2026 · High

High-severity vulnerabilities disclosed in 2026

High-rated CVEs published in 2026, with SEC.co remediation and prioritization guidance.

536 published vulnerabilities · page 5 of 6

  • CVE-2026-37227HIGH 7.5

    FlexRIC v2.0.0 has a flaw that allows anyone on the network to crash the near-RT RIC (Radio Access Network Intelligent Controller) by sending it a specially crafted message. The vulnerability exists because the software accepts certain message types during initial validation but then hits an unconditional assertion when actually processing them, causing an immediate crash. No authentication is required—an attacker simply needs network access to port 36421 where the RIC listens.

  • CVE-2026-37228HIGH 7.5

    FlexRIC v2.0.0 has a flaw in how it handles incoming network messages that allows a remote attacker to crash critical RAN Intelligent Controller processes without needing credentials or a valid connection. An attacker simply sends a message larger than the system's receive buffer, triggering a fatal error. This affects the near-RT RIC, iApp, E2 Agent, and xApp components on standard E2AP ports, making it a availability risk for 5G infrastructure operators.

  • CVE-2026-37229HIGH 7.5

    FlexRIC v2.0.0, an open RAN intelligent controller, crashes when it receives malformed network data over SCTP. An attacker on the network can send a simple invalid byte sequence to either the near-RT RIC or iApp service (listening on ports 36421 and 36422) and cause an immediate denial of service. The vulnerability exists in the ASN.1 message decoding layer and triggers before the system performs any security checks, making it trivial to exploit.

  • CVE-2026-37230HIGH 7.5

    FlexRIC v2.0.0, an open RAN (O-RAN) near-real-time RIC (intelligent controller), crashes when it receives a RIC_INDICATION message with an invalid ran_func_id—a function identifier that doesn't exist in its internal registry. An unauthenticated attacker on the network can trigger this crash by sending a specially crafted message to port 36421, causing either an assertion failure in debug builds or a segmentation fault in release builds. This is a denial-of-service vulnerability that can disrupt RAN management and orchestration.

  • CVE-2026-37231HIGH 7.5

    FlexRIC v2.0.0 contains a counter overflow vulnerability that causes the application identifier (xapp_id) assignment mechanism to generate duplicate IDs after approximately 65,530 registration requests. When a duplicate ID is registered, the iApp component—which listens on port 36422—crashes due to an unhandled collision in its internal data structure. An attacker with network access can systematically trigger this denial-of-service condition by repeatedly initiating E42_SETUP_REQUEST messages to force counter wraparound and subsequent application crashes.

  • CVE-2026-37233HIGH 7.5

    FlexRIC v2.0.0 has a critical flaw in how it isolates multiple xApps (RAN applications) running on the same RIC (RAN Intelligent Controller). A malicious xApp can trick the system into thinking it owns another xApp's subscriptions and delete them, disrupting service for legitimate applications. The root cause is a simple but devastating coding error: the isolation check compares an xApp's ID to itself instead of comparing it to the requesting xApp's ID, rendering the multi-tenant protection completely ineffective.

  • CVE-2026-37235HIGH 7.5

    FlexRIC v2.0.0 contains a critical authentication bypass flaw in its E42 message handler. An attacker on the network can forge requests claiming to be any authorized xApp (a RIC application component) without proving their identity. The system validates only that the claimed xApp ID falls within a valid range, but does not verify that the request actually originated from that xApp. By sending a malicious request with a spoofed xApp ID to the iApp service on port 36422, an attacker can trick the RIC into routing responses to a legitimate xApp, corrupting its internal state and potentially crashing it, the RIC itself, or the iApp.

  • CVE-2026-37460HIGH 7.5

    FRRouting, a widely-used open-source routing protocol suite, contains a flaw in how it validates incoming BGP UPDATE messages. An attacker on the network can send a specially crafted message that causes the routing daemon to crash or become unresponsive, disrupting network operations. This is a network-based denial-of-service vulnerability requiring no authentication or user interaction.

  • CVE-2026-37462HIGH 7.5

    A flaw in GoBGP version 4.3.0 allows an attacker to crash BGP routing services by sending specially crafted BGP UPDATE messages. The vulnerability stems from improper integer handling in the message parsing function, which doesn't validate message length correctly before processing. An attacker with network access to a BGP speaker running the vulnerable version can exploit this without authentication to trigger a denial of service.

  • CVE-2026-38570HIGH 7.5

    CVE-2026-38570 is a denial-of-service vulnerability in bacnet_stack version 1.3.1 that stems from an out-of-bounds read flaw in the bacnet_tag_number_decode function. An attacker can trigger this flaw remotely without authentication to crash or hang systems running the vulnerable library, disrupting BACnet (Building Automation and Control Networks) operations. The vulnerability does not enable data theft or system compromise, but availability impact is significant in industrial and building automation environments where BACnet is critical infrastructure.

  • CVE-2026-39929HIGH 7.5

    Lakeside SysTrack Agent contains a vulnerability that allows an attacker on the network to crash the application by sending a malicious UDP packet. No authentication is required, and the attack does not require user interaction. The vulnerability affects multiple recent versions of the agent and results in denial of service, making it a significant availability risk for organizations relying on SysTrack for endpoint management and monitoring.

