CVEs from 2026
- Total 14,385
- critical 1,271
- high 4,879
- medium 4,570
- low 497
- % Critical 8.8%
- % with KEV 0.4%
- % with exploit 0.7%
Top products
- chrome 522
- firepower_threat_defense_software 300
- gcp 299
- firepower_threat_defense 298
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-9813 | critical | 9.9 | 9.9 | 8d ago | FlowIntel up to version 3.3.0 contains a server-side request forgery (SSRF) vulnerability in the external reference URL probe functionality in app/case/task.py. An attacker who can submit an external… | |||
| CVE-2026-45102 | critical | 9.9 | 9.9 | 9d ago | OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses the Node.js' vm module as an isolation primitive. This API was not designed for that and can be esc… | |||
| CVE-2026-46425 | critical | 9.9 | 9.9 | 9d ago | Budibase is an open-source low-code platform. Prior to 3.38.2, packages/worker/src/api/routes/global/scim.ts attaches only two middlewares to the SCIM router: requireSCIM (checks the Enterprise featu… | |||
| CVE-2026-42757 | critical | 9.9 | 9.9 | 9d ago | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Path Traversal. This issue affects Webi… | |||
| CVE-2026-42756 | critical | 9.9 | 9.9 | 9d ago | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Ludwig You QuickWebP – Compress / Optimize Images & Convert WebP \| SEO Friendly quickwebp all… | |||
| CVE-2026-42748 | critical | 9.9 | 9.9 | 9d ago | Unrestricted Upload of File with Dangerous Type vulnerability in WPify WPify Woo Czech wpify-woo allows Upload a Web Shell to a Web Server. This issue affects WPify Woo Czech: from n/a through <= 5.4.… | |||
| CVE-2026-44450 | critical | 9.9 | 9.9 | 10d ago | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the … | |||
| CVE-2026-46624 | critical | 9.9 | 9.9 | 10d ago | Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in Twenty CRM via a chained SQL Injection and PostgreSQL COPY TO PROGRAM attack. I… | |||
| CVE-2026-44723 | critical | 9.9 | 9.9 | 10d ago | Vowpal Wabbit is a machine learning system. The workflow .github/workflows/python_checks.yml embeds ${{ github.event.pull_request.title }} directly inside double-quoted bash strings in four separate … | |||
| CVE-2026-7374 | critical | 9.9 | 9.9 | 10d ago | A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation whe… | |||
| CVE-2026-40411 | critical | 9.9 | 9.9 | 13d ago | Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network. | |||
| CVE-2026-4858 | critical | 9.9 | 9.9 | 15d ago | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URL for path traversal which allows a malicious authenticated user to call an… | |||
| CVE-2026-44050 | critical | 9.9 | 9.9 | 15d ago | A heap-based buffer overflow in the CNID daemon comm_rcv() function in Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code with escalated privileges or cause… | |||
| CVE-2026-24425 | critical | 9.9 | 9.9 | 16d ago | Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PH… | |||
| CVE-2026-27130 | critical | 9.9 | 9.9 | 18d ago | Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. 3 chained issues cause this problem: inadequate input… | |||
| CVE-2026-45625 | critical | 9.9 | 9.9 | 18d ago | Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, Arcane's huma-based REST API exposes nine endpoints under /api/customize/git-repositories and /a… | |||
| CVE-2026-44774 | critical | 9.9 | 9.9 | 21d ago | Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false | |||
| CVE-2026-44881 | critical | 9.9 | 9.9 | 22d ago | Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before … | |||
| CVE-2026-44442 | critical | 9.9 | 9.9 | 22d ago | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permi… | |||
| CVE-2026-43999 | critical | 9.9 | 9.9 | 23d ago | vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape | |||
| CVE-2026-41050 | critical | 9.9 | 9.9 | 23d ago | Fleet: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering | |||
| CVE-2026-44015 | critical | 9.9 | 9.9 | 23d ago | Nginx-UI has Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware that Allows Access to Internal Services | |||
| CVE-2026-43948 | critical | 9.9 | 9.9 | 23d ago | wger: cross-tenant password reset and plaintext disclosure via gym=None bypass | |||
| CVE-2026-42898 | critical | 9.9 | 9.9 | 24d ago | Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network. | |||
| CVE-2026-42823 | critical | 9.9 | 9.9 | 24d ago | Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network. | |||
