CVEs from 2026
- Total: 14,122
- Critical: 1,246
- High: 4,695
- Medium: 4,475
- Low: 488
- % Critical: 8.8%
- % with KEV: 0.4%
- % with exploit: 0.8%
Top products
- chrome 522
- firepower_threat_defense_software 300
- firepower_threat_defense 298
- gcp 247
- openclaw 172
- commerce 104
- netweaver_application_server_abap 102
- commerce_b2b 89
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42757 | critical | 9.9 | 9.9 | 8d ago | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Path Traversal. This issue affects Webi… | |||
| CVE-2026-42756 | critical | 9.9 | 9.9 | 8d ago | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Ludwig You QuickWebP – Compress / Optimize Images & Convert WebP \| SEO Friendly quickwebp all… | |||
| CVE-2026-42748 | critical | 9.9 | 9.9 | 8d ago | Unrestricted Upload of File with Dangerous Type vulnerability in WPify WPify Woo Czech wpify-woo allows Upload a Web Shell to a Web Server. This issue affects WPify Woo Czech: from n/a through <= 5.4.… | |||
| CVE-2026-44450 | critical | 9.9 | 9.9 | 8d ago | Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the … | |||
| CVE-2026-46624 | critical | 9.9 | 9.9 | 9d ago | Twenty is an open source CRM. From 1.7.7 through 1.16.7, a critical Remote Code Execution (RCE) vulnerability exists in Twenty CRM via a chained SQL Injection and PostgreSQL COPY TO PROGRAM attack. I… | |||
| CVE-2026-44723 | critical | 9.9 | 9.9 | 9d ago | Vowpal Wabbit is a machine learning system. The workflow .github/workflows/python_checks.yml embeds ${{ github.event.pull_request.title }} directly inside double-quoted bash strings in four separate … | |||
| CVE-2026-7374 | critical | 9.9 | 9.9 | 9d ago | A flaw was found in KubeVirt's virt-handler component. This vulnerability allows an authenticated OpenShift user with edit permissions in a single namespace to exploit improper symlink validation whe… | |||
| CVE-2026-40411 | critical | 9.9 | 9.9 | 12d ago | Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network. | |||
| CVE-2026-4858 | critical | 9.9 | 9.9 | 14d ago | Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URL for path traversal which allows a malicious authenticated user to call an… | |||
| CVE-2026-44050 | critical | 9.9 | 9.9 | 14d ago | A heap-based buffer overflow in the CNID daemon comm_rcv() function in Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code with escalated privileges or cause… | |||
| CVE-2026-24425 | critical | 9.9 | 9.9 | 15d ago | Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PH… | |||
| CVE-2026-27130 | critical | 9.9 | 9.9 | 16d ago | Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. 3 chained issues cause this problem: inadequate input… | |||
| CVE-2026-45625 | critical | 9.9 | 9.9 | 17d ago | Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, Arcane's huma-based REST API exposes nine endpoints under /api/customize/git-repositories and /a… | |||
| CVE-2026-44774 | critical | 9.9 | 9.9 | 20d ago | Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false | |||
| CVE-2026-44881 | critical | 9.9 | 9.9 | 21d ago | Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before … | |||
| CVE-2026-44442 | critical | 9.9 | 9.9 | 21d ago | ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permi… | |||
| CVE-2026-43999 | critical | 9.9 | 9.9 | 22d ago | vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape | |||
| CVE-2026-41050 | critical | 9.9 | 9.9 | 22d ago | Fleet: Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering | |||
| CVE-2026-44015 | critical | 9.9 | 9.9 | 22d ago | Nginx-UI has Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware that Allows Access to Internal Services | |||
| CVE-2026-43948 | critical | 9.9 | 9.9 | 22d ago | wger: cross-tenant password reset and plaintext disclosure via gym=None bypass | |||
| CVE-2026-42898 | critical | 9.9 | 9.9 | 23d ago | Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network. | |||
| CVE-2026-42823 | critical | 9.9 | 9.9 | 23d ago | Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network. | |||
| CVE-2026-42864 | critical | 9.9 | 9.9 | 24d ago | FireFighter has unauthenticated SSRF in its Raid jira_bot endpoint that allows IAM credential theft | |||
| CVE-2026-42858 | critical | 9.9 | 9.9 | 24d ago | Open edX Platform enables the authoring and delivery of online learning at any scale. The sync_provider_data endpoint in SAMLProviderDataViewSet allows authenticated Enterprise Admin users to supply … | |||
| CVE-2026-7813 | critical | 9.9 | 9.9 | 24d ago | pgAdmin 4 server mode has an authorization vulnerability affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules | |||
| CVE-2026-44477 | critical | 9.9 | 9.9 | 24d ago | CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as t… | |||