  • CVE-2026-40780HIGH 7.5

    Liquid Web's BookIt plugin contains a flaw in its password recovery mechanism that allows attackers to bypass authentication. Rather than attacking the login process directly, an attacker can exploit an alternate recovery path to gain unauthorized access without needing valid credentials. This affects BookIt versions before 2.5.4.1.

  • CVE-2026-40964HIGH 7.5

    A critical authentication flaw in Cloud Foundry's cf-auth-proxy component allows anyone on the internet to forge valid authentication tokens and read all application logs and system metrics without logging in. The vulnerability affects all versions of log-cache_release through v3.2.6, and Cloud Foundry Deployment installations bundling those versions. An attacker needs only network access to the affected component—no special credentials or user interaction required.

  • CVE-2026-41032HIGH 7.5

    CVE-2026-41032 is a high-severity information disclosure vulnerability affecting network controllers. An unauthenticated attacker on the same network segment can download log files from the controller without authentication, potentially exposing sensitive operational data. The vulnerability requires no user interaction and can be exploited over the network, making it a significant confidentiality risk for organizations running vulnerable controller infrastructure.

  • CVE-2026-41084HIGH 7.5

    A flaw in Apache Airflow's task management API allows an authenticated user with editing permission on one workflow (DAG) to secretly modify task states in completely different workflows—including those owned by other teams. The vulnerability exploits a mismatch between authorization checks (which validate against the workflow in the URL) and the actual workflow being modified (specified in the request body). An attacker with legitimate access to edit one workflow can bypass permission controls to interfere with unrelated workflows, potentially disrupting operations, hiding failures, or triggering unintended task executions.

  • CVE-2026-41565HIGH 7.5

    CryptX, a cryptographic library for Perl, contains a stack buffer overflow vulnerability in its AEAD (Authenticated Encryption with Associated Data) decryption functions. When these functions process an authentication tag longer than expected, they overflow a fixed-size buffer on the stack, potentially corrupting memory and crashing the application. An attacker who can supply a maliciously long authentication tag to vulnerable code paths can trigger this crash. The vulnerability affects four specific decryption functions: gcm_decrypt_verify, ccm_decrypt_verify, chacha20poly1305_decrypt_verify, and eax_decrypt_verify. Patches were released incrementally, with gcm_decrypt_verify fixed in version 0.088 and the remaining three functions addressed in version 0.088_001.

  • CVE-2026-41577HIGH 7.5

    Authentik, an open-source identity provider, contains a flaw in how it processes SAML authentication assertions. The software fails to validate time-based and audience restrictions on these assertions, meaning an attacker could replay old, expired authentication tokens or use tokens intended for a different service. This could allow unauthorized access to systems relying on authentik for authentication.

  • CVE-2026-41858HIGH 7.5

    BOSH-Ecosystem's windows-utilities-release contains a critical password generation flaw that undermines a key security hardening measure. The tool is designed to lock down Windows VMs by setting an Administrator account password that should be cryptographically random and unguessable. However, the password generation relies on a predictable random number generator seeded only with the system clock. An attacker who can estimate when a VM was booted can narrow down the possible passwords to a small, brute-forceable set, potentially recovering the Administrator credential and gaining full control of the system.

  • CVE-2026-42342HIGH 7.5

    React Router and Remix applications using Framework Mode are vulnerable to a denial-of-service attack via crafted requests that exploit unbounded path expansion in the __manifest endpoint. An unauthenticated attacker can send specially constructed requests that cause the server to consume excessive resources, slowing response times or rendering the application unavailable to legitimate users. This does not affect applications built with Declarative Mode or Data Mode routing patterns.

  • CVE-2026-42504HIGH 7.5

    A vulnerability exists in MIME header parsing where specially crafted email headers containing multiple invalid encoded-words can trigger excessive CPU consumption, effectively causing a denial of service. An attacker can send a malicious email with a crafted header to impact system availability without requiring authentication or user interaction.

  • CVE-2026-42669HIGH 7.5

    EventPrime versions through 4.3.2.0 contain a missing authorization vulnerability that allows unauthenticated attackers to modify data or perform actions they should not have access to. The flaw stems from improperly configured access control checks, meaning the application fails to verify user permissions before allowing sensitive operations. An attacker on the network can exploit this without credentials or user interaction, potentially altering event configurations, participant data, or other critical information depending on EventPrime's scope.

  • CVE-2026-42670HIGH 7.5

    CVE-2026-42670 is a missing authorization flaw in Etoile Web Design Incorporated's Five Star Restaurant Reservations system. An attacker can access sensitive data by exploiting improperly configured access controls without needing credentials or user interaction. The vulnerability allows unauthenticated remote access to confidential information, presenting a direct risk to restaurant operations and customer data.

  • CVE-2026-42673HIGH 7.5

    Logtivity's Activity Logs plugin leaks sensitive information that should not be transmitted. The vulnerability allows unauthorized users to retrieve embedded sensitive data through the plugin's normal network communication channels. This affects all versions through 3.3.6 and requires patching to prevent data exposure.

  • CVE-2026-42674HIGH 7.5

    The Advanced Access Manager (AAM) plugin contains a vulnerability that allows attackers to bypass authentication by spoofing requests through URL encoding techniques. An attacker can craft specially encoded URLs to circumvent access controls without needing valid credentials, potentially gaining unauthorized access to protected resources. This affects AAM versions up through 7.1.0.

