By year
Vulnerabilities disclosed in 2026
CVEs published in 2026 with SEC.co analysis.
1014 published vulnerabilities · page 3 of 11
- CVE-2018-25411HIGH 8.2
MGB OpenSource Guestbook version 0.7.0.2 contains a flaw that allows attackers to inject malicious database commands into the application without needing to log in. By sending specially crafted web requests to the email.php file with harmful code embedded in the 'id' parameter, an attacker can read sensitive information directly from the database—including the names of tables and columns that store user data. This vulnerability requires no authentication, making it trivial for an external attacker to exploit.
- CVE-2018-25413HIGH 8.2
AiOPMSD Final version 1.0.0 contains an SQL injection flaw that allows attackers to execute unauthorized database queries without authentication. By crafting malicious SQL statements and sending them through the application's search function (search.php), an attacker can extract sensitive information such as database credentials, usernames, and system details. This is a network-based attack requiring no user interaction or special privileges.
- CVE-2018-25414HIGH 8.2
AiOPMSD Final version 1.0.0 contains a straightforward but serious SQL injection flaw in its actor.php endpoint. An attacker can craft malicious SQL code and send it through the actor parameter via a simple GET request—no authentication required—to execute arbitrary database queries. This allows them to extract sensitive information like database credentials, usernames, and version details directly from the backend database.
- CVE-2018-25415HIGH 8.2
AiOPMSD Final version 1.0.0 contains an unauthenticated SQL injection flaw in its director.php endpoint. An attacker can craft a malicious URL with SQL code injected into the director parameter and send it as a simple GET request—no login required. Once executed, the attacker gains unauthorized access to the database, potentially exposing usernames, database names, system version information, and other sensitive data. The vulnerability is trivial to trigger and requires no special tools or user interaction.
- CVE-2018-25416HIGH 8.2
AiOPMSD Final version 1.0.0 contains a SQL injection flaw that allows anyone on the internet to query the application's database directly without logging in. An attacker can craft malicious requests to the country.php endpoint to extract sensitive information such as usernames, database names, and version numbers. This is a straightforward injection attack—the application fails to sanitize user input before passing it to SQL queries.
- CVE-2018-25417HIGH 8.2
AiOPMSD Final 1.0.0 contains an unauthenticated SQL injection flaw in the quality.php endpoint. An attacker can craft a malicious GET request with a SQL payload in the quality parameter to run arbitrary SQL commands against the backend database, potentially exposing usernames, database identifiers, and version information without requiring any authentication or user interaction.
- CVE-2018-25418HIGH 8.2
AiOPMSD Final version 1.0.0 contains an SQL injection vulnerability in its year parameter that allows attackers to execute arbitrary database queries without authentication. By crafting malicious SQL code and sending it through GET requests to the year.php endpoint, an attacker can extract sensitive information such as usernames, database names, and database version details. The vulnerability requires no user interaction and can be exploited over the network by any unauthenticated actor.
- CVE-2018-25419HIGH 8.2
AiOPMSD Final 1.0.0 suffers from a critical SQL injection flaw in its genre parameter. An attacker can craft a malicious URL to genre.php and extract sensitive data—usernames, database names, version information—without needing to authenticate. The vulnerability is straightforward to exploit over the network and poses a real risk to confidentiality of stored data.
- CVE-2018-25420HIGH 8.2
AiOPMSD Final version 1.0.0 contains an SQL injection flaw that lets attackers query the application's database without needing any credentials. By crafting malicious SQL code into web requests targeting the watch.php endpoint, an attacker can extract sensitive data like user credentials and database structure information. The vulnerability requires no authentication, no special interaction from a victim, and poses a direct threat to data confidentiality.
- CVE-2018-25422HIGH 8.2
MOGG web simulator Script contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands through the id parameter in play.php. Attackers can craft malicious GET requests to extract sensitive data like usernames and other database information without needing authentication.
- CVE-2018-25424HIGH 8.2
Gate Pass Management System version 2.1 contains an SQL injection flaw in its login mechanism that allows attackers to bypass authentication entirely without knowing valid credentials. By crafting malicious SQL code into the login and password fields of the application's login form, an unauthenticated attacker can trick the system into granting access. This is a critical weakness because the login page is typically the first line of defense, and compromising it gives attackers full entry to the application and any data it manages.
- CVE-2018-25425HIGH 8.2
Yot CMS version 3.3.1 contains an unauthenticated SQL injection vulnerability accessible through HTTP GET requests. An attacker can manipulate the 'aid' or 'cid' URL parameters to inject arbitrary SQL commands, potentially exposing sensitive database information without requiring any authentication or user interaction. The vulnerability is network-accessible and relatively straightforward to exploit.
- CVE-2018-25428HIGH 8.2
Paroiciel version 11.20 contains an unauthenticated SQL injection flaw in its trec.php endpoint. An attacker can craft malicious web requests to the tRecIdListe parameter, inject arbitrary SQL commands, and retrieve sensitive database contents like table and column names without needing valid credentials. This is a remote attack that requires no special privileges or user interaction.
