Want More XWorm?
Published: 2026-03-04
Last Updated: 2026-03-04 09:48:39 UTC
by Xavier Mertens (Version: 1)
And another XWorm wave in the wild! This malware family is not new and is heavily spread, but delivery techniques always evolve and deserve to be described to show you how imaginative threat actors can be! This time, we are facing another piece of multi-technology malware.
Here is a quick overview ...
Read the full entry: https://isc.sans.edu/diary/Want+More+XWorm/32766/
Quick Howto: ZIP Files Inside RTF
Published: 2026-03-02
Last Updated: 2026-03-02 11:13:04 UTC
by Didier Stevens (Version: 1)
In diary entry "Quick Howto: Extract URLs from RTF files" I mentioned ZIP files.
There are OLE objects inside this RTF file ...
Read the full entry: https://isc.sans.edu/diary/Quick+Howto+ZIP+Files+Inside+RTF/32696/
Fake Fedex Email Delivers Donuts!
Published: 2026-02-27
Last Updated: 2026-02-27 12:22:12 UTC
by Xavier Mertens (Version: 1)
It’s Friday, let’s have a look at another simple piece of malware to close a busy week! I received a Fedex notification about a delivery. Usually, such emails are simple phishing attacks that redirect you to a fake login page to collect your credentials. Here, it was a bit different ...
Nothing really fancy but it is effective and uses interesting techniques ...
Read the full entry: https://isc.sans.edu/diary/Fake+Fedex+Email+Delivers+Donuts/32754/
Bruteforce Scans for CrushFTP (2026.03.03)
https://isc.sans.edu/diary/Bruteforce+Scans+for+CrushFTP/32762/
Wireshark 4.6.4 Released (2026.03.02)
https://isc.sans.edu/diary/Wireshark+464+Released/32758/
The CLAIR Model: A Synthesized Conceptual Framework for Mapping Critical Infrastructure Interdependencies [Guest Diary] (2026.02.25)
Finding Signal in the Noise: Lessons Learned Running a Honeypot with AI Assistance [Guest Diary] (2026.02.24)
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2026-20127 - Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager are vulnerable to authentication bypass by an unauthenticated remote attacker.
Product: Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager
CVSS Score: 10.0
** KEV since 2026-02-25 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20127
ISC Podcast: https://isc.sans.edu/podcastdetail/9826
NVD References:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20127
CVE-2026-20129 - Cisco Catalyst SD-WAN Manager contains a vulnerability that could allow an attacker to gain unauthorized access with netadmin privileges.
Product: Cisco Catalyst SD-WAN Manager
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20129
NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v
CVE-2026-21385 - Qualcomm Multiple Chipsets Memory Corruption Vulnerability: Multiple Qualcomm chipsets contain a memory corruption vulnerability while using alignments for memory allocation.
Product: Qualcomm
CVSS Score: 7.8
** KEV since 2026-03-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21385
ISC Podcast: https://isc.sans.edu/podcastdetail/9834
NVD References:
- https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2026-bulletin.html
- https://source.android.com/docs/security/bulletin/2026/2026-03-01
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21385
CVE-2026-22719 - VMware Aria Operations is vulnerable to command injection, allowing unauthenticated actors to execute arbitrary commands and potentially achieve remote code execution during support-assisted product migration.
Product: VMware Aria Operations
CVSS Score: 8.1
** KEV since 2026-03-03 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22719
NVD References:
- https://knowledge.broadcom.com/external/article/430349
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-22719
CVE-2024-4040 - CrushFTP VFS Sandbox Escape Vulnerability
Product: CrushFTP
CVSS Score: 0 (not scored in this feed)
** KEV since 2024-04-24 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4040
ISC Diary: https://isc.sans.edu/diary/32762
CVE-2025-31161 - CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows for authentication bypass and takeover of the crushadmin account, unless a DMZ proxy instance is used, through a race condition in the AWS4-HMAC authorization method of the FTP server.
Product: CrushFTP
CVSS Score: 0 (not scored in this feed)
** KEV since 2025-04-07 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-31161
ISC Diary: https://isc.sans.edu/diary/32762
CVE-2025-54309 - CrushFTP 10 and 11 mishandle AS2 validation, allowing remote attackers to gain admin access via HTTPS.
Product: CrushFTP
CVSS Score: 0 (not scored in this feed)
** KEV since 2025-07-22 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54309
ISC Diary: https://isc.sans.edu/diary/32762
CVE-2024-58041 - Smolder versions through 1.51 for Perl rely on the insecure rand() function for cryptographic functions.
Product: WONKO Smolder
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-58041
CVE-2025-13942 - Zyxel EX3510-B0 firmware versions through 5.17(ABUP.15.1)C0 are vulnerable to command injection through UPnP SOAP requests.
Product: Zyxel
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13942
CVE-2026-26198 - Ormar is vulnerable to SQL injection when performing aggregate queries in versions 0.9.9 through 0.22.0, allowing unauthorized users to read the entire database contents by injecting a subquery as the column parameter.
Product: Collerek Ormar
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26198
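The Ormar entry describes the classic shape of this bug: an ORM pastes a caller-supplied column name into an aggregate query, so a subquery supplied in that position runs as SQL. The following added example is not Ormar's code; the schema, rows, payload and function names are constructed for illustration. It reproduces the pattern against an in-memory SQLite database and shows the allowlist check that closes it: an identifier is only accepted if it is a real column of the table, and the aggregate function comes from a closed set.

```python
import re
import sqlite3

# Constructed sample schema and rows; stands in for any ORM-managed table.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER, password TEXT);
INSERT INTO users VALUES (1, 'alice', 31, 's3cr3t-alice');
INSERT INTO users VALUES (2, 'bob', 44, 's3cr3t-bob');
"""

IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
ALLOWED_FUNCS = {"MAX", "MIN", "SUM", "AVG", "COUNT"}


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def aggregate_vulnerable(conn, func: str, column: str):
    """Vulnerable pattern: the caller's 'column' is interpolated into the SQL
    text, so '(SELECT password FROM users ...)' in that slot is executed."""
    sql = f"SELECT {func}({column}) FROM users"
    return conn.execute(sql).fetchone()[0]


def table_columns(conn, table: str) -> set:
    if not IDENT_RE.match(table):
        raise ValueError(f"bad table name: {table!r}")
    return {row[1] for row in conn.execute(f"PRAGMA table_info({table})")}


def aggregate_safe(conn, func: str, column: str, table: str = "users"):
    """Hardened pattern: both identifiers come from closed allowlists. The
    column must match an identifier grammar AND be a real column of the
    table, so a subquery, a comma, or any other SQL fragment is rejected
    before any query text is built."""
    func = func.upper()
    if func not in ALLOWED_FUNCS:
        raise ValueError(f"aggregate not allowed: {func!r}")
    if not IDENT_RE.match(column) or column not in table_columns(conn, table):
        raise ValueError(f"unknown column: {column!r}")
    sql = f'SELECT {func}("{column}") FROM "{table}"'
    return conn.execute(sql).fetchone()[0]


# Constructed payload: a scalar subquery placed where a column name is expected.
PAYLOAD = "(SELECT password FROM users WHERE id = 1)"


def demo() -> tuple:
    conn = fresh_db()
    leaked = aggregate_vulnerable(conn, "MAX", PAYLOAD)  # alice's password
    try:
        aggregate_safe(conn, "MAX", PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked, aggregate_safe(conn, "MAX", "age")


if __name__ == "__main__":
    print(demo())
```

The check on the table's own column list matters more than the regular expression: a regex stops subqueries, but only the PRAGMA lookup stops a valid identifier naming a column the caller was never meant to aggregate over.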
CVE-2025-40538 through CVE-2025-40541 - Multiple vulnerabilities in SolarWinds Serv-U, including a broken access control issue that allows an attacker to create a system admin user and execute arbitrary code with domain admin privileges.
Product: SolarWinds Serv-U
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40538 (broken access control)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40539 (type confusion)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40540 (type confusion)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40541 (insecure direct object reference, IDOR)
NVD References:
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40538
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40539
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40540
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40541
CVE-2026-1229 - CIRCL ecc/p384 CombinedMult function in the secp384r1 curve generates incorrect values for specific inputs, resolved in v1.6.3.
Product: Cloudflare CIRCL
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-1229
CVE-2025-11165 - DotCMS's Velocity scripting engine is susceptible to a sandbox escape vulnerability, allowing authenticated users with scripting privileges to bypass class and package restrictions and execute arbitrary system commands.
Product: DotCMS Velocity scripting engine
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11165
CVE-2025-14577 - Slican NCP/IPL/IPM/IPU devices are vulnerable to PHP Function Injection, allowing for remote attackers to execute arbitrary PHP commands via specially crafted requests to /webcti/session_ajax.php endpoint, fixed in versions 1.24.0190 (Slican NCP) and 6.61.0010 (Slican IPL/IPM/IPU).
Product: Slican NCP
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-14577
NVD References: https://cert.pl/posts/2026/02/CVE-2025-14577
CVE-2026-2634 - Firefox for iOS < 147.4 is vulnerable to address bar desynchronization, allowing attacker-controlled pages to be presented under spoofed domains.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-2634
CVE-2026-2757 through CVE-2026-2768, CVE-2026-2770 through CVE-2026-2782, CVE-2026-2784 through CVE-2026-2793, CVE-2026-2795 through CVE-2026-2797, CVE-2026-2799, CVE-2026-2800, CVE-2026-2805 through CVE-2026-2807 - Multiple vulnerabilities in Firefox and Thunderbird.
Product: Mozilla Firefox and Thunderbird
CVSS Scores: 9.8 - 10.0
NVD References:
- https://www.mozilla.org/security/advisories/mfsa2026-13/
- https://www.mozilla.org/security/advisories/mfsa2026-14/
- https://www.mozilla.org/security/advisories/mfsa2026-15/
- https://www.mozilla.org/security/advisories/mfsa2026-16/
- https://www.mozilla.org/security/advisories/mfsa2026-17/
CVE-2025-69985 - FUXA 1.2.8 and prior has an Authentication Bypass vulnerability in server/api/jwt-helper.js allowing for Remote Code Execution by spoofing the "Referer" header.
Product: FUXA
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-69985
CVE-2026-27507 and CVE-2026-27515 - Binardat 10G08-0800GSM network switch firmware vulnerabilities
Product: Binardat
CVSS Scores: 9.1 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27507 (hard-coded administrative credentials)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27515 (predictable session identifiers)
CVE-2026-27586 through CVE-2026-27588, CVE-2026-27590 - Vulnerabilities in Caddy, prior to version 2.11.1
Product: Caddyserver
CVSS Scores: 9.1 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27586 (improper handling of exceptional conditions)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27587 (improper handling of case sensitivity)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27588 (improper handling of case sensitivity)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27590 (improper input validation / incorrect behavior order)
CVE-2026-26222 - Altec DocLink version 4.0.336.0 exposes insecure .NET Remoting endpoints over TCP and HTTP/SOAP, allowing remote attackers to read arbitrary files, coerce SMB authentication, and execute remote code or deny service.
Product: Altec Doclink
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26222
CVE-2026-26341 and CVE-2026-26342 - Vulnerabilities in Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior.
Product: Tattile Smart+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26341 (default credentials)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26342 (insufficient session expiration)
CVE-2026-21410 and CVE-2026-22553 - Vulnerabilities in InSAT MasterSCADA BUK-TS.
Product: InSAT MasterSCADA
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21410 (SQL injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22553 (OS command injection)
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-01
CVE-2026-27593 - Statamic has a vulnerability in its password reset feature that allows an attacker to reset a user's password if the user clicks on a malicious reset link.
Product: Statamic
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27593
CVE-2026-24849, CVE-2026-24908, CVE-2026-24898, CVE-2026-25146 - Multiple vulnerabilities in OpenEMR
Product: OpenEMR
CVSS Scores: 9.6 - 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24849 (path traversal)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24908 (SQL injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24898 (improper authentication)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25146 (exposure of sensitive information to an unauthorized actor)
CVE-2026-27606 - Rollup, a module bundler for JavaScript, is vulnerable to Arbitrary File Write via Path Traversal in versions prior to 2.80.0, 3.30.0, and 4.59.0, allowing attackers to overwrite files on the host filesystem and potentially achieve Remote Code Execution.
Product: Rollupjs
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27606
CVE-2026-27614 - Bugsink allows for JavaScript injection by unauthenticated attackers prior to version 2.0.13, potentially allowing privilege escalation upon administrator UI interaction.
Product: Bugsink
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27614
CVE-2026-27626 - OliveTin allows for unauthenticated remote code execution through two separate vectors, including injecting shell metacharacters via a `password`-typed argument and bypassing type safety checks with webhook-extracted JSON values.
Product: OliveTin
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27626
CVE-2026-27822 - RustFS Console in versions prior to 1.0.0-alpha.83 is vulnerable to Stored Cross-Site Scripting (XSS) that can lead to full system compromise.
Product: RustFS
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27822
CVE-2026-27637 - FreeScout allows for full account takeover due to a predictable authentication token vulnerability.
Product: FreeScout
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27637
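Three entries above share one root cause: Smolder's use of rand() for cryptographic purposes, Binardat's predictable session identifiers, and FreeScout's predictable authentication token. The added example below is not code from any of those projects. It shows why a time-seeded general-purpose PRNG is worthless as a token source: an attacker who knows roughly when a token was issued can regenerate it, while a token drawn from the operating system's CSPRNG has no seed to recover. The seeding scheme, the fixed timestamp and the five-minute guess window are constructed assumptions for the demo.

```python
import random
import secrets
import time


def make_token_predictable(now=None) -> str:
    """Anti-pattern: seed a general-purpose PRNG (Mersenne Twister here, the
    same idea as a time-seeded rand()) with the current second and draw a
    token. The output is a pure function of the seed, not a secret."""
    seed = int(time.time() if now is None else now)
    rng = random.Random(seed)
    return rng.getrandbits(128).to_bytes(16, "big").hex()


def attacker_guess(observed_issue_time: float, window: int = 300) -> set:
    """The attacker only needs an approximate issue time (for instance the
    Date header of a password-reset e-mail) and enumerates every candidate
    seed in a window around it. (Assumption: a five-minute window.)"""
    base = int(observed_issue_time)
    return {make_token_predictable(base + d) for d in range(-window, window + 1)}


def make_token_secure() -> str:
    """Correct pattern: 128 bits from the OS CSPRNG via the secrets module."""
    return secrets.token_hex(16)


def demo() -> tuple:
    issued_at = 1_700_000_000                          # constructed timestamp
    victim = make_token_predictable(issued_at + 17)    # exact second unknown to attacker
    guesses = attacker_guess(issued_at)
    return victim in guesses, make_token_secure() in guesses


if __name__ == "__main__":
    print(demo())
```

The first value of demo() is True: 601 guesses recover the token. The second is False, and stays false no matter how wide the window gets, because there is no seed behind secrets.token_hex() to enumerate.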
CVE-2026-28289 - FreeScout 1.8.206 and earlier are vulnerable to a bypass of the patch for CVE-2026-27636 that allows authenticated users with file upload permissions to achieve remote code execution (RCE) by uploading a malicious .htaccess file whose name is prefixed with a zero-width space character; the flaw is in the sanitizeUploadedFileName() function in app/Http/Helper.php, which did not strip the invisible characters until version 1.8.207.
Product: FreeScout
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-28289
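The FreeScout .htaccess bypass is a canonicalization-order bug: a filename is compared against a blocklist while it still carries an invisible prefix, so the comparison fails to match, and the name that ends up on disk is the blocked one. The added example below is not FreeScout's sanitizeUploadedFileName(); the blocklist, the sample names, and the assumption that some later step trims the invisible characters are constructed for illustration. The fix is the same as for every canonicalization problem: normalize first, then apply the policy to the normalized form.

```python
import unicodedata

# Invisible code points that survive a naive equality check. Unicode category
# "Cf" (format) covers these and their relatives; the explicit set is for
# readability. (Assumption: this blocklist is illustrative, not exhaustive.)
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
BLOCKED_NAMES = {".htaccess", ".htpasswd", "web.config"}


def strip_invisible(name: str) -> str:
    return "".join(
        ch for ch in name
        if ch not in INVISIBLE and unicodedata.category(ch) != "Cf"
    )


def sanitize_vulnerable(name: str) -> str:
    """Checks the raw name first and strips invisible characters afterwards
    (modelling a downstream trim; an assumption for the demo). A zero-width
    space followed by '.htaccess' is not in the blocklist, so it passes, and
    what is written to disk is exactly '.htaccess'."""
    if name.lower() in BLOCKED_NAMES:
        raise ValueError("blocked filename")
    return strip_invisible(name)


def sanitize_fixed(name: str) -> str:
    """Canonicalize first (NFKC, drop invisible characters, trim whitespace),
    then apply the policy to the canonical form. As defense in depth, also
    refuse any name beginning with '.ht'."""
    cleaned = strip_invisible(unicodedata.normalize("NFKC", name)).strip()
    lowered = cleaned.lower()
    if not cleaned or lowered in BLOCKED_NAMES or lowered.startswith(".ht"):
        raise ValueError("blocked filename")
    return cleaned


def is_blocked(sanitizer, name: str) -> bool:
    """True if the given sanitizer refuses the name."""
    try:
        sanitizer(name)
    except ValueError:
        return True
    return False


# Constructed upload names for the demo.
BYPASS = "\u200b.htaccess"
BENIGN = "invoice-2026.pdf"
```

Note that the vulnerable variant is not wrong because it strips too little; it is wrong because it decides before it strips. Any check that runs on a representation other than the one the filesystem will see is a bypass waiting to be found.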
CVE-2025-62878 - Kubernetes allows a malicious user to manipulate parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, leading to potential data tampering or unauthorized access.
Product: Kubernetes
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62878
CVE-2026-0704 - Octopus Deploy allowed removal of files and contents on the host via an API endpoint due to lack of validation, potentially allowing for workflow circumvention.
Product: Octopus Server
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0704
CVE-2026-27699 - The `basic-ftp` FTP client library for Node.js prior to version 5.2.0 is vulnerable to CWE-22 due to a path traversal issue in the `downloadToDir()` method, allowing malicious FTP servers to write files outside the intended directory.
Product: Basic-FTP
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27699
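Rollup's arbitrary file write and basic-ftp's downloadToDir() issue are the same bug seen from two sides: a name controlled by someone else (a module id, a server-supplied listing entry) is joined onto a base directory without confirming that the result stays inside it. The added example below is not code from either project; the listing is constructed, and "download" writes a fixed byte string in place of real FTP traffic. The containment check rejects absolute names and '..' segments up front and then re-checks the fully resolved path, which also catches escapes through symlinks.

```python
import tempfile
from pathlib import Path, PurePosixPath


def safe_join(base_dir: str, untrusted_name: str) -> Path:
    """Join an untrusted relative name onto base_dir and prove the result is
    still under base_dir. Rejects absolute names, empty names and any '..'
    segment first, then resolves symlinks and re-checks, so a link inside
    the tree that points outside it is caught as well."""
    base = Path(base_dir).resolve()
    rel = PurePosixPath(untrusted_name)
    if not rel.parts or rel.is_absolute() or ".." in rel.parts:
        raise ValueError(f"unsafe path: {untrusted_name!r}")
    target = base.joinpath(*rel.parts).resolve()
    if target != base and base not in target.parents:
        raise ValueError(f"escapes base directory: {untrusted_name!r}")
    return target


# Constructed listing as a malicious server (or a hostile module graph) might
# present it: one honest entry, three attempts to leave the download root.
LISTING = [
    "reports/q1.csv",
    "../../.ssh/authorized_keys",
    "/etc/cron.d/backdoor",
    "notes/../../escape.txt",
]


def download_listing(base_dir: str, listing) -> tuple:
    """Write each listing entry under base_dir, collecting what was written
    (relative to the root) and what was refused."""
    root = Path(base_dir).resolve()
    written, rejected = [], []
    for name in listing:
        try:
            path = safe_join(base_dir, name)
        except ValueError:
            rejected.append(name)
            continue
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed file body\n")   # stands in for the transfer
        written.append(path.relative_to(root).as_posix())
    return written, rejected


def demo() -> tuple:
    with tempfile.TemporaryDirectory() as tmp:
        return download_listing(tmp, LISTING)


if __name__ == "__main__":
    print(demo())
```

Rejecting '..' before resolving is deliberate: "notes/../../escape.txt" would resolve cleanly to a path outside the root, and a check that only looks at the resolved path still needs the parent comparison, but refusing the segment early keeps the rule simple to audit.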
CVE-2025-1242 - Gardyn IoT Hub is vulnerable to credentials extraction through various methods, allowing attackers to gain full administrative access and control over connected devices.
Product: Gardyn IoT Hub
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-1242
CVE-2025-69771 - ASBPlayer v1.13.0 is vulnerable to an arbitrary file upload attack in the subtitle loading function, enabling remote code execution via a malicious subtitle file upload.
Product: ASBPlayer
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-69771
CVE-2026-27702 - Budibase has an unsafe `eval()` vulnerability in its view filtering implementation, allowing any authenticated user to execute arbitrary JavaScript code on the server in Budibase Cloud.
Product: Budibase
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27702
CVE-2026-27847 through CVE-2026-27849 - Vulnerabilities in Linksys MR9600 and MX4200.
Product: Linksys MR9600 and MX4200
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27847 (SQL injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27848 (OS command injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27849 (OS command injection)
CVE-2026-27728 - OneUptime had an OS command injection vulnerability in `NetworkPathMonitor.performTraceroute()` before version 10.0.7, allowing authenticated users to run arbitrary commands on the Probe server via shell metacharacters injected into the monitor's destination field.
Product: OneUptime
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27728
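OliveTin's password-argument injection and OneUptime's traceroute destination field are both OS command injection: a user-controlled string reaches a shell. The added example below is not code from either project; it uses echo in place of traceroute so it runs anywhere, and the hostname grammar (a conservative RFC 1123 shape) is an assumption. The contrast is the usual one: string concatenation with shell=True lets ';' start a second command, while a validated value passed as one argv element never meets a shell at all.

```python
import ipaddress
import re
import subprocess

# Conservative hostname grammar: dot-separated labels of letters, digits and
# hyphens, no leading/trailing hyphen, at most 253 chars. (Assumption: strict
# enough for a monitoring target; IDNs would need punycode first.)
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)*{_LABEL}$")


def validate_destination(dest: str) -> str:
    """Accept an IPv4/IPv6 literal or a hostname; reject everything else
    (shell metacharacters, spaces, option-like '-' prefixes) before the value
    gets anywhere near a process."""
    try:
        return str(ipaddress.ip_address(dest))
    except ValueError:
        pass
    if HOSTNAME_RE.match(dest):
        return dest
    raise ValueError(f"invalid destination: {dest!r}")


def trace_vulnerable(dest: str) -> str:
    """Vulnerable: concatenation plus shell=True hands the whole line to
    /bin/sh, so ';', '|', '$(...)' and friends inside dest are interpreted."""
    return subprocess.run("echo " + dest, shell=True,
                          capture_output=True, text=True).stdout


def trace_fixed(dest: str) -> str:
    """Fixed: validate, then pass argv as a list. No shell is involved and
    dest is exactly one argument whatever it contains. (With a real tool
    that accepts options, also place '--' before dest.)"""
    dest = validate_destination(dest)
    return subprocess.run(["echo", dest], capture_output=True, text=True).stdout


def is_rejected(dest: str) -> bool:
    try:
        validate_destination(dest)
    except ValueError:
        return True
    return False


# Constructed attacker input: a valid-looking address followed by a second command.
PAYLOAD = "203.0.113.7; echo INJECTED"
```

Validation is the second line of defence here, not the first: the list-form subprocess call is what removes the shell, and the allowlist exists so that a value like "-x" cannot be turned into an option by the tool itself.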
CVE-2026-21902 - Juniper Networks Junos OS Evolved on PTX Series is vulnerable to an Incorrect Permission Assignment for Critical Resource, allowing a remote attacker to execute code as root.
Product: Juniper Networks Junos OS Evolved on PTX Series
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21902
CVE-2026-25952, CVE-2026-25953, CVE-2026-25955, CVE-2026-25959, CVE-2026-25997 - Multiple Use After Free vulnerabilities in FreeRDP.
Product: FreeRDP
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25952
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25953
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25955
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25959
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25997
CVE-2026-27575 and CVE-2026-28268 - Password-related vulnerabilities in Vikunja.
Product: Vikunja
CVSS Scores: 9.1 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27575 (weak password requirements / insufficient session expiration)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-28268 (weak password recovery mechanism for forgotten password)
CVE-2026-27495 - n8n, an open source workflow automation platform, is vulnerable to unauthorized code execution prior to versions 2.10.1, 2.9.3, and 1.123.22; users should upgrade or apply the temporary mitigations.
Product: n8n
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27495
CVE-2026-27804 - Parse Server is vulnerable to an unauthenticated attacker forging a Google authentication token with `alg: "none"` to log in as any user linked to a Google account.
Product: Parse-Server
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27804
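The Parse Server entry is the textbook alg "none" failure: a verifier that takes the algorithm from the token header lets the attacker choose "no signature". The added example below is not Parse Server's code. It uses HS256 with a shared key instead of Google's RS256 ID tokens so that it runs offline; the pinned-algorithm check is the same in either case (with RS256 the key would be selected from the provider's JWKS by kid, and issuer and audience would be checked as well). The key and claims are constructed.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def issue_hs256(claims: dict, key: bytes) -> str:
    """What the legitimate issuer produces."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = _sign(f"{header}.{body}".encode(), key)
    return f"{header}.{body}.{_b64url(sig)}"


def forge_alg_none(claims: dict) -> str:
    """What the attacker produces: any claims, alg 'none', empty signature."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{header}.{body}."


def verify_vulnerable(token: str, key: bytes) -> dict:
    """Vulnerable: honours whatever 'alg' the unauthenticated header says."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(body_b64))     # no signature checked
    expected = _sign(f"{header_b64}.{body_b64}".encode(), key)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))


def verify_fixed(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Fixed: the verifier, not the token, decides which algorithm is
    acceptable; anything else is rejected before any signature logic runs."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    expected = _sign(f"{header_b64}.{body_b64}".encode(), key)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))


def accepts(verifier, token: str, key: bytes) -> bool:
    """True if the verifier returns claims for the token instead of raising."""
    try:
        verifier(token, key)
    except ValueError:
        return False
    return True


KEY = b"constructed-demo-key"   # assumption: the issuer's HMAC secret
```

With a real JWT library the same rule applies: pass the expected algorithm list explicitly to the verify call and never let it default to "whatever the header says".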
CVE-2026-27809 - psd-tools before version 1.12.2 crashes when encountering malformed RLE-compressed image data in PSD files; version 1.12.2 handles the error gracefully.
Product: Psd-Tools Project
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27809
CVE-2026-27941 - OpenLIT exposed sensitive secrets and write-privileged tokens in its GitHub workflows prior to version 1.37.1.
Product: OpenLIT
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27941
CVE-2026-27965 - Vitess allows for execution of arbitrary code during backup restoration prior to versions 23.0.3 and 22.0.4, granting unauthorized access to production environments, with a patch available and workarounds for external decompressor usage.
Product: Linux Foundation Vitess
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27965
CVE-2026-27966 - Langflow's CSV Agent node in versions prior to 1.8.0 exposes the Python REPL tool, allowing remote code execution via prompt injection.
Product: Langflow
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27966
CVE-2026-27975 - Ajenti had an unauthenticated access vulnerability in versions prior to 2.2.13, allowing attackers to execute arbitrary code on servers.
Product: Ajenti
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27975
CVE-2025-50857 - ZenTaoPMS v18.11 through v21.6.beta is susceptible to Directory Traversal in /module/ai/control.php, enabling attackers to run arbitrary code using a manipulated file upload.
Product: ZenTaoPMS
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50857
CVE-2026-27510 - The Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android application (com.unitree.doggo2), are vulnerable to remote code execution.
Product: Unitree Go2
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27510
CVE-2026-22207 - OpenViking through version 0.1.18 has a broken access control vulnerability that enables unauthenticated attackers to gain ROOT privileges when the root_api_key configuration is omitted.
Product: OpenViking
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22207
CVE-2026-28213 - EverShop's "Forgot Password" functionality in versions prior to 2.1.1 allows attackers to take over accounts by obtaining the password reset token from the API response.
Product: EverShop
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-28213
CVE-2026-28215 - Hoppscotch is an open source API development ecosystem vulnerable to an unauthenticated attacker being able to overwrite the entire infrastructure configuration, including OAuth provider credentials and SMTP settings, prior to version 2026.2.0 with a single HTTP POST request.
Product: Hoppscotch
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-28215
CVE-2026-20781, CVE-2026-24731, CVE-2026-25851, CVE-2026-27767, CVE-2026-27772, CVE-2026-27028 - WebSocket endpoints in OCPP lack authentication, allowing attackers to impersonate charging stations and manipulate backend data.
Products: Cloudcharge.Se, Ev2Go.Io, hargemap.Com, Swtchenergy.Com, Ev.Energy, Mobility46.Se
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-20781
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24731
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25851
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27767
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27772
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27028
CVE-2026-21718 and CVE-2026-24663 - Vulnerabilities in Copeland XWEB Pro version 1.12.1 and prior.
Product: Copeland XWEB Pro
CVSS Scores: 9.0 - 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21718 (authentication bypass)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24663 (OS command injection)
NVD References:
- https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10
CVE-2026-28363 - OpenClaw before 2026.2.23 may allow approval-free execution paths by bypassing tools.exec.safeBins validation for sort using GNU long-option abbreviations in allowlist mode.
Product: OpenClaw
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-28363
NVD References: https://github.com/openclaw/openclaw/security/advisories/GHSA-3c6h-g97w-fg78
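The OpenClaw entry turns on a property of GNU getopt_long that allowlists rarely account for: any unambiguous prefix of a long option is accepted, so --out=FILE means --output=FILE to sort. The added example below is not OpenClaw's safeBins code. The option table is a subset of GNU sort's long options (an assumption drawn from coreutils sort --help; a production allowlist must carry the full table) and the "dangerous" set is my choice of the options that write files, read arbitrary files, or execute a program. It contrasts a literal comparison with a resolver that expands abbreviations the way getopt_long does and fails closed on anything unknown or ambiguous.

```python
# Subset of GNU sort's long options (assumption: from coreutils `sort --help`;
# the real table is longer).
SORT_LONG_OPTIONS = {
    "--output", "--compress-program", "--files0-from", "--temporary-directory",
    "--random-source", "--key", "--reverse", "--numeric-sort", "--unique",
    "--stable", "--field-separator", "--check", "--merge", "--parallel",
    "--buffer-size", "--zero-terminated", "--ignore-case", "--help", "--version",
}
# Options that let sort touch the filesystem or run a program.
DANGEROUS_LONG = {"--output", "--compress-program", "--files0-from",
                  "--temporary-directory", "--random-source"}
DANGEROUS_SHORT = {"o", "T"}    # -o FILE, -T DIR


def resolve_long_option(arg: str):
    """Emulate getopt_long: '--name' or '--name=value' matches an exact long
    option or a unique prefix of one. Returns the canonical option, or None
    when the name is unknown or ambiguous."""
    name = arg.split("=", 1)[0]
    if name in SORT_LONG_OPTIONS:
        return name
    matches = [opt for opt in SORT_LONG_OPTIONS if opt.startswith(name)]
    return matches[0] if len(matches) == 1 else None


def is_safe_naive(argv) -> bool:
    """Literal comparison: only the exact spellings in the dangerous sets are
    caught, so '--out=/etc/cron.d/x' sails through."""
    for arg in argv[1:]:
        if arg == "--":
            break
        name = arg.split("=", 1)[0]
        if name in DANGEROUS_LONG:
            return False
        if arg.startswith("-") and not arg.startswith("--") and set(arg[1:]) & DANGEROUS_SHORT:
            return False
    return True


def is_safe_resolved(argv) -> bool:
    """Abbreviation-aware: every long option is expanded first; unknown or
    ambiguous names are refused (fail closed) rather than passed along for
    the real binary to interpret."""
    for arg in argv[1:]:
        if arg == "--":
            break
        if arg.startswith("--"):
            canonical = resolve_long_option(arg)
            if canonical is None or canonical in DANGEROUS_LONG:
                return False
        elif arg.startswith("-") and len(arg) > 1:
            # Short options may be clustered (-rno FILE); any dangerous letter
            # anywhere in the cluster is enough to refuse.
            if set(arg[1:]) & DANGEROUS_SHORT:
                return False
    return True
```

The fail-closed branch is the important design choice: a validator that cannot name the option it is looking at should not guess that the binary will treat it as harmless, because the binary's option parser, not the validator's, has the final say.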
CVE-2026-3301 - Totolink N300RH 6.1c.1353_B20190305 is vulnerable to remote os command injection via manipulation of the webWlanIdx argument in the setWebWlanIdx function of the /cgi-bin/cstecgi.cgi file in the Web Management Interface component, with an exploit publicly available for potential attacks.
Product: Totolink N300Rh_Firmware 6.1c.1353_b20190305
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3301
CVE-2026-21654, CVE-2026-21656 through CVE-2026-21660 - Multiple vulnerabilities in Johnson Controls Frick Controls Quantum HD
Product: Johnson Controls Frick Controls Quantum HD
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21654 (OS command injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21656 (code injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21657 (code injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21658 (code injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21659 (path traversal)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-21660 (hardcoded email credentials saved as plaintext)
NVD References:
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-01
- https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories
CVE-2026-2251 - Xerox FreeFlow Core is vulnerable to path traversal, allowing unauthorized access to directories and leading to remote code execution in versions up to 8.0.7.
Product: Xerox FreeFlow Core
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-2251
NVD References: https://securitydocs.business.xerox.com/wp-content/uploads/2026/02/Xerox-Security-Bulletin-026-005-for-Xerox-Freeflow-Core.pdf
CVE-2026-24352 - PluXml CMS allows an attacker to fix a session ID for a victim and hijack an authenticated session due to a flaw in version range 5.8.21 to 5.9.0-rc7.
Product: PluXml
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24352
CVE-2026-2749 and CVE-2026-2750 - Vulnerabilities in Centreon Open Tickets on Central Server on Linux.
Product: Centreon Open Tickets
CVSS Scores: 9.1 - 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-2749
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-2750 (improper input validation)
CVE-2026-27751 and CVE-2026-27755 - Vulnerabilities in SODOLA SL902-SWTGW124AS firmware versions through 200.1.20.
Product: Sodola-Network Sl902-Swtgw124As
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27751 (use of default credentials)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27755 (use of insufficiently random values)
CVE-2026-2999 and CVE-2026-3000 - Download of Code Without Integrity Check vulnerabilities in IDExpert Windows Logon Agent
Product: Changing IDExpert Windows Logon Agent
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-2999
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3000
NVD References: https://www.twcert.org.tw/en/cp-139-10741-daed4-2.html
CVE-2026-3422 - U-Office Force by e-Excellence is vulnerable to Insecure Deserialization, enabling remote attackers to run arbitrary code through specially crafted serialized content.
Product: e-Excellence U-Office Force
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3422
NVD References: https://www.twcert.org.tw/en/cp-139-10743-9a952-2.html
CVE-2026-3431 - SimStudio version below 0.5.74 allows attackers to connect to any MongoDB instance and execute unauthorized operations due to the tool's endpoints accepting arbitrary connection parameters without authentication or host restrictions.
Product: SimStudio
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3431
CVE-2025-50187, CVE-2025-50190, CVE-2025-50192, CVE-2025-50199, CVE-2025-52998 - Multiple vulnerabilities in Chamilo Learning Management System before version 1.11.28 allow remote code execution via an unfiltered parameter in a SOAP request.
Product: Chamilo LMS
CVSS Scores: 9.1 - 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50187 (eval injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50190 (SQL injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50192 (SQL injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50199 (server-side request forgery)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-52998 (deserialization of untrusted data)
CVE-2026-24107 through CVE-2026-24115 - Multiple vulnerabilities in Tenda W20E V4.0br_V15.11.0.6.
Product: Tenda W20E
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24107 (code injection)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24108 (buffer overflow)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24109 (buffer overflow)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24110 (buffer overflow)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24111 (buffer overflow)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24112 (buffer overflow)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24113 (buffer overflow)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24114 (buffer overflow)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24115 (buffer overflow)
CVE-2026-24101 and CVE-2026-24105 - Tenda AC15V1.0 V15.03.05.18_multi command injection vulnerabilities
Product: Tenda AC15
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24101
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-24105
CVE-2025-48609 - Android's MmsProvider (MmsProvider.java) has a path traversal flaw allowing arbitrary file deletion, impacting telephony, SMS, and MMS, with no user interaction needed.
Product: Google Android (MmsProvider)
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48609
NVD References: https://source.android.com/docs/security/bulletin/2026/2026-03-01
CVE-2026-0006 - Google Android has multiple out of bounds read and write issues in various locations, potentially leading to remote code execution without requiring user interaction.
Product: Google Android
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-0006
NVD References: https://source.android.com/docs/security/bulletin/2026/2026-03-01
CVE-2026-22886 - OpenMQ exposes a TCP-based management service with default credentials that could allow a remote attacker to gain full control.
Product: OpenMQ
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22886
CVE-2025-59059 - Apache Ranger versions <= 2.7.0 contain a Remote Code Execution Vulnerability in NashornScriptEngineCreator, users should upgrade to version 2.8.0 to fix the issue.
Product: Apache Ranger
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59059
NVD References: https://lists.apache.org/thread/z47q86rho80390lf2qcmoc2josvs0gtv
CVE-2026-22891 - The Biosig Project libbiosig is vulnerable to a heap-based buffer overflow via malicious Intan CLP files, allowing for arbitrary code execution.
Product: The Biosig Project libbiosig
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-22891
NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2026-2361
CVE-2026-3485 - D-Link DIR-868L 110b03 has a vulnerability that allows for remote unauthorized os command injection due to a flaw in the SSDP Service component.
Product: D-Link DIR-868L
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-3485
CVE-2026-27012 - OpenSTAManager is vulnerable to privilege escalation and authentication bypass, allowing attackers to change user groups and potentially gain unauthorized access.
Product: OpenSTAManager
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-27012
NVD References: https://github.com/devcode-it/openstamanager/security/advisories/GHSA-247v-7cw6-q57v
CVE-2026-26266 - AliasVault Web Client versions 0.25.3 and lower are vulnerable to stored cross-site scripting (XSS) attacks through the email rendering feature.
Product: AliasVault Web Client
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26266
CVE-2026-26279 - Froxlor open source server administration software is vulnerable to full root-level Remote Code Execution due to a typo in input validation code.
Product: Froxlor
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26279
CVE-2025-15467 - OpenSSL versions 3.6, 3.5, 3.4, 3.3, and 3.0 are vulnerable to a stack buffer overflow when parsing CMS AuthEnvelopedData messages with maliciously crafted AEAD parameters.
Product: OpenSSL
CVSS Score: 0 (not scored in this feed)
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-15467
ISC Podcast: https://isc.sans.edu/podcastdetail/9826
CVE-2026-2628 - The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress allows unauthenticated attackers to bypass authentication and login as other users, including administrators.
Product: All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress
Active Installations: 500+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-2628
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/5e15e36e-55f9-4095-a0ba-48ef9434606a?source=cve
CVE-2026-1492 - The User Registration & Membership plugin for WordPress is vulnerable to improper privilege management, allowing unauthenticated attackers to create administrator accounts.
Product: WordPress User Registration & Membership Plugin
Active Installations: 60,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-1492
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/7e9fec92-f471-4ce9-9138-1c58ad658da2?source=cve
CVE-2025-12981 - The Listee theme for WordPress allows unauthenticated attackers to escalate privileges by registering as Administrator due to a validation check flaw in version 1.1.6 and earlier.
Product: WordPress Listee theme
Active Installations: Unknown. Update to version 1.1.7, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12981
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/d534feae-d1b7-4544-b1c5-c23f37dd5bab?source=cve
Free Virtual Summit | SANS Leadership Summit Solutions Track 2026 | Tuesday, March 17, 2026, at 10:00 AM EDT | Join experts from SANS, Microsoft and Daylight Security as they discuss frameworks and actionable approaches that address today's leadership challenges.
Webinar | Don't Trust AI – Verify It: A Practical Discussion About AI in the SOC | Wednesday, March 18, 2026, at 1:00 PM EDT.
Webinar | The Next Generation of Data Security | Tuesday, April 15, 2026, at 1:00 PM EDT. Hosted by Dave Shackleford.
Survey Results Webinar | 2026 SANS State of Identity Threats & Defenses Survey Insights Event: How Identity Became the New Security Perimeter—And What’s Next | Wednesday, March 11, 2026, at 10:30 AM EDT.