- CVE-2026-27290 - Adobe Framemaker | Untrusted Search Path (CWE-426)
- CVE-2026-40291 - Chamilo LMS has Privilege Escalation via API User Role Modification
- CVE-2026-27304 - ColdFusion | Improper Input Validation (CWE-20)
- CVE-2026-27305 - ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
- CVE-2026-27306 - ColdFusion | Improper Input Validation (CWE-20)
- CVE-2026-34615 - Adobe Connect | Deserialization of Untrusted Data (CWE-502)
- CVE-2026-34617 - Adobe Connect | Cross-site Scripting (XSS) (CWE-79)
- CVE-2026-33826 - Windows Active Directory Remote Code Execution Vulnerability
- CVE-2026-33120 - Microsoft SQL Server Remote Code Execution Vulnerability
- CVE-2026-32221 - Windows Graphics Component Remote Code Execution Vulnerability
- CVE-2026-32190 - Microsoft Office Remote Code Execution Vulnerability
- CVE-2026-32171 - Azure Logic Apps Elevation of Privilege Vulnerability
- CVE-2026-32162 - Windows COM Elevation of Privilege Vulnerability
- CVE-2026-32157 - Remote Desktop Client Remote Code Execution Vulnerability
- CVE-2026-32091 - Microsoft Brokering File System Elevation of Privilege Vulnerability
- CVE-2026-27928 - Windows Hello Security Feature Bypass Vulnerability
- CVE-2026-27912 - Windows Kerberos Elevation of Privilege Vulnerability
- CVE-2026-27246 - Adobe Connect | Cross-site Scripting (DOM-based XSS) (CWE-79)
- CVE-2026-27303 - Adobe Connect | Deserialization of Untrusted Data (CWE-502)
- CVE-2026-27243 - Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79)
- CVE-2026-27245 - Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79)
- CVE-2026-26178 - Windows Advanced Rasterization Platform Elevation of Privilege Vulnerability
- CVE-2026-26167 - Windows Push Notifications Elevation of Privilege Vulnerability
- CVE-2026-26149 - Microsoft Power Apps Security Feature Bypass
- CVE-2026-0207 - Sensitive Information Logging Vulnerability in FlashBlade
- CVE-2026-34622 - Acrobat Reader | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321)
- CVE-2026-39815 - Fortinet FortiDDoS-F SQL Injection
- CVE-2026-39813 - Fortinet FortiSandbox Path Traversal Vulnerability
- CVE-2026-39808 - Fortinet FortiSandbox OS Command Injection
- CVE-2026-38526 - Krayin CRM PHP File Upload Code Execution Vulnerability
- CVE-2026-38527 - Webkul Krayin CRM SSRF
- CVE-2026-38529 - Krayin CRM Broken Object-Level Authorization (BOLA)
- CVE-2026-38530 - Webkul Krayin CRM Broken Object-Level Authorization (BOLA)
- CVE-2026-38532 - Webkul Krayin CRM Object-Level Authorization Bypass
- CVE-2026-22828 - Fortinet FortiAnalyzer Cloud/Manager Buffer Overflow
- CVE-2025-65135 - Manikandan580 School-management-system Blind SQL Injection
- CVE-2025-63939 - Anirudhkannan Grocery Store Management System SQL Injection Vulnerability
- CVE-2026-2449 - upKeeper Instant Privilege Access Command Injection Vulnerability
- CVE-2026-40313 - PraisonAI: ArtiPACKED Vulnerability via GitHub Actions Credential Persistence
- CVE-2026-40288 - PraisonAI: Critical RCE via `type: job` workflow YAML
- CVE-2026-40289 - PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions
- CVE-2026-40287 - PraisonAI has RCE via Automatic tools.py Import
- CVE-2026-4365 - LearnPress <= 4.3.2.8 - Missing Authorization to Unauthenticated Arbitrary Quiz Answer Deletion
- CVE-2026-27681 - SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse
- CVE-2026-6196 - Tenda F456 exeCommand fromexeCommand stack-based overflow
- CVE-2026-32316 - jq: Integer overflow in jvp_string_append() allows Heap-based Buffer Overflow
- CVE-2026-40044 - Pachno 1.0.6 FileCache Deserialization Remote Code Execution
- CVE-2026-40042 - Pachno 1.0.6 Wiki TextParser XML External Entity Injection
- CVE-2026-40040 - Pachno 1.0.6 Unrestricted File Upload Remote Code Execution
- CVE-2026-34186 - SQL Injection in Custom Fields leads to Database Compromise
- CVE-2026-30813 - SQL Injection in Module Search leads to Database Compromise
- CVE-2026-30804 - Unrestricted File Upload in Extension Uploader leads to Remote Code Execution
- CVE-2026-30806 - OS Command Injection in Network Report leads to Remote Code Execution
- CVE-2026-30809 - OS Command Injection in WebServerModuleDebug via Blacklist Bypass leads to Remote Code Execution
- CVE-2026-30811 - Missing Authorization in Configuration Ajax Endpoint leads to Information Disclosure