| CVE-2026-42454 | critical | 9.9 | 9.9 | 26d ago | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, all Docker container management endpoints in Termix interpolate t… | |||
| CVE-2026-41512 | critical | 9.9 | 9.9 | 27d ago | ai-scanner is an AI model safety scanner built on NVIDIA garak. From version 1.0.0 to before version 1.4.1, there is a remote code execution vulnerability via JavaScript injection in `BrowserAutomati… | |||
| CVE-2026-33109 | critical | 9.9 | 9.9 | 27d ago | Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network. | |||
| CVE-2026-42812 | critical | 9.9 | 9.9 | 1mo ago | Apache Polaris has an Improper Input Validation issue | |||
| CVE-2026-42811 | critical | 9.9 | 9.9 | 1mo ago | Apache Polaris has an Improper Input Validation issue | |||
| CVE-2026-42810 | critical | 9.9 | 9.9 | 1mo ago | Apache Polaris has an Improper Input Validation Issue | |||
| CVE-2026-42809 | critical | 9.9 | 9.9 | 1mo ago | Apache Polaris has an Improper Input Validation Issue | |||
| CVE-2026-42368 | critical | 9.9 | 9.9 | 1mo ago | A privilege escalation vulnerability exists in the Web Interface functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted HTTP request can lead to execute privileged operation. An attack… | |||
| CVE-2026-30893 | critical | 9.9 | 9.9 | 1mo ago | Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.4.0 to before version 4.14.4, a path traversal vulnerability in Wazuh's cluster synchroniz… | |||
| CVE-2026-40453 | critical | 9.9 | 9.9 | 1mo ago | Apache Camel has an incomplete fix for CVE-2025-27636 | |||
| CVE-2026-41478 | critical | 9.9 | 9.9 | 1mo ago | Saltcorn: SQL Injection via Unparameterized Sync Endpoints (maxLoadedId) | |||
| CVE-2026-21515 | critical | 9.9 | 9.9 | 1mo ago | Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network. | |||
| CVE-2026-40089 | critical | 9.9 | 9.9 | 2mo ago | Sonicverse is a Self-hosted Docker Compose stack for live radio streaming. The Sonicverse Radio Audio Streaming Stack dashboard contains a Server-Side Request Forgery (SSRF) vulnerability in its API … | |||
| CVE-2026-32621 | critical | 9.9 | 9.9 | 3mo ago | Apollo Federation vulnerable to prototype pollution via incomplete key sanitization | |||
| CVE-2026-21708 | critical | 9.9 | 9.9 | 3mo ago | A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user. | |||
| CVE-2026-21669 | critical | 9.9 | 9.9 | 3mo ago | A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server. | |||
| CVE-2026-36576 | critical | 9.8 | 9.8 | 15h ago | An OS command injection vulnerability in the app.py component of openlabs docker-wkhtmltopdf-aas up to commit 9f50579 allows attackers to execute arbitrary commands via a crafted POST request. | |||
| CVE-2026-35075 | critical | 9.8 | 9.8 | 18h ago | An unauthenticated remote attacker can recover a default, hard coded password from a firmware image and thus gain full access to all affected devices. | |||
| CVE-2026-47065 | critical | 9.8 | 9.8 | 20h ago | ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy Assessment: Fully addressed. When the serialised stream contains a TC_PROXYCLASSDESC (the ma… | |||
| CVE-2026-49448 | critical | 9.8 | 9.8 | 1d ago | authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions … | |||
| CVE-2026-5076 | critical | 9.8 | 9.8 | 1d ago | The ARMember Premium plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 7.3.1. The plugin stores a plaintext copy of the password reset k… | |||
| CVE-2026-38967 | critical | 9.8 | 9.8 | 1d ago | CrowCpp Crow through v1.3.1 HTTP is vulnerable to response header injection via unvalidated response header values. | |||
| CVE-2026-0611 | critical | 9.8 | 9.8 | 2d ago | Spacelabs Healthcare Sentinel versions 10.5.x and higher and 11.x.x before 11.6.0 contain an unauthenticated remote code execution vulnerability through a deprecated .NET Remoting HTTP channel expose… | |||
| CVE-2026-47117 | critical | 9.8 | 9.8 | 2d ago | OpenMed before 1.5.2 contains a remote code execution vulnerability in the PII privacy-filter model loading path. The privacy-filter dispatcher used broad substring matching on the user-supplied mode… | |||
| CVE-2026-7198 | critical | 9.8 | 9.8 | 2d ago | CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in f… | |||
| CVE-2026-8206 | critical | 9.8 | 9.8 | 2d ago | The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plug… | |||
| CVE-2026-48879 | critical | 9.8 | 9.8 | 3d ago | Incorrect Privilege Assignment vulnerability in Sergey AIWU allows Privilege Escalation. This issue affects AIWU: from n/a through 1.4.17. | |||