- CVE-2018-25433HIGH 8.2
The JE Photo Gallery component for Joomla version 1.1 contains a critical flaw that allows attackers to inject malicious SQL commands without needing credentials. By manipulating a parameter in web requests, attackers can extract sensitive information directly from the database, including user credentials. This vulnerability requires no authentication or user interaction, making it particularly dangerous for websites using this component.
- CVE-2018-25434HIGH 8.2
WP AutoSuggest version 0.24 contains a critical SQL injection flaw that lets attackers bypass authentication entirely and query your WordPress database directly. By sending specially crafted requests to the plugin's autosuggest.php endpoint, an attacker can extract sensitive data—posts, user information, and other database contents—without needing any WordPress account or permissions. This is particularly dangerous because the vulnerability requires no user interaction and is trivial to exploit remotely.
- CVE-2019-25726HIGH 8.2
All in One Video Downloader version 1.2 contains an SQL injection flaw that lets attackers query the application's database without authentication. By crafting malicious requests to the admin interface, adversaries can extract sensitive information like user credentials and database structure details. The vulnerability requires no special access or user interaction—attackers can exploit it remotely over the network.
- CVE-2019-25728HIGH 8.2
Care2x 2.7 contains a flaw that lets attackers bypass authentication entirely and read sensitive database information by modifying a cookie called ck_config. An attacker on the internet can craft a malicious request without any credentials to trick the application into executing unauthorized database queries. The vulnerability affects login pages and module endpoints, making it a straightforward way to extract private data.
- CVE-2019-25730HIGH 8.2
Listing Hub CMS version 1.0 contains a SQL injection flaw that allows attackers without credentials to run arbitrary database commands. By sending specially crafted requests to the pages.php file with malicious values in the id parameter, attackers can extract sensitive information such as database credentials and system version details. The vulnerability requires no authentication or user interaction, making it a straightforward attack vector for anyone with network access to the affected application.
- CVE-2019-25732HIGH 8.2
PHP EI-Tube Script 3 contains a flaw that allows attackers to inject malicious commands into the application's search function without needing any credentials. By crafting specially designed search queries, an attacker can trick the application into executing unauthorized database commands, potentially exposing usernames, passwords, and other sensitive information stored in the database.
- CVE-2019-25745HIGH 8.2
The Google Review Slider WordPress plugin version 6.1 contains a SQL injection flaw that allows attackers to execute unauthorized database queries without needing to log in. By crafting malicious requests targeting the 'tid' parameter, an attacker can gradually extract sensitive data from a WordPress site's database using time-based blind SQL injection—a technique where database response delays confirm whether injected queries are true or false. This vulnerability poses a direct risk to any WordPress installation running the affected plugin version.
- CVE-2021-4478HIGH 8.2
Dräger CC-Vision Basic (versions before 7.5.3) and Dräger CC-Vision E-Cal (versions before 7.2.5.0) are vulnerable to a buffer overflow when processing specially crafted .gdt files. An attacker can create a malicious file that, when opened by a user, causes the application to crash or potentially execute arbitrary code on the system. The vulnerability requires user interaction—someone must open the malicious file—but does not require elevated privileges to trigger.
- CVE-2021-4480HIGH 8.2
Dräger Protector Software before version 6.4.2 has a local privilege escalation flaw rooted in overly permissive file system permissions. An attacker with local access to an affected system can replace critical binaries or loaded modules, then trigger execution with NT SYSTEM privileges—the highest level of access on Windows. This gives an adversary complete control over the host.
- CVE-2021-4481HIGH 8.2
Dräger Protector Software versions prior to 6.4.2 suffer from a local privilege escalation flaw rooted in overly permissive file system permissions. An attacker with local access to an affected system can exploit this weakness to replace system binaries or loaded modules, ultimately executing arbitrary code with the highest privilege level (NT SYSTEM). This is a boots-on-the-ground attack: the attacker must have local file system access, but once they do, they can gain complete system control.
- CVE-2025-69755HIGH 8.2
A vulnerability in the Neterbit NW-431F Router (firmware version NW-431F-20241014-IR03) allows attackers on the network to read sensitive information and run unauthorized commands on the device. An attacker can send specially crafted requests to the router's at_command.asp interface without needing credentials or user interaction, making this a direct and urgent threat to any organization using this model.
- CVE-2026-10622HIGH 8.2
Collibra Agent contains a flaw in how it authenticates users to its REST API. The vulnerability allows someone from the internet to call administrative functions through REST endpoints without providing valid credentials. An attacker can exploit this to gain unauthorized access to sensitive functionality that should be restricted to authenticated administrators.
- CVE-2026-24088HIGH 8.2
CVE-2026-24088 is a cryptographic flaw in Qualcomm wireless and networking chipsets that allows a high-privileged attacker to bypass security controls and load a custom bootloader onto affected devices. The vulnerability stems from improper validation during firmware partition processing, enabling unauthorized modification of the boot sequence. This could allow an attacker with administrative or hardware-level access to inject malicious code that executes before the operating system, potentially taking complete control of the device.