  • CVE-2026-42677HIGH 7.5

    A missing authorization flaw in WP Document Revisions allows unauthenticated attackers to access sensitive documents by exploiting improperly configured security levels. The vulnerability affects how the plugin enforces access control rules, enabling unauthorized users to view confidential information stored within the WordPress environment.

  • CVE-2026-44422HIGH 7.5

    FreeRDP, a widely-used open-source Remote Desktop Protocol client, contains a memory corruption vulnerability in its authentication-redirection subsystem. A malicious RDP server can craft specially-formed authentication data that causes the FreeRDP client to allocate a single heap object but then attempt to free it twice—or use it after the first deallocation. This occurs because the parser doesn't properly track which heap objects correspond to which data structures when the same object reference is reused. The result is a crash or potential code execution on the client machine. The vulnerability requires user interaction (connecting to a malicious server) but affects all FreeRDP versions before 3.26.0.

  • CVE-2026-44594HIGH 7.5

    esm.sh, a popular CDN for JavaScript development that eliminates the need for build processes, contains a vulnerability in how it processes package metadata. An attacker can publish a malicious npm package that tricks the esm.sh server into reading and exposing sensitive files from its own filesystem. This happens because the service doesn't properly validate how it interprets the 'browser' field in package.json during the build process. While the attacker cannot modify files or crash the service, they can gain unauthorized access to confidential data stored on esm.sh infrastructure.

  • CVE-2026-45017HIGH 7.5

    Python Liquid is a templating engine used to process dynamic content. Versions before 2.2.0 contain a path traversal flaw that lets an attacker with the ability to author templates bypass security restrictions and read arbitrary files from the server. An attacker could use the {% include %} or {% render %} template tags with absolute file paths to access files outside the intended template directory. The compromised files are then processed as templates, potentially exposing their contents. This requires the attacker to have template authoring privileges and targets files readable by the application.

  • CVE-2026-46110HIGH 7.5

    CVE-2026-46110 is a NULL pointer dereference vulnerability in the Linux kernel's stmmac network driver that can crash a system when memory becomes exhausted during packet reception. The driver manages a circular ring of descriptors to coordinate DMA transfers between the CPU and network hardware. When the driver runs out of memory to allocate new receive buffers, it can incorrectly process already-used descriptors as if they were fresh, leading to a kernel panic. This occurs because the driver doesn't properly distinguish between descriptors that are waiting to be refilled versus those that have already been processed.

  • CVE-2026-46114HIGH 7.5

    A memory leak vulnerability exists in the Linux kernel's RDMA over Converged Ethernet (RoCE) driver. An attacker on the network can send specially crafted RDMA ATOMIC_WRITE requests with zero-length payloads to trigger the responder into reading uninitialized kernel memory and inadvertently leaking it back to the attacker. The vulnerability specifically affects how the kernel validates packet lengths before dereferencing memory, allowing 8 bytes of sensitive kernel data (including kernel strings and pointer information) to be extracted per malicious probe.

  • CVE-2026-46124HIGH 7.5

    A vulnerability in the Linux kernel's ISO 9660 filesystem (isofs) allows an attacker to read arbitrary blocks from a storage device when the filesystem is exported over NFS. An authenticated attacker can craft a malicious NFS file handle that causes the kernel to interpret unrelated data on the underlying block device as if it were part of the ISO filesystem, leaking that data to the NFS client. While this does not cause memory corruption or system crashes, it exposes sensitive information from adjacent partitions or disk regions. The issue affects systems that export ISO images (typically loop-mounted) over NFS, which is a narrower deployment scenario but still represents a data confidentiality risk.

  • CVE-2026-46133HIGH 7.5

    A flaw in the Linux kernel's RDMA/rxe (Soft RoCE) driver allows an unauthenticated attacker to crash the system by sending a specially crafted UDP packet with an invalid opcode. The vulnerability exists in how the driver validates incoming packets before processing checksums. When a packet uses an undefined opcode value, the driver fails to properly validate packet length, leading to an out-of-bounds memory read that triggers a kernel panic. An attacker needs only network access to the RDMA port and can exploit this without authentication, credentials, or any prior connection setup.

  • CVE-2022-4991HIGH 7.4

    Tychon, a Windows application, contains a vulnerability in how it configures OpenSSL. An unprivileged user can place a malicious configuration file in a location that Tychon's privileged service will read, potentially allowing that user to execute arbitrary code with SYSTEM-level privileges. This is a local privilege escalation vulnerability that requires an attacker to have filesystem write access to a specific directory on the target system.

  • CVE-2025-14774HIGH 7.4

    CVE-2025-14774 is a flaw in ABB T-MAC Plus (version 4.0-24) where access control is not properly enforced, allowing an attacker on the same network to disrupt system availability without needing credentials or user interaction. The vulnerability has a CVSS score of 7.4 (HIGH) and is classified as an incorrect authorization issue.

  • CVE-2025-64390HIGH 7.4

    PlayStation 4 consoles running firmware versions 13.00 through 13.02 are vulnerable to a privilege escalation attack that allows an attacker with local access to escape the Blu-ray Disc Java (BD-J) sandbox environment by crafting a malicious JAR file. Once the sandbox is bypassed, an attacker could gain elevated system privileges on the device, potentially leading to unauthorized access or control of the console.

