Patch Tuesday — May 2026

2026-05-12 · 1770 CVEs

CVEs published or modified the week of 2026-05-12, partitioned by vendor.

Microsoft (180 CVEs)

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42898 | Critical | 9.9 | - | 2026-05-12 | Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
CVE-2026-42823 | Critical | 9.9 | - | 2026-05-12 | Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.
CVE-2026-8398 | Critical | 9.8 | KEV | 2026-05-15 | A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and…
CVE-2026-41096 | Critical | 9.8 | - | 2026-05-12 | Heap-based buffer overflow in Microsoft Windows DNS allows an unauthorized attacker to execute code over a network.
CVE-2026-41089 | Critical | 9.8 | - | 2026-05-12 | Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network.
CVE-2026-8511 | Critical | 9.6 | - | 2026-05-14 | Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-41615 | Critical | 9.6 | - | 2026-05-14 | Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network.
CVE-2026-40402 | Critical | 9.3 | - | 2026-05-12 | Use after free in Windows Hyper-V allows an unauthorized attacker to elevate privileges locally.
CVE-2026-40379 | Critical | 9.3 | - | 2026-05-12 | Exposure of sensitive information to an unauthorized actor in Azure Entra ID allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-42833 | Critical | 9.1 | - | 2026-05-12 | Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
CVE-2026-41103 | Critical | 9.1 | - | 2026-05-12 | Incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira & Confluence allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-33117 | Critical | 9.1 | - | 2026-05-12 | The Java Key Vault Keys library in the Azure SDK for Java contains an issue in the local cryptographic verification path where authentication tag comparison was implemented incorrectly.
CVE-2026-8555 | High | 8.8 | - | 2026-05-14 | Use after free in GTK in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page.
CVE-2026-8544 | High | 8.8 | - | 2026-05-14 | Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2026-8531 | High | 8.8 | - | 2026-05-14 | Heap buffer overflow in WebML in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVE-2026-8529 | High | 8.8 | - | 2026-05-14 | Heap buffer overflow in Codecs in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted video file.
CVE-2026-8527 | High | 8.8 | - | 2026-05-14 | Insufficient validation of untrusted input in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page.
CVE-2026-8526 | High | 8.8 | - | 2026-05-14 | Out of bounds write in WebRTC in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2026-8524 | High | 8.8 | - | 2026-05-14 | Out of bounds write in WebAudio in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2026-8519 | High | 8.8 | - | 2026-05-14 | Integer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
CVE-2026-8518 | High | 8.8 | - | 2026-05-14 | Use after free in Blink in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2026-8509 | High | 8.8 | - | 2026-05-14 | Heap buffer overflow in WebML in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2026-41613 | High | 8.8 | - | 2026-05-12 | Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-41109 | High | 8.8 | - | 2026-05-12 | Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature over a network.
CVE-2026-41094 | High | 8.8 | - | 2026-05-12 | Improper control of generation of code ('code injection') in Microsoft Data Formulator allows an unauthorized attacker to execute code over a network.
CVE-2026-41086 | High | 8.8 | - | 2026-05-12 | Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network.
CVE-2026-40420 | High | 8.8 | - | 2026-05-12 | Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.
CVE-2026-40403 | High | 8.8 | - | 2026-05-12 | Heap-based buffer overflow in Windows Win32K - GRFX allows an authorized attacker to execute code locally.
CVE-2026-40370 | High | 8.8 | - | 2026-05-12 | External control of file name or path in SQL Server allows an authorized attacker to execute code over a network.
CVE-2026-40365 | High | 8.8 | - | 2026-05-12 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-40357 | High | 8.8 | - | 2026-05-12 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-35439 | High | 8.8 | - | 2026-05-12 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-35436 | High | 8.8 | - | 2026-05-12 | Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.
CVE-2026-34329 | High | 8.8 | - | 2026-05-12 | Heap-based buffer overflow in Windows Message Queuing allows an unauthorized attacker to execute code over an adjacent network.
CVE-2026-33112 | High | 8.8 | - | 2026-05-12 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-33110 | High | 8.8 | - | 2026-05-12 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-40367 | High | 8.4 | - | 2026-05-12 | Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2026-40366 | High | 8.4 | - | 2026-05-12 | Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2026-40364 | High | 8.4 | - | 2026-05-12 | Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2026-40363 | High | 8.4 | - | 2026-05-12 | Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2026-40361 | High | 8.4 | - | 2026-05-12 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2026-40358 | High | 8.4 | - | 2026-05-12 | Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2026-8574 | High | 8.3 | - | 2026-05-14 | Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-8573 | High | 8.3 | - | 2026-05-14 | Integer overflow in Codecs in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file.
CVE-2026-8542 | High | 8.3 | - | 2026-05-14 | Use after free in Core in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-8530 | High | 8.3 | - | 2026-05-14 | Use after free in Network in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-8523 | High | 8.3 | - | 2026-05-14 | Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-8520 | High | 8.3 | - | 2026-05-14 | Race in Payments in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-8515 | High | 8.3 | - | 2026-05-14 | Use after free in HID in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-8514 | High | 8.3 | - | 2026-05-14 | Use after free in Aura in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-8512 | High | 8.3 | - | 2026-05-14 | Use after free in FileSystem in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-35438 | High | 8.3 | - | 2026-05-12 | Missing authorization in Windows Admin Center allows an authorized attacker to elevate privileges over a network.
CVE-2026-33833 | High | 8.2 | - | 2026-05-12 | Improper neutralization of special elements in output used by a downstream component ('injection') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-42897 | High | 8.1 | KEV | 2026-05-14 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-40415 | High | 8.1 | - | 2026-05-12 | Use after free in Windows TCP/IP allows an unauthorized attacker to execute code over a network.
CVE-2026-40368 | High | 8.0 | - | 2026-05-12 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-34332 | High | 8.0 | - | 2026-05-12 | Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to execute code over a network.
CVE-2026-44470 | High | 7.8 | - | 2026-05-13 | The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side.
CVE-2026-34690 | High | 7.8 | - | 2026-05-12 | After Effects versions 26.0, 25.6.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-42896 | High | 7.8 | - | 2026-05-12 | Integer overflow or wraparound in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
CVE-2026-42831 | High | 7.8 | - | 2026-05-12 | Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
CVE-2026-41611 | High | 7.8 | - | 2026-05-12 | Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to execute code locally.
CVE-2026-41095 | High | 7.8 | - | 2026-05-12 | Use after free in Data Deduplication allows an authorized attacker to elevate privileges locally.
CVE-2026-41088 | High | 7.8 | - | 2026-05-12 | Access of resource using incompatible type ('type confusion') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2026-40419 | High | 7.8 | - | 2026-05-12 | Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.
CVE-2026-40418 | High | 7.8 | - | 2026-05-12 | Use after free in Microsoft Office allows an authorized attacker to elevate privileges locally.
CVE-2026-40417 | High | 7.8 | - | 2026-05-12 | Weak authentication in Dynamics Business Central allows an authorized attacker to elevate privileges locally.
CVE-2026-40408 | High | 7.8 | - | 2026-05-12 | Use after free in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally.
CVE-2026-40407 | High | 7.8 | - | 2026-05-12 | Heap-based buffer overflow in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
CVE-2026-40399 | High | 7.8 | - | 2026-05-12 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an authorized attacker to elevate privileges locally.
CVE-2026-40398 | High | 7.8 | - | 2026-05-12 | Heap-based buffer overflow in Windows Remote Desktop allows an authorized attacker to elevate privileges locally.
CVE-2026-40397 | High | 7.8 | - | 2026-05-12 | Heap-based buffer overflow in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
CVE-2026-40382 | High | 7.8 | - | 2026-05-12 | Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.
CVE-2026-40381 | High | 7.8 | - | 2026-05-12 | Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally.
CVE-2026-40377 | High | 7.8 | - | 2026-05-12 | Heap-based buffer overflow in Windows Cryptographic Services allows an authorized attacker to elevate privileges locally.
CVE-2026-40369 | High | 7.8 | - | 2026-05-12 | Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally.
CVE-2026-40362 | High | 7.8 | - | 2026-05-12 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2026-40360 | High | 7.8 | - | 2026-05-12 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
CVE-2026-40359 | High | 7.8 | - | 2026-05-12 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
CVE-2026-35421 | High | 7.8 | - | 2026-05-12 | Heap-based buffer overflow in Windows GDI allows an unauthorized attacker to execute code locally.
CVE-2026-35420 | High | 7.8 | - | 2026-05-12 | Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally.
CVE-2026-35418 | High | 7.8 | - | 2026-05-12 | Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
CVE-2026-35417 | High | 7.8 | - | 2026-05-12 | Use after free in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.
CVE-2026-35415 | High | 7.8 | - | 2026-05-12 | Integer overflow or wraparound in Windows Storage Spaces Controller allows an authorized attacker to elevate privileges locally.
CVE-2026-34687 | High | 7.8 | - | 2026-05-12 | Illustrator versions 29.8.6, 30.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34661 | High | 7.8 | - | 2026-05-12 | Illustrator versions 29.8.6, 30.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34638 | High | 7.8 | - | 2026-05-12 | Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34637 | High | 7.8 | - | 2026-05-12 | Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34636 | High | 7.8 | - | 2026-05-12 | Premiere Pro versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34351 | High | 7.8 | - | 2026-05-12 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an authorized attacker to elevate privileges locally.
CVE-2026-34344 | High | 7.8 | - | 2026-05-12 | Access of resource using incompatible type ('type confusion') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2026-34343 | High | 7.8 | - | 2026-05-12 | Heap-based buffer overflow in Windows Application Identity (AppID) Subsystem allows an authorized attacker to elevate privileges locally.
CVE-2026-34338 | High | 7.8 | - | 2026-05-12 | Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.
CVE-2026-34337 | High | 7.8 | - | 2026-05-12 | Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
CVE-2026-34336 | High | 7.8 | - | 2026-05-12 | Integer overflow or wraparound in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
CVE-2026-34334 | High | 7.8 | - | 2026-05-12 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an authorized attacker to elevate privileges locally.
CVE-2026-34333 | High | 7.8 | - | 2026-05-12 | Use after free in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.
CVE-2026-34330 | High | 7.8 | - | 2026-05-12 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.
CVE-2026-33841 | High | 7.8 | - | 2026-05-12 | Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally.
CVE-2026-33840 | High | 7.8 | - | 2026-05-12 | Use after free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally.
CVE-2026-33838 | High | 7.8 | - | 2026-05-12 | Double free in Windows Message Queuing allows an authorized attacker to elevate privileges locally.
CVE-2026-33837 | High | 7.8 | - | 2026-05-12 | Heap-based buffer overflow in Windows TCP/IP allows an authorized attacker to elevate privileges locally.
CVE-2026-33835 | High | 7.8 | - | 2026-05-12 | Use after free in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.
CVE-2026-33834 | High | 7.8 | - | 2026-05-12 | Improper access control in Windows Event Logging Service allows an authorized attacker to elevate privileges locally.
CVE-2026-32204 | High | 7.8 | - | 2026-05-12 | External control of file name or path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.
CVE-2026-7432 | High | 7.8 | - | 2026-05-12 | A race condition in Ivanti Secure Access Client before 22.8R6 allows a locally authenticated user to escalate privileges to SYSTEM.
CVE-2026-42832 | High | 7.7 | - | 2026-05-12 | Improper access control in Microsoft Office allows an unauthorized attacker to perform spoofing locally.
CVE-2026-33821 | High | 7.7 | - | 2026-05-12 | Improper privilege management in Microsoft Dynamics 365 Customer Insights allows an authorized attacker to elevate privileges over a network.
CVE-2026-8547 | High | 7.5 | - | 2026-05-14 | Insufficient policy enforcement in Passwords in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page.
CVE-2026-8521 | High | 7.5 | - | 2026-05-14 | Use after free in Tab Groups in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via malicious network traffic.
CVE-2026-8510 | High | 7.5 | - | 2026-05-14 | Integer overflow in Skia in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page.
CVE-2026-42899 | High | 7.5 | - | 2026-05-12 | Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service over a network.
CVE-2026-40406 | High | 7.5 | - | 2026-05-12 | Use after free in Windows TCP/IP allows an unauthorized attacker to disclose information over a network.
CVE-2026-40405 | High | 7.5 | - | 2026-05-12 | Null pointer dereference in Windows TCP/IP allows an unauthorized attacker to deny service over a network.
CVE-2026-35424 | High | 7.5 | - | 2026-05-12 | Missing release of memory after effective lifetime in Windows Internet Key Exchange (IKE) Protocol allows an unauthorized attacker to deny service over a network.
CVE-2026-32161 | High | 7.5 | - | 2026-05-12 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Native WiFi Miniport Driver allows an unauthorized attacker to execute code over an adjacent network.
CVE-2026-45539 | High | 7.4 | - | 2026-05-15 | Microsoft APM is an open-source, community-driven dependency manager for AI agents.
CVE-2026-42893 | High | 7.4 | - | 2026-05-12 | Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to perform tampering over a network.
CVE-2026-41107 | High | 7.4 | - | 2026-05-12 | External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.
CVE-2026-40414 | High | 7.4 | - | 2026-05-12 | Windows TCP/IP Denial of Service Vulnerability
CVE-2026-40413 | High | 7.4 | - | 2026-05-12 | Windows TCP/IP Denial of Service Vulnerability
CVE-2026-35433 | High | 7.3 | - | 2026-05-12 | Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.
CVE-2026-32177 | High | 7.3 | - | 2026-05-12 | Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally.
CVE-2026-44641 | High | 7.1 | - | 2026-05-15 | Microsoft APM is an open-source, community-driven dependency manager for AI agents.
CVE-2026-41102 | High | 7.1 | - | 2026-05-12 | Improper access control in Microsoft Office PowerPoint allows an authorized attacker to perform spoofing locally.
CVE-2026-41101 | High | 7.1 | - | 2026-05-12 | Improper access control in Microsoft Office Word allows an authorized attacker to perform spoofing locally.
CVE-2026-40401 | High | 7.1 | - | 2026-05-12 | Windows TCP/IP Denial of Service Vulnerability
CVE-2026-42825 | High | 7.0 | - | 2026-05-12 | Use after free in Windows Telephony Service allows an authorized attacker to elevate privileges locally.
CVE-2026-40410 | High | 7.0 | - | 2026-05-12 | Use after free in Windows SMB Client allows an authorized attacker to elevate privileges locally.
CVE-2026-35416 | High | 7.0 | - | 2026-05-12 | Access of resource using incompatible type ('type confusion') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2026-34347 | High | 7.0 | - | 2026-05-12 | Use after free in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.
CVE-2026-34345 | High | 7.0 | - | 2026-05-12 | Access of resource using incompatible type ('type confusion') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.
CVE-2026-34342 | High | 7.0 | - | 2026-05-12 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Print Spooler Components allows an authorized attacker to elevate privileges locally.
CVE-2026-34341 | High | 7.0 | - | 2026-05-12 | Double free in Windows Link-Layer Discovery Protocol (LLDP) allows an authorized attacker to elevate privileges locally.
CVE-2026-34340 | High | 7.0 | - | 2026-05-12 | Use after free in Windows Projected File System allows an authorized attacker to elevate privileges locally.
CVE-2026-34331 | High | 7.0 | - | 2026-05-12 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.
CVE-2026-33839 | High | 7.0 | - | 2026-05-12 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.
CVE-2026-41097 | Medium | 6.7 | - | 2026-05-12 | Reliance on a component that is not updateable in Windows Secure Boot allows an authorized attacker to bypass a security feature locally.
CVE-2026-32170 | Medium | 6.7 | - | 2026-05-12 | Double free in Windows Rich Text Edit allows an authorized attacker to elevate privileges locally.
CVE-2026-21530 | Medium | 6.7 | - | 2026-05-12 | Double free in Windows Rich Text Edit allows an authorized attacker to elevate privileges locally.
CVE-2026-8550 | Medium | 6.5 | - | 2026-05-14 | Use after free in Google Lens in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.
CVE-2026-42891 | Medium | 6.5 | - | 2026-05-12 | User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-42830 | Medium | 6.5 | - | 2026-05-12 | Untrusted search path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.
CVE-2026-40374 | Medium | 6.5 | - | 2026-05-12 | Exposure of sensitive information to an unauthorized actor in Power Automate allows an authorized attacker to disclose information over a network.
CVE-2026-35422 | Medium | 6.5 | - | 2026-05-12 | Authentication bypass using an alternate path or channel in Windows TCP/IP allows an authorized attacker to bypass a security feature over a network.
CVE-2026-34350 | Medium | 6.5 | - | 2026-05-12 | Null pointer dereference in Windows Storport Miniport Driver allows an unauthorized attacker to deny service over a network.
CVE-2026-41610 | Medium | 6.3 | - | 2026-05-12 | Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.
CVE-2026-41614 | Medium | 6.2 | - | 2026-05-12 | Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally.
CVE-2026-40380 | Medium | 6.2 | - | 2026-05-12 | Heap-based buffer overflow in Volume Manager Extension Driver allows an authorized attacker to execute code with a physical attack.
CVE-2026-46383 | Medium | 5.5 | - | 2026-05-15 | Microsoft APM is an open-source, community-driven dependency manager for AI agents.
CVE-2026-41612 | Medium | 5.5 | - | 2026-05-12 | Relative path traversal in Visual Studio Code allows an unauthorized attacker to disclose information locally.
CVE-2026-35440 | Medium | 5.5 | - | 2026-05-12 | Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally.
CVE-2026-35419 | Medium | 5.5 | - | 2026-05-12 | Out-of-bounds read in Windows DWM Core Library allows an authorized attacker to disclose information locally.
CVE-2026-34663 | Medium | 5.5 | - | 2026-05-12 | Illustrator versions 29.8.6, 30.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory.
CVE-2026-34662 | Medium | 5.5 | - | 2026-05-12 | Illustrator versions 29.8.6, 30.3 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service.
CVE-2026-34339 | Medium | 5.5 | - | 2026-05-12 | Null pointer dereference in Windows LDAP - Lightweight Directory Access Protocol allows an authorized attacker to deny service locally.
CVE-2026-32185 | Medium | 5.5 | - | 2026-05-12 | Files or directories accessible to external parties in Microsoft Teams allows an unauthorized attacker to perform spoofing locally.
CVE-2026-8561 | Medium | 5.4 | - | 2026-05-14 | Incorrect security UI in Fullscreen in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to perform UI spoofing via a crafted HTML page.
CVE-2026-42838 | Medium | 5.4 | - | 2026-05-12 | Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-35423 | Medium | 5.4 | - | 2026-05-12 | Out-of-bounds read in Telnet Client allows an unauthorized attacker to disclose information over a network.
CVE-2026-8546 | Medium | 5.3 | - | 2026-05-14 | Out of bounds read in GPU in Google Chrome on Mac and Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML pag…
CVE-2026-8543 | Medium | 5.3 | - | 2026-05-14 | Out of bounds read in FileSystem in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process memory via a crafted…
CVE-2026-8541 | Medium | 5.3 | - | 2026-05-14 | Out of bounds read in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.
CVE-2026-8516 | Medium | 5.3 | - | 2026-05-14 | Insufficient validation of untrusted input in DataTransfer in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to obtain potentially sensitive information from process m…
CVE-2026-41100 | Medium | 4.4 | - | 2026-05-12 | Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally.
CVE-2026-32209 | Medium | 4.4 | - | 2026-05-12 | Improper access control in Windows Filtering Platform (WFP) allows an authorized attacker to bypass a security feature locally.
CVE-2026-7431 | Medium | 4.4 | - | 2026-05-12 | An incorrect permission assignment for critical resource of Ivanti Secure Access Client before 22.8R6 allows a local authenticated user to read or modify sensitive log data via write access to a shared memory section.
CVE-2026-8567 | Medium | 4.3 | - | 2026-05-14 | Integer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
CVE-2026-8563 | Medium | 4.3 | - | 2026-05-14 | Insufficient policy enforcement in IFrame Sandbox in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
CVE-2026-8562 | Medium | 4.3 | - | 2026-05-14 | Side-channel information leakage in Navigation in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2026-8559 | Medium | 4.3 | - | 2026-05-14 | Integer overflow in Internationalization in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
CVE-2026-8528 | Medium | 4.3 | - | 2026-05-14 | Insufficient validation of untrusted input in SiteIsolation in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to bypass Site Isolation via a crafted HTML page.
CVE-2026-40421 | Medium | 4.3 | - | 2026-05-12 | Files or directories accessible to external parties in Microsoft Office Word allows an unauthorized attacker to disclose information locally.
CVE-2026-40416 | Medium | 4.3 | - | 2026-05-12 | User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-35429 | Medium | 4.3 | - | 2026-05-12 | User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-32175 | Medium | 4.3 | - | 2026-05-12 | A tampering vulnerability exists when .NET Core improperly handles specially crafted files.
CVE-2026-8556 | Low | 3.1 | - | 2026-05-14 | Inappropriate implementation in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.
CVE-2026-8554 | Low | 3.1 | - | 2026-05-14 | Type Confusion in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page.
CVE-2026-8545 | Low | 3.1 | - | 2026-05-14 | Object corruption in Compositing in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.
CVE-2026-44503 | - | - | - | 2026-05-14 | The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host or scheme.

Other vendors (1590 CVEs across 479 vendors)

N/a · 130 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-31239 | Critical | 9.8 |  | 2026-05-12 | The mamba language model framework through 2.2.6 is vulnerable to insecure deserialization (CWE-502) when loading pre-trained models from HuggingFace Hub.
CVE-2026-31238 | Critical | 9.8 |  | 2026-05-12 | The Ludwig framework through 0.10.4 is vulnerable to insecure deserialization (CWE-502) in its model serving component.
CVE-2026-31237 | Critical | 9.8 |  | 2026-05-12 | The Ludwig framework through 0.10.4 is vulnerable to insecure deserialization (CWE-502) through its predict() method.
CVE-2026-31236 | Critical | 9.8 |  | 2026-05-12 | The llm CLI tool through 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument.
CVE-2026-31235 | Critical | 9.8 |  | 2026-05-12 | The imgaug library through 0.4.0 contains an insecure deserialization vulnerability in its BackgroundAugmenter class within the multicore.py module.
CVE-2026-31234 | Critical | 9.8 |  | 2026-05-12 | Horovod through 0.28.1 contains an insecure deserialization vulnerability (CWE-502) in its KVStore HTTP server component.
CVE-2026-31233 | Critical | 9.8 |  | 2026-05-12 | Guardrails AI through 0.6.7 contains a code injection vulnerability (CWE-94) in its Hub package installation mechanism.
CVE-2026-31231 | Critical | 9.8 |  | 2026-05-12 | Cognee through v0.4.0 contains a critical remote code execution vulnerability in its notebook cell execution API endpoint.
CVE-2026-31230 | Critical | 9.8 |  | 2026-05-12 | The Adversarial Robustness Toolbox (ART) through 1.20.1 contains a command-line argument injection vulnerability in its Kubeflow component (robustness_evaluation_fgsm_pytorch.py).
CVE-2026-31229 | Critical | 9.8 |  | 2026-05-12 | The Adversarial Robustness Toolbox (ART) through 1.20.1 contains an insecure deserialization vulnerability (CWE-502) in its Kubeflow component's model loading functionality.
CVE-2025-65719 | Critical | 9.8 |  | 2026-05-12 | An issue in Open Source Kubectl MCP Server v1.1.1 allows attackers to execute arbitrary code on a victim system via user interaction with a crafted HTML page.
CVE-2026-31228 | Critical | 9.8 |  | 2026-05-12 | The Adversarial Robustness Toolbox (ART) through 1.20.1 contains a remote code execution vulnerability in its Kubeflow component.
CVE-2026-31226 | Critical | 9.8 |  | 2026-05-12 | The TinyZero project through commit 6652a63c57fa7e5ccde3fc9c598c7176ff15b839 (2025-58-24) contains a critical command injection vulnerability (CWE-78) in its HDFS file operation utilities.
CVE-2026-31220 | Critical | 9.8 |  | 2026-05-12 | PySyft (Syft Datasite/Server) versions 0.9.5 and earlier are vulnerable to remote code execution due to insufficient validation and sandboxing of user-submitted code.
CVE-2026-31217 | Critical | 9.8 |  | 2026-05-12 | The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) allows arbitrary code execution.
CVE-2026-31214 | Critical | 9.8 |  | 2026-05-12 | The torch-checkpoint-shrink.py script in the ml-engineering project in commit 0099885db36a8f06556efe1faf552518852cb1e0 (2025-20-27) contains an insecure deserialization vulnerability (CWE-502).
CVE-2026-38567 | Critical | 9.8 |  | 2026-05-11 | HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints.
CVE-2026-31216 | Critical | 9.1 |  | 2026-05-12 | The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API.
CVE-2026-31215 | Critical | 9.1 |  | 2026-05-12 | The nexent v1.7.5.2 backend service contains an unauthorized arbitrary file deletion vulnerability in its ElasticSearch service interface.
CVE-2026-6637 | High | 8.8 |  | 2026-05-14 | Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database.
CVE-2026-6477 | High | 8.8 |  | 2026-05-14 | Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-lar…
CVE-2026-6475 | High | 8.8 |  | 2026-05-14 | Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g.
CVE-2026-6473 | High | 8.8 |  | 2026-05-14 | Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds.
CVE-2026-31232 | High | 8.8 |  | 2026-05-12 | The CosyVoice project through commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading process.
CVE-2026-31225 | High | 8.8 |  | 2026-05-12 | The superduper project through v0.10.0 contains a critical remote code execution vulnerability in its query parsing component.
CVE-2026-31224 | High | 8.8 |  | 2026-05-12 | The snorkel library through v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the MultitaskClassifier.load() method of the MultitaskClassifier class.
CVE-2026-31223 | High | 8.8 |  | 2026-05-12 | The snorkel library through v0.10.0 contains a critical insecure deserialization vulnerability (CWE-502) in the BaseLabeler.load() method of the BaseLabeler class.
CVE-2026-31222 | High | 8.8 |  | 2026-05-12 | The snorkel library through v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the Trainer.load() method of the Trainer class.
CVE-2026-31219 | High | 8.8 |  | 2026-05-12 | The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) is vulnerable to insecure deserialization (CWE-502).
CVE-2026-31218 | High | 8.8 |  | 2026-05-12 | The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) is vulnerable to insecure deserialization (CWE-502).
CVE-2026-36734 | High | 8.8 |  | 2026-05-11 | EDIMAX BR-6428nS V3 1.15 is vulnerable to command injection.
CVE-2026-34253 | High | 8.2 |  | 2026-05-15 | A buffer underflow vulnerability has been identified in the ogg123 utility from the vorbis-tools 1.4.3 package in function remotethread in remote.c.
CVE-2026-38568 | High | 8.1 |  | 2026-05-11 | HireFlow v1.2 is vulnerable to incorrect access control.
CVE-2026-38566 | High | 8.1 |  | 2026-05-11 | HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint.
CVE-2026-30635 | High | 8.1 |  | 2026-05-11 | Command injection vulnerability in automagik-genie 2.5.27 MCP Server allows attackers to execute arbitrary commands via the view_task (aka view) in the readTranscriptFromCommit function in dist/mcp/server.js when a user reads from an exter…
CVE-2023-27753 | High | 8.0 |  | 2026-05-12 | An arbitrary file upload vulnerability in MK-Auth 23.01K4.9 allows attackers to execute arbitrary code via uploading a crafted PHP file.
CVE-2026-38728 | High | 7.5 |  | 2026-05-15 | An issue in Nodemailer smtp_server before v.3.18.3 allows a remote attacker to cause a denial of service via the SMTPStream._write, lib/smtp-stream.js components.
CVE-2026-6479 | High | 7.5 |  | 2026-05-14 | Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service.
CVE-2025-28344 | High | 7.5 |  | 2026-05-13 | striso-control-firmware 54c9722 is vulnerable to buffer overflow in function AuxJack.
CVE-2025-28343 | High | 7.5 |  | 2026-05-13 | striso-control-firmware 54c9722 is vulnerable to buffer overflow in function ThreadReadButtons.
CVE-2026-31240 | High | 7.5 |  | 2026-05-12 | The mem0 1.0.0 server lacks authentication and authorization controls for its memory management API endpoints.
CVE-2026-31248 | High | 7.5 |  | 2026-05-11 | Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks through 2.61.0.
CVE-2026-31247 | High | 7.5 |  | 2026-05-11 | Docling's JATS XML backend is vulnerable to XML Entity Expansion (XXE) attacks through 2.61.0.
CVE-2025-65418 | High | 7.5 |  | 2026-05-11 | docuFORM Managed Print Service Client 11.11c is vulnerable to a directory traversal allowing attackers to read arbitrary files via a crafted URL.
CVE-2026-39054 | High | 7.3 |  | 2026-05-15 | Oinone Pamirs 7.0.0 contains a command injection vulnerability in CommandHelper.executeCommands.
CVE-2026-24712 | High | 7.3 |  | 2026-05-14 | Northern.tech CFEngine Enterprise and Community before 3.21.8, 3.24.3, and 3.27.0 allows command injection.
CVE-2024-55045 | High | 7.3 |  | 2026-05-13 | Firmament-Autopilot FMT-Firmware commit de5aec was discovered to contain a buffer overflow via the task_mavobc_entry function at /comm/task_comm.c.
CVE-2026-37430 | High | 7.3 |  | 2026-05-13 | An arbitrary file upload vulnerability in the ShopOrderImportController.java component of qihang-wms commit 75c15a allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2026-37630 | High | 7.3 |  | 2026-05-11 | An issue in QuickJS-NG v.0.12.1 allows an attacker to execute arbitrary code via the js_mapped_arguments_mark function.
CVE-2026-8305 | High | 7.3 |  | 2026-05-11 | A vulnerability was detected in OpenClaw up to 2026.1.24.
CVE-2026-36962 | High | 7.3 |  | 2026-05-11 | SQL injection in MuuCMF T6 v1.9.4.20260115 allows an unauthenticated attacker to compromise the entire database, achieve unauthorized administrative access, and potentially gain remote code execution by writing malicious files to the serve…
CVE-2026-31254 | High | 7.3 |  | 2026-05-11 | The flash-attention project through commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains a code injection vulnerability (CWE-94) in its training script.
CVE-2026-31253 | High | 7.3 |  | 2026-05-11 | The flash-attention training framework through commit e724e2588cbe754beb97cf7c011b5e7e34119e62 (2025-13-04) contains an insecure deserialization vulnerability (CWE-502) in its checkpoint loading mechanism.
CVE-2026-31251 | High | 7.3 |  | 2026-05-11 | CosyVoice through commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its gRPC server component.
CVE-2026-31250 | High | 7.3 |  | 2026-05-11 | CosyVoice through commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its average_model.py model averaging tool.
CVE-2026-31249 | High | 7.3 |  | 2026-05-11 | CosyVoice through commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its make_parquet_list.py data processing tool.
CVE-2025-61314 | High | 7.3 |  | 2026-05-11 | A reflected cross-site scripting (XSS) vulnerability in the dfm-menu_orderopt.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser via inj…
CVE-2025-61313 | High | 7.3 |  | 2026-05-11 | A reflected cross-site scripting (XSS) vulnerability in the dfm-menu_markeralerts.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser via…
CVE-2025-61312 | High | 7.3 |  | 2026-05-11 | A reflected cross-site scripting (XSS) vulnerability in the acc-menu_pricess.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser via inje…
CVE-2025-61311 | High | 7.3 |  | 2026-05-11 | A reflected cross-site scripting (XSS) vulnerability in the dfm-menu_alerts.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser via injec…
CVE-2026-6476 | High | 7.2 |  | 2026-05-14 | SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser.
CVE-2026-36741 | High | 7.2 |  | 2026-05-13 | U-SPEED AC1200 Gigabit Wi-Fi Router (Model: T18-21K) V1.0 is vulnerable to command injection.
CVE-2026-36742 | Medium | 6.8 |  | 2026-05-13 | Hiseeu C90 v5.7.15 is vulnerable to insecure permissions.
CVE-2026-36738 | Medium | 6.8 |  | 2026-05-13 | U-SPEED AC1200 Gigabit Wi-Fi Router (Model: T18-21K) V1.0 is vulnerable to incorrect access control.
CVE-2026-39053 | Medium | 6.5 |  | 2026-05-15 | Oinone Pamirs 7.0.0 contains an XML External Entity (XXE) issue in its XStream-based XML parsing logic.
CVE-2026-39052 | Medium | 6.5 |  | 2026-05-15 | Oinone Pamirs 7.0.0 contains a code execution vulnerability via ScriptRunner.
CVE-2025-67437 | Medium | 6.5 |  | 2026-05-15 | Medical Management System a81df1ce700a9662cb136b27af47f4cbde64156b is vulnerable to insecure permissions, which allows arbitrary user password reset.
CVE-2026-6478 | Medium | 6.5 |  | 2026-05-14 | Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate.
CVE-2026-31156 | Medium | 6.5 |  | 2026-05-13 | A path injection vulnerability exists in OpenPLC v3 (2c82b0e79c53f8c1f1458eee15fec173400d6e1a) as the binary program compiled from glue_generator.cpp does not perform any validation on the file path parameters passed via the command line.
CVE-2026-37429 | Medium | 6.5 |  | 2026-05-13 | qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysUserMapper.xml file.
CVE-2026-37428 | Medium | 6.5 |  | 2026-05-13 | qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysDeptMapper.xml file.
CVE-2026-31246 | Medium | 6.5 |  | 2026-05-11 | GPT-Pilot through commit 0819827ce20346ef5f25b3fe29293cb448840565 (2025-09-03) contains a command injection vulnerability (CWE-78) in the Executor.run() method.
CVE-2025-67031 | Medium | 6.3 |  | 2026-05-15 | ORSEE (Online Recruitment System for Economic Experiments) 3.1.0 contains an authenticated remote code execution vulnerability in the participant profile field processing subsystem.
CVE-2025-69443 | Medium | 6.3 |  | 2026-05-14 | Remote code execution in coleam00 Archon 0.1.0.
CVE-2025-65416 | Medium | 6.3 |  | 2026-05-11 | docuFORM Managed Print Service Client 11.11c is vulnerable to arbitrary file upload via pmupdate.php.
CVE-2024-48519 | Medium | 6.2 |  | 2026-05-13 | Buffer overflow vulnerability in Ardupilot rover commit v.c56439b045162058df0ff136afea3081fcd06d38 allows a local attacker to cause a denial of service via the AP_InertialSensor_ADIS1647x.cpp, ArduRover, ADIS1647x Sensor component.
CVE-2024-51395 | Medium | 6.2 |  | 2026-05-13 | Buffer overflow vulnerability in Ardupilot Copter latest commit 92693e023793133e49a035daf37c14433e484778 allows a local attacker to cause a denial of service via the AP_SmartAudio::loop, AP_SmartAudio, AP_SmartAudio.cpp components.
CVE-2026-24710 | Medium | 6.1 |  | 2026-05-14 | Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 allows XSS.
CVE-2026-36906 | Medium | 6.1 |  | 2026-05-11 | Cross-site scripting vulnerability in iotgateway v.3.0.1 allows a remote attacker to execute arbitrary code via the Log Record function.
CVE-2025-65417 | Medium | 6.1 |  | 2026-05-11 | docuFORM Managed Print Service Client 11.11c is vulnerable to a reflected cross-site scripting attack via the login page of the application.
CVE-2025-61310 | Medium | 6.1 |  | 2026-05-11 | A reflected cross-site scripting (XSS) vulnerability in the acc-menu_billings.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser via inj…
CVE-2025-61309 | Medium | 6.1 |  | 2026-05-11 | A reflected cross-site scripting (XSS) vulnerability in the dfm-menu_departments.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser via…
CVE-2025-61308 | Medium | 6.1 |  | 2026-05-11 | A reflected cross-site scripting (XSS) vulnerability in the dfm-menu_maintenance.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser via…
CVE-2025-61307 | Medium | 6.1 |  | 2026-05-11 | A reflected cross-site scripting (XSS) vulnerability in the acc-menu_papers.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser via injec…
CVE-2025-61306 | Medium | 6.1 |  | 2026-05-11 | A reflected cross-site scripting (XSS) vulnerability in the dfm-menu_coveragealerts.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser v…
CVE-2025-61305 | Medium | 6.1 |  | 2026-05-11 | A reflected cross-site scripting (XSS) vulnerability in the dfm-menu_firmware.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser via inj…
CVE-2026-8261 | Medium | 5.9 |  | 2026-05-11 | A vulnerability was determined in Squirrel up to 3.2.
CVE-2026-31252 | Medium | 5.7 |  | 2026-05-11 | CosyVoice through commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its model loading component.
CVE-2025-29338 | Medium | 5.6 |  | 2026-05-13 | NXP moal.ko Wi-Fi driver 5.1.7.10 FW version from v17.92.1.p149.43 to v17.92.1.p149.157 was discovered to contain a buffer overflow via the mod_para parameter in the woal_init_module_param function.
CVE-2024-51394 | Medium | 5.5 |  | 2026-05-13 | Buffer overflow vulnerability in Ardupilot Copter latest commit 92693e023793133e49a035daf37c14433e484778 allows a local attacker to cause a denial of service via the AP_MSP::loop, AP_MSP, AP_MSP.cpp components.
CVE-2026-6472 | Medium | 5.4 |  | 2026-05-14 | Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types.
CVE-2023-30059 | Medium | 5.4 |  | 2026-05-12 | An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request.
CVE-2025-70842 | Medium | 5.4 |  | 2026-05-12 | A stored cross-site scripting (XSS) vulnerability was discovered in the File Management module of FluentCMS 1.2.3.
CVE-2026-38569 | Medium | 5.4 |  | 2026-05-11 | HireFlow v1.2 is vulnerable to cross-site scripting (XSS) in candidate_detail.html via the Resume or Feedback Comment fields via POST /candidates/add or POST /feedback/add.
CVE-2025-65415 | Medium | 5.4 |  | 2026-05-11 | docuFORM Managed Print Service Client 11.11c is vulnerable to a session fixation attack via the login page of the application.
CVE-2026-38740 | Medium | 5.3 |  | 2026-05-14 | Foscam VD1 Video Doorbell before V5.3.13_1072 is vulnerable to cleartext transmission of sensitive information.
CVE-2026-24711 | Medium | 5.3 |  | 2026-05-14 | Northern.tech CFEngine Enterprise before 3.21.8, 3.24.3, and 3.27.0 has incorrect access control.
CVE-2026-8258 | Medium | 5.3 |  | 2026-05-11 | A flaw has been found in Squirrel up to 3.2.
CVE-2026-6575 | Medium | 4.3 |  | 2026-05-14 | Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past the end of one array.
CVE-2026-6474 | Medium | 4.3 |  | 2026-05-14 | Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory via crafted timezone zones.
CVE-2026-8292 | Medium | 4.3 |  | 2026-05-11 | A security vulnerability has been detected in Open5GS up to 2.7.7.
CVE-2026-8291 | Medium | 4.3 |  | 2026-05-11 | A weakness has been identified in Open5GS up to 2.7.7.
CVE-2026-8290 | Medium | 4.3 |  | 2026-05-11 | A security flaw has been discovered in Open5GS up to 2.7.7.
CVE-2026-8289 | Medium | 4.3 |  | 2026-05-11 | A vulnerability was identified in Open5GS up to 2.7.7.
CVE-2026-8288 | Medium | 4.3 |  | 2026-05-11 | A vulnerability was determined in Open5GS up to 2.7.7.
CVE-2026-8270 | Medium | 4.3 |  | 2026-05-11 | A vulnerability was determined in Open5GS up to 2.7.7.
CVE-2026-8269 | Medium | 4.3 |  | 2026-05-11 | A vulnerability was found in Open5GS up to 2.7.7.
CVE-2026-8268 | Medium | 4.3 |  | 2026-05-11 | A vulnerability has been found in Open5GS up to 2.7.7.
CVE-2026-8267 | Medium | 4.3 |  | 2026-05-11 | A flaw has been found in Open5GS up to 2.7.7.
CVE-2026-8266 | Medium | 4.3 |  | 2026-05-11 | A vulnerability was detected in Open5GS up to 2.7.7.
CVE-2026-8252 | Medium | 4.3 |  | 2026-05-11 | A vulnerability was determined in Open5GS up to 2.7.7.
CVE-2026-6638 | Low | 3.7 |  | 2026-05-14 | SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ...
CVE-2026-8276 | Low | 3.7 |  | 2026-05-11 | A flaw has been found in bettercap up to 2.41.5.
CVE-2026-8275 | Low | 3.7 |  | 2026-05-11 | A vulnerability was detected in bettercap up to 2.41.5.
CVE-2026-20887 |  |  |  | 2026-05-12 | Improper access control for some Intel Vision software for all versions within Ring 3: User Applications may allow a denial of service.
CVE-2026-20879 |  |  |  | 2026-05-12 | Out-of-bounds write for the Intel(R) Data Center Graphics Driver for VMware ESXi software before version 2.0.2 within Ring 1: Device Drivers may allow a denial of service.
CVE-2026-20794 |  |  |  | 2026-05-12 | Buffer overflow for the Intel(R) Data Center Graphics Driver for VMware ESXi software before version 2.0.2 within Ring 1: Device Drivers may allow an escalation of privilege.
CVE-2026-20772 |  |  |  | 2026-05-12 | Uncontrolled search path for some Intel(R) Connectivity Performance Suite software installers before version 50.25.1121.193 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2026-20754 |  |  |  | 2026-05-12 | Improper conditions check in some firmware for some Intel(R) NPU Drivers within Ring 1: Device Drivers may allow a denial of service.
CVE-2026-20753 |  |  |  | 2026-05-12 | Integer overflow in the UEFI firmware for the Slim Bootloader may allow an escalation of privilege.
CVE-2026-20751 |  |  |  | 2026-05-12 | Out-of-bounds read for the Intel(R) Data Center Graphics Driver for VMware ESXi software before version 2.0.2 within Ring 1: Device Drivers may allow a denial of service.
CVE-2026-20738 |  |  |  | 2026-05-12 | Untrusted pointer dereference for some Intel(R) QuickAssist Adapter 8960 software before version 1.13 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2026-20718 |  |  |  | 2026-05-12 | Incorrect default permissions for some Intel(R) NPU Driver software installers before version 32.0.100.4511 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-36515 |  |  |  | 2026-05-12 | Uncontrolled search path for some AI Playground software before version 3.0.0 alpha within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-36510 |  |  |  | 2026-05-12 | Improper buffer restrictions for some Display Virtualization for Windows OS driver software within Ring 2: Device Drivers may allow a denial of service.
CVE-2025-35991 |  |  |  | 2026-05-12 | Improper initialization in the UEFI firmware for some Intel platforms within Ring 0: Bare Metal OS may allow an information disclosure.
CVE-2025-35990 |  |  |  | 2026-05-12 | Improper input validation for some Intel Endpoint Management Assistant (EMA) software before version 1.14.5 within Ring 3: User Applications may allow an escalation of privilege.
CVE-2025-35979 |  |  |  | 2026-05-12 | Exposure of sensitive information caused by shared microarchitectural predictor state that influences transient execution for some Intel(R) Processors within VMX non-root (guest) operation may allow an information disclosure.
CVE-2025-35969 |  |  |  | 2026-05-12 | Uncontrolled search path for some Intel(R) Server Firmware Update Utility Software before version 16.0.12.
CVE-2025-27723 |  |  |  | 2026-05-12 | Use after free for some Linux kernel driver for the Intel(R) Ethernet 800 series before version 2.3.14 within Ring 0: Kernel may allow a denial of service.
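A large share of the rows above (mamba, Ludwig, imgaug, Horovod, ART, snorkel, CosyVoice, flash-attention, the optimate and ml-engineering scripts) are one CWE-502 pattern: a model or checkpoint file is deserialized with Python's pickle machinery, which lets whoever wrote the file name any importable callable to run during load. The block below is an added example and is not code from any of those projects. It constructs a malicious blob whose payload is a harmless stand-in for the attacker's callable, shows that a plain loader executes it, and shows a restricted unpickler that accepts only an explicit allow-list of classes. The allow-list contents and both blobs are assumptions made for illustration.

```python
"""Untrusted pickle-based model checkpoints: the CWE-502 pattern behind the
ML framework rows in this week's list.

Added example, not code from any of the listed projects. The "checkpoints"
are constructed in memory; os.getcwd stands in for the arbitrary callable an
attacker would embed (real payloads use os.system or subprocess).
"""
import io
import os
import pickle
from collections import OrderedDict


class EvilCheckpoint:
    """Constructed attacker object: on load, pickle calls the reduced callable."""

    def __reduce__(self):
        # pickle stores this as "import <module>; call getcwd()"; the loader
        # runs it before any application code sees the checkpoint contents.
        return (os.getcwd, ())


# Constructed inputs standing in for files fetched from a model hub.
MALICIOUS_BLOB = pickle.dumps(EvilCheckpoint())
BENIGN_BLOB = pickle.dumps(OrderedDict([("layer.weight", [0.1, -0.2]), ("epoch", 3)]))


def load_checkpoint_unsafe(blob: bytes):
    """The vulnerable pattern: deserialize whatever the file contains."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve globals only from an explicit allow-list; refuse everything else."""

    # Which classes a checkpoint legitimately needs is an assumption here; a
    # real loader lists the container and tensor types its own format uses.
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def load_checkpoint_safe(blob: bytes):
    """Hardened loader: same bytes, but attacker-chosen globals are rejected.

    The allow-list is enforced before the callable is resolved, so the
    payload never runs. For PyTorch files the equivalent is
    torch.load(..., weights_only=True); a non-executable format such as
    safetensors removes the problem entirely.
    """
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def probe(blob: bytes) -> str:
    """Classify a blob by what the safe loader does with it."""
    try:
        load_checkpoint_safe(blob)
        return "accepted"
    except pickle.UnpicklingError:
        return "rejected"


if __name__ == "__main__":
    print("unsafe loader ran the embedded callable, result:", load_checkpoint_unsafe(MALICIOUS_BLOB))
    print("safe loader on malicious blob:", probe(MALICIOUS_BLOB))
    print("safe loader on benign blob:", probe(BENIGN_BLOB), dict(load_checkpoint_safe(BENIGN_BLOB)))
```

The allow-list approach is only as good as the list: adding a class whose constructor or `__setstate__` has side effects reopens the hole, which is why checkpoint formats that carry no code at all are the better default when the project controls the format.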

Apple · 103 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8587 | High | 8.8 |  | 2026-05-14 | Use after free in Extensions in Google Chrome on Mac prior to 148.0.7778.168 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension.
CVE-2026-8522 | High | 8.8 |  | 2026-05-14 | Use after free in Downloads in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code via a crafted HTML page.
CVE-2026-8517 | High | 8.8 |  | 2026-05-14 | Object lifecycle issue in WebShare in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page.
CVE-2025-43524 | High | 8.8 |  | 2026-05-12 | An access issue was addressed with additional sandbox restrictions.
CVE-2026-28995 | High | 8.8 |  | 2026-05-11 | A logic issue was addressed with improved restrictions.
CVE-2026-28978 | High | 8.8 |  | 2026-05-11 | A permissions issue was addressed with additional restrictions.
CVE-2026-28955 | High | 8.8 |  | 2026-05-11 | The issue was addressed with improved memory handling.
CVE-2026-28947 | High | 8.8 |  | 2026-05-11 | A use-after-free issue was addressed with improved memory management.
CVE-2026-28940 | High | 8.8 |  | 2026-05-11 | The issue was addressed with improved memory handling.
CVE-2026-28923 | High | 8.8 |  | 2026-05-11 | A logging issue was addressed with improved data redaction.
CVE-2026-28847 | High | 8.8 |  | 2026-05-11 | The issue was addressed with improved memory handling.
CVE-2026-8569 | High | 8.3 |  | 2026-05-14 | Out of bounds write in Codecs in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file.
CVE-2026-8525 | High | 8.3 |  | 2026-05-14 | Heap buffer overflow in ANGLE in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-28907 | High | 8.1 |  | 2026-05-11 | The issue was addressed with improved input validation.
CVE-2026-28951 | High | 7.8 |  | 2026-05-11 | An authorization issue was addressed with improved state management.
CVE-2026-28919 | High | 7.8 |  | 2026-05-11 | A consistency issue was addressed with improved state handling.
CVE-2026-28915 | High | 7.8 |  | 2026-05-11 | A parsing issue in the handling of directory paths was addressed with improved path validation.
CVE-2026-28840 | High | 7.8 |  | 2026-05-11 | A permissions issue was addressed with additional restrictions.
CVE-2026-8585 | High | 7.5 |  | 2026-05-14 | Inappropriate implementation in Media in Google Chrome on iOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory read via a crafted HTML page.
CVE-2025-46311 | High | 7.5 |  | 2026-05-12 | An inconsistent user interface issue was addressed with improved state management.
CVE-2026-43668 | High | 7.5 |  | 2026-05-11 | A use after free issue was addressed with improved memory management.
CVE-2026-43661 | High | 7.5 |  | 2026-05-11 | A buffer overflow issue was addressed with improved memory handling.
CVE-2026-43660 | High | 7.5 |  | 2026-05-11 | A validation issue was addressed with improved logic.
CVE-2026-43658 | High | 7.5 |  | 2026-05-11 | The issue was addressed with improved memory handling.
CVE-2026-43654 | High | 7.5 |  | 2026-05-11 | The issue was addressed with improved memory handling.
CVE-2026-43652 | High | 7.5 |  | 2026-05-11 | A permissions issue was addressed with additional restrictions.
CVE-2026-39871 | High | 7.5 |  | 2026-05-11 | A path handling issue was addressed with improved logic.
CVE-2026-39870 | High | 7.5 |  | 2026-05-11 | The issue was addressed with improved memory handling.
CVE-2026-28991 | High | 7.5 |  | 2026-05-11 | An out-of-bounds read was addressed with improved bounds checking.
CVE-2026-28990 | High | 7.5 |  | 2026-05-11 | The issue was addressed with improved memory handling.
CVE-2026-28987 | High | 7.5 |  | 2026-05-11 | A logging issue was addressed with improved data redaction.
CVE-2026-28986 | High | 7.5 |  | 2026-05-11 | A race condition was addressed with additional validation.
CVE-2026-28983 | High | 7.5 |  | 2026-05-11 | A type confusion issue was addressed with improved checks.
CVE-2026-28976 | High | 7.5 |  | 2026-05-11 | An information leakage was addressed with additional validation.
CVE-2026-28974 | High | 7.5 |  | 2026-05-11 | This issue was addressed with improved checks to prevent unauthorized actions.
CVE-2026-28969 | High | 7.5 |  | 2026-05-11 | A use after free issue was addressed with improved memory management.
CVE-2026-28965 | High | 7.5 |  | 2026-05-11 | A privacy issue was addressed with improved checks.
CVE-2026-28964 | High | 7.5 |  | 2026-05-11 | An inconsistent user interface issue was addressed with improved state management.
CVE-2026-28962 | High | 7.5 |  | 2026-05-11 | This issue was addressed with improved access restrictions.
CVE-2026-28959 | High | 7.5 |  | 2026-05-11 | A buffer overflow was addressed with improved bounds checking.
CVE-2026-28954 | High | 7.5 |  | 2026-05-11 | A file quarantine bypass was addressed with additional checks.
CVE-2026-28953 | High | 7.5 |  | 2026-05-11 | The issue was addressed with improved memory handling.
CVE-2026-28952 | High | 7.5 |  | 2026-05-11 | An integer overflow was addressed with improved input validation.
CVE-2026-28944 | High | 7.5 |  | 2026-05-11 | The issue was addressed with improved memory handling.
CVE-2026-28943 | High | 7.5 |  | 2026-05-11 | A logging issue was addressed with improved data redaction.
CVE-2026-28936 | High | 7.5 |  | 2026-05-11 | The issue was addressed with improved checks.
CVE-2026-28930 | High | 7.5 |  | 2026-05-11 | A permissions issue was addressed with additional restrictions.
CVE-2026-28929 | High | 7.5 |  | 2026-05-11 | A logic issue was addressed with improved checks.
CVE-2026-28925 | High | 7.5 |  | 2026-05-11 | A buffer overflow was addressed with improved bounds checking.
CVE-2026-28924 | High | 7.5 |  | 2026-05-11 | A race condition was addressed with improved handling of symbolic links.
CVE-2026-28913 | High | 7.5 |  | 2026-05-11 | The issue was addressed with improved memory handling.
CVE-2026-28908 | High | 7.5 |  | 2026-05-11 | A denial of service issue was addressed by removing the vulnerable code.
CVE-2026-28906 | High | 7.5 |  | 2026-05-11 | This issue was addressed through improved state management.
CVE-2026-28905 | High | 7.5 |  | 2026-05-11 | The issue was addressed with improved memory handling.
CVE-2026-28904 | High | 7.5 |  | 2026-05-11 | The issue was addressed with improved memory handling.
CVE-2026-28883 | High | 7.5 |  | 2026-05-11 | A use-after-free issue was addressed with improved memory management.
CVE-2026-28873 | High | 7.5 |  | 2026-05-11 | This issue was addressed with additional entitlement checks.
CVE-2026-28872 | High | 7.5 |  | 2026-05-11 | A resource exhaustion issue was addressed with improved input validation.
CVE-2026-28860 | High | 7.5 |  | 2026-05-11 | The issue was addressed with improved input validation.
CVE-2026-28848 | High | 7.5 |  | 2026-05-11 | A buffer overflow was addressed with improved bounds checking.
CVE-2026-28846 | High | 7.5 |  | 2026-05-11 | A buffer overflow was addressed with improved bounds checking.
CVE-2026-43656 | High | 7.3 |  | 2026-05-11 | An out-of-bounds write issue was addressed with improved input validation.
CVE-2026-43655 | High | 7.3 |  | 2026-05-11 | An out-of-bounds read was addressed with improved bounds checking.
CVE-2026-28941 | High | 7.1 |  | 2026-05-11 | The issue was addressed with improved checks.
CVE-2026-28972 | Medium | 6.5 |  | 2026-05-11 | An out-of-bounds write issue was addressed with improved input validation.
CVE-2026-28956 | Medium | 6.5 |  | 2026-05-11 | A memory corruption issue was addressed with improved input validation.
CVE-2026-28946 | Medium | 6.5 |  | 2026-05-11 | A use-after-free issue was addressed with improved memory management.
CVE-2026-28942 | Medium | 6.5 |  | 2026-05-11 | A use-after-free issue was addressed with improved memory management.
CVE-2026-28922 | Medium | 6.5 |  | 2026-05-11 | This issue was addressed through improved state management.
CVE-2026-28920 | Medium | 6.5 |  | 2026-05-11 | An information leakage was addressed with additional validation.
CVE-2026-28918 | Medium | 6.5 |  | 2026-05-11 | An out-of-bounds access issue was addressed with improved bounds checking.
CVE-2026-28903 | Medium | 6.5 |  | 2026-05-11 | The issue was addressed with improved memory handling.
CVE-2026-28902 | Medium | 6.5 |  | 2026-05-11 | The issue was addressed with improved memory handling.
CVE-2026-43666 | Medium | 6.2 |  | 2026-05-11 | An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2026-43653 | Medium | 6.2 |  | 2026-05-11 | The issue was addressed with improved memory handling.
CVE-2026-28985 | Medium | 6.2 |  | 2026-05-11 | A null pointer dereference was addressed with improved input validation.
CVE-2026-28977 | Medium | 6.2 |  | 2026-05-11 | The issue was addressed with improved bounds checks.
CVE-2026-28897 | Medium | 6.2 |  | 2026-05-11 | A buffer overflow was addressed with improved input validation.
CVE-2026-28996 | Medium | 5.5 |  | 2026-05-11 | A race condition was addressed with additional validation.
CVE-2026-28993 | Medium | 5.5 |  | 2026-05-11 | This issue was addressed by adding an additional prompt for user consent.
CVE-2026-28988 | Medium | 5.5 |  | 2026-05-11 | A permissions issue was addressed with additional restrictions.
CVE-2026-28958 | Medium | 5.5 |  | 2026-05-11 | This issue was addressed with improved data protection.
CVE-2026-28914 | