ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html
Malicious Script Delivering More Maliciousness
Published: 2026-02-04
Last Updated: 2026-02-04 09:34:37 UTC
by Xavier Mertens (Version: 1)
Today, I received an interesting email with a malicious attachment. When I had a look at the automatic scan results, it seemed to be a malicious script to create a Chrome Injector to steal data. Because InfoStealers are very common these days, it looked “legit” but there was something different. The .bat file looks to be a fork of the one found in many GitHub repositories.
When the regular script is completed, it jumps to :EndScript:
A call to :show_msgbox was added at the script end:
Then, the magic begins ...
Read the full entry: https://isc.sans.edu/diary/Malicious+Script+Delivering+More+Maliciousness/32682/
Detecting and Monitoring OpenClaw (clawdbot, moltbot)
Published: 2026-02-03
Last Updated: 2026-02-03 12:41:53 UTC
by Johannes Ullrich (Version: 1)
Last week, a new AI agent framework was introduced to automate "live". It targets office work in particular, focusing on messaging and interacting with systems. The tool has gone viral not so much because of its features, which are similar to those of other agent frameworks, but because of a stream of security oversights in its design.
If you are looking to detect the use of OpenClaw in your environment, Knostic has created scripts to detect it and, if you do want to use OpenClaw, to collect telemetry about its use.
openclaw-detect https://github.com/knostic/openclaw-detect
This script searches the system for filenames commonly associated with OpenClaw. For example, the presence of the state directory ~/.openclaw or for a Docker container running openclaw. If you have decent endpoint monitoring, this tool may not be needed, but it can give you some hints on which files to look for.
openclaw-telemetry https://github.com/knostic/openclaw-telemetry
If you do run OpenClaw, openclaw-telemetry adds meaningful logging. The tool captures "every tool call, LLM request, and agent session — with built-in redaction, tamper-proof hash chains, syslog/SIEM forwarding, and rate limiting". It is an OpenClaw plugin and installs like any other OpenClaw plugin.
A few additional security tools and tips:
* The OpenClaw documentation now has a dedicated security section: https://docs.openclaw.ai/gateway/security
* OpenClaw's documentation explains how to set up OpenClaw inside a Docker sandbox: https://docs.openclaw.ai/cli/sandbox
* Do not provide OpenClaw with access to accounts you intend to lose.
* Do not expose OpenClaw to the Internet.
* ACIP, the "Advanced Cognitive Inoculation Prompt", has a version for OpenClaw that intends to limit prompt injection. https://github.com/Dicklesworthstone/acip/tree/main/integrations/clawdbot
Read the full entry: https://isc.sans.edu/diary/Detecting+and+Monitoring+OpenClaw+clawdbot+moltbot/32678/
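As an added example (not Knostic's openclaw-detect, and not code from the diary), the shell script below implements the two indicators the entry names: the `~/.openclaw` state directory and a Docker container whose name or image mentions openclaw. The home directory and the `docker ps` text are passed in as parameters so the same functions can be run against a test tree or a captured listing offline; the `{{.Names}} {{.Image}}` format string is a standard `docker ps --format` template. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: minimal host check for the OpenClaw indicators named in the
# ISC diary. Not Knostic's openclaw-detect; function names are this example's own.

# openclaw_file_indicators <home_dir>
# Prints the ~/.openclaw state directory if it exists under <home_dir>.
# Always returns 0; empty output means nothing was found.
openclaw_file_indicators() {
    home_dir="${1:-$HOME}"
    state_dir="$home_dir/.openclaw"
    if [ -d "$state_dir" ]; then
        printf 'state directory: %s\n' "$state_dir"
    fi
    return 0
}

# openclaw_containers_from_ps <docker-ps-output>
# Filters the output of `docker ps --format '{{.Names}} {{.Image}}'` for rows
# whose container name or image mentions openclaw (case-insensitive).
# Always returns 0; empty output means nothing was found.
openclaw_containers_from_ps() {
    printf '%s\n' "$1" | grep -i 'openclaw' | sed 's/^/container: /'
    return 0
}

# openclaw_scan [home_dir] [docker-ps-output]
# Runs both checks. When the second argument is omitted and the docker CLI is
# on PATH, running containers are queried live. Prints every indicator found;
# returns 1 when at least one indicator is present, 0 on a clean host, so the
# function can be used directly as a cron or EDR custom-script check.
openclaw_scan() {
    home_dir="${1:-$HOME}"
    ps_text="${2-}"
    if [ -z "$ps_text" ] && command -v docker >/dev/null 2>&1; then
        ps_text=$(docker ps --format '{{.Names}} {{.Image}}' 2>/dev/null || true)
    fi
    findings=$(openclaw_file_indicators "$home_dir"; openclaw_containers_from_ps "$ps_text")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "no OpenClaw indicators found"
    return 0
}

# Usage: OPENCLAW_SCAN_NOW=1 sh openclaw_scan.sh   (scans the current host)
if [ -n "${OPENCLAW_SCAN_NOW:-}" ]; then
    openclaw_scan
fi
```

Running it only covers the indicators the diary lists; as the entry notes, decent endpoint monitoring (file creation under the user's home directory, container start events) is the more reliable source, and this check is a starting point for which names to look for.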
Scanning for exposed Anthropic Models
Published: 2026-02-02
Last Updated: 2026-02-02 15:14:47 UTC
by Johannes Ullrich (Version: 1)
Yesterday, a single IP address (204.76.203.210) scanned a number of our sensors for what looks like an Anthropic API node. The IP address is known to be a Tor exit node.
The requests are pretty simple ...
It looks like this is scanning for locally hosted Anthropic models, but it is not clear to me if this would be successful. If anyone has any insights, please let me know. The API Key is a commonly used key in documentation, and not a key that anybody would expect to work.
At the same time, we are also seeing a small increase in requests for "/v1/messages". These requests have been more common in the past, but the URL may be associated with Anthropic (it is, however, somewhat generic, and other APIs likely use the same endpoint). These requests originate from ... an IP address with a bit of a complex geolocation and routing footprint.
Read the full entry: https://isc.sans.edu/diary/Scanning+for+exposed+Anthropic+Models/32674/
Google Presentations Abused for Phishing (2026.01.30)
https://isc.sans.edu/diary/Google+Presentations+Abused+for+Phishing/32668/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2026-1281 & CVE-2026-1340 - Code injection vulnerabilities in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution.
Product: Ivanti Endpoint Manager Mobile
CVSS Score: 9.8
** CVE-2026-1281 KEV since 2026-01-29 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-1281
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-1340
ISC Podcast: https://isc.sans.edu/podcastdetail/9790
NVD References:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-1281
CVE-2025-40551 through CVE-2025-40554 - Multiple vulnerabilities in SolarWinds Web Help Desk (authentication bypass, untrusted data deserialization)
Product: Solarwinds Web Help Desk
CVSS Score: 9.8
** CVE-2025-40551 KEV since 2026-02-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40551 (untrusted data deserialization)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40552 (authentication bypass)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40553 (untrusted data deserialization)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40554 (authentication bypass)
NVD References:
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40551
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40552
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40553
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40554
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-40551
CVE-2026-24858 - Fortinet FortiAnalyzer, FortiManager, and FortiOS allow unauthorized access to devices registered to other accounts by exploiting an Authentication Bypass vulnerability when FortiCloud SSO authentication is enabled.
Product: Fortinet FortiAnalyzer
CVSS Score: 9.8
** KEV since 2026-01-27 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24858
NVD References:
- https://fortiguard.fortinet.com/psirt/FG-IR-26-060
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-24858
- https://www.fortinet.com/blog/psirt-blogs/analysis-of-sso-abuse-on-fortios
CVE-2021-39935 - GitLab CE/EE versions 10.5 to 14.5.2 are vulnerable to unauthorized external users performing Server Side Requests via the CI Lint API.
Product: Gitlab
CVSS Score: 0
** KEV since 2026-02-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-39935
CVE-2019-19006 - Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197.13 and below have Incorrect Access Control.
Product: Sangoma FreePBX
CVSS Score: 0
** KEV since 2026-02-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-19006
CVE-2026-21962 - The vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in allows unauthenticated attackers to compromise critical data and all accessible information.
Product: Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21962
ISC Podcast: https://isc.sans.edu/podcastdetail/9786
CVE-2026-24830 - Integer Overflow or Wraparound vulnerability in Ralim IronOS. This issue affects IronOS: before v2.23-rc2.
Product: Ralim IronOS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24830
CVE-2026-1470 - n8n has a critical Remote Code Execution (RCE) vulnerability allowing authenticated attackers to execute arbitrary code with process privileges.
Product: n8n
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-1470
CVE-2020-36940 - Easy CD & DVD Cover Creator 4.13 is vulnerable to a buffer overflow in the serial number input field that allows attackers to crash the application by pasting a 6000-byte payload.
Product: Easy CD & DVD Cover Creator 4.13
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-36940
CVE-2020-36941 - Knockpy 4.1.1 is vulnerable to CSV injection, enabling attackers to embed malicious formulas into CSV reports by manipulating unfiltered server headers.
Product: Knockpy 4.1.1
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-36941
CVE-2020-36948 - VestaCP 0.9.8-26 is vulnerable to a session token flaw in the LoginAs module that enables remote attackers to manipulate authentication tokens and gain unauthorized access to user accounts.
Product: VestaCP 0.9.8-26
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-36948
CVE-2021-47900 - Gila CMS versions prior to 2.0.0 have a remote code execution vulnerability enabling unauthenticated attackers to execute system commands via manipulated HTTP headers.
Product: Gila CMS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-47900
CVE-2021-47901 - Dirsearch 0.4.1 is vulnerable to CSV injection when using the --csv-report flag, enabling attackers to inject formulas through redirected endpoints and manipulate the generated CSV report.
Product: Dirsearch 0.4.1
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2021-47901
CVE-2025-15467 - OpenSSL versions 3.6, 3.5, 3.4, 3.3, and 3.0 are vulnerable to a stack buffer overflow when parsing CMS AuthEnvelopedData messages with maliciously crafted AEAD parameters.
Product: OpenSSL
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-15467
CVE-2025-68670 - xrdp is an open source RDP server with an unauthenticated stack-based buffer overflow vulnerability in versions prior to 0.10.5, allowing remote attackers to execute arbitrary code on the target system.
Product: xrdp RDP server
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-68670
CVE-2025-69565 - code-projects Mobile Shop Management System 1.0 is vulnerable to File Upload in /ExAddProduct.php.
Product: Fabian Mobile Shop Management System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-69565
CVE-2025-69559 - code-projects Computer Book Store 1.0 is vulnerable to File Upload in admin_add.php.
Product: Carmelo Computer Book Store
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-69559
CVE-2025-69562, CVE-2025-69563, & CVE-2025-69564 - code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /insertmessage.php via the userid parameter.
Product: Fabian Mobile Shop Management System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-69562
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-69563
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-69564
CVE-2026-24832 - Out-of-bounds Write vulnerability in ixray-team ixray-1.6-stcop. This issue affects ixray-1.6-stcop: before 1.3.
Product: ixray-team ixray-1.6-stcop
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24832
CVE-2026-24872 - Improper pointer arithmetic vulnerability in ProjectSkyfire SkyFire_548. This issue affects SkyFire_548: before 5.4.8-stable5.
Product: ProjectSkyfire SkyFire_548
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24872
CVE-2026-24874 - Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in themrdemonized xray-monolith. This issue affects xray-monolith: before 2025.12.30.
Product: themrdemonized xray-monolith
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24874
CVE-2026-22039 - Kyverno has a critical authorization boundary bypass in versions prior to 1.16.3 and 1.15.3, allowing authenticated users to perform Kubernetes API requests with Kyverno's admission controller identity across namespaces.
Product: Kyverno
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22039
CVE-2025-21589 - Juniper Networks Session Smart Router, Session Smart Conductor, and WAN Assurance Managed Routers are vulnerable to an authentication bypass allowing a network-based attacker to take administrative control of the device.
Product: Juniper Networks Session Smart Router
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21589
CVE-2026-24736 - Squidex's webhook configuration allows for SSRF attacks due to lack of IP address validation in versions up to 7.21.0.
Product: Squidex Headless content management system
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24736
CVE-2026-24770 - RAGFlow is vulnerable to a "Zip Slip" attack in version 0.23.1 and earlier, allowing remote code execution via malicious ZIP archive.
Product: Infiniflow RAGflow
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24770
CVE-2026-23830 - SandboxJS versions prior to 0.8.26 have a sandbox escape vulnerability allowing for Remote Code Execution due to the lack of isolation for `AsyncFunction` within `SandboxFunction`.
Product: SandboxJS JavaScript sandboxing library
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-23830
CVE-2026-24838 - DNN (formerly DotNetNuke) prior to versions 9.13.10 and 10.2.0 allows for script execution through richtext module titles.
Product: DNN (formerly DotNetNuke)
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24838
CVE-2026-24841 - Dokploy, a self-hostable PaaS, is vulnerable to a critical command injection flaw in versions prior to 0.26.6, allowing authenticated attackers to execute arbitrary commands on the host server via the `/docker-container-terminal` WebSocket endpoint.
Product: Dokploy
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24841
CVE-2025-61140 - The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.
Product: jsonpath lib/index.js
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61140
CVE-2020-36961 - 10-Strike Network Inventory Explorer 8.65 is vulnerable to a buffer overflow in exception handling, enabling remote attackers to execute arbitrary code by crafting a malicious file with specific parameters.
Product: 10-Strike Network Inventory Explorer
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-36961
CVE-2020-36962 - Tendenci 12.3.1 is vulnerable to a CSV formula injection attack in the contact form message field, potentially resulting in arbitrary command execution when opened in spreadsheet applications.
Product: Tendenci
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-36962
CVE-2020-36964 - YATinyWinFTP is vulnerable to a denial of service attack that crashes the FTP service through a buffer overflow caused by a malformed command.
Product: YATinyWinFTP FTP service
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-36964
CVE-2020-36967 - Zortam Mp3 Media Studio 27.60 is vulnerable to a buffer overflow in the library creation file selection process, allowing remote code execution via a crafted malicious text file.
Product: Zortam Mp3 Media Studio 27.60
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-36967
CVE-2025-57792, CVE-2025-57794, & CVE-2025-57795 - Multiple vulnerabilities in Explorance Blue
Product: Explorance Blue
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-57792 (SQL Injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-57794 (Unrestricted Upload of File with Dangerous Type)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-57795 (Unrestricted Upload of File with Dangerous Type)
CVE-2025-69602 - 66biolinks v62.0.0 by AltumCode is vulnerable to session fixation, enabling attackers to hijack authenticated sessions through reused session identifiers.
Product: AltumCode 66biolinks
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-69602
CVE-2026-24897 - Erugo allows low-privileged users to upload and execute arbitrary code, leading to remote code execution, in versions up to 0.2.14.
Product: Erugo self-hosted file-sharing platform
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24897
CVE-2020-36997 - BacklinkSpeed 2.4 has a buffer overflow vulnerability that can be exploited by attackers to execute arbitrary code and take control of the application.
Product: BacklinkSpeed 2.4
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-36997
CVE-2020-37000 - Free MP3 CD Ripper 2.8 is vulnerable to remote code execution due to a stack buffer overflow when processing a malicious WAV file.
Product: NowSmart Free MP3 CD Ripper
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37000
CVE-2020-37002 - Ajenti 2.1.36 has an authentication bypass vulnerability that enables remote attackers to execute arbitrary commands through the /api/terminal/create endpoint.
Product: Ajenti 2.1.36
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37002
CVE-2020-37010 - BearShare Lite 5.2.5 is vulnerable to a buffer overflow in the Advanced Search feature, enabling attackers to execute arbitrary code by inputting malicious content into the search keywords field.
Product: BearShare Lite 5.2.5
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37010
CVE-2020-37012 - Tea LaTex 1.0 has a remote code execution vulnerability in its /api.php endpoint, allowing unauthenticated attackers to run arbitrary shell commands via a crafted LaTeX payload.
Product: Tea LaTex 1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37012
CVE-2026-1453 - KiloView Encoder Series is vulnerable to a missing authentication flaw that enables unauthorized users to create or delete admin accounts, ultimately granting them full administrative control.
Product: KiloView Encoder Series
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-1453
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-26-029-01
CVE-2025-69929 - N3uron Web User Interface v.1.21.7-240207.1047 is vulnerable to privilege escalation due to a predictable string format in client-side password hashing with MD5 algorithm.
Product: N3uron Web User Interface
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-69929
CVE-2026-22806 - vCluster Platform prior to versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10 allows bypassing of limited access key scopes, potentially exposing resources beyond intended access levels, with a fix available in later versions.
Product: vCluster Platform
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22806
CVE-2026-0963 - Crafty Controller is vulnerable to a remote attacker performing file tampering and remote code execution through path traversal in the File Operations API Endpoint component.
Product: Crafty Controller File Operations API Endpoint
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0963
CVE-2026-1699 - The Eclipse Theia Website repository had a vulnerability that allowed any GitHub user to execute arbitrary code with access to repository secrets and extensive write permissions.
Product: Eclipse Theia Website
CVSS Score: 10.0
CVE-2025-51958 - aelsantex runcommand 2014-04-01, a plugin for DokuWiki, allows unauthenticated attackers to execute arbitrary system commands via lib/plugins/runcommand/postaction.php.
Product: aelsantex DokuWiki
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-51958
CVE-2026-25130 - CAI (Cybersecurity AI) framework in versions up to and including 0.5.10 is vulnerable to multiple argument injection exploits, allowing attackers to achieve Remote Code Execution (RCE) by manipulating user-controlled input.
Product: Cybersecurity AI CAI
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25130
CVE-2019-25232 - NetPCLinker 1.0.0.0 has a buffer overflow vulnerability in the Clients Control Panel DNS/IP field, enabling attackers to execute arbitrary shellcode via a crafted malicious payload.
Product: NetPCLinker Clients Control Panel DNS/IP field
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25232
CVE-2020-37027 - Sickbeard alpha is vulnerable to remote command injection, allowing unauthenticated attackers to execute arbitrary commands through the extra scripts configuration.
Product: Sickbeard alpha
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37027
CVE-2020-37043 - 10-Strike Bandwidth Monitor 3.9 is vulnerable to a buffer overflow that enables remote code execution via a malicious payload in the registration key input.
Product: 10-Strike Bandwidth Monitor 3.9
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37043
CVE-2020-37050 - Quick Player 1.3 is vulnerable to buffer overflow attacks through crafted .m3l files, allowing for remote code execution.
Product: Quick Player 1.3
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37050
CVE-2020-37052 - AirControl 1.4.2 is vulnerable to pre-authentication remote code execution through Java expression injection, allowing attackers to run system commands via a specially crafted URL at the /.seam endpoint.
Product: AirControl 1.4.2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37052
CVE-2020-37056 - Crystal Shard http-protection 0.2.0 is vulnerable to IP spoofing, allowing attackers to bypass protection middleware by altering request headers.
Product: Crystal Shard http-protection
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37056
CVE-2026-25200 - MagicINFO 9 Server allows authorized users to upload HTML files without authentication, leading to Stored XSS and potential account takeover.
Product: MagicINFO 9 Server
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25200
CVE-2026-25202 - MagicINFO 9 Server: less than 21.1090.1 allows login with hardcoded database account and password, enabling manipulation of the database.
Product: MagicINFO 9 Server
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25202
CVE-2026-20407 - MediaTek WLAN STA driver has a vulnerability that allows for local privilege escalation without requiring user interaction.
Product: MediaTek chipsets WLAN STA driver
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20407
NVD References: https://corp.mediatek.com/product-security-bulletin/February-2026
CVE-2026-20418 - MediaTek Thread has a vulnerability that allows for a possible out-of-bounds write, leading to remote privilege escalation without requiring user interaction.
Product: MediaTek chipsets Thread Application
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20418
CVE-2022-50981 - VibroLine firmware allows unauthenticated remote attackers to gain full access due to default no password configuration and lack of enforced password setting.
Product: VibroLine firmware
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-50981
CVE-2025-66480 - Wildfire IM, an instant messaging and real-time audio/video solution, is vulnerable to remote code execution due to a critical flaw in the im-server component related to file upload functionality prior to version 1.4.3.
Product: Xiaoleilu Wildfire IM
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66480
CVE-2026-22778 - vLLM is a serving engine for large language models that leaked a heap address when an invalid image was sent to its multimodal endpoint, allowing ASLR reduction and potential remote code execution until version 0.14.1.
Product: vLLM
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22778
CVE-2026-23515 - Signal K Server prior to version 1.5.0 allows authenticated and unauthenticated users to execute arbitrary shell commands through a command injection vulnerability, especially when the set-system-time plugin is enabled.
Product: Signal K Server
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-23515
CVE-2026-25137 - The NixOs Odoo package exposes the database manager without authentication, allowing unauthorized actors to delete and download the entire database.
Product: NixOs Odoo
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25137
CVE-2026-25142 - SandboxJS allows unauthorized access to prototypes before version 0.8.27, potentially leading to sandbox escape and remote code execution.
Product: SandboxJS JavaScript sandboxing library
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25142
CVE-2025-5319 - Efficiency Management System by Emit Information and Communication Technologies Industry and Trade Ltd. Co. is vulnerable to SQL Injection through 03022026, with no response from the vendor when notified.
Product: Emit Information and Communication Technologies Industry and Trade Ltd. Co Efficiency Management System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5319
CVE-2026-1568 - InsightVM versions before 8.34.0 have a signature verification flaw on the ACS cloud endpoint, letting attackers access Security Console installations and take over accounts.
Product: Rapid7 InsightVM
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-1568
NVD References: https://docs.rapid7.com/insight/command-platform-release-notes/
CVE-2025-70841 - Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 is vulnerable to unauthenticated remote attackers who can obtain sensitive application configuration data, leading to complete system compromise for all tenants.
Product: Dokan Multi-Tenancy Based eCommerce Platform SaaS 3.9.2
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-70841
CVE-2025-10878 - Fikir Odalari AdminPando 1.0.1 before 2026-01-26 is vulnerable to SQL injection in the login functionality, allowing unauthenticated attackers to bypass authentication and gain full administrative access.
Product: Fikir Odalari AdminPando
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10878
CVE-2020-37065 - StreamRipper32 version 2.6 has a buffer overflow vulnerability in the Station/Song Section, enabling attackers to overwrite memory with a crafted SongPattern input.
Product: StreamRipper32
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37065
CVE-2020-37066 - GoldWave 5.70 is vulnerable to a buffer overflow attack in the File Open URL dialog, enabling attackers to execute arbitrary code by manipulating input.
Product: GoldWave 5.70
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37066
CVE-2020-37067 - Filetto 1.0 FTP server is susceptible to a denial of service flaw in the FEAT command processing, which can be exploited by sending an oversized command to crash the service.
Product: Filetto 1.0 FTP server
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37067
CVE-2020-37068 & CVE-2020-37069 - Konica Minolta FTP Utility 1.0 buffer overflow vulnerabilities.
Product: Konica Minolta FTP Utility 1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37068
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37069
CVE-2020-37070 - CloudMe 1.11.2 is vulnerable to remote code execution via a buffer overflow in network packets sent to port 8888.
Product: CloudMe 1.11.2
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37070
CVE-2020-37071 - CraftCMS 3 vCard Plugin 1.0.0 is susceptible to a deserialization vulnerability enabling unauthenticated attackers to execute arbitrary PHP code via a specially crafted payload.
Product: CraftCMS vCard Plugin 1.0.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37071
CVE-2020-37074 - Remote Desktop Audit 2.3.0.157 is susceptible to a buffer overflow vulnerability, enabling attackers to execute arbitrary code via a crafted payload file during the Add Computers Wizard file import process.
Product: Remote Desktop Audit 2.3.0.157
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37074
CVE-2020-37075 - LanSend 3.2 has a buffer overflow vulnerability in the Add Computers Wizard file import feature, enabling remote attackers to execute arbitrary code through a crafted payload file.
Product: Lan-secure LanSend
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37075
CVE-2020-37080 - webTareas 2.0.p8 is vulnerable to file deletion by authenticated attackers in the print_layout.php administration component.
Product: webTareas 2.0.p8
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37080
CVE-2020-37082 - webERP 4.15.1 vulnerability allows remote attackers to download database backup files without authentication.
Product: webERP 4.15.1
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37082
CVE-2020-37090 - School ERP Pro 1.0 has a file upload vulnerability that enables students to upload harmful PHP files, leading to potential server code execution by attackers.
Product: School ERP Pro 1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37090
CVE-2020-37094 - EspoCRM 5.8.5 is vulnerable to authentication manipulation that enables attackers to access other user accounts and gain unauthorized administrative privileges.
Product: EspoCRM 5.8.5
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-37094
CVE-2026-25150 - Qwik is a performance focused javascript framework that contained a prototype pollution vulnerability in the formToObj() function within @builder.io/qwik-city middleware prior to version 1.19.0, allowing unauthenticated attackers to pollute Object.prototype through crafted HTTP POST requests.
Product: Builder.io @builder.io/qwik-city
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25150
CVE-2026-25510 - CI4MS is vulnerable to Remote Code Execution (RCE) pre-version 0.28.5.0 due to a flaw that allows authenticated users with file editor permissions to upload and execute arbitrary PHP code on the server.
Product: CodeIgniter CI4MS
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25510
CVE-2026-1632 - MOMA Seismic Station Version v2.4.2520 and prior allows unauthenticated attackers to access and modify device settings, data, and remotely reset the device.
Product: MOMA Seismic Station Version
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-1632
CVE-2026-1633 - The Synectix LAN 232 TRIO 3-Port serial to ethernet adapter is vulnerable to unauthorized access, enabling attackers to alter device settings without authentication.
Product: Synectix LAN 232 TRIO 3-Port serial to ethernet adapter
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-1633
CVE-2026-1056 - The Snow Monkey Forms plugin for WordPress allows unauthenticated attackers to delete arbitrary files leading to possible remote code execution.
Product: Snow Monkey Forms plugin for WordPress
Active Installations: 20,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-1056
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/37a8642d-07f5-4b1b-8419-e30589089162?source=cve
CVE-2025-15030 - The User Profile Builder WordPress plugin before 3.15.2 allows unauthorized password resets, potentially granting access to any user account.
Product: User Profile Builder WordPress plugin
Active Installations: 50,000+
CVSS Score: 9.8