CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | Description | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|---|
| CVE-2026-32640 | SimpleEval is a library for adding evaluatable expressions into python projects. Prior to 1.0.5, objects (including modules) can leak dangerous modules through to direct access inside the sandbox. If ... | 9.8 | CRITICAL | – | 0 |
| CVE-2026-3060 | SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads() without ... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-70223 | Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formAdvNetwork. | 9.8 | CRITICAL | – | 0 |
| CVE-2025-70226 | Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formEasySetupWizard. | 9.8 | CRITICAL | – | 0 |
| CVE-2026-3584 | The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function ... | 9.8 | CRITICAL | – | 0 |
| CVE-2026-32232 | ZeptoClaw is a personal AI assistant. Prior to 0.7.6, there is a Dangling Symlink Component Bypass, TOCTOU Between Validation and Use, and Hardlink Alias Bypass. This vulnerability is fixed in 0.7.6. | 9.8 | CRITICAL | – | 0 |
| CVE-2026-21659 | Unauthenticated Remote Code Execution and Information Disclosure due to Local File Inclusion (LFI) vulnerability in Johnson Controls Frick Controls Quantum HD allows an unauthenticated attacker to exec... | 9.8 | CRITICAL | – | 0 |
| CVE-2026-21660 | Hardcoded Email Credentials Saved as Plaintext in Firmware (CWE-256: Plaintext Storage of a Password) vulnerability in Frick Controls Quantum HD version 10.22 and prior leads to unauthorized access, ex... | 9.8 | CRITICAL | – | 0 |
| CVE-2026-22207 | OpenViking through version 0.1.18, prior to commit 0251c70, contains a broken access control vulnerability that allows unauthenticated attackers to gain ROOT privileges when the root_api_key configura... | 9.8 | CRITICAL | – | 0 |
| CVE-2023-27997 | A heap-based buffer overflow vulnerability [CWE-122] in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and b... | 9.8 | CRITICAL | KEV | 0 |
| CVE-2026-26793 | GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the set_config function. This vulnerability allows attackers to execute arbitrary commands via a crafted inp... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-70219 | Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the goform/formDeviceReboot. | 9.8 | CRITICAL | – | 0 |
| CVE-2025-70245 | Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formSetWizardSelectMode. | 9.8 | CRITICAL | – | 0 |
| CVE-2025-46108 | D-Link DIR-513 A1FW110 is vulnerable to Buffer Overflow in the function formTcpipSetup. | 9.8 | CRITICAL | – | 0 |
| CVE-2025-70221 | Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formLogin. | 9.8 | CRITICAL | – | 0 |
| CVE-2025-70225 | Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curtime parameter to the goform/formEasySetupWWConfig component. | 9.8 | CRITICAL | – | 0 |
| CVE-2025-70222 | Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curTime parameter to goform/formLogin,goform/getAuthCode. | 9.8 | CRITICAL | – | 0 |
| CVE-2023-3197 | The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via the 'id' parameter in versions up to, and including, 4.0.1 due to insufficient escaping on the user supplie... | 9.8 | CRITICAL | – | 0 |
| CVE-2024-7094 | The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.8.6 via the... | 9.8 | CRITICAL | – | 0 |
| CVE-2023-2982 | The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insuffi... | 9.8 | CRITICAL | – | 0 |
| CVE-2020-29574 | An SQL injection vulnerability in the WebAdmin of Cyberoam OS through 2020-12-04 allows unauthenticated attackers to execute arbitrary SQL statements remotely. | 9.8 | CRITICAL | KEV | 0 |
| CVE-2026-26795 | GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the module parameter in the M.get_system_log function. This vulnerability allows attackers to execute arbitr... | 9.8 | CRITICAL | – | 0 |
| CVE-2026-26002 | Open OnDemand is an open-source high-performance computing portal. The Files application in OnDemand versions prior to 4.0.9 and 4.1.3 is susceptible to malicious input when navigating to a directory.... | 9.8 | CRITICAL | – | 0 |
| CVE-2026-26792 | GL-iNet GL-AR300M16 v4.3.11 was discovered to contain multiple command injection vulnerabilities in the set_upgrade function via the modem_url, target_version, current_version, firmware_upload, hash_t... | 9.8 | CRITICAL | – | 0 |
| CVE-2026-26791 | GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the string port parameter in the enable_echo_server function. This vulnerability allows attackers to execute... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-40926 | Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the ep... | 9.8 | CRITICAL | – | 0 |