| CVE-2026-42680 | critical | 9.8 | 9.8 | 3d ago | Incorrect Privilege Assignment vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery Pro allows Privilege Escalation. This issue affects Contest Gallery Pro: from n/a through … | |||
| CVE-2026-7858 | critical | 9.8 | 9.8 | 3d ago | A Deserialization of Untrusted Data vulnerability affecting Teamwork Cloud from No Magic Release 2022x through No Magic Release 2026x and Magic Collaboration Studio from CATIA Magic Release 2022x thr… | |||
| CVE-2026-10187 | critical | 9.8 | 9.8 | 4d ago | A vulnerability was detected in Totolink N300RH 6.1c.1353_B20190305. Affected by this issue is the function setWiFiBasicConfig of the file wireless.so of the component Web Management Interface. Perfo… | |||
| CVE-2026-45700 | critical | 9.8 | 9.8 | 5d ago | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's planar bitmap decoder has an out-of-bounds heap write when decoding RLE planar data. In libfreerdp/codec/pl… | |||
| CVE-2026-7786 | critical | 9.8 | 9.8 | 6d ago | Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter device firmware contains plaintext administrative credentials embedded in the firmware image. These credentials … | |||
| CVE-2026-10064 | critical | 9.8 | 9.8 | 6d ago | A security flaw has been discovered in TRENDnet TEW-432BRP 3.10B20. This affects the function formSetPortTr of the file /goform/formSetPortTr. Performing a manipulation of the argument special_name r… | |||
| CVE-2026-10063 | critical | 9.8 | 9.8 | 6d ago | A vulnerability was identified in TRENDnet TEW-432BRP 3.10B20. Affected by this issue is the function formWPS of the file /goform/formWPS. Such manipulation of the argument peerPin leads to stack-bas… | |||
| CVE-2026-10062 | critical | 9.8 | 9.8 | 6d ago | A vulnerability was determined in TRENDnet TEW-432BRP 3.10B20. Affected by this vulnerability is the function formSetRoute of the file /goform/formSetRoute. This manipulation of the argument ip/mask/… | |||
| CVE-2026-10042 | critical | 9.8 | 9.8 | 6d ago | manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{… | |||
| CVE-2026-46376 | critical | 9.8 | 9.8 | 6d ago | FreePBX is an open source IP PBX. From 15.0.42 to before 16.0.45 and 17.0.7, unauthenticated users may be able to access the User Control Panel (UCP) using hard-coded initial template credentials if … | |||
| CVE-2026-10061 | critical | 9.8 | 9.8 | 6d ago | A vulnerability was found in TRENDnet TEW-432BRP 3.10B20. Affected is the function formWPS of the file /goform/formWPS. The manipulation of the argument peerPin results in command injection. The atta… | |||
| CVE-2026-10060 | critical | 9.8 | 9.8 | 6d ago | A vulnerability has been found in TRENDnet TEW-432BRP 3.10B20. This impacts the function formSetRoute of the file /goform/formSetRoute. The manipulation of the argument ip/mask/gateway leads to comma… | |||
| CVE-2026-10071 | critical | 9.8 | 9.8 | 6d ago | DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code exec… | |||
| CVE-2026-3655 | critical | 9.8 | 9.8 | 6d ago | The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the `… | |||
| CVE-2026-8732 | critical | 9.8 | 9.8 | 6d ago | The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmp_temp_access_ajax AJ… | |||
| CVE-2026-8809 | critical | 9.8 | 9.8 | 6d ago | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the … | |||
| CVE-2026-46817 | critical | 9.8 | 9.8 | 6d ago | Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allo… | |||
| CVE-2026-34311 | critical | 9.8 | 9.8 | 6d ago | Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.24, 5.6.22, 5.6.25.19… | |||
| CVE-2026-45039 | critical | 9.8 | 9.8 | 7d ago | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The functi… | |||
| CVE-2026-9097 | critical | 9.8 | 9.8 | 7d ago | Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken() function in object/token_oauth.go validates the JWT signature and pa… | |||
| CVE-2026-9094 | critical | 9.8 | 9.8 | 7d ago | Casdoor versions 2.362.0 and earlier contain a vulnerability enabling cross-organization token exchange. The GetTokenExchangeToken function in object/token_oauth.go validates JWT signatures but does … | |||
| CVE-2026-9093 | critical | 9.8 | 9.8 | 7d ago | In Casdoor versions 2.362.0 and earlier, the SAML service provider implementation does not validate the AudienceRestriction element in SAML assertions. The buildSp function in object/saml_sp.go never… | |||
| CVE-2026-38707 | critical | 9.8 | 9.8 | 7d ago | A command injection vulnerability exists in the IPSec VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier ve… | |||
| CVE-2026-38704 | critical | 9.8 | 9.8 | 7d ago | A command injection vulnerability exists in the WireGuard VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlie… | |||