| CVE-2026-42864 | critical | 9.9 | 9.9 | 25d ago | FireFighter has unauthenticated SSRF in its Raid jira_bot endpoint that allows IAM credential theft | |||
| CVE-2026-42858 | critical | 9.9 | 9.9 | 25d ago | Open edX Platform enables the authoring and delivery of online learning at any scale. The sync_provider_data endpoint in SAMLProviderDataViewSet allows authenticated Enterprise Admin users to supply … | |||
| CVE-2026-7813 | critical | 9.9 | 9.9 | 25d ago | pgAdmin 4 server mode has an authorization vulnerability affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules | |||
| CVE-2026-44477 | critical | 9.9 | 9.9 | 25d ago | CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as t… | |||
| CVE-2026-42454 | critical | 9.9 | 9.9 | 27d ago | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, all Docker container management endpoints in Termix interpolate t… | |||
| CVE-2026-41512 | critical | 9.9 | 9.9 | 28d ago | ai-scanner is an AI model safety scanner built on NVIDIA garak. From version 1.0.0 to before version 1.4.1, there is a remote code execution vulnerability via JavaScript injection in `BrowserAutomati… | |||
| CVE-2026-33109 | critical | 9.9 | 9.9 | 28d ago | Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network. | |||
| CVE-2026-42812 | critical | 9.9 | 9.9 | 1mo ago | Apache Polaris has an Improper Input Validation issue | |||
| CVE-2026-42811 | critical | 9.9 | 9.9 | 1mo ago | Apache Polaris has an Improper Input Validation issue | |||
| CVE-2026-42810 | critical | 9.9 | 9.9 | 1mo ago | Apache Polaris has an Improper Input Validation Issue | |||
| CVE-2026-42809 | critical | 9.9 | 9.9 | 1mo ago | Apache Polaris has an Improper Input Validation Issue | |||
| CVE-2026-42368 | critical | 9.9 | 9.9 | 1mo ago | A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to execute privileged operation. An attack… | |||
| CVE-2026-30893 | critical | 9.9 | 9.9 | 1mo ago | Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.4.0 to before version 4.14.4, a path traversal vulnerability in Wazuh's cluster synchroniz… | |||
| CVE-2026-40453 | critical | 9.9 | 9.9 | 1mo ago | Apache Camel has an incomplete fix for CVE-2025-27636 | |||
| CVE-2026-41478 | critical | 9.9 | 9.9 | 1mo ago | Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId) | |||
| CVE-2026-21515 | critical | 9.9 | 9.9 | 1mo ago | Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network. | |||
| CVE-2026-40089 | critical | 9.9 | 9.9 | 2mo ago | Sonicverse is a Self-hosted Docker Compose stack for live radio streaming. The Sonicverse Radio Audio Streaming Stack dashboard contains a Server-Side Request Forgery (SSRF) vulnerability in its API … | |||
| CVE-2026-32621 | critical | 9.9 | 9.9 | 3mo ago | Apollo Federation vulnerable to prototype pollution via incomplete key sanitization | |||
| CVE-2026-21708 | critical | 9.9 | 9.9 | 3mo ago | A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user. | |||
| CVE-2026-21669 | critical | 9.9 | 9.9 | 3mo ago | A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server. | |||
| CVE-2026-6274 | critical | 9.8 | 9.8 | 29 min ago | Improper Authentication, Missing authentication for critical function, Weak Authentication vulnerability in DTS Electronics Industry and Trade Ltd. Co. Redline WR3200 allows Accessing Functionality N… | |||
| CVE-2026-25550 | critical | 9.8 | 9.8 | 15h ago | Seagull Software BarTender 2010, 2016, and 2019 contain an unauthenticated remote code execution vulnerability in the .NET Remoting service exposed on TCP port 7375 via BtSystem.Service.exe. The serv… | |||
| CVE-2026-10880 | critical | 9.8 | 9.8 | 15h ago | OSNexus QuantaStor SDS Manager is vulnerable to SQL injection in the login endpoint. The username field is not properly sanitized before being incorporated into a SQL query, allowing an unauthenticat… | |||
| CVE-2026-4104 | critical | 9.8 | 9.8 | 21h ago | Authorization bypass through User-Controlled SQL primary key vulnerability in Akmer Informatics Automation Industry and Trade Ltd. Co. TeknoPass allows SQL Injection. This issue affects TeknoPass: f… | |||
| CVE-2026-50211 | critical | 9.8 | 9.8 | 1d ago | Leftover engineering diagnostics and factory-level diagnostic software remain exposed on retail builds, giving malicious apps write privileges to internal NVRAM registers. | |||
| CVE-2026-49191 | critical | 9.8 | 9.8 | 1d ago | The production build of the M3WebServer hard-codes its backend API keys, which can be easily intercepted through verbose error handling pages. | |||
