By severity

High-severity vulnerabilities

CVEs rated High by CVSS, with SEC.co remediation and prioritization guidance.

536 published vulnerabilities · page 6 of 6

  • CVE-2026-10843HIGH 7.2

    OpenShift's Cloud Credential Operator, when running in Mint mode, assigns AWS credentials with excessive permissions. Instead of limiting destructive actions to resources owned by the cluster, the operator grants account-wide scope. If an attacker compromises these credentials, they can perform destructive actions across the entire AWS account, not just the cluster—making lateral movement and account-wide damage possible.

  • CVE-2026-10870HIGH 7.2

    Shibby Tomato version 1.28.0000 contains a command injection vulnerability in its web-based configuration interface that allows authenticated administrators to execute arbitrary operating system commands on the router. An attacker with administrative access can manipulate the DHCP client startup function to inject malicious commands, potentially compromising the entire device and any network it serves. Exploit code has been published publicly, increasing the risk of opportunistic attacks.

  • CVE-2026-10871HIGH 7.2

    Shibby Tomato 1.28.0000 contains a remote command injection vulnerability in its Web UI. An authenticated administrator can craft a malicious request targeting the IPv6 6rd tunnel configuration function, injecting arbitrary operating system commands that execute with the privileges of the affected service. The vulnerability has been publicly disclosed, increasing the likelihood of active exploitation attempts.

  • CVE-2026-10872HIGH 7.2

    Shibby Tomato 1.28.0000 contains a vulnerability in the Web UI component that allows authenticated users with high-level privileges to inject operating system commands through the VPN server startup function. An attacker with administrative access could manipulate input parameters to execute arbitrary commands on the device, potentially compromising the entire router system. Public exploit information exists for this vulnerability.

  • CVE-2026-10873HIGH 7.2

    Shibby Tomato 1.28.0000 contains a command injection vulnerability in its web interface that allows authenticated administrators to execute arbitrary operating system commands. The vulnerability exists in the rstats_path function within the /bin/rstats component. Because exploit code has been publicly disclosed, the risk of active exploitation is elevated. Note that this project has been superseded by FreshTomato, and users should verify their upgrade path accordingly.

  • CVE-2026-2374HIGH 7.2

    The Login No Captcha reCAPTCHA WordPress plugin contains a stored cross-site scripting (XSS) vulnerability in all versions up to 1.8.0. An unauthenticated attacker can exploit this by triggering a login attempt from a non-standard login page URL (such as xmlrpc.php), which causes the plugin to store malicious JavaScript in the WordPress admin dashboard settings. When an administrator logs in within 30 seconds of the attack, that JavaScript executes in their browser with the administrator's privileges. The vulnerability requires the admin to have a whitelisted IP address configured in the plugin, which is a common configuration for sites restricting login access.

  • CVE-2026-24085HIGH 7.2

    A memory corruption vulnerability exists in multiple Qualcomm wireless chipsets and their firmware when processing display command line information. The flaw stems from improper initialization of a variable during command parsing, which could allow a high-privilege attacker with physical access to trigger memory corruption and potentially execute arbitrary code or crash the device. The vulnerability affects a broad range of Qualcomm wireless components used in enterprise and consumer devices.

  • CVE-2026-3820HIGH 7.2

    Supermicro's BMC (Baseboard Management Controller) SMTP service in the AS-2115HS-TNR contains a vulnerability that allows attackers with administrator-level access to inject malicious characters into SMTP configuration fields. This injection can lead the system to execute unintended commands, potentially resulting in loss of service, unauthorized code execution, or complete compromise of the BMC itself. While the attack requires existing high-level privileges, the consequences—especially arbitrary code execution on out-of-band management hardware—are severe.

  • CVE-2026-39276HIGH 7.2

    Emlog Pro v2.6.9 contains a path traversal flaw in its template upload feature that allows authenticated administrators to upload malicious files and execute arbitrary PHP code on the server. An attacker with admin credentials can craft a specially crafted ZIP archive with directory traversal sequences (such as '../') in filenames to escape the intended upload directory, overwrite legitimate template files, or inject malicious code that gets executed by the web server. This is a post-authentication vulnerability, meaning the attacker must already have admin access to the Emlog installation.

