CVE Database
Searchable database of security vulnerabilities. Filter by vendor, severity, or time period.
CVE-2026-25072 - XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a predictable sessio
CVE-2026-25071 - XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain a missing authentica
CVE-2026-25070 - XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain an OS command inject
CVE-2026-2371 - The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Insecure Di
CVE-2026-1981 - The HUMN-1 AI Website Scanner & Human Certification by Winston AI plugin for WordPress is vulnerable
CVE-2026-1644 - The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all vers
CVE-2026-3233 - Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2026-30244 - Plane is an open-source project management tool. Prior to version 1.2.2, unauthenticated attacker
CVE-2026-30242 - Plane is an open-source project management tool. Prior to version 1.2.3, the webhook URL validati
CVE-2026-30241 - Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the
CVE-2026-30238 - Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions
CVE-2026-30237 - Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions
CVE-2026-27142 - Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can all
CVE-2026-27139 - On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the r
CVE-2026-27138 - Certificate verification can panic when a certificate in the chain has an empty DNS name and another
CVE-2026-27137 - When verifying a certificate chain which contains a certificate containing multiple email address co
CVE-2026-25679 - url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.
CVE-2026-30835 - Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.
CVE-2026-30233 - OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1,
CVE-2026-30231 - Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools.
CVE-2026-30230 - Flare is a Next.js-based, self-hostable file sharing platform that integrates with screenshot tools.
CVE-2026-30229 - Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.
CVE-2026-30228 - Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.
CVE-2026-30227 - MimeKit is a C# library which may be used for the creation and parsing of messages using the Multipu
CVE-2026-30225 - OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1,
CVE-2026-30224 - OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1,
CVE-2026-30223 - OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1,
CVE-2026-29795 - stellar-xdr is a library and CLI containing types and functionality for working with Stellar XDR. Pr
CVE-2026-29791 - Agentgateway is an open source data plane for agentic AI connectivity within or across any agent fra
CVE-2026-29790 - dbt-common is the shared common utilities for dbt-core and adapter implementations use. Prior to ver
CVE-2026-29789 - Vito is a self-hosted web application that helps manage servers and deploy PHP applications into pro
CVE-2026-29788 - TSPortal is the WikiTide Foundation’s in-house platform used by the Trust and Safety team to manage
CVE-2026-29182 - Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.
CVE-2026-30847 - Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notifica
CVE-2026-30846 - Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwe
CVE-2026-30845 - Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board co
CVE-2026-30844 - Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Serv
CVE-2026-30843 - Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecu
CVE-2025-69654 - A crafted JavaScript input executed with the QuickJS release 2025-09-13, fixed in commit fcd33c1afa7
CVE-2026-3653 - Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in
CVE-2026-29063 - Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and
CVE-2025-69653 - A crafted JavaScript input can trigger an internal assertion failure in QuickJS release 2025-09-13,
CVE-2025-69652 - GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an abort (SIGABRT) when proces
CVE-2025-69650 - GNU Binutils thru 2.46 readelf contains a double free vulnerability when processing a crafted ELF bi
CVE-2025-69649 - GNU Binutils thru 2.46 readelf contains a null pointer dereference vulnerability when processing a c
CVE-2026-3419 - Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after th
CVE-2026-30833 - Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions
CVE-2026-30831 - Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions
CVE-2026-29178 - Lemmy, a link aggregator and forum for the fediverse, is vulnerable to server-side request forgery v
CVE-2026-29110 - Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.0, in non-debu
CVE-2026-29091 - Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior
CVE-2026-29089 - TimescaleDB is a time-series database for high-performance real-time analytics packaged as a Postgre
CVE-2026-29087 - @hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when usi
CVE-2026-28514 - Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions
CVE-2025-69651 - GNU Binutils thru 2.46 readelf contains a vulnerability that leads to an invalid pointer free when p
CVE-2025-69646 - Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with ma
CVE-2025-69645 - Binutils objdump contains a denial-of-service vulnerability when processing a crafted binary with ma
CVE-2025-69644 - An issue was discovered in Binutils before 2.46. The objdump contains a denial-of-service vulnerabil
CVE-2026-29783 - The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary
CVE-2026-29082 - Kestra is an event-driven orchestration platform. In versions from 1.1.10 and prior, Kestra’s execut
CVE-2026-29075 - Mesa is an open-source Python library for agent-based modeling, simulating complex systems and explo
CVE-2026-29064 - Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73
CVE-2025-70363 - Incorrect access control in the REST API of Ibexa & Ciril GROUP eZ Platform / Ciril Platform 2.x all
CVE-2025-15602 - Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges tha
CVE-2026-27777 - Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CVE-2026-27764 - The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows mu
CVE-2026-27123 - Rejected reason: Reason: This candidate was issued in error.