| CVE-2026-38703 | critical | 9.8 | 9.8 | 7d ago | A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier… | |||
| CVE-2026-38702 | critical | 9.8 | 9.8 | 7d ago | A command injection vulnerability exists in the Admin Access feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier… | |||
| CVE-2026-24444 | critical | 9.8 | 9.8 | 7d ago | SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 contain a hardcoded password vulnerability in the web management interface recovery endpoints (mgmt.php, npcmd.php) that a… | |||
| CVE-2026-46195 | critical | 9.8 | 9.8 | 7d ago | In the Linux kernel, the following vulnerability has been resolved: smb: client: validate dacloffset before building DACL pointers parse_sec_desc(), build_sec_desc(), and the chown path in id_mode_… | |||
| CVE-2026-46137 | critical | 9.8 | 9.8 | 7d ago | In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: ADD_ADDR rtx: fix potential data-race This mptcp_pm_add_timer() helper is executed as a timer callback in softirq cont… | |||
| CVE-2026-46135 | critical | 9.8 | 9.8 | 7d ago | In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: fix race between ICReq handling and queue teardown nvmet_tcp_handle_icreq() updates queue->state after sending an Init… | |||
| CVE-2026-46115 | critical | 9.8 | 9.8 | 7d ago | In the Linux kernel, the following vulnerability has been resolved: block: add pgmap check to biovec_phys_mergeable biovec_phys_mergeable() is used by the request merge, DMA mapping, and integrity … | |||
| CVE-2026-8364 | critical | 9.8 | 9.8 | 7d ago | Gladinet Triofox Cloud Server Agent Access Service (GladServerAgentService.exe) listens on TCP port 7878 and processes remote HTTP messages with URL paths starting with /resources, /status, /sysinfo,… | |||
| CVE-2026-8363 | critical | 9.8 | 9.8 | 7d ago | A stack-based buffer overflow condition exists in WOSDeviceDropFolder.dll when processing a long URL path starting with /resources: | |||
| CVE-2026-8362 | critical | 9.8 | 9.8 | 7d ago | A stack-based buffer overflow condition exists in WOSDefaultHttpModule.dll when processing a long URL path starting with /woshome | |||
| CVE-2026-25879 | critical | 9.8 | 9.8 | 8d ago | Langroid is a framework for building large-language-model-powered applications. Prior to version 0.63.0, SQLChatAgent executes SQL produced by an LLM, which is influenceable by prompt injection. When… | |||
| CVE-2026-44887 | critical | 9.8 | 9.8 | 8d ago | Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's web-based configuration editor allows arbitrary Python code to be injected into pialert.conf. S… | |||
| CVE-2026-44888 | critical | 9.8 | 9.8 | 8d ago | Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's SaveConfigFile() endpoint writes user-supplied numeric config values (e.g., SMTP_PORT) directly… | |||
| CVE-2026-8175 | critical | 9.8 | 9.8 | 8d ago | IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affecte… | |||
| CVE-2026-7524 | critical | 9.8 | 9.8 | 8d ago | IBM Langflow OSS 1.0.0 through 1.9.1 could allow remote code execution due to improper validation of symbolic links during archive extraction. | |||
| CVE-2026-46039 | critical | 9.8 | 9.8 | 8d ago | In the Linux kernel, the following vulnerability has been resolved: rxgk: Fix potential integer overflow in length check Fix potential integer overflow in rxgk_extract_token() when checking the len… | |||
| CVE-2026-45988 | critical | 9.8 | 9.8 | 8d ago | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix re-decryption of RESPONSE packets If a RESPONSE packet gets a temporary failure during processing, it may end up in a … | |||
| CVE-2026-45972 | critical | 9.8 | 9.8 | 8d ago | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF and double free in smb2_open_file() Zero out @err_iov and @err_buftype before retrying SMB2_open()… | |||
| CVE-2026-45898 | critical | 9.8 | 9.8 | 8d ago | In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix workqueue list corruption by removing work_list The commit e1168f0 ("RDMA/iwcm: Simplify cm_event_handler()") chan… | |||
| CVE-2026-42758 | critical | 9.8 | 9.8 | 8d ago | Incorrect Privilege Assignment vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Privilege Escalation. This issue affects WebinarIgnition: from n/a through < 4.08.253. | |||
| CVE-2026-42731 | critical | 9.8 | 9.8 | 8d ago | Incorrect Privilege Assignment vulnerability in miniOrange miniorange otp verification miniorange-otp-verification allows Privilege Escalation. This issue affects miniorange otp verification: from n/a… | |||
| CVE-2026-8760 | critical | 9.8 | 9.8 | 8d ago | The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout c… | |||
| CVE-2026-8401 | critical | 9.8 | 9.8 | 8d ago | Important: thunderbird security update |