  • CVE-2026-10629HIGH 7.4

    Verizon's IMS (IP Multimedia Subsystem) platform handles VoLTE call signaling without proper encryption and authentication protections. An attacker positioned on the network path—such as a rogue cell tower operator, compromised router, or ISP-level adversary—can eavesdrop on, modify, or spoof VoLTE call setup messages. This breaks the confidentiality of who is calling whom and when, and enables attackers to hijack, redirect, or terminate calls by tampering with unprotected signaling traffic.

  • CVE-2026-10968HIGH 7.4

    A vulnerability in Chrome's graphics rendering engine (Dawn) on Windows allows attackers to steal sensitive data from websites you're visiting. If an attacker first compromises Chrome's renderer process—the part that runs web content—they can craft a malicious webpage to leak information across website boundaries, bypassing Chrome's security isolation. This requires the attacker to have already gained control of the renderer, making it part of a multi-stage attack but with serious data-theft consequences once achieved.

  • CVE-2026-10973HIGH 7.4

    A flaw in Google Chrome's Dawn graphics component allowed attackers to extract sensitive data across website boundaries through a specially crafted web page. The vulnerability required user interaction (clicking or visiting a malicious page) but did not require any special privileges. An attacker could craft HTML that exploits uninitialized memory in Chrome's graphics processing to read data from other origins that should have been isolated, potentially exposing authentication tokens, personal information, or other sensitive content loaded in the same browser session.

  • CVE-2026-10976HIGH 7.4

    A memory disclosure vulnerability exists in Google Chrome's graphics engine (Dawn) that could allow an attacker to read sensitive data from Chrome's process memory. The flaw stems from uninitialized variables being used without proper initialization checks. An attacker would need to trick a user into visiting a specially crafted webpage to trigger the vulnerability. The issue affects Chrome versions before 149.0.7827.53.

  • CVE-2026-44393HIGH 7.4

    OpenStack's oslo.messaging library contains a critical flaw in how it validates TLS certificates when connecting to RabbitMQ brokers. The driver accepts any certificate signed by your organization's CA without checking that it actually belongs to the RabbitMQ server you're trying to reach. This means an attacker positioned on your network could intercept traffic, present a valid (but wrong) certificate, and trick OpenStack services into sending sensitive control-plane messages to the attacker instead of RabbitMQ. The vulnerability affects all versions from 1.0.0 through 17.3.0.

  • CVE-2026-10068HIGH 7.3

    A server-side request forgery (SSRF) vulnerability has been identified in Shibby Tomato version 1.28, specifically within the miniupnpd daemon's SUBSCRIBE call handler. An attacker can exploit this flaw remotely without authentication to make the affected device perform unintended network requests on their behalf. This could lead to unauthorized access to internal services, data exfiltration, or lateral movement within a network. However, the practical impact is limited since Shibby Tomato is no longer maintained, with the project having been superseded by FreshTomato.

  • CVE-2026-10110HIGH 7.3

    A SQL injection vulnerability exists in code-projects Student Details Management System version 1.0 affecting the /index.php file. An attacker can manipulate the 'roll' parameter to inject arbitrary SQL commands, potentially accessing, modifying, or deleting sensitive student records. The vulnerability requires no authentication and can be exploited remotely over the network. Public exploit code is already available, increasing the risk of active exploitation.

  • CVE-2026-10111HIGH 7.3

    A SQL injection vulnerability exists in the Login Page of sambitraj STUDENT-MANAGEMENT-SYSTEM version 1.0. An attacker can manipulate the email parameter during login to inject malicious SQL commands, potentially compromising the database. The vulnerability requires no authentication or user interaction and can be exploited remotely. Exploit code has already been published publicly, elevating the practical risk.

  • CVE-2026-10157HIGH 7.3

    Open5GS, an open-source 5G core network software stack, contains an authentication bypass vulnerability in its NGAP (NG Application Protocol) PathSwitchRequest message handler. An unauthenticated attacker can exploit this remotely to bypass authentication controls, potentially gaining unauthorized access to 5G network functions. The vulnerability affects Open5GS versions up to 2.7.6 and has been publicly disclosed with exploit code available, elevating the practical risk to deployed systems.

  • CVE-2026-10167HIGH 7.3

    A flaw in the OUSL-GROUP-BrinaryBrains School Student Management System allows attackers to bypass authentication by manipulating role parameters during login cookie creation. An attacker can remotely exploit this without requiring special privileges or user interaction, potentially gaining unauthorized access to the system. Proof-of-concept code has been publicly released, increasing the risk of real-world exploitation.

  • CVE-2026-10178HIGH 7.3

    A SQL injection vulnerability exists in code-projects Online Music Site version 1.0 that allows unauthenticated remote attackers to inject malicious SQL commands through the ID parameter in the admin album editing interface. The flaw permits reading, modifying, or deleting database records without authorization. Public exploit code is available, elevating immediate risk.

  • CVE-2026-10184HIGH 7.3

    SourceCodester Hospitals Patient Records Management System version 1.0 contains a SQL injection vulnerability in its user deletion function. An attacker can send a specially crafted request to the /classes/Users.php endpoint that manipulates the ID parameter, allowing unauthorized database queries. Because this flaw requires no authentication and can be exploited over the network, it poses a significant risk to hospital operations and patient data confidentiality.