CVE-2026-27027 - Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CVE-2026-26288 - WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorize
CVE-2026-26018 - CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a denial of service vulnerabil
CVE-2026-26017 - CoreDNS is a DNS server that chains plugins. Prior to version 1.14.2, a logical vulnerability in Cor
CVE-2026-24696 - The WebSocket Application Programming Interface lacks restrictions on the number of authentication r
CVE-2026-20882 - The WebSocket Application Programming Interface lacks restrictions on the number of authentication r
CVE-2026-20748 - The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows mu
CVE-2026-2754 - Navtor NavBox exposes sensitive configuration and operational data due to missing authentication on
CVE-2026-2753 - An Absolute Path Traversal vulnerability exists in Navtor NavBox. The application exposes an HTTP se
CVE-2026-2752 - Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticate
CVE-2026-26051 - WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorize
CVE-2026-1799 - Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate has been dete
CVE-2022-4947 - Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-32111. Reason:
CVE-2018-25200 - OOP CMS BLOG 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated att
CVE-2018-25199 - OOP CMS BLOG 1.0 contains SQL injection vulnerabilities that allow unauthenticated attackers to exec
CVE-2018-25198 - eToolz 3.4.8.0 contains a denial of service vulnerability that allows local attackers to crash the a
CVE-2018-25197 - PlayJoom 0.10.1 contains an SQL injection vulnerability that allows unauthenticated attackers to exe
CVE-2018-25196 - ServerZilla 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to man
CVE-2018-25194 - Nominas 0.27 contains an SQL injection vulnerability that allows unauthenticated attackers to execut
CVE-2018-25193 - Mongoose Web Server 6.9 contains a denial of service vulnerability that allows remote attackers to c
CVE-2018-25192 - GPS Tracking System 2.12 contains an SQL injection vulnerability that allows unauthenticated attacke
CVE-2018-25191 - Facturation System 1.0 contains an SQL injection vulnerability that allows authenticated attackers t
CVE-2018-25190 - Easyndexer 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attac
CVE-2018-25189 - Data Center Audit 2.6.2 contains an SQL injection vulnerability in the username parameter of dca_log
CVE-2018-25188 - Webiness Inventory 2.3 contains an SQL injection vulnerability that allows unauthenticated attackers
CVE-2018-25187 - Tina4 Stack 1.0.3 contains multiple vulnerabilities allowing unauthenticated attackers to access sen
CVE-2018-25186 - Tina4 Stack 1.0.3 contains a cross-site request forgery vulnerability that allows attackers to modif
CVE-2018-25184 - Surreal ToDo 0.6.1.2 contains a local file inclusion vulnerability that allows unauthenticated attac
CVE-2018-25182 - Silurus Classifieds Script 2.0 contains an SQL injection vulnerability that allows unauthenticated a
CVE-2018-25181 - Musicco 2.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to downl
CVE-2018-25180 - Maitra 1.7.2 contains an SQL injection vulnerability that allows authenticated attackers to execute
CVE-2018-25179 - Gumbo CMS 0.99 contains an SQL injection vulnerability that allows unauthenticated attackers to exec
CVE-2018-25178 - Easyndexer 1.0 contains an arbitrary file download vulnerability that allows unauthenticated attacke
CVE-2018-25177 - Data Center Audit 2.6.2 contains a cross-site request forgery vulnerability that allows attackers to
CVE-2018-25176 - Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to
CVE-2018-25175 - Alienor Web Libre 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers
CVE-2018-25174 - ABC ERP 0.6.4 contains a cross-site request forgery vulnerability that allows attackers to modify ad
CVE-2018-25173 - Rmedia SMS 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to extr
CVE-2018-25172 - Pedidos 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute
CVE-2018-25171 - EdTv 2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbi
CVE-2018-25170 - DoceboLMS 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manip
CVE-2018-25169 - AMPPS 2.7 contains a denial of service vulnerability that allows remote attackers to crash the servi
