CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-22238 The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX admin APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP re... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-62582 Delta Electronics DIAView has multiple vulnerabilities. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-1056 The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' function in all versions up to, and includin... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-47552 Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery allows Object Injection.This issue affects DZS Video Gallery: from n/a through 12.37. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-36967 Zortam Mp3 Media Studio 27.60 contains a buffer overflow vulnerability in the library creation file selection process that allows remote code execution. Attackers can craft a malicious text file with ... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-46070 An issue in Automai BotManager v.25.2.0 allows a remote attacker to execute arbitrary code via the BotManager.exe component | 9.8 | CRITICAL | β | 0 |
| CVE-2025-14236 Buffer overflow in Address Book attribute tag processing on Small Office Multifunction Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-69329 Deserialization of Untrusted Data vulnerability in Jthemes Prestige prestige allows Object Injection.This issue affects Prestige: from n/a through < 1.4.1. | 9.8 | CRITICAL | β | 0 |
| CVE-2016-20052 Snews CMS 1.7 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files including PHP executables to the snews_files directory. Attackers can u... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-0892 Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-14234 Buffer overflow in CPCA list processing on Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsi... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-14237 Buffer overflow in XPS font parse processing on Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unres... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-22237 The vulnerability exists in BLUVOYIX due to the exposure of sensitive internal API documentation. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP ... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-22708 Cursor is a code editor built for programming with AI. Prior to 2.3, hen the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without... | 9.8 | CRITICAL | β | 0 |
| CVE-2019-25296 The WP Cost Estimation plugin for WordPress is vulnerable to arbitrary file uploads and deletion due to missing file type validation in the lfb_upload_form and lfb_removeFile AJAX actions in versions ... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-69371 Deserialization of Untrusted Data vulnerability in AncoraThemes KindlyCare kindlycare allows Object Injection.This issue affects KindlyCare: from n/a through <= 1.6.1. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-22852 FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a malicious RDP server can trigger a heap-buffer-overflow write in the FreeRDP client when processing Audio Input (AUD... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-14502 The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. This makes it possible for unauthenti... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-65482 An XML External Entity (XXE) vulnerability in opensagres XDocReport v0.9.2 to v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .docx file. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-25240 PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability can occur in user::maintains() when role filters are provided as an arra... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-65552 D3D Wi-Fi Home Security System ZX-G12 v2.1.1 is vulnerable to RF replay attacks on the 433 MHz sensor communication channel. The system does not implement rolling codes, message authentication, or ant... | 9.8 | CRITICAL | β | 0 |
| CVE-2020-37125 Edimax EW-7438RPn-v3 Mini 1.27 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands through the /goform/mp endpoint. Attackers can exploit... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-47891 Unified Remote 3.9.0.2463 contains a remote code execution vulnerability that allows attackers to send crafted network packets to execute arbitrary commands. Attackers can exploit the service by conne... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-14301 The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. This is due to the `process_table_bulk_actions()` function p... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-47781 Cmder Console Emulator 1.3.18 contains a buffer overflow vulnerability that allows attackers to trigger a denial of service condition through a maliciously crafted .cmd file. Attackers can create a sp... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-1221 PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to the database using hardcoded da... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-69382 Deserialization of Untrusted Data vulnerability in themesflat Themesflat Elementor themesflat-elementor allows Object Injection.This issue affects Themesflat Elementor: from n/a through <= 1.0.1. | 9.8 | CRITICAL | β | 0 |
| CVE-2025-60021 Remote command injection vulnerability in heap profiler builtin service in Apache bRPC ((all versions < 1.15.0)) on all platforms allows attacker to inject remote command. Root Cause: The bRPC heap... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-1021 Police Statistics Database System developed by Gotac has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attacker to upload and execute web shell backdoors, thereby enabling ar... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-1019 Police Statistics Database System developed by Gotac has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents by using a spec... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-47854 DD-WRT version 45723 contains a buffer overflow vulnerability in the UPNP network discovery service that allows remote attackers to potentially execute arbitrary code. Attackers can send crafted M-SEA... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-62799 Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-12420 A vulnerability has been identified in the ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitle... | 9.8 | CRITICAL | β | 0 |
| CVE-2021-47774 Kingdia CD Extractor 3.0.2 contains a buffer overflow vulnerability in the registration name field that allows attackers to execute arbitrary code. Attackers can craft a malicious payload exceeding 25... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-69766 Tenda AX3 firmware v16.03.12.11 contains a stack-based buffer overflow in the formGetIptv function due to improper handling of the citytag stack buffer, which may result in memory corruption and remot... | 9.8 | CRITICAL | β | 0 |
| CVE-2020-37002 Ajenti 2.1.36 contains an authentication bypass vulnerability that allows remote attackers to execute arbitrary commands after successful login. Attackers can leverage the /api/terminal/create endpoin... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-14894 Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malic... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-66802 Sourcecodester Covid-19 Contact Tracing System 1.0 is vulnerable to RCE (Remote Code Execution). The application receives a reverse shell (php) into imagem of the user enabling RCE. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-37012 Tea LaTex 1.0 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary shell commands through the /api.php endpoint. Attackers can craft a malicious La... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-62877 Projects using the SUSE Virtualization (Harvester) environment mayΒ expose the OS default ssh login passwordΒ Β if they are using the 1.5.x or 1.6.x interactive installer to either create a new cluster o... | 9.8 | CRITICAL | β | 0 |
| CVE-2018-25254 NICO-FTP 3.0.1.19 contains a structured exception handler buffer overflow vulnerability that allows remote attackers to execute arbitrary code by sending crafted FTP commands. Attackers can connect to... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-68705 RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 to 1.0.0-alpha.78, RustFS contains a path traversal vulnerability in the /rustfs/rpc/read_file_stream endpoint. ... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-69258 A LoadLibraryEX vulnerability in Trend Micro Apex Central could allow an unauthenticated remote attacker to load an attacker-controlled DLL into a key executable, leading to execution of attacker-supp... | 9.8 | CRITICAL | β | 0 |
| CVE-2019-25232 NetPCLinker 1.0.0.0 contains a buffer overflow vulnerability in the Clients Control Panel DNS/IP field that allows attackers to execute arbitrary shellcode. Attackers can craft a malicious payload in ... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-51958 aelsantex runcommand 2014-04-01, a plugin for DokuWiki, allows unauthenticated attackers to execute arbitrary system commands via lib/plugins/runcommand/postaction.php. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-37027 Sickbeard alpha contains a remote command injection vulnerability that allows unauthenticated attackers to execute arbitrary commands through the extra scripts configuration. Attackers can set malicio... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-0884 Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | 9.8 | CRITICAL | β | 0 |
| CVE-2020-36912 Plexus anblick Digital Signage Management 3.1.13 contains an open redirect vulnerability in the 'PantallaLogin' script that allows attackers to manipulate the 'pagina' GET parameter. Attackers can cra... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-22043 RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.13 through 1.0.0-alpha.78, a flawed `deny_only` short-circuit in RustFS IAM allows a restricted service account or ... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-54339 Webgrind 1.1 contains a remote command execution vulnerability that allows unauthenticated attackers to inject OS commands via the dataFile parameter in index.php. Attackers can execute arbitrary syst... | 9.8 | CRITICAL | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.