  • CVE-2026-10185HIGH 7.3

    A SQL injection vulnerability exists in SourceCodester Hospitals Patient Records Management System version 1.0. An attacker can send a malicious request to the /classes/Users.php file with a crafted ID parameter that causes the application to execute unintended database commands. No authentication is required, and the vulnerability is accessible over the network. Public exploit code is available, increasing the risk of active exploitation.

  • CVE-2026-10186HIGH 7.3

    CVE-2026-10186 is a SQL injection vulnerability in code-projects Online Hospital Management System version 1.0. An attacker can craft a malicious request to the /patient.php file, manipulating the 'editid' parameter to execute arbitrary SQL commands against the backend database. No authentication is required, and the exploit can be triggered remotely over the network. Public exploit details are available, increasing the practical risk of active exploitation.

  • CVE-2026-10208HIGH 7.3

    A SQL injection vulnerability exists in the Online Hospital Management System version 1.php, specifically in the login_user function of login_1.php. An attacker can manipulate the Username parameter during login to inject malicious SQL commands. This allows unauthorized access and data compromise without requiring authentication or user interaction. The vulnerability is remotely exploitable and public exploit code has already been released.

  • CVE-2026-10214HIGH 7.3

    A command injection vulnerability exists in the Bash Tool component of chatgpt-on-wechat versions up to 2.0.8. An attacker can remotely exploit a flaw in the _get_safety_warning function to execute arbitrary operating system commands without authentication. This issue is being actively exploited in the wild. Organizations using affected versions should prioritize upgrading to 2.0.9 immediately.

  • CVE-2026-10219HIGH 7.3

    nextlevelbuilder GoClaw versions up to 3.11.3 contain a command injection vulnerability in the write_file tool. An unauthenticated attacker can manipulate the WriteFile function to inject arbitrary operating system commands, which are then executed on the affected system. The vulnerability is remotely exploitable and does not require user interaction or special privileges.

  • CVE-2026-10220HIGH 7.3

    NousResearch's hermes-agent application contains a vulnerability in how it handles plugin skill requests. An attacker can send specially crafted input to the skill_view function that gets injected into backend operations, potentially compromising the confidentiality, integrity, and availability of the affected system. The vulnerability is network-accessible, requires no authentication, and can be triggered without user interaction. Because exploit details have been publicly disclosed, the attack surface is visible to potential adversaries.

  • CVE-2026-10221HIGH 7.3

    A code injection vulnerability exists in NousResearch's hermes-agent software, affecting versions up to 0.12.0. The flaw resides in the context compression function and allows remote attackers to inject malicious code without requiring authentication or user interaction. Public exploit code is available, increasing the practical risk of exploitation.

  • CVE-2026-10225HIGH 7.3

    A SQL injection vulnerability exists in raisulislamg4's student management system (PHP-based). An attacker can manipulate the Username parameter in the login_check.php file to inject malicious SQL commands. The vulnerability is network-accessible, requires no authentication, and doesn't require user interaction. Exploit code is publicly available. The project uses a rolling release model, making it difficult to track specific patched versions.

  • CVE-2026-10226HIGH 7.3

    A SQL injection vulnerability exists in the raisulislamg4 student management system (a PHP-based open-source project). An attacker can manipulate parameters in the delete.php file—specifically user_id, course_id, teacher_id, student_id, or application_id—to inject malicious SQL commands. This can be exploited remotely without authentication or user interaction, allowing an attacker to read, modify, or delete database records. Proof-of-concept code has been published, increasing the risk of active exploitation.

  • CVE-2026-10227HIGH 7.3

    A SQL injection vulnerability exists in the student management system by raisulislamg4 (up to commit 310d950e) that allows unauthenticated attackers to manipulate the role parameter in the user creation process. An attacker can submit malicious input through the add_user_check.php endpoint to execute arbitrary SQL commands, potentially reading, modifying, or deleting database contents. The vulnerability has been publicly disclosed and proof-of-concept information is available, increasing the likelihood of active exploitation.

  • CVE-2026-10236HIGH 7.3

    A security flaw exists in SourceCodester Water Billing Management System version 1.0 that allows attackers to bypass authorization controls in the User Management system. An attacker can remotely manipulate user-related operations through the /classes/Users.php?f=save endpoint without needing credentials or user interaction. This means an unauthorized person could potentially create, modify, or access user accounts and associated data. Public disclosure of this vulnerability means attackers are likely already aware of and testing for it.

  • CVE-2026-10243HIGH 7.3

    A critical authentication flaw exists in code-projects Smart Parking System version 1.0 that allows unauthenticated remote attackers to bypass security controls on multiple administrative endpoints. An attacker can interact with these endpoints without valid credentials, potentially gaining unauthorized access to sensitive parking system functions. The vulnerability has been publicly disclosed and exploit code is available, elevating the risk of active exploitation.

  • CVE-2026-10249HIGH 7.3

    A SQL injection vulnerability exists in itsourcecode Online Blood Bank Management System version 1.0 within the admin request-viewing interface. An unauthenticated attacker can manipulate the ID parameter to inject malicious SQL commands, potentially allowing unauthorized access to sensitive patient data, modification of records, or system disruption. Public exploits are already available, elevating the practical risk.