CVE-2018-25168 - Precurio Intranet Portal 2.0 contains a cross-site request forgery vulnerability that allows unauthe
CVE-2018-25167 - Net-Billetterie 2.9 contains an SQL injection vulnerability in the login parameter of login.inc.php
CVE-2018-25166 - Meneame English Pligg 5.8 contains an SQL injection vulnerability that allows unauthenticated attack
CVE-2018-25165 - Galaxy Forces MMORPG 0.5.8 contains an SQL injection vulnerability that allows authenticated attacke
CVE-2018-25164 - EverSync 0.5 contains an arbitrary file download vulnerability that allows unauthenticated attackers
CVE-2018-25163 - BitZoom 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute
CVE-2018-25162 - 2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attacker
CVE-2018-25161 - Warranty Tracking System 11.06.3 contains an SQL injection vulnerability that allows attackers to ex
CVE-2026-28106 - URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Kings Plugins B2BKing Premium a
CVE-2026-28080 - Missing Authorization vulnerability in Rank Math Rank Math SEO PRO allows Exploiting Incorrectly Con
CVE-2024-35644 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerab
CVE-2026-1468 - QuickCMS is vulnerable to Cross-Site Request Forgery across multiple endpoints. An attacker can craf
CVE-2026-3589 - The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch reques
CVE-2026-23925 - An authenticated Zabbix user (User role) with template/host write permissions is able to create obje
CVE-2026-2830 - The WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin for WordPress is v
CVE-2026-2331 - An attacker may perform unauthenticated read and write operations on sensitive filesystem areas via
CVE-2026-2330 - An attacker may access restricted filesystem areas on the device via the CROWN REST interface due to
CVE-2026-29183 - SiYuan is a personal knowledge management system. Prior to version 3.5.9, an unauthenticated reflect
CVE-2026-29074 - SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG
CVE-2026-29073 - SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql lets a
CVE-2026-29062 - jackson-core contains core low-level incremental ("streaming") parser and generator abstractions use
CVE-2026-29059 - Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows an
CVE-2026-29068 - PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17
CVE-2026-29065 - changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, a
CVE-2026-29058 - AVideo is a video-sharing Platform software. Prior to version 7.0, an unauthenticated attacker can e
CVE-2026-29049 - melange allows users to build apk packages using declarative pipelines. In version 0.40.5 and prior,
CVE-2026-29048 - HumHub is an Open Source Enterprise Social Network. In version 1.18.0, a cross-site scripting vulner
CVE-2026-29042 - Nuclio is a "Serverless" framework for Real-Time Events and Data Processing. Prior to version 1.15.2
CVE-2026-29039 - changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, th
CVE-2026-29038 - changedetection.io is a free open source web page change detection tool. Prior to version 0.54.4, th
CVE-2026-28804 - pypdf is a free and open-source pure-python PDF library. Prior to version 6.7.5, an attacker who use
CVE-2026-28802 - Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to bef
CVE-2026-28801 - Natro Macro is an open-source Bee Swarm Simulator macro written in AutoHotkey. Prior to version 1.1.
CVE-2026-28800 - Natro Macro is an open-source Bee Swarm Simulator macro written in AutoHotkey. Prior to version 1.1.
CVE-2026-28799 - PJSIP is a free and open source multimedia communication library written in C. Prior to version 2.17
CVE-2026-28795 - OpenChatBI is an intelligent chat-based BI tool powered by large language models, designed to help u
CVE-2026-28438 - CocoIndex is a data transformation framework for AI. Prior to version 0.3.34, the Doris target conne
CVE-2026-2446 - The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CSRF check
CVE-2026-1128 - The WP eCommerce WordPress plugin through 3.15.1 does not have CSRF check in place when deleting cou
CVE-2026-29084 - Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior
CVE-2026-29061 - Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior
CVE-2026-29060 - Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior
CVE-2026-28794 - oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards.