  • CVE-2026-40961HIGH 7.2

    Apache Airflow contains a flaw in its login redirect mechanism that allows authenticated users to redirect people to malicious websites. The vulnerability exists because the URL safety check (`is_safe_url`) can be circumvented through crafted URLs, enabling attackers to potentially harvest credentials or distribute malware by making the redirect appear to come from a trusted Airflow instance. Any organization running Airflow and allowing authentication should treat this as a priority.

  • CVE-2018-25392HIGH 7.1

    MaxOn ERP Software versions 8.x through 9.x contain a SQL injection flaw that lets authenticated users inject malicious SQL commands through specific parameters in the activity logging function. An attacker with valid credentials can craft POST requests to extract sensitive database information such as version numbers and database names. While exploitation requires authentication, the impact—unauthorized access to database structure and sensitive data—represents a meaningful security risk for organizations running these versions.

  • CVE-2018-25410HIGH 7.1

    SIM-PKH version 2.4.1 contains a SQL injection flaw in its admin media management interface. An authenticated attacker can craft malicious requests to the /admin/media.php endpoint that inject SQL code, allowing them to extract sensitive database information such as usernames, database names, and version details. The vulnerability requires valid login credentials but poses a meaningful risk to data confidentiality within affected deployments.

  • CVE-2018-25429HIGH 7.1

    Paroiciel version 11.20 contains an SQL injection vulnerability in the zpro.php endpoint that allows authenticated users to execute arbitrary database queries by manipulating the zProIdPro parameter. An attacker with valid credentials can craft malicious SQL statements to extract sensitive information from the database, including usernames, database names, and version details. This is a post-authentication attack that does not require user interaction.

  • CVE-2018-25430HIGH 7.1

    Paroiciel version 11.20 contains a SQL injection flaw in its egeq.php endpoint. Authenticated users can craft malicious requests that embed SQL commands into the eGeqIdEquipe parameter, allowing them to query the underlying database directly. This bypasses normal access controls and could expose sensitive information such as database version details and other stored data. The vulnerability requires valid login credentials, so it represents an insider threat or compromised-account scenario.

  • CVE-2018-25431HIGH 7.1

    No-Cms 1.0 contains a SQL injection flaw in its privilege management export feature. An authenticated user can craft a specially formatted request to extract sensitive data from the application's database by injecting malicious SQL commands into the order_by parameter. The vulnerability requires valid credentials but poses significant risk to data confidentiality.

  • CVE-2025-15654HIGH 7.1

    CVE-2025-15654 is a reflected cross-site scripting (XSS) vulnerability in Fox-themes Prague versions 2.2.8 and earlier. An attacker can craft a malicious URL containing unsanitized input that, when visited by a user, executes arbitrary JavaScript in their browser within the context of the vulnerable application. This allows the attacker to steal session cookies, perform actions on behalf of the victim, or redirect them to phishing sites—all without modifying the application itself.

  • CVE-2025-52612HIGH 7.1

    HCL iControl contains a vulnerability that combines CSV injection with reflected cross-site scripting (XSS) in its export function. An authenticated attacker can craft malicious input that, when a user interacts with exported CSV content or follows a specially crafted link, executes arbitrary JavaScript in the victim's browser session. The vulnerability stems from inadequate input validation and sanitization, allowing attackers to inject both CSV formulas and script payloads.

  • CVE-2025-52759HIGH 7.1

    A reflected cross-site scripting (XSS) vulnerability exists in the UnboundStudio Accordion FAQ plugin affecting versions up to 2.2.1. An attacker can craft a malicious link that, when clicked by a user, executes arbitrary JavaScript in the victim's browser within the context of the affected site. This allows theft of session cookies, credential harvesting, malware injection, or other client-side attacks. The vulnerability requires user interaction—specifically clicking a malicious link—but has no authentication barrier, making it a straightforward social engineering vector.