  • CVE-2026-10250HIGH 7.3

    A SQL injection vulnerability exists in itsourcecode Online Blood Bank Management System version 1.0 that allows unauthenticated attackers to manipulate the hospital parameter in the /admin/campsdetails.php file, potentially compromising the confidentiality, integrity, and availability of the system and its data. The vulnerability is remotely exploitable and public exploit code is available, elevating active exploitation risk.

  • CVE-2026-10251HIGH 7.3

    A SQL injection vulnerability exists in itsourcecode Online House Rental System version 1.0. An attacker can send a specially crafted request to the login functionality via the Username parameter to execute arbitrary database commands. Because the vulnerability requires no authentication and can be triggered remotely, it poses a significant risk to exposed instances. Public exploit code is available, increasing the likelihood of active exploitation.

  • CVE-2026-10252HIGH 7.3

    A SQL injection vulnerability exists in itsourcecode Online House Rental System version 1.0 that allows unauthenticated attackers to inject malicious SQL commands through the ID parameter in the /manage_tenant.php file. This could enable attackers to read, modify, or delete tenant data stored in the application's database without requiring any special credentials or user interaction. The vulnerability is publicly known and exploit code is available.

  • CVE-2026-10253HIGH 7.3

    A SQL injection vulnerability exists in itsourcecode Online House Rental System version 1.0. The vulnerability is located in the /manage_payment.php file, specifically in how it processes the ID parameter. An attacker can manipulate this parameter to inject malicious SQL commands, potentially allowing unauthorized access to sensitive payment and rental data. The vulnerability requires no authentication, can be exploited over the network, and exploit code is publicly available.

  • CVE-2026-10260HIGH 7.3

    CodeAstro Online Job Portal version 1.0 contains a SQL injection vulnerability in its admin job deletion function. An attacker can manipulate the ID parameter in the /admin/jobs-admins/delete-jobs.php file to inject malicious SQL commands, potentially compromising the database. The vulnerability requires no authentication and can be exploited over the network. Proof-of-concept code has been released publicly, increasing the likelihood of active exploitation.

  • CVE-2026-10261HIGH 7.3

    CodeAstro Online Job Portal version 1.0 contains a SQL injection vulnerability in its application status checking functionality. An attacker can manipulate the ID parameter in the /users/application_status.php file to inject malicious SQL commands, potentially gaining unauthorized access to the database. The vulnerability can be exploited remotely without authentication, making it accessible to anyone on the internet.

  • CVE-2026-10262HIGH 7.3

    A SQL injection vulnerability exists in Real State Services version 1.0 that allows an attacker to manipulate the Username parameter in the login form (/loginuser.php) to inject malicious SQL commands. Because no authentication is required and the vulnerability can be triggered over the network, an attacker can exploit this remotely to read, modify, or delete sensitive database information without needing valid credentials. The flaw has been publicly disclosed, increasing the risk of active exploitation.

  • CVE-2026-10263HIGH 7.3

    A SQL injection vulnerability exists in SourceCodester Computer Repair Shop Management System version 1.0 and earlier. An attacker can manipulate the ID parameter in the product management interface to inject malicious SQL commands, potentially exposing, modifying, or deleting sensitive data. The vulnerability requires no authentication and can be exploited remotely by anyone with network access to the application.

  • CVE-2026-10273HIGH 7.3

    php-censor versions up to 2.1.6 contain a remote code execution vulnerability in the webhook processing logic. An attacker can manipulate the commitId parameter sent to the Webhook Endpoint to inject and execute arbitrary operating system commands on the affected server. No authentication is required, and the exploit technique has been publicly disclosed, increasing the likelihood of active exploitation.

  • CVE-2026-10280HIGH 7.3

    Horizon921's mcpilot version 0.1.0 contains a server-side request forgery (SSRF) vulnerability in its MCP API Call Endpoint. An attacker can manipulate the serverBaseUrl parameter to trick the application into making requests to arbitrary internal or external systems. Because this requires no authentication and can be exploited over the network, it represents a meaningful attack surface for anyone running this software. The flaw has already been disclosed publicly and exploit code is available.

  • CVE-2026-10281HIGH 7.3

    Enderfga's claw-orchestrator contains an authentication bypass in its API endpoint handler. Versions up to 3.5.5 fail to enforce authentication checks in the EmbeddedServer component, allowing unauthenticated remote attackers to access protected functionality. The flaw has been publicly disclosed and exploit code is available. Version 3.5.6 addresses the issue.

  • CVE-2026-10287HIGH 7.3

    A server-side request forgery (SSRF) vulnerability exists in SourceCodester SEO Meta Tag Extractor version 1.0. An attacker can manipulate the URL parameter passed to the get_headers function in /index.php to make the vulnerable server perform requests on their behalf—potentially accessing internal services, exfiltrating data, or launching attacks against other systems on the network. No authentication is required, and the flaw can be exploited remotely over the network. Public exploit code is already available.

  • CVE-2026-10288HIGH 7.3

    A flaw in the Hotel and Tourism Reservation System version 1.0 allows attackers to bypass admin authentication. The vulnerability exists in the admin login page where the password verification function can be manipulated, enabling unauthorized access to the administrative interface without valid credentials. An attacker can exploit this remotely over the network, and proof-of-concept code has already been published publicly.

