Recent Critical Vulnerabilities
The latest critical severity CVEs, sorted by publication date. 50 critical vulnerabilities tracked.
Critical CVEs: 50 | Latest Published: Apr 18 | CVSS 10.0: 2
CVE-2026-40317 Apr 18, 2026
NovumOS local privilege escalation to kernel (CVE-2026-40317)
CVSS 9.3
CVE-2026-40324 Apr 18, 2026
Hot Chocolate GraphQL server crash via stack overflow (CVE-2026-40324)
CVSS 9.1
CVE-2026-40484 Apr 18, 2026
ChurchCRM admin can upload webshell for RCE (CVE-2026-40484)
CVSS 9.1
CVE-2026-40572 Apr 18, 2026
NovumOS local privilege escalation (CVE-2026-40572)
CVSS 9
CVE-2026-37749 Apr 17, 2026
Simple Attendance System unauth SQLi bypass (CVE-2026-37749) [PoC]
CVSS 9.8
CVE-2026-40351 Apr 17, 2026
FastGPT NoSQL injection grants admin login (CVE-2026-40351)
CVSS 9.8
CVE-2026-40477 Apr 17, 2026
Thymeleaf SSTI allows server-side code execution (CVE-2026-40477)
CVSS 9
CVE-2026-40478 Apr 17, 2026
Thymeleaf server-side template injection, unauth (CVE-2026-40478)
CVSS 9
CVE-2026-31843 Apr 16, 2026
Pay-Uz Laravel package unauthenticated RCE (CVE-2026-31843)
CVSS 9.8
CVE-2026-37338 Apr 16, 2026
Simple Music Cloud SQL injection, unauthenticated (CVE-2026-37338)
CVSS 9.4
CVE-2026-37345 Apr 16, 2026
Vehicle Parking System SQL injection, unauthenticated (CVE-2026-37345)
CVSS 9.8
CVE-2026-37347 Apr 16, 2026
Payroll Management System SQL injection, unauth (CVE-2026-37347)
CVSS 9.1
CVE-2026-40322 Apr 16, 2026
SiYuan stored XSS leads to code execution (CVE-2026-40322)
CVSS 9
CVE-2026-20147 Apr 15, 2026
Cisco ISE authenticated command execution (CVE-2026-20147)
CVSS 9.9
CVE-2026-20180 Apr 15, 2026
Cisco ISE authenticated command injection to root (CVE-2026-20180)
CVSS 9.9
CVE-2026-20184 Apr 15, 2026
Webex SSO impersonates any user, unauth (CVE-2026-20184)
CVSS 9.8
CVE-2026-20186 Apr 15, 2026
Cisco ISE authenticated command injection (CVE-2026-20186)
CVSS 9.9
CVE-2026-6296 Apr 15, 2026
Chrome sandbox escape via heap overflow (CVE-2026-6296)
CVSS 9.6
CVE-2025-63939 Apr 14, 2026
Grocery Store Management System 1.0 SQL injection (CVE-2025-63939)
CVSS 9.8
CVE-2025-65135 Apr 14, 2026
School-management-system 1.0 unauthenticated SQL injection (CVE-2025-65135)
CVSS 9.8
CVE-2026-27243 Apr 14, 2026
Adobe Connect reflected XSS, unauthenticated (CVE-2026-27243)
CVSS 9.3
CVE-2026-27245 Apr 14, 2026
Adobe Connect reflected XSS, unauthenticated (CVE-2026-27245)
CVSS 9.3
CVE-2026-27246 Apr 14, 2026
Adobe Connect DOM XSS, patch now (CVE-2026-27246)
CVSS 9.3
CVE-2026-27681 Apr 14, 2026
SAP BPC/BW SQL injection, unauth data access (CVE-2026-27681)
CVSS 9.9
CVE-2026-33824 Apr 14, 2026
Windows IKE Extension unauthenticated RCE (CVE-2026-33824)
CVSS 9.8
CVE-2026-34457 Apr 14, 2026
OAuth2 Proxy authentication bypass, unauth (CVE-2026-34457)
CVSS 9.1
CVE-2026-39399 Apr 14, 2026
NuGet Gallery RCE via crafted nuspec file (CVE-2026-39399)
CVSS 9.6
CVE-2026-39808 Apr 14, 2026
FortiSandbox unauthenticated command injection (CVE-2026-39808)
CVSS 9.8
CVE-2026-39813 Apr 14, 2026
FortiSandbox path traversal grants admin (CVE-2026-39813)
CVSS 9.8
CVE-2026-40288 Apr 14, 2026
PraisonAI workflow engine unauthenticated RCE (CVE-2026-40288)
CVSS 9.8
CVE-2026-40289 Apr 14, 2026
PraisonAI unauthenticated remote session hijacking (CVE-2026-40289)
CVSS 9.1
CVE-2026-40313 Apr 14, 2026
PraisonAI leaks GitHub tokens in public artifacts (CVE-2026-40313)
CVSS 9.1
CVE-2026-22562 Apr 13, 2026
UniFi Play path traversal to RCE, patch now (CVE-2026-22562)
CVSS 9.8
CVE-2026-40044 Apr 13, 2026
Pachmo unauthenticated RCE via cache deserialization (CVE-2026-40044)
CVSS 9.8
CVE-2026-6139 Apr 13, 2026
CVE-2026-6139: Totolink A7100RU Command Injection - PoC Available
CVSS 9.8
CVE-2026-6112 Apr 12, 2026
CVE-2026-6112: Totolink A7100RU Command Injection - PoC Available
CVSS 9.8
CVE-2026-6113 Apr 12, 2026
CVE-2026-6113: Totolink A7100RU Command Injection - PoC Available
CVSS 9.8
CVE-2026-6114 Apr 12, 2026
CVE-2026-6114: Totolink A7100RU Command Injection - PoC Available
CVSS 9.8
CVE-2026-6115 Apr 12, 2026
CVE-2026-6115: Totolink A7100RU Command Injection - PoC Available
CVSS 9.8
CVE-2026-6116 Apr 12, 2026
CVE-2026-6116: Totolink A7100RU Command Injection - PoC Available
CVSS 9.8
CVE-2026-31845 Apr 11, 2026
CVE-2026-31845: Rukovoditel CRM XSS
CVSS 9.3
CVE-2026-4149 Apr 11, 2026
Sonos Era 300 unauthenticated SMB RCE (CVE-2026-4149)
CVSS 10
CVE-2026-5058 Apr 11, 2026
aws-mcp-server unauthenticated RCE (CVE-2026-5058)
CVSS 9.8
CVE-2026-5059 Apr 11, 2026
CVE-2026-5059: aws-mcp-server Command Injection RCE
CVSS 9.8
CVE-2026-1115 Apr 10, 2026
CVE-2026-1115: parisneo/lollms Stored XSS
CVSS 9.6
CVE-2026-32892 Apr 10, 2026
CVE-2026-32892: Chamilo LMS RCE
CVSS 9.1
CVE-2026-40175 Apr 10, 2026
Axios Prototype Pollution leads to RCE (CVE-2026-40175)
CVSS 10
CVE-2026-33784 Apr 9, 2026
Juniper Networks default password exposes admin
CVSS 9.8
CVE-2026-34424 Apr 9, 2026
CVE-2026-34424: Smart Slider 3 Pro RCE
CVSS 9.8
CVE-2026-39980 Apr 9, 2026
CVE-2026-39980: OpenCTI Remote Code Execution
CVSS 9.1