- CVE-2026-24751HIGH 8.2
Kiteworks, a platform used to securely share and manage sensitive business data, contains a reflected cross-site scripting (XSS) vulnerability in its Secure Data Forms feature. An attacker can craft a malicious link that, when clicked by a legitimate user, causes the victim's browser to execute arbitrary JavaScript code within the context of the Kiteworks application. This could allow the attacker to steal session cookies, impersonate the user, or perform unauthorized actions on their behalf. The vulnerability affects all versions of Kiteworks prior to 9.3.0.
- CVE-2026-24752HIGH 8.2
Kiteworks, a private data network platform, contains a reflected cross-site scripting (XSS) flaw in its Secure Data Forms component that could allow an attacker to inject malicious JavaScript. An attacker could craft a deceptive link and trick a user into clicking it, causing the user's browser to execute arbitrary code in the context of their Kiteworks session. This is a social engineering attack vector rather than a direct infrastructure compromise, but the impact can be severe if the victim has administrative or sensitive data access.
- CVE-2026-28299HIGH 8.2
SolarWinds Web Help Desk contains a denial-of-service vulnerability that allows attackers to crash the server by exhausting memory resources. No authentication or user interaction is required—an attacker on the network can trigger this condition remotely, making it straightforward to exploit. While the vulnerability does not expose sensitive data or allow unauthorized changes to the system, the ability to take down your help desk platform creates immediate business disruption.
- CVE-2026-35675HIGH 8.2
phpMyFAQ versions before 4.1.3 contain a critical flaw in their password reset mechanism that completely bypasses authentication checks. An attacker does not need valid credentials or access to a victim's email to reset passwords—they can simply request a password reset for any user account, and the system grants it without verification. This means attackers can take over any account, including administrator accounts, giving them full control of the FAQ system and potentially the underlying server.
- CVE-2026-35676HIGH 8.2
phpMyFAQ versions before 4.1.3 contain a critical flaw that allows anyone on the internet to reset user account passwords without authentication. An attacker can enumerate valid usernames and email addresses, then forcibly change passwords by sending direct API requests. This bypasses normal security controls and immediately locks legitimate users out of their accounts.
- CVE-2026-37234HIGH 8.2
FlexRIC v2.0.0 contains a resource management flaw in how it handles SCTP (Stream Control Transmission Protocol) connections to the RIC (Radio Interface Controller). An attacker can abuse the E42 setup protocol to register multiple application IDs (xapp_ids) over a single connection. When that connection is closed, only the first registered application's resources are cleaned up; the others remain as orphaned entries in system memory. Over time or through repeated connections, this allows an attacker to accumulate stale subscriptions and exhaust available resources, potentially corrupting the internal state of the intelligent application platform (iApp).
- CVE-2026-41010HIGH 8.2
BOSH Director is vulnerable to arbitrary command execution when processing uploaded release tarballs. An attacker with elevated privileges can craft a malicious release manifest that embeds shell metacharacters in a job name. When the system unpacks the tarball, these characters are interpreted by the shell, allowing the attacker to execute arbitrary commands with the privileges of the BOSH Director process. The vulnerability stems from unsafe string interpolation of untrusted input directly into a shell command.
- CVE-2026-41011HIGH 8.2
BOSH (the Cloud Foundry deployment automation framework) contains a shell injection vulnerability in its package validation logic. When a user uploads a release tarball containing a malicious package name, the system executes that name as a shell command without sanitization. An authenticated attacker with upload privileges can inject arbitrary commands that run with BOSH director privileges. The vulnerability exists because validation occurs after the dangerous shell operation, not before.
- CVE-2026-41249HIGH 8.2
CoreShop, a Pimcore-based eCommerce platform, contains a critical flaw in its GitHub Actions workflow configuration that allows attackers to execute arbitrary code on build infrastructure. The vulnerability stems from a workflow that accepts pull requests from untrusted sources but then executes scripts using code from those unverified pull requests. An attacker can simply submit a malicious pull request to trigger code execution on CoreShop's CI/CD runners, potentially compromising the build pipeline, stealing credentials, or injecting malicious code into releases.
- CVE-2026-43624HIGH 8.2
F5-TTS versions up to 1.1.20 contain a path traversal vulnerability in their finetune Gradio interface that lets unauthenticated attackers write files anywhere on the server's filesystem. The flaw stems from inadequate validation of project names before they're used in file system operations. An attacker can bypass the intended directory boundary by supplying absolute paths (like /tmp/EVIL) and create malicious files with arbitrary content in locations the web server can access. No authentication is required to exploit this.
- CVE-2026-44358HIGH 8.2
Espressif's Shared GitHub DangerJS Action, a reusable CI workflow component, contains a privilege escalation vulnerability in versions prior to 1.0.1. When processing pull requests from forks, the action's entrypoint script executes DangerJS from an untrusted search path after copying fork code into the working directory. This allows fork-supplied code to run inside the action container with the permissions of the workflow, rather than the action's own trusted code. An attacker can exploit this by submitting a malicious pull request from a fork, causing arbitrary code execution in the CI/CD environment.