  • CVE-2025-67448HIGH 7.1

    A stored cross-site scripting (XSS) vulnerability exists in the SMS module of Neterbit NW-431F routers running firmware version 20241014-IR03 and earlier. An attacker can craft a malicious SMS message and send it to a router user; when that user views the message, the embedded script executes in their browser. This allows attackers to steal session tokens, redirect users, inject fake content, or perform actions on behalf of the victim—all without the victim realizing they've been compromised through what appears to be a routine SMS.

  • CVE-2026-10840HIGH 7.1

    A misconfiguration in the OpenShift Pipelines operator allows any authenticated user on a cluster to gain unauthorized control over workload scheduling and certificate management. The tekton-scheduler-rolebinding grants excessive permissions to all authenticated users, enabling them to disrupt job scheduling, alter priorities, delete other users' workloads, or manipulate TLS certificates—including those protecting ingress controllers. This is a privilege escalation issue that turns cluster authentication into a foothold for operational sabotage.

  • CVE-2026-24090HIGH 7.1

    A cryptographic weakness in how Qualcomm processors handle partition table entries during boot allows a local attacker with standard user privileges to modify the boot process without authorization. This could enable an attacker to alter how a device loads its operating system or firmware, potentially leading to installation of malicious code or bypass of security controls. The vulnerability requires direct access to the device and cannot be exploited remotely.

  • CVE-2026-31942HIGH 7.1

    LibreChat versions up to 0.7.6 contain a critical flaw in how API keys are managed. Any authenticated user can manipulate API key settings for other users by injecting parameters into requests, allowing them to replace legitimate API keys (from providers like OpenAI, Anthropic, or Azure) with their own or invalid ones. This means an attacker could intercept conversations through attacker-controlled API endpoints or disable a victim's service entirely.

  • CVE-2026-36176HIGH 7.1

    GNCC GP5 version 7.1.76 leaks Backblaze B2 cloud storage upload credentials to the device's serial console in plaintext. An attacker with physical access to the hardware can monitor the UART interface and capture active, pre-signed upload URLs intended for file transfers. Once captured, these URLs can be used to upload or manipulate files in the connected B2 storage bucket without authorization. The vulnerability requires proximity to the device but poses significant risk to organizations using this gateway in sensitive environments.

  • CVE-2026-36606HIGH 7.1

    Mercusys AC12G (EU) V1 routers running firmware version AC12G(EU)_V1_200909 store backup files that are encrypted with a hardcoded, publicly discoverable key using weak encryption. Anyone who obtains a backup file—whether through direct device access, cloud storage misconfiguration, or phishing—can decrypt it and extract sensitive credentials including the admin password, WiFi pre-shared key, and DDNS login information. This is a local attack that depends on an attacker first gaining access to the backup file itself.

  • CVE-2026-42654HIGH 7.1

    WP Swings Wallet System for WooCommerce contains a flaw that allows attackers with an existing user account to bypass normal authentication safeguards and exploit the password recovery mechanism. An authenticated attacker could use this vulnerability to take over other user accounts, including administrative ones, without knowing their passwords. The vulnerability affects all versions up to and including 2.7.5.

  • CVE-2026-42678HIGH 7.1

    GiveWP, a popular WordPress donation and fundraising plugin maintained by Liquid Web/StellarWP, contains a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages viewed by site visitors. Unlike traditional XSS flaws, this vulnerability operates at the DOM (Document Object Model) level in the browser, meaning the attack payload is crafted and executed client-side rather than originating from the server. An attacker can trick a user into clicking a malicious link or visiting a compromised page, leading to credential theft, session hijacking, or unauthorized actions taken on behalf of the victim within the vulnerable GiveWP installation.

  • CVE-2026-42681HIGH 7.1

    E2Pdf.Com's e2pdf plugin contains a reflected cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages. When a user visits a crafted link, the injected code executes in their browser within the context of the affected site, potentially allowing theft of session data, credentials, or sensitive information. The vulnerability affects e2pdf versions up to and including 1.32.14.