| CVE-2024-6328 | The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.14.7. This is due to insufficient ver... | 9.8 | CRITICAL | – | 0 |
| CVE-2026-3257 | UnQLite versions through 0.06 for Perl use a potentially insecure version of the UnQLite library. UnQLite for Perl embeds the UnQLite library. Version 0.06 and earlier of the Perl module uses a ver... | 9.8 | CRITICAL | – | 0 |
| CVE-2026-3381 | Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib. Compress::Raw::Zlib includes a copy of the zlib library. Compress::Raw::Zlib version 2.220 includes zlib... | 9.8 | CRITICAL | – | 0 |
| CVE-2023-4634 | The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09. This is due to insufficient controls on file pa... | 9.8 | CRITICAL | – | 0 |
| CVE-2025-54001 | Deserialization of Untrusted Data vulnerability in ThemeREX Classter classter allows Object Injection. This issue affects Classter: from n/a through <= 2.5. | 9.8 | CRITICAL | – | 0 |
| CVE-2026-29859 | An arbitrary file upload vulnerability in aaPanel v7.57.0 allows attackers to execute arbitrary code via uploading a crafted file. | 9.8 | CRITICAL | – | 0 |
| CVE-2016-10033 | The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (bac... | 9.8 | CRITICAL | KEV | 0 |
| CVE-2026-3059 | SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication. | 9.8 | CRITICAL | – | 0 |
| CVE-2026-27751 | SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a default credentials vulnerability that allows remote attackers to obtain administrative access to the management interface. Attacke... | 9.8 | CRITICAL | – | 0 |
| CVE-2026-31975 | Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.25.0, OS Command Injection via WebSocket Shell. Both projectPath and initialCom... | 9.8 | CRITICAL | – | 0 |
| CVE-2026-22474 | Deserialization of Untrusted Data vulnerability in ThemeREX Equestrian Centre equestrian-centre allows Object Injection. This issue affects Equestrian Centre: from n/a through <= 1.5. | 9.8 | CRITICAL | – | 0 |
| CVE-2026-22475 | Deserialization of Untrusted Data vulnerability in axiomthemes Estate estate allows Object Injection. This issue affects Estate: from n/a through <= 1.3.4. | 9.8 | CRITICAL | – | 0 |
| CVE-2025-59388 | A use of hard-coded password vulnerability has been reported to affect Hyper Data Protector. The remote attackers can then exploit the vulnerability to gain unauthorized access. We have already fixed... | 9.8 | CRITICAL | – | 0 |
| CVE-2026-22497 | Deserialization of Untrusted Data vulnerability in AncoraThemes Jardi jardi allows Object Injection. This issue affects Jardi: from n/a through <= 1.7.2. | 9.8 | CRITICAL | – | 0 |
| CVE-2026-22501 | Deserialization of Untrusted Data vulnerability in axiomthemes Mounthood mounthood allows Object Injection. This issue affects Mounthood: from n/a through <= 1.3.2. | 9.8 | CRITICAL | – | 0 |
| CVE-2026-3207 | Configuration issue in Java Management Extensions (JMX) in TIBCO BPM Enterprise version 4.x allows unauthorised access. | 9.8 | CRITICAL | – | 0 |
| CVE-2026-23767 | ESC/POS, a printer control language designed by Seiko Epson Corporation, lacks mechanisms for user authentication and command authorization, does not provide controls to restrict sources or destinatio... | 9.8 | CRITICAL | – | 0 |
| CVE-2023-3277 | The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login fea... | 9.8 | CRITICAL | – | 0 |
| CVE-2026-32136 | AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.73, an unauthenticated remote attacker can bypass all authentication in AdGuardHome by sending an HTTP/1.1 request... | 9.8 | CRITICAL | – | 0 |
| CVE-2026-27755 | SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a weak session identifier generation vulnerability that allows attackers to forge authenticated sessions by computing predictable MD5... | 9.8 | CRITICAL | – | 0 |
| CVE-2019-25687 | Pegasus CMS 1.0 contains a remote code execution vulnerability in the extra_fields.php plugin that allows unauthenticated attackers to execute arbitrary commands by exploiting unsafe eval functionalit... | 9.8 | CRITICAL | – | 0 |
| CVE-2023-6972 | The Backup Migration plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.9 via the 'content-backups' and 'content-name', 'content-manifest', or 'content-bmit... | 9.8 | CRITICAL | – | 0 |
| CVE-2026-30741 | A remote code execution (RCE) vulnerability in OpenClaw Agent Platform v2026.2.6 allows attackers to execute arbitrary code via a Request-Side prompt injection attack. | 9.8 | CRITICAL | – | 0 |
| CVE-2025-67035 | An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The SSH Client and SSH Server pages are affected by multiple OS injection vulnerabilities due to missing sanitization of input parameters. An at... | 9.8 | CRITICAL | – | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.