- CVE-2025-53440HIGH 8.1
CVE-2025-53440 is a PHP Local File Inclusion (LFI) vulnerability in Axiomthemes Confidant that allows an attacker to manipulate file path inputs, potentially leading to the inclusion and execution of arbitrary files on the affected server. The vulnerability stems from improper validation of filenames used in PHP include/require statements. An attacker can exploit this over the network without authentication to read sensitive files or execute malicious code, posing a significant risk to websites using vulnerable versions of Confidant.
- CVE-2025-58705HIGH 8.1
CVE-2025-58705 is a PHP Local File Inclusion (LFI) vulnerability in Axiomthemes Crafti through version 1.12. An attacker can exploit improper filename validation in PHP include/require statements to include and execute arbitrary local files on the server. This allows remote code execution without authentication, making it a critical risk for any organization running vulnerable Crafti installations. The vulnerability has a CVSS 3.1 score of 8.1 (HIGH severity) with network accessibility and high impact across confidentiality, integrity, and availability.
- CVE-2025-58707HIGH 8.1
CVE-2025-58707 is a file inclusion vulnerability in Axiomthemes Spin that allows attackers to include and execute arbitrary local files on the server. By manipulating input parameters, an unauthenticated attacker can reference files outside the intended directory, potentially exposing sensitive data or executing malicious code. The vulnerability affects Spin versions up through 1.8 and carries a CVSS score of 8.1, reflecting its severity.
- CVE-2025-58897HIGH 8.1
Axiomthemes Fermentio contains a vulnerability that allows attackers to include and execute arbitrary PHP files from the local server, potentially leading to unauthorized access, data theft, or system compromise. The vulnerability stems from insufficient validation of filenames used in PHP include/require statements, enabling attackers to manipulate file paths without authentication. Versions up to and including 1.5.0 are affected.
- CVE-2025-59874HIGH 8.1
HCL Hive Telco Observability contains a Content Security Policy (CSP) configuration weakness in its Keycloak authentication component. The application is missing critical CSP directives that browsers rely on to prevent injection attacks. This gap creates conditions for attackers to inject malicious scripts or styles if they can trick users into visiting a compromised or attacker-controlled page, potentially compromising session tokens or stealing sensitive observability data.
- CVE-2025-68886HIGH 8.1
A vulnerability in androThemes Cookiteer plugin allows an attacker to include and execute arbitrary local files through improper input handling in PHP include/require statements. While the vulnerability is classified as a Local File Inclusion (LFI) rather than true Remote File Inclusion, the network-accessible nature of web plugins means an unauthenticated attacker can exploit this remotely to read sensitive files or potentially execute code, depending on file availability and server configuration. All versions through 1.4.8 are affected.
- CVE-2025-69369HIGH 8.1
CVE-2025-69369 is a file inclusion vulnerability in Axiomthemes Racquet versions up to 1.12.0 that allows an attacker to manipulate how the application loads files, potentially executing arbitrary code or accessing sensitive data on the server. The flaw stems from insufficient validation of file paths in PHP include/require statements, making it possible to load unintended files from the local filesystem or, in some configurations, from remote sources.
- CVE-2026-10863HIGH 8.1
A vulnerability in MISP's correlations endpoint allowed authenticated users to manipulate how search results were ordered by injecting values into the order parameter. Rather than applying a server-defined sort, the application accepted user input that could be passed unsafely to the database layer. An attacker with valid credentials could exploit this to reorder results in ways the application designers didn't intend, potentially exposing information through creative query construction or gaining visibility into data the endpoint should have restricted.
- CVE-2026-10887HIGH 8.1
A use-after-free flaw in Chrome's Chromoting remote desktop feature on macOS allows attackers to execute arbitrary code by sending specially crafted network traffic. The vulnerability exists in versions prior to 149.0.7827.53 and requires no user interaction—an attacker on the network can trigger the bug remotely, making this a critical threat to any Mac user running an affected Chrome version.
- CVE-2026-10930HIGH 8.1
An out-of-bounds read vulnerability in ANGLE (the graphics translation layer used by Chrome on macOS) allows attackers to read sensitive memory from your system by tricking you into visiting a malicious website. The flaw affects Chrome versions before 149.0.7827.53 on Apple macOS. While the attacker cannot directly modify data or take control of your system through this specific vulnerability, they can extract confidential information—including passwords, encryption keys, or other sensitive data stored in memory—and cause Chrome to crash.
- CVE-2026-11011HIGH 8.1
A flaw in Google Chrome's Password Manager allows an attacker who has already compromised the browser's renderer process to sidestep site isolation—a critical security boundary that prevents one website from accessing data belonging to another. By crafting a malicious HTML page, the attacker could potentially access sensitive information across different sites. This vulnerability affects Chrome versions before 149.0.7827.53 and requires the attacker to first gain control of the renderer process, which typically happens through a separate exploit or malicious website.
- CVE-2026-11015HIGH 8.1
A memory reading flaw in Google Chrome's WebGPU component allows attackers to read data outside the intended memory boundaries when a user visits a specially crafted website. The vulnerability requires user interaction (visiting a malicious page) but does not require special privileges, and while the attacker cannot modify data or directly crash the browser, they can extract sensitive information from the process's memory—such as passwords, keys, or other confidential data stored there.
