ECV 2026 January
ECV 2026 January(17) February(28) March(23) April(29) May(2) June(0) July(0) August(0) September(0) October(0) November(0) December(0)
| 29.1.26 | CVE-2026-1281 | Ivanti | Endpoint Manager Mobile (EPMM) | Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability: Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution. | CWE-94 |
| 27.1.26 | CVE-2026-24858 | Fortinet | Multiple Products | Fortinet Multiple Products Authentication Bypass Using an Alternate Path or Channel Vulnerability: Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy contain an authentication bypass using an alternate path or channel that could allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices. | CWE-288 |
| 26.1.26 | CVE-2026-21509 | Microsoft | Office | Microsoft Office Security Feature Bypass Vulnerability: Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could allow an unauthorized attacker to bypass a security feature locally. | CWE-807 |
| 26.1.26 | CVE-2026-24061 | GNU | InetUtils | GNU InetUtils Argument Injection Vulnerability: GNU InetUtils contains an argument injection vulnerability in telnetd that could allow for remote authentication bypass via a "-f root" value for the USER environment variable. | CWE-88 |
| 26.1.26 | CVE-2026-23760 | SmarterTools | SmarterMail | SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability: SmarterTools SmarterMail contains an authentication bypass using an alternate path or channel vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. This could allow an unauthenticated attacker to supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. | CWE-288 |
| 26.1.26 | CVE-2025-52691 | SmarterTools | SmarterMail | SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability: SmarterTools SmarterMail contains an unrestricted upload of file with dangerous type vulnerability that could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution. | CWE-434 |
| 26.1.26 | CVE-2018-14634 | Linux | Kernal | Linux Kernel Integer Overflow Vulnerability: Linux Kernel contains an integer overflow vulnerability in the create_elf_tables() function which could allow an unprivileged local user with access to SUID (or otherwise privileged) binary to escalate their privileges on the system. | CWE-190 |
| 23.1.26 | CVE-2024-37079 | Broadcom | VMware vCenter Server | Broadcom VMware vCenter Server Out-of-bounds Write Vulnerability: Broadcom VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. This could allow a malicious actor with network access to vCenter Server to send specially crafted network packets, potentially leading to remote code execution. | CWE-787 |
| 22.1.26 | CVE-2025-54313 | Prettier | eslint-config-prettier | Prettier eslint-config-prettier Embedded Malicious Code Vulnerability: Prettier eslint-config-prettier contains an embedded malicious code vulnerability. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows. | CWE-506 |
| 22.1.26 | CVE-2025-31125 | Vite | Vitejs | Vite Vitejs Improper Access Control Vulnerability: Vite Vitejs contains an improper access control vulnerability that exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. | |
| 22.1.26 | CVE-2025-34026 |
Versa | Concerto |
Versa Concerto Improper Authentication Vulnerability: Versa Concerto SD-WAN orchestration platform contains an improper authentication vulnerability in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs. | CWE-288 |
| 22.1.26 | CVE-2025-68645 | Synacor | Zimbra Collaboration Suite (ZCS) | Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory. | CWE-98 |
| 21.1.26 | CVE-2026-20045 | Cisco | Unified Communications Manager | Cisco Unified Communications Products Code Injection Vulnerability: Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance contain a code injection vulnerability that could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. | CWE-94 |
| 13.1.26 | CVE-2026-20805 | Microsoft | Windows | Microsoft Windows Information Disclosure Vulnerability: Microsoft Windows Desktop Windows Manager contains an information disclosure vulnerability that allows an authorized attacker to disclose information locally. | CWE-200 |
| 12.1.26 | CVE-2025-8110 | Gogs | Gogs | Gogs Path Traversal Vulnerability: Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution. | CWE-22 |
| 12.1.26 | CVE-2025-37164 | Hewlett Packard Enterprise (HPE) | OneView | Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability: Hewlett Packard Enterprise (HPE) OneView contains a code injection vulnerability that allows a remote unauthenticated user to perform remote code execution. | CWE-94 |
| 7.1.26 | Microsoft | Office | Microsoft Office PowerPoint Code Injection Vulnerability: Microsoft Office PowerPoint contains a code injection vulnerability that allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption. | CWE-94 | |