| CVE-2026-49186 | critical | 9.8 | 9.8 | 1d ago | The local MQTT broker does not enforce topic-level Access Control Lists (ACLs). This allows any client to subscribe using wildcard characters (# or +) to enumerate hidden network devices or publish r… | |||
| CVE-2026-49185 | critical | 9.8 | 9.8 | 1d ago | The FieldX MDM adb messaging topic passes unverified payloads directly into Runtime.exec(), allowing command/instruction injection. | |||
| CVE-2026-49188 | critical | 9.8 | 9.8 | 1d ago | The ai_cmd utility executes with full root permissions. It pipes socket inputs directly to popen(), paving the way for unauthenticated users to execute arbitrary root commands. | |||
| CVE-2026-36576 | critical | 9.8 | 9.8 | 2d ago | An OS command injection vulnerability in the app.py component of openlabs docker-wkhtmltopdf-aas up to commit 9f50579 allows attackers to execute arbitrary commands via a crafted POST request. | |||
| CVE-2026-35075 | critical | 9.8 | 9.8 | 2d ago | An unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access to all affected devices. | |||
| CVE-2026-47065 | critical | 9.8 | 9.8 | 2d ago | ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy Assessment: Fully addressed. When the serialised stream contains a TC_PROXYCLASSDESC (the ma… | |||
| CVE-2026-49448 | critical | 9.8 | 9.8 | 3d ago | authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions … | |||
| CVE-2026-5076 | critical | 9.8 | 9.8 | 3d ago | The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext copy of the password reset k… | |||
| CVE-2026-38967 | critical | 9.8 | 9.8 | 3d ago | CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values. | |||
| CVE-2026-0611 | critical | 9.8 | 9.8 | 3d ago | Spacelabs Healthcare Sentinel versions 10.5.x and higher and 11.x.x before 11.6.0 contain an unauthenticated remote code execution vulnerability through a deprecated .NET Remoting HTTP channel expose… | |||
| CVE-2026-47117 | critical | 9.8 | 9.8 | 3d ago | OpenMed before 1.5.2 contains a remote code execution vulnerability in the PII privacy-filter model loading path. The privacy-filter dispatcher used broad substring matching on the user-supplied mode… | |||
| CVE-2026-7198 | critical | 9.8 | 9.8 | 3d ago | CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in f… | |||
| CVE-2026-8206 | critical | 9.8 | 9.8 | 3d ago | The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plug… | |||
| CVE-2026-48879 | critical | 9.8 | 9.8 | 4d ago | Incorrect Privilege Assignment vulnerability in Sergey AIWU allows Privilege Escalation. This issue affects AIWU: from n/a through 1.4.17. | |||
| CVE-2026-42680 | critical | 9.8 | 9.8 | 4d ago | Incorrect Privilege Assignment vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery Pro allows Privilege Escalation. This issue affects Contest Gallery Pro: from n/a through … | |||
| CVE-2026-7858 | critical | 9.8 | 9.8 | 4d ago | A Deserialization of Untrusted Data vulnerability affecting Teamwork Cloud from No Magic Release 2022x through No Magic Release 2026x and Magic Collaboration Studio from CATIA Magic Release 2022x thr… | |||
| CVE-2026-10187 | critical | 9.8 | 9.8 | 5d ago | A vulnerability was detected in Totolink N300RH 6.1c.1353_B20190305. Affected by this issue is the function setWiFiBasicConfig of the file wireless.so of the component Web Management Interface. Perfo… | |||
| CVE-2026-45700 | critical | 9.8 | 9.8 | 7d ago | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's planar bitmap decoder has an out-of-bounds heap write when decoding RLE planar data. In libfreerdp/codec/pl… | |||
| CVE-2026-7786 | critical | 9.8 | 9.8 | 7d ago | Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter device firmware contains plaintext administrative credentials embedded in the firmware image. These credentials … | |||
| CVE-2026-10064 | critical | 9.8 | 9.8 | 7d ago | A security flaw has been discovered in TRENDnet TEW-432BRP 3.10B20. This affects the function formSetPortTr of the file /goform/formSetPortTr. Performing a manipulation of the argument special_name r… | |||
| CVE-2026-10063 | critical | 9.8 | 9.8 | 7d ago | A vulnerability was identified in TRENDnet TEW-432BRP 3.10B20. Affected by this issue is the function formWPS of the file /goform/formWPS. Such manipulation of the argument peerPin leads to stack-bas… | |||
| CVE-2026-10062 | critical | 9.8 | 9.8 | 7d ago | A vulnerability was determined in TRENDnet TEW-432BRP 3.10B20. Affected by this vulnerability is the function formSetRoute of the file /goform/formSetRoute. This manipulation of the argument ip/mask/… | |||