- CVE-2026-35076HIGH 8.1
A vulnerability in MBS Solutions gateway and protocol-conversion products allows authenticated users to delete files from the affected system without proper authorization. The flaw exists in the 'bac-scanresult' method, which fails to validate user-supplied input adequately. An attacker who has legitimate credentials can exploit this to remove critical files, potentially disrupting system operations or causing data loss.
- CVE-2026-35077HIGH 8.1
A vulnerability in MBS Solutions gateway products allows authenticated users to delete files they shouldn't have access to. An attacker with valid user credentials can exploit the ugw-delete-file method to remove arbitrary files from affected systems by bypassing input validation controls. This is especially concerning in industrial automation environments where these gateways often handle critical protocol conversions and data flows.
- CVE-2026-35078HIGH 8.1
A vulnerability in MBS Solutions gateway products allows authenticated users to delete files from affected systems without proper authorization. An attacker with valid user credentials can exploit the ugw-logstop method to remove arbitrary files, potentially disrupting system operations or destroying evidence. This is classified as a high-severity flaw because it requires only standard user access and can cause significant damage to system integrity and availability.
- CVE-2026-35079HIGH 8.1
CVE-2026-35079 is a file deletion vulnerability in MBS Solutions' Universal Gateway firmware and related gateway products. An attacker who already has valid user credentials can exploit the ugw-restore method to delete arbitrary files on the device. Because the vulnerability requires existing user access, the risk depends heavily on your organization's internal security posture and whether these devices are exposed to untrusted users.
- CVE-2026-35080HIGH 8.1
A flaw in MBS Solutions gateway firmware allows authenticated users to delete files they shouldn't have access to. An attacker with valid login credentials can exploit the ugw-restoreinfo method to remove arbitrary files from affected devices, potentially disrupting operations or destroying critical system data. The vulnerability requires existing user privileges but poses a serious risk to the integrity and availability of gateway-based infrastructure.
- CVE-2026-35081HIGH 8.1
A vulnerability in MBS Solutions' gateway and protocol conversion products allows authenticated users to remotely stop arbitrary processes on affected devices. An attacker who already has valid user credentials can exploit insufficient input validation in the ugw-logstop method to terminate critical services, potentially disrupting device functionality or causing a denial of service. This is a HIGH severity issue requiring prompt attention in networked industrial and building automation environments.
- CVE-2026-35277HIGH 8.1
Oracle REST Data Services contains a flaw that allows authenticated users with basic network access to read and modify sensitive data they shouldn't be able to access. An attacker with a low-privilege account can exploit this remotely without user interaction, potentially accessing, changing, or deleting critical information across the service. This is a significant risk because it bypasses normal data access controls.
- CVE-2026-36603HIGH 8.1
The Mercusys AC12G (EU) V1 router running firmware version AC12G(EU)_V1_200909 contains a critical authentication bypass vulnerability in its UPnP (Universal Plug and Play) implementation. Any device connected to the router's local network can manipulate port forwarding rules and retrieve WAN connection details without providing credentials. Since UPnP is enabled by default, attackers with LAN access gain the ability to redirect internet traffic, expose internal services, or exfiltrate data—creating a serious risk for home and small-office networks.
- CVE-2026-39550HIGH 8.1
Aperitif, a WordPress theme by Elated-Themes, contains a deserialization flaw that allows attackers to inject malicious objects into the application. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary code or compromise the integrity and confidentiality of affected websites. The vulnerability exists in versions 1.6 and earlier.
- CVE-2026-39551HIGH 8.1
A critical flaw in Elated-Themes' Töbel plugin allows attackers to inject malicious objects through unsafe deserialization. An unauthenticated remote attacker can exploit this vulnerability to achieve arbitrary code execution, data theft, or system compromise. The attack requires some specific conditions to be met, but once exploited, grants full control over affected systems.
- CVE-2026-39552HIGH 8.1
Code Supply Co. Blueprint contains a vulnerability that allows attackers to include and execute arbitrary local files through PHP, provided they can craft specific requests to the affected application. While the vulnerability is classified as "remote" in nature due to network accessibility, exploitation requires specific conditions including high complexity in attack construction. Versions before 1.1.5 are affected. Organizations running Blueprint should prioritize upgrading to the patched version.
- CVE-2026-39553HIGH 8.1
A PHP Local File Inclusion (LFI) vulnerability exists in Select-Themes WaveRide versions up to and including 1.4. The flaw allows an attacker to manipulate filename parameters used in PHP include or require statements, potentially enabling unauthorized file access and code execution on affected systems. The vulnerability is triggered through network requests and does not require authentication or user interaction.
- CVE-2026-39555HIGH 8.1
A critical flaw has been discovered in Elated-Themes' Askka plugin (versions up to and including 1.3.1) that allows attackers to inject malicious objects through deserialization of untrusted data. When the plugin processes serialized data from an untrusted source without proper validation, an attacker can craft a specially designed payload that, when deserialized by the vulnerable code, instantiates arbitrary PHP objects. This object injection can lead to remote code execution, data theft, or system compromise depending on available gadget chains within the application environment.
