Critical CVEs

Hardcoded default Password for Service Account

Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232

Environment Variable Resolution Vulnerability in mlflow/mlflow

An OS command injection vulnerability in the app

RockRMS v16

LibreChat Exfiltrates Server Secrets via MCP Server URL Injection

authentik: SourceStage bypass via empty POST

authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover

ARMember Premium <= 7.3.1 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation

Spacelabs Healthcare Sentinel 10.5.x < 11.6.0 Unauthenticated RCE via .NET Remoting

OpenClaude: Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input

OpenMed < 1.5.2 Remote Code Execution via PII Model Loading

CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity

CWE-284: Improper Access Control in web services in Progress Sitefinity

WordPress WP Job Portal plugin <= 2.5.1 - SQL Injection vulnerability

Server-Side Template Injection (SSTI) in Wirtualna Uczelnia

Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password'

CrowCpp Crow through v1

Langroid has Prompt to SQL Injection, Leading to RCE

Cloud Foundry UAA versions v76

IBM WebSphere Application Server is affected by a remote code execution vulnerability

IBM WebSphere Application Server is affected by remote code execution

IBM WebSphere Application Server is affected by an identity spoofing vulnerability

In addInputMethodListener of com

AI Tensor Engine for ROCm (AITER) 0.1.14 Unauthenticated RCE via MessageQueue.recv() Pickle Deserialization

CloudPirates Open Source Helm Charts: GitHub Actions pull_request_target workflow allows secret exfiltration via fork pull requests

CloudPirates Open Source Helm Charts: GitHub Actions workflow leaks PAT and SSH signing key via unsafe credential handling

Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability

WordPress WP Directory Kit plugin <= 1.5.1 - SQL Injection vulnerability

Poly Voice – Possible Remote Control of Certain Poly Devices

WordPress Contest Gallery Pro plugin <= 29.0.1 - Privilege Escalation vulnerability

WordPress wpForo Forum plugin <= 3.0.6 - Broken Access Control vulnerability

WordPress Gravity Forms plugin <= 2.10.0.1 - Arbitrary File Deletion vulnerability

WordPress AIWU plugin <= 1.4.17 - Privilege Escalation vulnerability

Critical RCE vulnerability in Disig Web Signer

Apache Airflow: BashOperator Jinja2 injection via dag_run.conf — low-privilege user pattern

Deserialization of Untrusted Data vulnerability affecting Teamwork Cloud from No Magic Release 2022x through No Magic Release 2026x and Magic Collaboration Studio from CATIA Magic Release 2022x through CATIA Magic Release 2026x

SQL Injection via MySQL Quote Method

Totolink N300RH Web Management wireless.so setWiFiBasicConfig stack-based overflow

cpp-httplib: HTTP header value percent-decoding in server-side `parse_header` enables CRLF injection

Formie: Pre-authenticated server-side template injection in Hidden fields

Authentication Bypass Vulnerability in NI SystemLink Enterprise

Shopper: Authorization bypass and RBAC privilege escalation in team settings

SillyTavern: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

SillyTavern: Authentication Bypass via SSO Header Injection

Trilium Notes : Note Import to RCE via #docName Path Traversal (Safe Import Enabled)

Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter Use of Hard-coded Credentials

Arcane: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs

Dokploy: Authenticated Remote Code Execution via Command Injection in /listen-deployment WebSocket Endpoint

Dokploy: Command Injection via Unescaped Branch Fields in Deployment Pipeline