
Coordinated Disclosures

Vulnerability Research

A catalog of CVEs and vulnerabilities disclosed by Praetorian's research teams across open-source projects, commercial software, and internal tooling.

Total Published: 40
Criticals: 18
Highs: 16
Avg CVSS: 8.4
Last 90 Days: 12 advisories
| Severity | CVE | Advisory | CVSS | Published |
|---|---|---|---|---|
| High | CVE-2026-27190 | Deno Land: Deno: Command Injection in node:child_process via Newline in Argv | 8.1 | Feb 19, 2026 |
| Critical | CVE-2026-40477 | Thymeleaf: Thymeleaf RESTRICTED Mode Bypass — Server-Side Template Injection (SSTI) | 9.0 | Apr 15, 2026 |
| Critical | CVE-2026-3630 | Delta Electronics: Delta Electronics COMMGR2: Unauthenticated Stack-Based Buffer Overflow Enabling RCE | 9.8 | Mar 19, 2026 |
| High | CVE-2026-2581 | Node.js: Undici: Unbounded Memory Consumption in DeduplicationHandler — DoS | 5.9 | Mar 13, 2026 |
| Critical | CVE-2026-0953 | themeum: Tutor LMS Pro (themeum): Authentication Bypass via Social Login Addon | 9.8 | Mar 10, 2026 |
| High | CVE-2026-3342 | WatchGuard: WatchGuard Fireware OS: Authenticated Out-of-Bounds Write — Root Code Execution | 7.2 | Mar 1, 2026 |
| Critical | CVE-2025-55315 | Microsoft: ASP.NET Core Kestrel HTTP Request Smuggling via Chunk Extension Parsing | 9.9 | Oct 14, 2025 |
| Critical | CVE-2025-48865 | Fabio: Fabio Reverse Proxy: Connection-Header Abuse Strips Trusted X-Forwarded Headers | 9.1 | May 29, 2025 |
| Medium | CVE-2025-52493 | PagerDuty: PagerDuty Cloud Runbook: Client-Side Secret Exposure in Configuration Page | 6.5 | Nov 20, 2025 |
| High | CVE-2025-24362 | github: CodeQLEAKED: github/codeql-action Uploaded GITHUB_TOKEN in Debug Artifacts | 7.1 | Jan 24, 2025 |
| High | CVE-2025-33073 | Microsoft: NTLM Reflection Against Windows SMB Client ("the One-Hop Problem") | 8.8 | Mar 27, 2026 |
| High | CVE-2024-25085 | 3CX: 3CX Phone Management System (Windows): Local Privilege Escalation in Version 18 | 7.8 | |
| High | CVE-2024-26135 | Ylianst: MeshCentral: Cross-Site WebSocket Hijacking in control.ashx | 8.3 | Feb 21, 2024 |
| Medium | CVE-2024-5540 | Automated Logic: Automated Logic WebCTRL / Carrier i-Vu: Reflective XSS in Login Panel | 6.9 | |
| High | CVE-2024-6387 | OpenSSH: OpenSSH sshd Signal-Handler Race ("regreSSHion") — Unauthenticated Pre-Auth RCE | 8.1 | Jul 1, 2024 |
| Critical | CVE-2023-50164 | Apache Software Foundation: Apache Struts 2 File-Upload Path Traversal Leading to RCE (analysis blog) | 9.8 | Dec 7, 2023 |
| Critical | CVE-2024-5539 | Automated Logic: Automated Logic WebCTRL / Carrier i-Vu: Access Control Bypass | 9.2 | |
| Critical | CVE-2023-48365 | Qlik: DoubleQlik: Bypassing the Original Fix for CVE-2023-41265 to Re-Achieve Unauthenticated RCE | 9.6 | Sep 20, 2023 |
| Critical | CVE-2023-49657 | Apache Software Foundation: Apache Superset: Stored Cross-Site Scripting | 9.6 | |
| Critical | CVE-2023-47174 | Unknown: Thorn SFTP Gateway: Unauthenticated Java Deserialization RCE in OAuth2 Cookie Handler | 9.8 | |
| Critical | CVE-2023-48178 | M-Way Solutions: Relution: Java Deserialization in Inter-Cluster Communication | 9.8 | |
| Critical | CVE-2023-46747 | F5: F5 BIG-IP: Authentication Bypass via TMUI Request Smuggling | 9.8 | Oct 26, 2023 |
| Critical | CVE-2023-41265 | Qlik: ZeroQlik: Unauthenticated RCE in Qlik Sense via HTTP Request Tunneling | 9.6 | Aug 29, 2023 |
| Medium | CVE-2023-41266 | Qlik: ZeroQlik: Unauthenticated Path Traversal in Qlik Sense Enterprise | 8.2 | Aug 29, 2023 |
| Critical | CVE-2023-22515 | Atlassian: Atlassian Confluence Data Center & Server: Broken Access Control (Praetorian analysis blog) | 9.8 | Oct 4, 2023 |
| Critical | CVE-2023-38433 | Fujitsu: Fujitsu "IP series" Real-Time Video Transmission Gear: Hard-Coded Credentials | 7.5 | Jul 26, 2023 |
| High | CVE-2021-3054 | Palo Alto Networks: PAN-OS Web Interface: TOCTOU Race in Plugin Installation — Root Code Execution | 7.2 | Sep 8, 2021 |
| High | CVE-2022-0016 | Palo Alto Networks: PAN GlobalProtect App: SYSTEM via Embedded-Browser Escape on Connect Before Logon (SAML) | 7.4 | Feb 9, 2022 |
| High | CVE-2019-11687 | NEMA: ELFDICOM: Polyglot Malware in DICOM Part-10 File Format (Linux PoC) | 7.8 | |
| High | CVE-2009-3676 | Microsoft: Microsoft Windows SMB Client: Denial of Service via Malformed Response | 7.1 | Feb 9, 2010 |
| Medium | CVE-2019-1166 | Microsoft: Drop the MIC: Windows NTLM MIC Bypass | 5.9 | Oct 8, 2019 |
| Critical | CVE-2007-3483 | Research in Motion: BlackBerry Enterprise Server: Default Configuration Permits Arbitrary App Install on Devices | 10.0 | |
| Critical | CVE-2026-34977 | AperiSolve: Unauthenticated RCE via JPSeek Analyzer Command Injection | 9.8 | Mar 31, 2026 |
| High | CVE-2026-28468 | OpenClaw: Authentication Bypass in Sandbox Browser Bridge Server | 7.7 | Feb 18, 2026 |
| Medium | CVE-2026-28389 | OpenSSL: NULL Pointer Dereference in CMS KeyAgreeRecipientInfo Parsing | 7.5 | Apr 7, 2026 |
| Critical | CVE-2025-66478 | Next.js: Remote Code Execution via React Server Components (CVE-2025-66478, REJECTED — see CVE-2025-55182) | 10.0 | Dec 4, 2025 |
| High | CVE-2026-28462 | OpenClaw: Path Traversal in Browser Trace/Download Output Paths | 7.5 | Feb 18, 2026 |
| High | CVE-2025-64484 | OAuth2-Proxy: Header-Smuggling Auth Bypass in Front of Underscore-Sensitive Apps | 8.5 | Nov 12, 2025 |
| High | CVE-2024-32656 | Ant Media Server: Local Privilege Escalation via Unauthenticated Localhost JMX | 7.8 | Apr 22, 2024 |
| Medium | CVE-2026-0147 | OpenClaw: tools.exec.safeBins PATH-hijack allowed trojan binaries to bypass allowlist checks | 6.7 | Apr 2, 2026 |