- CVE-2026-41013HIGH 8.1
A flaw in how Cloud Foundry's Diego release handles SMB volume mounts allows a developer with basic access to a shared environment to bypass security restrictions and inject malicious mount commands. This could let them gain elevated privileges or circumvent security controls on multi-tenant systems where multiple teams share the same infrastructure.
- CVE-2026-42211HIGH 8.1
React Router versions 7.0.0 through 7.14.1 contain a high-severity vulnerability that could enable remote code execution when using Framework Mode. The attack is two-stage: it requires an application to already contain a prototype pollution flaw, which an attacker can then exploit to trigger unauthorized code execution on the server. Applications using the library's Declarative Mode or Data Mode routing are unaffected. The vulnerability was patched in version 7.14.2.
- CVE-2026-42588HIGH 8.1
Apache ActiveMQ's web console exposes a remote interface (Jolokia) that allows authenticated users to interact with the message broker's management functions. An attacker who has legitimate access credentials can craft a specially formed network connector request that tricks the broker into loading and executing arbitrary code hidden in a Spring XML configuration file. The vulnerability exists because the broker doesn't properly validate the input before processing it, and Spring automatically instantiates code within those XML files before any security checks occur.
- CVE-2026-44237HIGH 8.1
FreePBX versions before 17.0.8 contain a flaw in their OAuth2 implementation that allows an attacker to bypass credential verification. If an attacker discovers or guesses a valid client application ID, they can request OAuth2 access tokens without needing the corresponding secret passphrase. This grants them the ability to authenticate and interact with the FreePBX API as if they were a legitimate application, potentially enabling unauthorized access to voice, data, and configuration controls.
- CVE-2026-46138HIGH 8.1
A flaw in the Linux kernel's Bluetooth event handler can cause the kernel to read memory beyond the bounds of a data structure and enter an infinite loop. The vulnerability occurs when a Bluetooth controller sends a specific event (LE_Create_BIG_Complete) with mismatched or insufficient data. An attacker with local or adjacent network access to a vulnerable system could exploit this to cause a denial of service by freezing the kernel with a lock held, making the system unresponsive.
- CVE-2025-14773HIGH 8.0
ABB T-MAC Plus versions up to 4.0-24 contain a cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious scripts into web pages. When another user views a page containing the injected script, the script executes in their browser with their privileges, potentially enabling attackers to steal sensitive information, hijack sessions, or perform unauthorized actions on behalf of victims. The vulnerability requires both user authentication and victim interaction, limiting but not eliminating its risk in multi-user environments.
- CVE-2026-0059HIGH 8.0
A heap buffer overflow vulnerability in Android's SDP (Session Description Protocol) discovery module allows an attacker on the same network segment to execute code with the privileges of the affected process. No user action is required, and the attacker needs only basic network access—the flaw can be triggered remotely through specially crafted SDP packets. This is a serious local/adjacent network attack vector that bypasses normal authentication and user interaction requirements.
- CVE-2026-0095HIGH 8.0
CVE-2026-0095 is a heap corruption flaw in Android's Bluetooth stack that allows a local attacker with limited privileges to escalate to higher system permissions. The vulnerability stems from an integer overflow in the l2c_fcr_clone_buf function, which can be manipulated to corrupt memory in the Bluetooth daemon process. Because this runs in a privileged context, successful exploitation grants elevated access without requiring additional tricks or user interaction.
- CVE-2026-0097HIGH 8.0
A logic error in Android's Bluetooth Low Energy (LE) pairing mechanism allows an attacker within wireless range to pair a device without requiring user approval or interaction. An attacker with local access to a Bluetooth-enabled Android device can escalate privileges by circumventing the normal pairing consent flow, potentially gaining full read, write, and execution access on the target device. This is particularly dangerous because it requires no user action to exploit.
- CVE-2026-20452HIGH 8.0
A heap buffer overflow vulnerability exists in MediaTek's wireless LAN access point driver that allows a nearby attacker with local user privileges to corrupt memory and achieve remote code execution. The flaw requires the attacker to be on the same local network segment but does not require any user interaction to trigger. Exploitation would grant the attacker the same privilege level as the user running the affected driver—typically limited, but sufficient to compromise the integrity and confidentiality of the device.
- CVE-2026-33245HIGH 8.0
React Router, a widely-used routing library for React applications, contains a cross-site scripting (XSS) vulnerability in its experimental React Server Components (RSC) feature. Versions 7.7.0 through 7.13.1 are affected. If an attacker can influence redirect instructions sent to your application—for example, through a compromised backend endpoint or man-in-the-middle scenario—malicious code could execute in users' browsers. The vulnerability is limited to applications actively using the unstable RSC APIs; standard React Router implementations are not impacted. A patch is available in version 7.13.2.
- CVE-2026-35482HIGH 8.0
alf.io, an open-source ticketing platform for conferences and events, contains a critical sandbox escape flaw in its extension script engine. An authenticated administrator can exploit this vulnerability to run arbitrary commands on the server. The flaw stems from an improperly protected Java object exposed to the sandboxed JavaScript environment, combined with gaps in code validation that allow attackers to use Java reflection to break out of the sandbox entirely. This requires administrator credentials to exploit, but once compromised, grants complete control over the underlying server.