  • CVE-2026-10290HIGH 7.3

    A SQL injection vulnerability exists in the Hotel and Tourism Reservation System version 1.0, specifically in the tour.php file's GET parameter handler. An attacker can manipulate the 'tour' parameter to inject arbitrary SQL commands, potentially compromising the confidentiality, integrity, and availability of the database. Because the vulnerability is remotely exploitable without authentication, and public exploits are available, organizations running this software face immediate risk.

  • CVE-2026-10606HIGH 7.3

    DedeCMS version 5.7.88 contains a SQL injection vulnerability in its feedback handling system. An attacker can manipulate user input passed to the TrimMsg function in the feedback component to inject malicious SQL commands. Since no authentication is required and the attack can be performed over the network, this vulnerability poses a significant risk to any organization running the affected version. The vulnerability has already been disclosed publicly, increasing the likelihood of active exploitation.

  • CVE-2026-10607HIGH 7.3

    DedeCMS 5.7.88 contains a SQL injection vulnerability in its friend links management function. An attacker can manipulate the 'msg' parameter in /plus/flink.php to inject malicious SQL commands, allowing unauthorized database access, modification, or deletion. No authentication is required, and the vulnerability can be exploited over the network. Public exploit code exists, elevating the practical risk.

  • CVE-2026-10608HIGH 7.3

    DedeCMS version 5.7.88 contains a SQL injection vulnerability in its RemoveXSS function within the /plus/carbuyaction.php file. An attacker can inject malicious SQL commands through the postname or des parameters without authentication, potentially compromising data confidentiality, integrity, and availability. The vulnerability is remotely exploitable and proof-of-concept code has been publicly released.

  • CVE-2026-10617HIGH 7.3

    GoClaw, a component by nextlevelbuilder, contains a flaw in its webhook verification handler that allows attackers to bypass authentication checks. An unauthenticated remote attacker can exploit this weakness to gain unauthorized access to protected webhook endpoints. The vulnerability affects GoClaw versions up to and including 3.11.3, and exploit code has already been made public, increasing the practical risk.

  • CVE-2026-10619HIGH 7.3

    A remote authentication bypass vulnerability exists in the sayan365 student-management-system affecting commit 7f3c9ce7d410332335c2affac93a385485051800 and earlier versions. An unauthenticated attacker can bypass authentication controls on multiple endpoints without requiring any special privileges or user interaction. The vulnerability allows attackers to gain unauthorized access to the system with confidentiality, integrity, and availability impact. Public exploit code is now available, increasing immediate risk.

  • CVE-2026-10620HIGH 7.3

    A SQL injection vulnerability exists in code-projects Student Admission System version 1.0. The flaw resides in the /index.php file and can be exploited by manipulating the eid or did parameters. An attacker can inject malicious SQL commands without authentication, potentially reading or modifying sensitive student and admission data. Public exploit code is available, increasing the likelihood of active exploitation.

  • CVE-2026-10694HIGH 7.3

    SourceCodester's Online Food Ordering System version 2.0 contains a file inclusion vulnerability in its index.php page parameter. An unauthenticated attacker can supply a malicious page argument to cause the application to include and execute arbitrary files, potentially from the local filesystem or remote sources. This vulnerability requires no user interaction and can be exploited over the network. Public exploits are available.

  • CVE-2026-10704HIGH 7.3

    SourceCodester's Pizzafy E-Commerce System version 1.0 contains a SQL injection vulnerability in the administrative login function. An attacker can manipulate the username field during authentication to inject malicious SQL commands, potentially gaining unauthorized database access without needing credentials or user interaction. The vulnerability is network-accessible and exploits are now publicly available.

  • CVE-2026-10771HIGH 7.3

    A server-side request forgery (SSRF) vulnerability exists in CRMEB Java version 1.4. An attacker can manipulate the URL parameter in the RestTemplate.getForEntity function to force the server to make unintended outbound requests. This occurs in the QR code generation endpoint and requires no authentication. Since exploit code has been publicly disclosed, the risk of active exploitation is elevated.

  • CVE-2026-10777HIGH 7.3

    A weakness in the administrative backend of ealpha072's Student-Management-System allows attackers to bypass authentication controls and gain unauthorized access to sensitive functions. The vulnerability exists in the admin/config.php file and can be exploited remotely without requiring any special privileges or user interaction. Because exploit code is publicly available, the risk of active abuse is elevated. The project uses a rolling release model, so specific patched versions have not been publicly disclosed.

  • CVE-2026-11035HIGH 7.3

    Google Chrome on Android contains a flaw in how it handles Custom Tabs—a feature that allows apps to open web content within their own interface. An attacker with local access to a device can exploit this vulnerability by crafting a malicious XML file, potentially gaining elevated privileges on the system. The issue affects Chrome versions prior to 149.0.7827.53. While the base severity from Chromium is listed as Medium, the overall risk score reflects the complete attack chain impact.

  • CVE-2026-30649HIGH 7.3

    A buffer overflow vulnerability exists in VIVOTEK's FD8136 network camera that allows an unauthenticated remote attacker to execute arbitrary code. The flaw is located in the set_getparam.cgi component, which handles parameter processing without proper boundary checks. An attacker on the network can send a specially crafted request to trigger the overflow and gain complete control of the device.

