8.7
CVE-2025-64124 - Nuvation Energy Multi-Stack Controller OS Command Injection
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows OS Command Injection.This issue affects Multi-Stack Controller (MSC): before 2.5.1.
9.4
CVE-2025-64125 - Nuvation Energy nCloud Client-to-Client Communication
A vulnerability in Nuvation Energy nCloud VPN Service allowed Network Boundary Bridging.This issue affected the nCloud VPN Service and was fixed on 2025-12-1 (December, 2025). End users do not have to take any action to mitigate the issue.
7.9
CVE-2025-64123 - Nuvation Energy Multi-Stack Controller Proxy service allows arbitrary BMS access
Unintended Proxy or Intermediary vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Network Boundary Bridging.This issue affects Multi-Stack Controller (MSC): through and including release 2.5.1.
7.2
CVE-2025-64122 - Nuvation Energy Multi-Stack Controller Private Key Stored on Device
Insufficiently Protected Credentials vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Signature Spoofing by Key Theft.This issue affects Multi-Stack Controller (MSC): through 2.5.1.
10
CVE-2025-64121 - Nuvation Energy Multi-Stack Controller Authentication Bypass
Authentication Bypass Using an Alternate Path or Channel vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Authentication Bypass.This issue affects Multi-Stack Controller (MSC): from 2.3.8 before 2.5.1.
9.4
CVE-2025-64120 - Nuvation Energy Multi-Stack Controller OS Command Injection
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows OS Command Injection.This issue affects Multi-Stack Controller (MSC): from 2.3.8 before 2.5.1.
9.3
CVE-2025-64119 - Nuvation Energy BMS Client-side Authentication
A vulnerability in Nuvation Battery Management System allows Authentication Bypass.This issue affects Battery Management System: through 2.3.9.
5.4
CVE-2026-21483 - listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, theβ¦
7.5
CVE-2026-21452 - MessagePack-Java Vulnerable to Remote Denial of Service via Malicious .msgpack Model File Triggerinβ¦
MessagePack for Java is a serializer implementation for Java. A denial-of-service vulnerability exists in versions prior to 0.9.11 when deserializing .msgpack files containing EXT32 objects with attacker-controlled payload lengths. While MessagePack-Java parses extension headers lazily, it later trβ¦
7.3
CVE-2026-21450 - Bagisto has SSTI in parameter that can lead to RCE
Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via type parameter, which can lead to remote code execution or another exploitation. Version 2.3.10 fixes the issue.