- CVE-2026-35630HIGH 8.0
OpenClaw versions before 2026.5.18 have an authorization bypass flaw in the QQBot approval workflow. Users who are not designated approvers can click approval buttons to authorize pending requests for code execution or plugin installations—permissions they should not have. An attacker with basic OpenClaw access could escalate their capabilities by approving requests they have no business approving, effectively bypassing the system's governance controls.
- CVE-2026-37266HIGH 8.0
Responsive File Manager version 9.14.0 contains a remote code execution vulnerability in its force_download.php component. An authenticated attacker can exploit this flaw to execute arbitrary code on the server, potentially gaining full control of the application and underlying system. The vulnerability requires an attacker to have valid login credentials and user interaction (such as clicking a malicious link), but poses a significant risk in multi-user or publicly accessible deployments.
- CVE-2026-35266HIGH 7.9
Oracle REST Data Services contains a vulnerability that allows an attacker with low-level network access and user credentials to manipulate critical data or disrupt service availability. The attack requires tricking another user into taking action, making it moderately difficult to exploit in practice. Versions 24.2.0 through 26.1.0 are affected. Success can lead to unauthorized access, modification, or deletion of sensitive information, as well as partial service outages.
- CVE-2022-49036HIGH 7.8
Synology Active Backup for Business Recovery Media Creator versions prior to 2.5.0-2081 contain a flaw where untrusted OpenSSL configuration can be loaded during operation. A local user with standard privileges can exploit this to execute arbitrary code on the system. The vulnerability stems from the application trusting configuration from a location or source that should not be trusted, creating a path for privilege escalation or lateral movement within an affected environment.
- CVE-2022-49042HIGH 7.8
Synology Hyper Backup Explorer contains a vulnerability that allows authenticated local users to execute arbitrary code through a flaw in how the MinGW DLL component handles untrusted libraries or code. An attacker with local access to a system running vulnerable versions can leverage this weakness to run malicious code with the privileges of the user running the application, potentially compromising data or system integrity.
- CVE-2025-12694HIGH 7.8
A flaw in Forcepoint VPN Client for Windows allows any logged-in user without administrator rights to gain full system-level (SYSTEM) access. An attacker with a regular user account can exploit this locally to take complete control of the machine. The vulnerability affects VPN Client version 6.11.3 and all earlier versions.
- CVE-2025-22424HIGH 7.8
A vulnerability in Android allows a user with local access to view images that should be restricted to other users. The flaw stems from insufficient validation of user input across multiple code locations. While this requires someone already on the device and user interaction to exploit, it can lead to privilege escalation, meaning an attacker could gain elevated access to sensitive data and system resources.
- CVE-2025-22426HIGH 7.8
CVE-2025-22426 is a privilege escalation vulnerability in Android's ComputerEngine component that allows a local attacker with basic user-level access to bypass security boundaries and access resources (URIs) belonging to other users on the same device. The flaw stems from a logic error in multiple functions within ComputerEngine.java that fails to properly enforce cross-user access controls. An attacker needs only local access to the device and their own user account—no special permissions or user interaction required—making this a straightforward path to elevated privileges.
- CVE-2025-26418HIGH 7.8
A vulnerability in Android's device management system allows a local attacker with basic app permissions to bypass the user confirmation dialog that normally protects account additions on managed devices. This enables privilege escalation without requiring any special system access or user interaction. The flaw stems from a missing permission check in the CarDevicePolicyService component.
- CVE-2025-32348HIGH 7.8
CVE-2025-32348 is a privilege escalation vulnerability affecting Android that allows a local attacker to launch background activities without proper permission validation. An attacker with basic user-level access can exploit this flaw to gain elevated privileges on the device—no special capabilities or user interaction required. The vulnerability exists across multiple code paths where permission checks are missing, creating a consistent attack surface.
- CVE-2025-41278HIGH 7.8
A memory read vulnerability exists in Waterfall Security's WF-500 RX Host (version 7.10.0.0 R2601141040) that allows an attacker with access to the TX Host to execute arbitrary code. The flaw stems from improper memory access controls, enabling an authenticated insider to move laterally within the Waterfall appliance and gain control of the receive-side components. This is a serious concern for organizations using Waterfall's unidirectional security gateways, as it undermines the trust boundary between the TX and RX sides of the architecture.
- CVE-2025-41280HIGH 7.8
Waterfall Security's WF-500 RX Host contains a path traversal vulnerability (Zip Slip) that allows attackers who have already gained access to the TX Host to execute arbitrary code on the RX Host, provided MySQL connector functionality is configured and file compression is enabled. The vulnerability stems from improper handling of file paths during decompression operations, enabling attackers to write files outside their intended directory. This is a privilege escalation concern within an already-compromised environment rather than an initial access vector.
- CVE-2025-41281HIGH 7.8
Nozomi Networks Labs discovered a code execution vulnerability in Waterfall's WF-500 RX Host that allows attackers already inside a network to run arbitrary commands. The vulnerability is triggered when a MySQL connector is configured and an attacker with access to the connected TX Host sends malicious input. This is a local privilege escalation scenario where internal network access is the prerequisite for exploitation.