  • CVE-2026-30760HIGH 7.3

    SourceBans Material Admin, a web-based administration panel, contains a vulnerability that allows unauthenticated attackers to alter user data through a specially crafted XAJAX request. An attacker can send a malicious web request to manipulate account information, permissions, or other critical user attributes without needing valid credentials. This affects versions prior to 1.1.6.

  • CVE-2026-30761HIGH 7.3

    SourceBans Material Admin v1.1.6 contains a critical weakness in its image upload functionality that allows unauthenticated attackers to upload malicious files and execute arbitrary code on affected servers. An attacker can craft a specially designed image file that bypasses upload validation, leading to remote code execution without needing valid credentials or user interaction. This is a direct pathway to full system compromise.

  • CVE-2026-36609HIGH 7.3

    A vulnerability in Mercusys AC12G (EU) V1 routers with firmware version AC12G(EU)_V1_200909 allows attackers on the network to recover administrator passwords. The router uses a static authentication nonce (a security token) that remains the same for requests from the same IP address, and combines this with weak password encoding. An attacker who captures authentication traffic can reverse-engineer the encoding to extract plaintext credentials, potentially gaining full administrative control of the router.

  • CVE-2026-36611HIGH 7.3

    A Mercusys AC12G (EU) V1 router with firmware version AC12G(EU)_V1_200909 has a vulnerability that exposes uninitialized memory to attackers on the same network. When the router receives certain requests on its UPnP port without proper headers, it returns 128 bytes of raw memory content that should have been inaccessible. An attacker with network access can exploit this to leak sensitive internal data without needing credentials.

  • CVE-2026-37579HIGH 7.3

    SMSGate sms-core versions 2.1.13.6 and earlier contain a remote code execution vulnerability in the CMPP7 message handling component. An unauthenticated attacker on the network can exploit this flaw to execute arbitrary code on affected systems without any user interaction, potentially gaining full control of the SMS gateway infrastructure.

  • CVE-2026-39292HIGH 7.3

    Falco Solutions PHPPageBuilder version 0.31.0 has a file upload vulnerability that lets attackers upload malicious files without proper checks. An attacker can exploit this to upload executable code and run commands on the affected server, potentially taking complete control of the web application.

  • CVE-2026-42061HIGH 7.3

    Acronis DeviceLock DLP on Windows contains a local privilege escalation vulnerability stemming from improper permission assignment to child processes. An authenticated user with limited privileges can exploit this flaw to gain elevated system access, potentially compromising data loss prevention controls and system integrity. The vulnerability requires local access and user interaction but delivers high-impact consequences including confidentiality, integrity, and availability breaches.

  • CVE-2026-42675HIGH 7.3

    Themefic Hydra Booking versions up to 1.1.41 contain a missing authorization flaw that allows attackers to bypass access controls and perform unauthorized actions. An attacker without authentication can exploit incorrectly configured security levels to access or modify booking data and functionality that should be restricted. This is a network-based vulnerability requiring no user interaction or special privileges.

  • CVE-2025-11262HIGH 7.2

    Link Whisper Free, a WordPress plugin, contains a stored cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages. When site visitors access affected pages, the injected scripts execute in their browsers, potentially allowing attackers to steal credentials, redirect users, or perform actions on their behalf. The vulnerability stems from improper handling of the user_id parameter and affects all versions up to 0.9.0.

  • CVE-2025-41265HIGH 7.2

    Waterfall Security's WF-500 TX Host contains a command injection flaw in its web-based administration interface. An attacker with valid administrative credentials can inject malicious operating system commands through the web UI, leading to arbitrary command execution on the device itself. This is a post-authentication attack—the attacker must already have admin-level access—but once inside, they can run any OS-level commands the host permits.

  • CVE-2025-41266HIGH 7.2

    A command injection vulnerability exists in the Waterfall WF-500 TX Host administration interface that allows authenticated users with elevated privileges to execute arbitrary system commands. An attacker who has already gained administrative access can leverage this flaw to run operating system-level commands, potentially compromising the entire appliance. The vulnerability affects version 7.9.1.0 R2502171040 and requires the attacker to be authenticated and have high-level privileges, reducing but not eliminating the risk in environments where admin credential exposure is a concern.

  • CVE-2025-41267HIGH 7.2

    A command injection vulnerability exists in the Waterfall WF-500 TX Host administration web interface that allows authenticated administrators to execute arbitrary operating system commands. An attacker with administrative credentials can craft malicious input through the WebUI to bypass command sanitization and gain direct OS-level access to the device. This is a post-authentication attack requiring valid admin credentials, but once exploited, provides complete system compromise.

  • CVE-2025-41279HIGH 7.2

    Nozomi Networks Labs discovered a command injection vulnerability in Waterfall's WF-500 RX Host administration interface. An authenticated attacker with administrative privileges can inject operating system commands through the web UI, leading to arbitrary code execution on the affected device. This is a serious risk for organizations using this industrial security appliance, as the attacker would gain full control of the host system.

  • CVE-2026-10072HIGH 7.2

    DreamMaker, a product developed by Interinfo, contains a vulnerability that allows attackers with privileged access to upload arbitrary files to the server. An attacker exploiting this flaw could upload malicious web shells, gaining the ability to execute code and maintain persistent access to the affected system. The vulnerability requires the attacker to have elevated credentials, but once leveraged, it provides complete control over server operations.