda W20E V4.0br_V15.11.0.6. Failure to validate `pPortMapIndex` may lead to buffer overflows when using `strcpy`.

CVE-2026-57517CRITICALnone
CVSS 9.8
EPSS 0.58%
Priority 0
CWE CWE-89

Control Web Panel before 0.9.8.1225 contains a blind SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary SQL queries by submitting unsanitized input through the userRes POST parameter at the user endpoint. Attackers can exploit MySQL root privileges obtained via the injection to write arbitrary files using INTO DUMPFILE, enabling deployment of a PHP webshell to the web-accessible roundcube logs directory and achieving remote code execution as the cwpsvc account.

CVE-2025-50187CRITICALnone
CVSS 9.8
EPSS 0.29%
Priority 0
CWE CWE-95

Chamilo is a learning management system. Prior to version 1.11.28, parameter from SOAP request is evaluated without filtering which leads to Remote Code Execution. This issue has been patched in version 1.11.28.

CVE-2026-53309CRITICALnone
CVSS 9.8
EPSS 0.40%
Priority 0

In the Linux kernel, the following vulnerability has been resolved: ocfs2/dlm: fix off-by-one in dlm_match_regions() region comparison The local-vs-remote region comparison loop uses '<=' instead of '<', causing it to read one entry past the valid range of qr_regions. The other loops in the same function correctly use '<'. Fix the loop condition to use '<' for consistency and correctness.

CVE-2026-40079CRITICALnone
CVSS 9.8
EPSS 0.92%
Priority 0
CWE CWE-78

Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Command Injection due to lack of sanitization in the escape_command() function. The escape_command() function at lib/rrd.php is a no-op: it returns $command unchanged. The command line built by rrdtool_function_graph() is passed through this function and then to shell_exec($full_commandline). The risk is in __rrd_execute() where text_format values from graph templates (which may contain host variable substitutions) reach shell_exec without adequate escaping. This issue has been addressed in version 1.2.31.

CVE-2026-53049CRITICALnone
CVSS 9.8
EPSS 0.17%
Priority 0

In the Linux kernel, the following vulnerability has been resolved: gfs2: add some missing log locking Function gfs2_logd() calls the log flushing functions gfs2_ail1_start(), gfs2_ail1_wait(), and gfs2_ail1_empty() without holding sdp->sd_log_flush_lock, but these functions require exclusion against concurrent transactions. To fix that, add a non-locking __gfs2_log_flush() function. Then, in gfs2_logd(), take sdp->sd_log_flush_lock before calling the above mentioned log flushing functions and __gfs2_log_flush().

CVE-2026-3413CRITICALnone
CVSS 9.8
EPSS 0.03%
Priority 0
CWE CWE-74

A flaw has been found in itsourcecode University Management System 1.0. This vulnerability affects unknown code of the file /admin_single_student.php. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used.

CVE-2026-34100CRITICALnone
CVSS 9.8
EPSS 0.37%
Priority 0
CWE CWE-89

Guardian language-system passes the id GET parameter directly into an unsanitized SQL query in media.php (line 17): SELECT id, filename, extension, type, duration, owner, private FROM files where id = '\".$_GET['id'].\"'. An authenticated attacker can perform error-based SQL injection to extract database contents.

CVE-2026-53861CRITICALnone
CVSS 9.8
EPSS 0.24%
Priority 0
CWE CWE-184

OpenClaw before 2026.5.6 contains an allowlist bypass vulnerability in the macOS Swift exec feature that misses combined POSIX inline-command flags. Attackers can execute shell content outside the intended allowlist check by using combined flag forms, potentially allowing unauthorized command execution depending on operator configuration.

CVE-2025-8350CRITICALnone
CVSS 9.8
EPSS 0.09%
Priority 29
CWE CWE-306

Execution After Redirect (EAR), Missing Authentication for Critical Function vulnerability in Inrove Software and Internet Services BiEticaret CMS allows Authentication Bypass, HTTP Response Splitting.This issue affects BiEticaret CMS: from 2.1.13 through 19022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2025-9953CRITICALnone
CVSS 9.8
EPSS 0.04%
Priority 29
CWE CWE-566

Authorization Bypass Through User-Controlled SQL Primary Key vulnerability in DATABASE Software Training Consulting Ltd. Databank Accreditation Software allows SQL Injection.This issue affects Databank Accreditation Software: through 19022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-3000CRITICALnone
CVSS 9.8
EPSS 0.10%
Priority 0
CWE CWE-494

IDExpert Windows Logon Agent developed by Changing has a Remote Code Execution vulnerability, allowing unauthenticated remote attackers to force the system to download arbitrary DLL files from a remote source and execute them.

CVE-2026-53805CRITICALnone
CVSS 9.8
EPSS
Priority 0
CWE CWE-502

NVIDIA Spatial Intelligence Lab's (SIL) GEN3C contains an unauthenticated remote code execution vulnerability in the inference API server where the /request-inference and /seed-model endpoints deserialize raw HTTP request bodies using Python's pickle.loads() without authentication or input validation. Attackers can supply a crafted payload containing a __reduce__ gadget to the inference API port to achieve remote code execution as the inference process.

CVE-2026-3411CRITICALnone
CVSS 9.8
EPSS 0.03%
Priority 0
CWE CWE-74

A security vulnerability has been detected in itsourcecode University Management System 1.0. Affected by this issue is some unknown functionality of the file /admin_single_student_update.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.

CVE-2026-25971CRITICALnone
CVSS 9.8
EPSS 0.03%
Priority 19
CWE CWE-674

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, Magick fails to check for circular references between two MSLs, leading to a stack overflow. Versions 7.1.2-15 and 6.9.13-40 contain a patch.

CVE-2026-6768CRITICALnone
CVSS 9.8
EPSS
Priority 0

Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

← PreviousPage 46 of 691Next →