- CVE-2026-6157 - Totolink A800R app.so setAppEasyWizardConfig buffer overflow
- CVE-2026-6156 - Totolink A7100RU CGI cstecgi.cgi setIpQosRules os command injection
- CVE-2026-6155 - Totolink A7100RU CGI cstecgi.cgi setWanCfg os command injection
- CVE-2026-6154 - Totolink A7100RU CGI cstecgi.cgi setWizardCfg os command injection
- CVE-2026-6137 - Tenda F451 AdvSetWan fromAdvSetWan stack-based overflow
- CVE-2026-6138 - Totolink A7100RU CGI cstecgi.cgi setAccessDeviceCfg os command injection
- CVE-2026-6122 - Tenda F451 httpd L7Prot frmL7ProtForm stack-based overflow
- CVE-2026-6120 - Tenda F451 httpd DhcpListClient fromDhcpListClient stack-based overflow
- CVE-2026-6114 - Totolink A7100RU CGI cstecgi.cgi setNetworkCfg os command injection
- CVE-2026-6113 - Totolink A7100RU CGI cstecgi.cgi setTtyServiceCfg os command injection
- CVE-2026-6112 - Totolink A7100RU CGI cstecgi.cgi setRadvdCfg os command injection
- CVE-2026-4149 - Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability
- CVE-2026-40189 - goshs has a file-based ACL authorization bypass in goshs state-changing routes
- CVE-2026-40163 - Saltcorn has an Unauthenticated Path Traversal in sync endpoints allows arbitrary file write and directory read
- CVE-2026-5483 - Odh-dashboard: odh dashboard kubernetes service account exposure
- CVE-2026-31939 - Path Traversal (Arbitrary File Delete) in Chamilo LMS
- CVE-2026-32892 - OS Command Injection in Chamilo LMS 1.11.36
- CVE-2026-35595 - Vikunja Affected by Privilege Escalation via Project Reparenting
- CVE-2026-35669 - OpenClaw < 2026.3.25 - Privilege Escalation via Gateway Plugin HTTP Authentication Scope
- CVE-2026-35666 - OpenClaw < 2026.3.22 - Allowlist Bypass via Unregistered Time Dispatch Wrapper
- CVE-2026-35663 - OpenClaw < 2026.3.25 - Privilege Escalation via Backend Reconnect Scope Self-Claim
- CVE-2026-35660 - OpenClaw < 2026.3.23 - Insufficient Access Control in Gateway Agent Session Reset
- CVE-2026-35653 - OpenClaw < 2026.3.24 - Incorrect Authorization in POST /reset-profile via browser.request
- CVE-2026-35643 - OpenClaw < 2026.3.22 - Arbitrary Code Execution via Unvalidated WebView JavascriptInterface
- CVE-2026-35641 - OpenClaw < 2026.3.24 - Arbitrary Code Execution via .npmrc in Local Plugin/Hook Installation
- CVE-2026-40217 - LiteLLM Arbitrary Code Execution Vulnerability
- CVE-2026-5777 - Security Misconfiguration Vulnerability in Atom 3x Projector
- CVE-2026-28704 - EmoCheck DLL Loading Vulnerability
- CVE-2026-5991 - Tenda F451 WrlExtraSet formWrlExtraSet stack-based overflow
- CVE-2026-5992 - Tenda F451 P2pListFilter fromP2pListFilter stack-based overflow
- CVE-2026-5981 - D-Link DIR-605L POST Request formAdvFirewall buffer overflow
- CVE-2026-5983 - D-Link DIR-605L POST Request formSetDDNS buffer overflow
- CVE-2026-5984 - D-Link DIR-605L POST Request formSetLog buffer overflow
- CVE-2026-40154 - PraisonAI Affected by Untrusted Remote Template Code Execution
- CVE-2026-5264 - DTLS 1.3 ACK heap buffer overflow
- CVE-2026-40113 - PraisonAI has an Argument Injection into Cloud Run Environment Variables via Unsanitized Comma in gcloud --set-env-vars
- CVE-2026-40111 - PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py)
- CVE-2026-35625 - OpenClaw < 2026.3.25 - Privilege Escalation via Silent Local Shared-Auth Reconnect
- CVE-2026-35618 - OpenClaw < 2026.3.23 - Replay Identity Drift via Query-Only Variants in Plivo V2 Verification
- CVE-2026-33791 - Junos OS and Junos OS Evolved: Execution of crafted CLI commands allows for arbitrary shell injection as root
- CVE-2026-33793 - Junos OS and Junos OS Evolved: When an unsigned Python op script configuration is present, a local low privileged user can compromise the system
- CVE-2026-34512 - OpenClaw < 2026.3.25 - Improper Access Control in /sessions/:sessionKey/kill Endpoint
- CVE-2026-33790 - Junos OS: SRX Series: In a NAT64 configuration, receipt of a specific, malformed ICMPv6 packet will cause the srxpfe process to crash and restart.
- CVE-2026-33784 - JSI Virtual Lightweight Collector: Default password is not required to be changed which allows unauthorized high-privileged access
- CVE-2026-33785 - Junos OS: MX Series: Missing Authorization for specific 'request' CLI commands in a JDM/CSDS scenario
Franck Ridel