| CVE-2026-10042 | critical | 9.8 | 9.8 | 7d ago | manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{… | |||
| CVE-2026-46376 | critical | 9.8 | 9.8 | 7d ago | FreePBX is an open source IP PBX. From 15.0.42 to before 16.0.45 and 17.0.7, unauthenticated users may be able to access the User Control Panel (UCP) using hard-coded initial template credentials if … | |||
| CVE-2026-10061 | critical | 9.8 | 9.8 | 7d ago | A vulnerability was found in TRENDnet TEW-432BRP 3.10B20. Affected is the function formWPS of the file /goform/formWPS. The manipulation of the argument peerPin results in command injection. The atta… | |||
| CVE-2026-10060 | critical | 9.8 | 9.8 | 7d ago | A vulnerability has been found in TRENDnet TEW-432BRP 3.10B20. This impacts the function formSetRoute of the file /goform/formSetRoute. The manipulation of the argument ip/mask/gateway leads to comma… | |||
| CVE-2026-10071 | critical | 9.8 | 9.8 | 7d ago | DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code exec… | |||
| CVE-2026-49199 | critical | 9.8 | 9.8 | 7d ago | Crafted MQTT messages can trigger command injection, resulting in root-level code execution on the target device. | |||
| CVE-2026-3655 | critical | 9.8 | 9.8 | 7d ago | The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the `… | |||
| CVE-2026-8732 | critical | 9.8 | 9.8 | 7d ago | The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmp_temp_access_ajax AJ… | |||
| CVE-2026-8809 | critical | 9.8 | 9.8 | 7d ago | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the … | |||
| CVE-2026-46817 | critical | 9.8 | 9.8 | 8d ago | Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allo… | |||
| CVE-2026-34311 | critical | 9.8 | 9.8 | 8d ago | Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.24, 5.6.22, 5.6.25.19… | |||
| CVE-2026-45039 | critical | 9.8 | 9.8 | 8d ago | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The functi… | |||
| CVE-2026-9097 | critical | 9.8 | 9.8 | 8d ago | Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken() function in object/token_oauth.go validates the JWT signature and pa… | |||
| CVE-2026-9094 | critical | 9.8 | 9.8 | 8d ago | Casdoor versions 2.362.0 and earlier contain a vulnerability enabling cross-organization token exchange. The GetTokenExchangeToken function in object/token_oauth.go validates JWT signatures but does … | |||
| CVE-2026-9093 | critical | 9.8 | 9.8 | 8d ago | In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never… | |||
| CVE-2026-38707 | critical | 9.8 | 9.8 | 8d ago | A command injection vulnerability exists in the IPSec VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier ve… | |||
| CVE-2026-38704 | critical | 9.8 | 9.8 | 8d ago | A command injection vulnerability exists in the WireGuard VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlie… | |||
| CVE-2026-38703 | critical | 9.8 | 9.8 | 8d ago | A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier… | |||
| CVE-2026-38702 | critical | 9.8 | 9.8 | 8d ago | A command injection vulnerability exists in the Admin Access feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier… | |||
| CVE-2026-24444 | critical | 9.8 | 9.8 | 8d ago | SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 contain a hardcoded password vulnerability in the web management interface recovery endpoints (mgmt.php, npcmd.php) that a… | |||
| CVE-2026-46195 | critical | 9.8 | 9.8 | 8d ago | In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_… | |||
| CVE-2026-46137 | critical | 9.8 | 9.8 | 8d ago | In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq cont… | |||
| CVE-2026-46135 | critical | 9.8 | 9.8 | 8d ago | In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Init… | |||
| CVE-2026-46115 | critical | 9.8 | 9.8 | 8d ago | In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity … | |||
| CVE-2026-8364 | critical | 9.8 | 9.8 | 9d ago | Gladinet Triofox Cloud Server Agent Access Service (GladServerAgentService.exe) listens on TCP port 7878 and processes remote HTTP messages with URL paths starting with /resources, /status, /sysinfo,… | |||
| CVE-2026-8363 | critical | 9.8 | 9.8 | 9d ago | A stack-based buffer overflow condition exists in WOSDeviceDropFolder.dll when processing a long URL path starting with /resources: | |||
| CVE-2026-8362 | critical | 9.8 | 9.8 | 9d ago | A stack-based buffer overflow condition exists in WOSDefaultHttpModule.dll when processing a long URL path starting with /woshome |