ECV 2026  January

ECV 2026  January(17) February(28) March(23) April(29) May(14) June(11) July(0) August(0) September(0) October(0) November(0) December(0)


29.1.26 CVE-2026-1281 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability: Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution. Ivanti | Endpoint Manager Mobile (EPMM)  CWE-94
27.1.26 CVE-2026-24858 Fortinet Multiple Products Authentication Bypass Using an Alternate Path or Channel Vulnerability: Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy contain an authentication bypass using an alternate path or channel that could allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices. Fortinet | Multiple Products CWE-288
26.1.26 CVE-2026-21509 Microsoft Office Security Feature Bypass Vulnerability: Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could allow an unauthorized attacker to bypass a security feature locally. Microsoft | Office CWE-807
26.1.26 CVE-2026-24061 GNU InetUtils Argument Injection Vulnerability: GNU InetUtils contains an argument injection vulnerability in telnetd that could allow for remote authentication bypass via a "-f root" value for the USER environment variable. GNU | InetUtils CWE-88
26.1.26 CVE-2026-23760 SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability: SmarterTools SmarterMail contains an authentication bypass using an alternate path or channel vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. This could allow an unauthenticated attacker to supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. SmarterTools | SmarterMail CWE-288
26.1.26 CVE-2025-52691 SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability: SmarterTools SmarterMail contains an unrestricted upload of file with dangerous type vulnerability that could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution. SmarterTools | SmarterMail CWE-434
26.1.26 CVE-2018-14634 Linux Kernel Integer Overflow Vulnerability: Linux Kernel contains an integer overflow vulnerability in the create_elf_tables() function which could allow an unprivileged local user with access to SUID (or otherwise privileged) binary to escalate their privileges on the system. Linux | Kernal CWE-190
23.1.26 CVE-2024-37079 Broadcom VMware vCenter Server Out-of-bounds Write Vulnerability: Broadcom VMware vCenter Server contains an out-of-bounds write vulnerability in the implementation of the DCERPC protocol. This could allow a malicious actor with network access to vCenter Server to send specially crafted network packets, potentially leading to remote code execution. Broadcom | VMware vCenter Server CWE-787
22.1.26 CVE-2025-54313 Prettier eslint-config-prettier Embedded Malicious Code Vulnerability: Prettier eslint-config-prettier contains an embedded malicious code vulnerability. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows. Prettier | eslint-config-prettier CWE-506
22.1.26 CVE-2025-31125  Vite Vitejs Improper Access Control Vulnerability: Vite Vitejs contains an improper access control vulnerability that exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Vite | Vitejs  CWE-200| CWE-284
22.1.26 CVE-2025-34026 Versa Concerto Improper Authentication Vulnerability: Versa Concerto SD-WAN orchestration platform contains an improper authentication vulnerability in the Traefik reverse proxy configuration, allowing at attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs. Versa | Concerto
 
CWE-288
22.1.26 CVE-2025-68645 Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability: Synacor Zimbra Collaboration Suite (ZCS) contains a PHP remote file inclusion vulnerability that could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory. Synacor | Zimbra Collaboration Suite (ZCS) CWE-98
21.1.26 CVE-2026-20045 Cisco Unified Communications Products Code Injection Vulnerability: Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance contain a code injection vulnerability that could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. Cisco | Unified Communications Manager CWE-94
13.1.26 CVE-2026-20805 Microsoft Windows Information Disclosure Vulnerability: Microsoft Windows Desktop Windows Manager contains an information disclosure vulnerability that allows an authorized attacker to disclose information locally. Microsoft | Windows CWE-200
12.1.26 CVE-2025-8110 Gogs Path Traversal Vulnerability: Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution. Gogs | Gogs CWE-22
12.1.26 CVE-2025-37164 Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability: Hewlett Packard Enterprise (HPE) OneView contains a code injection vulnerability that allows a remote unauthenticated user to perform remote code execution. Hewlett Packard Enterprise (HPE) | OneView CWE-94
7.1.26 Microsoft Office PowerPoint Code Injection Vulnerability: Microsoft Office PowerPoint contains a code injection vulnerability that allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption. Microsoft | Office CWE-94