- CVE-2025-48570HIGH 7.8
A vulnerability in Android's PipTaskOrganizer component allows a malicious application with basic system privileges to launch activities from the background without user interaction. An attacker exploiting this flaw could escalate their privileges within the system, potentially gaining access to sensitive functionality or data. The vulnerability stems from a confused deputy issue—where a trusted system component is tricked into performing privileged actions on behalf of an unprivileged attacker.
- CVE-2025-48649HIGH 7.8
CVE-2025-48649 is a local privilege escalation vulnerability affecting Google Android in which an attacker with limited user privileges can reset user-selected permission settings, effectively bypassing the permissions model that Android uses to protect sensitive device capabilities. Because no additional privileges are needed and user interaction is not required, any application with basic local access can trigger this issue to gain unauthorized access to protected device functions—a significant departure from Android's intended permission architecture.
- CVE-2025-48652HIGH 7.8
A logic flaw in Android's application installation validation code allows a local attacker to bypass Mobile Device Management (MDM) security policies. An attacker with local access to the device can exploit this vulnerability to gain elevated privileges without requiring additional permissions or user interaction. MDM policies are a key security control for organizations managing corporate Android devices, making this bypass a significant concern for enterprise environments.
- CVE-2025-59604HIGH 7.8
CVE-2025-59604 is a memory corruption vulnerability affecting Qualcomm Snapdragon processors across multiple generations. The flaw occurs during memory copy operations when a null pointer is dereferenced, causing invalid writes to memory. An attacker with local access to a device can exploit this to gain elevated privileges and potentially read or modify sensitive data. The vulnerability is rated HIGH severity and requires local execution context, meaning an attacker must already have a foothold on the device.
- CVE-2025-59605HIGH 7.8
CVE-2025-59605 is a memory corruption flaw affecting Qualcomm wireless and networking chipsets. When a device processes identifier strings longer than designed, the software fails to properly validate input length, allowing the overflow to corrupt adjacent memory regions. An attacker with local access and standard user privileges can exploit this to read sensitive data, modify system behavior, or crash the device. The vulnerability requires direct local access and cannot be exploited remotely.
- CVE-2025-59606HIGH 7.8
CVE-2025-59606 is a memory corruption vulnerability affecting multiple Qualcomm chipsets and wireless components. The flaw occurs when a device exhausts heap memory during secure data initialization, causing the firmware to write to invalid memory locations. An attacker with local access and limited privileges can exploit this to crash the system or potentially execute code with elevated permissions. This is a local privilege escalation risk rather than a remote attack vector.
- CVE-2026-0009HIGH 7.8
A logic error in Android allows a local attacker to hijack touch input through tapjacking attacks, potentially gaining elevated privileges on the device. No special permissions or user interaction are required for exploitation, making this a direct path to privilege escalation for any app already running on the compromised system.
- CVE-2026-0036HIGH 7.8
CVE-2026-0036 is a tapjacking vulnerability in Android's StageCoordinator animation handler that allows a malicious app to escalate privileges without requiring user interaction or special permissions. An attacker with a local account on the device can overlay transparent windows to intercept touch events or manipulate the animation state, gaining unauthorized access to sensitive device functions and data. The vulnerability affects multiple Android versions and is rated HIGH severity due to its direct path to privilege escalation.
- CVE-2026-0045HIGH 7.8
A logic error in Android's Bluetooth RFCOMM connection handling allows a local attacker to bypass the bonding requirement for secure connections. An attacker with local access can escalate privileges without needing special permissions or user interaction, potentially gaining full control over sensitive device functions protected by Bluetooth pairing.
- CVE-2026-0072HIGH 7.8
A missing permission check in Android's input method manager allows a local attacker with minimal privileges to escalate their access and take full control of the affected device. No user action is required to exploit this flaw, making it a practical risk in multi-user or compromised environments.
- CVE-2026-0076HIGH 7.8
CVE-2026-0076 is a local privilege escalation vulnerability in Android's ResourceTypes.cpp component. An attacker with local access to a device can trigger an out-of-bounds memory read through a flawed bounds check in the validateNode function. Successful exploitation allows the attacker to escalate privileges without requiring additional permissions or user interaction, potentially gaining elevated system access.
- CVE-2026-0077HIGH 7.8
CVE-2026-0077 is a privilege escalation vulnerability in Android's ActivityRecord component that allows a local attacker with limited user privileges to launch background applications and gain elevated system access. The flaw stems from a logic error in the resumeConfigurationDispatch function that fails to properly validate or constrain application launch permissions. No special privileges or user interaction are required for exploitation, making this a straightforward attack vector for any app running on an affected device.
- CVE-2026-0078HIGH 7.8
A flaw in Android's device policy management system allows a local user to escalate their privileges by exploiting improper validation of proxy configuration settings. The vulnerability exists in how the system persists global proxy changes, creating a state mismatch that can be leveraged without requiring special permissions or user interaction. An attacker with basic local access can trigger the flaw to gain elevated system privileges.