  • CVE-2026-42683HIGH 7.1

    VikBooking Hotel Booking Engine & PMS contains a DOM-based cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages viewed by users. An attacker can craft a malicious link or embed JavaScript in user-controllable input fields; when a victim visits the page or interacts with the compromised element, the script executes in their browser with access to session data and sensitive information. This is a client-side vulnerability requiring user interaction but affecting multiple users through a single compromised page.

  • CVE-2026-42685HIGH 7.1

    Ahmad WP Job Portal versions up to 2.5.1 contain a reflected cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. An attacker can craft a specially designed link and trick a user into clicking it, causing the injected code to execute in that user's browser with their privileges. This vulnerability requires user interaction—the victim must click a malicious link—but once triggered, it can be used to steal session tokens, deface content, redirect users to phishing sites, or perform actions on behalf of the victim.

  • CVE-2026-46130HIGH 7.1

    A bug in the Linux kernel's dm-verity-fec (forward error correction) component can cause it to read data from outside the intended memory buffer. This occurs when parity bytes used to verify disk integrity are split across storage blocks in a specific way. Under certain non-default configurations and low-memory conditions, the code attempts to access more data than is available, leading to potential information disclosure or system instability. The issue only manifests with particular combinations of error correction parameters and buffer allocation scenarios.

  • CVE-2026-46140HIGH 7.1

    A flaw in the Linux kernel's Bluetooth driver (btmtk) fails to verify that incoming firmware responses contain sufficient data before reading from them. If a Bluetooth device sends a truncated or malformed response, the kernel code will read beyond the valid data boundaries, potentially exposing sensitive kernel memory. A local attacker with Bluetooth access could exploit this to leak information or crash the system.

  • CVE-2026-46149HIGH 7.1

    A vulnerability in the Linux kernel's SCSI target subsystem allows a local attacker with low privileges to read sensitive kernel memory and potentially crash the system. The issue occurs in the configfs interface where storage path group membership information is displayed. When a storage fabric's name is unusually long, the kernel writes more data than expected to a temporary buffer, and then copies that overrun data to a user-readable sysfs file. On systems with fortify checks enabled, this causes a kernel panic; on others, it leaks kernel memory to unprivileged users.

  • CVE-2026-46150HIGH 7.1

    A flaw in the Linux kernel's fanotify file monitoring subsystem can allow a local user with minimal privileges to bypass permission checks on file access events. The vulnerability stems from a logic error where the kernel incorrectly returns false for marks belonging to unrelated monitoring groups, causing permission event validation to be skipped. An attacker with local access could exploit this to circumvent intended file access restrictions.

  • CVE-2026-44604HIGH 7.0

    A flaw in RPM's archive extraction tool allows an attacker to run arbitrary commands on a system by crafting a malicious archive with shell metacharacters embedded in its folder name. When a user extracts such an archive using the rpmuncompress utility, the unsanitized folder name is passed directly into a shell command, enabling code execution with the privileges of the extracting user. The vulnerability affects ZIP, 7z, and GEM archive formats.

  • CVE-2026-46154HIGH 7.0

    A race condition exists in the Linux kernel's scheduler extension (sched_ext) cgroup interface that can lead to use-after-free memory access. When system administrators adjust cgroup scheduling parameters like weight, idle status, or bandwidth, the kernel reads a pointer to the scheduler without proper synchronization. If another process simultaneously disables and re-enables a different scheduler, the cached pointer becomes stale and points to freed memory. When the original operation tries to use this pointer, it dereferences already-freed kernel memory, potentially allowing local privilege escalation.

  • CVE-2026-46164HIGH 7.0

    A memory management bug in the Linux kernel's Btrfs filesystem can cause the same memory region to be freed twice when a sysfs initialization step fails. This double-free condition can lead to memory corruption and potentially allow an attacker with local access to crash the system or execute code with elevated privileges. The issue occurs in error handling code that wasn't properly coordinated between two layers of the filesystem's initialization logic.