📅 Weekly CVE Roundup
January 26 - February 1, 2026
🔴 Critical & High Severity Vulnerabilities
These are the most dangerous vulnerabilities disclosed this week. Prioritize patching these.
OpenClaw (also known as clawdbot or Moltbot) versions before 2026.1.29 automatically establish WebSocket connections using gatewayUrl values from quer...
Feb 1
Mult-E-Cart Ultimate 2.4 contains SQL injection vulnerabilities in multiple modules (inventory, customer, vendor, order) where attackers with vendor o...
Feb 1
PHP Melody 3.0 contains a remote SQL injection vulnerability in the video edit module that allows authenticated attackers to execute arbitrary SQL com...
Feb 1
Simple CMS 2.1 contains a remote SQL injection vulnerability in the users module that allows authenticated attackers to execute arbitrary SQL commands...
Feb 1
CVE-2020-37037 is an unquoted service path vulnerability in Avast SecureLine VPN client that allows local attackers to execute arbitrary code with SYS...
Feb 1
CVE-2020-37045 is an unquoted service path vulnerability in Veritas NetBackup 7.0's INET Daemon service. This allows local attackers to place maliciou...
Feb 1
CVE-2020-37047 is an unquoted service path vulnerability in Deep Instinct Windows Agent that allows local attackers to execute arbitrary code with Loc...
Feb 1
CVE-2020-37048 is an unquoted service path vulnerability in Iskysoft Application Framework Service that allows local attackers to execute arbitrary co...
Feb 1
CVE-2020-37055 is an unquoted service path vulnerability in SpyHunter 4 that allows local attackers to execute arbitrary code with SYSTEM privileges. ...
Feb 1
CVE-2020-37061 is an unquoted service path vulnerability in BOOTP Turbo 2.0.1214 that allows local attackers to execute arbitrary code with SYSTEM pri...
Feb 1
CVE-2020-37062 is an unquoted service path vulnerability in DHCP Turbo that allows local attackers to execute arbitrary code with elevated privileges....
Feb 1
CVE-2020-37063 is an unquoted service path vulnerability in TFTP Turbo that allows local attackers to execute arbitrary code with elevated SYSTEM priv...
Feb 1
CVE-2020-37064 is an unquoted service path vulnerability in EPSON EasyMP Network Projection software that allows local attackers to execute arbitrary ...
Feb 1
🏢 Most Affected Vendors
🐛 Common Vulnerability Types
📋 All CVEs This Week
OpenClaw (also known as clawdbot or Moltbot) versions before 2026.1.29 automatically establish WebSocket connections usi...
Mult-E-Cart Ultimate 2.4 contains SQL injection vulnerabilities in multiple modules (inventory, customer, vendor, order)...
PHP Melody 3.0 contains a remote SQL injection vulnerability in the video edit module that allows authenticated attacker...
Simple CMS 2.1 contains a remote SQL injection vulnerability in the users module that allows authenticated attackers to ...
CVE-2020-37037 is an unquoted service path vulnerability in Avast SecureLine VPN client that allows local attackers to e...
CVE-2020-37045 is an unquoted service path vulnerability in Veritas NetBackup 7.0's INET Daemon service. This allows loc...
CVE-2020-37047 is an unquoted service path vulnerability in Deep Instinct Windows Agent that allows local attackers to e...
CVE-2020-37048 is an unquoted service path vulnerability in Iskysoft Application Framework Service that allows local att...
CVE-2020-37055 is an unquoted service path vulnerability in SpyHunter 4 that allows local attackers to execute arbitrary...
CVE-2020-37061 is an unquoted service path vulnerability in BOOTP Turbo 2.0.1214 that allows local attackers to execute ...
CVE-2020-37062 is an unquoted service path vulnerability in DHCP Turbo that allows local attackers to execute arbitrary ...
CVE-2020-37063 is an unquoted service path vulnerability in TFTP Turbo that allows local attackers to execute arbitrary ...
CVE-2020-37064 is an unquoted service path vulnerability in EPSON EasyMP Network Projection software that allows local a...
Free Photo & Video Vault 0.0.2 contains a directory traversal vulnerability that allows remote attackers to manipulate w...
Webile 1.0.1 contains an unauthenticated directory traversal vulnerability that allows attackers to manipulate file path...
Easy Cart Shopping Cart 2021 contains a non-persistent cross-site scripting vulnerability in the search module's keyword...
Multiple payment terminal versions contain non-persistent cross-site scripting (XSS) vulnerabilities in billing and paym...
Ultimate POS 4.4 contains a persistent cross-site scripting vulnerability in the product name parameter that allows atta...
PHP Melody 3.0 contains multiple non-persistent cross-site scripting vulnerabilities in categories, import, and user imp...
PHP Melody 3.0 contains a persistent cross-site scripting vulnerability in the video editor's WYSIWYG component. Privile...
PHP Melody 3.0 contains a persistent cross-site scripting vulnerability in the edit-video.php submitted parameter that a...
Simple CMS 2.1 contains a persistent cross-site scripting vulnerability in user input parameters that allows remote atta...
Simple CMS 2.1 contains a reflected cross-site scripting vulnerability in the preview.php file's id parameter. Attackers...
The Stripe Green Downloads WordPress plugin version 2.03 contains a persistent cross-site scripting (XSS) vulnerability ...
Knap Advanced PHP Login 3.1.3 contains a persistent cross-site scripting (XSS) vulnerability in the name parameter. Atta...
BootCommerce 3.2.1 contains persistent cross-site scripting (XSS) vulnerabilities in guest order checkout input fields. ...
WiFi File Transfer 1.0.8 has a persistent cross-site scripting vulnerability where attackers can inject malicious JavaSc...
Banco Guayaquil 8.0.0 mobile iOS application contains a persistent cross-site scripting vulnerability in the profile nam...
QWE DL 2.0.1 mobile web application has a persistent cross-site scripting (XSS) vulnerability in path parameters that al...
A stack overflow vulnerability in ESLint versions before 9.26.0 allows denial of service when processing test cases with...
Affiliate Pro 1.7 contains reflected cross-site scripting vulnerabilities in index module input fields (fullname, userna...
WebMO Job Manager 20.0 contains a reflected cross-site scripting vulnerability in search parameters that allows attacker...
CVE-2022-50942 is a client-side cross-site scripting vulnerability in Icinga Web 2.8.2 that allows attackers to inject m...
This CVE describes an improper authorization vulnerability in Zhong Bang CRMEB's store integration API endpoint. Attacke...
SunFounder Pironman Dashboard versions 1.3.13 and earlier contain an unauthenticated path traversal vulnerability in log...
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority, meaning it does not represent a valid securit...