CVE-2026-28787 - OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, t
CVE-2026-28785 - Ghostfolio is an open source wealth management software. Prior to version 2.244.0, by bypassing symb
CVE-2026-28685 - Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoic
CVE-2026-28683 - Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior
CVE-2026-28682 - Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior
CVE-2026-28681 - Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the
CVE-2026-28680 - Ghostfolio is an open source wealth management software. Prior to version 2.245.0, an attacker can e
CVE-2026-28679 - Home-Gallery.org is a self-hosted open-source web gallery to browse personal photos and videos. Prio
CVE-2026-28677 - OpenSift is an AI study tool that sifts through large datasets using semantic search and generative
CVE-2026-28676 - OpenSift is an AI study tool that sifts through large datasets using semantic search and generative
CVE-2026-28675 - OpenSift is an AI study tool that sifts through large datasets using semantic search and generative
CVE-2026-28509 - LangBot is a global IM bot platform designed for LLMs. Prior to version 4.8.7, LangBot’s web UI rend
CVE-2026-28508 - Idno is a social publishing platform. Prior to version 1.6.4, a logic error in the API authenticatio
CVE-2026-28507 - Idno is a social publishing platform. Prior to version 1.6.4, there is a remote code execution vulne
CVE-2026-28429 - Talishar is a fan-made Flesh and Blood project. Prior to commit 6be3871, a Path Traversal vulnerabil
CVE-2026-28428 - Talishar is a fan-made Flesh and Blood project. Prior to commit a9c218e, an authentication bypass vu
CVE-2026-27605 - Chartbrew is an open-source web application that can connect directly to databases and APIs and use
CVE-2026-27603 - Chartbrew is an open-source web application that can connect directly to databases and APIs and use
CVE-2026-27005 - Chartbrew is an open-source web application that can connect directly to databases and APIs and use
CVE-2026-25888 - Chartbrew is an open-source web application that can connect directly to databases and APIs and use
CVE-2026-25887 - Chartbrew is an open-source web application that can connect directly to databases and APIs and use
CVE-2026-25877 - Chartbrew is an open-source web application that can connect directly to databases and APIs and use
CVE-2026-29093 - WWBN AVideo is an open source video platform. Prior to version 24.0, the official docker-compose.yml
CVE-2026-29046 - TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.04, TinyWeb ac
CVE-2026-29041 - Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an aut
CVE-2026-28502 - WWBN AVideo is an open source video platform. Prior to version 24.0, an authenticated Remote Code Ex
CVE-2026-28501 - WWBN AVideo is an open source video platform. Prior to version 24.0, an unauthenticated SQL Injectio
CVE-2026-28497 - TinyWeb is a web server (HTTP, HTTPS) written in Delphi for Win32. Prior to version 2.03, an integer
CVE-2026-27807 - MarkUs is a web application for the submission and grading of student assignments. Prior to version
CVE-2026-25962 - MarkUs is a web application for the submission and grading of student assignments. Prior to version
CVE-2025-59544 - Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to
CVE-2025-59543 - Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scri
CVE-2025-59542 - Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scri
CVE-2025-59541 - Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site Request Forgery (CSR
CVE-2025-59540 - Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists
CVE-2025-55289 - Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerabili
CVE-2026-3616 - A vulnerability was detected in DefaultFuction Jeson Customer Relationship Management System 1.0.0.
CVE-2026-3613 - A vulnerability was identified in Wavlink WL-NU516U1 V240425. This vulnerability affects the functio
CVE-2026-3612 - A vulnerability was determined in Wavlink WL-NU516U1 V240425. This affects the function sub_405AF4 o
CVE-2026-3610 - A vulnerability was found in HSC Cybersecurity Mailinspector up to 5.3.2-3. Affected by this issue i
CVE-2026-2589 - The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Sensitive I
CVE-2026-28727 - Local privilege escalation due to insecure Unix socket permissions. The following products are affec
CVE-2026-28726 - Sensitive information disclosure due to improper access control. The following products are affected
CVE-2026-28725 - Sensitive information disclosure due to improper configuration of a headless browser. The following
CVE-2026-28724 - Unauthorized data access due to insufficient access control validation. The following products are a
CVE-2026-28723 - Unauthorized report deletion due to insufficient access control. The following products are affected
CVE-2026-28722 - Local privilege escalation due to improper soft link handling. The following products are affected:
CVE-2026-28721 - Local privilege escalation due to improper soft link handling. The following products are affected:
CVE-2026-28720 - Unauthorized modification of settings due to insufficient authorization checks. The following produc
CVE-2026-28719 - Unauthorized resource manipulation due to improper authorization checks. The following products are
CVE-2026-28718 - Denial of service due to insufficient input validation in authentication logging. The following prod
CVE-2026-28717 - Local privilege escalation due to improper directory permissions. The following products are affecte
CVE-2026-28716 - Information disclosure and manipulation due to improper authorization checks. The following products
CVE-2026-28715 - Sensitive information disclosure due to improper authorization checks. The following products are af
CVE-2026-28714 - Unnecessary transmission of sensitive cryptographic material. The following products are affected: A
CVE-2026-28713 - Default credentials set for local privileged user in Virtual Appliance. The following products are a
CVE-2026-28712 - Local privilege escalation due to DLL hijacking vulnerability. The following products are affected:
CVE-2026-28711 - Local privilege escalation due to DLL hijacking vulnerability. The following products are affected:
CVE-2026-28710 - Sensitive information disclosure and manipulation due to improper authentication. The following prod
CVE-2026-28709 - Unauthorized resource manipulation due to improper authorization checks. The following products are
CVE-2026-27778 - The WebSocket Application Programming Interface lacks restrictions on the number of authentication r
CVE-2026-27770 - Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
CVE-2026-24912 - The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows mu
CVE-2026-22552 - WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorize
CVE-2025-30413 - Credentials are not deleted from Acronis Agent after plan revocation. The following products are aff
CVE-2025-11792 - Local privilege escalation due to DLL hijacking vulnerability. The following products are affected:
CVE-2025-11791 - Sensitive information disclosure and manipulation due to insufficient authorization checks. The foll
CVE-2025-11790 - Credentials are not deleted from Acronis Agent after plan revocation. The following products are aff
CVE-2026-26125 - Payment Orchestrator Service Elevation of Privilege Vulnerability
CVE-2026-26124 - '.../...//' in Azure Compute Gallery allows an authorized attacker to elevate privileges locally.
CVE-2026-26122 - Initialization of a resource with an insecure default in Azure Compute Gallery allows an authorized
CVE-2026-23651 - Permissive regular expression in Azure Compute Gallery allows an authorized attacker to elevate priv
CVE-2026-21536 - Microsoft Devices Pricing Program Remote Code Execution Vulnerability
CVE-2026-3606 - A vulnerability has been found in Ettercap 0.8.4-Garofalo. Affected by this vulnerability is the fun
CVE-2026-2593 - The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Stored Cros
CVE-2026-29613 - OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles (optional plugin) we
CVE-2026-29612 - OpenClaw versions prior to 2026.2.14 decode base64-backed media inputs into buffers before enforcing
CVE-2026-29611 - OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles ext
CVE-2026-29610 - OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability that allows attackers
CVE-2026-29609 - OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the fetchWithGuard
CVE-2026-29606 - OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-ca
CVE-2026-28486 - OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive e
CVE-2026-28485 - OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent
CVE-2026-28484 - Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2026-28482 - OpenClaw versions prior to 2026.2.12 construct transcript file paths using unsanitized sessionId par
CVE-2026-28481 - OpenClaw versions 2026.1.30 and earlier, contain an information disclosure vulnerability, patched in
CVE-2026-28480 - OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram al
CVE-2026-28479 - OpenClaw versions prior to 2026.2.15 use SHA-1 to hash sandbox identifier cache keys for Docker and
CVE-2026-28478 - OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers t
CVE-2026-28477 - OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the m
CVE-2026-28476 - OpenClaw versions prior to 2026.2.14 contain a server-side request forgery vulnerability in the opti
CVE-2026-28475 - OpenClaw versions prior to 2026.2.13 use non-constant-time string comparison for hook token validati
CVE-2026-28474 - OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable
CVE-2026-28473 - OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with
CVE-2026-28472 - OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handsha
CVE-2026-28471 - OpenClaw version 2026.1.14-1 prior to 2026.2.2, with the Matrix plugin installed and enabled, contai
CVE-2026-28470 - OpenClaw versions prior to 2026.2.2 contain an exec approvals (must be enabled) allowlist bypass vul
CVE-2026-28469 - OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat moni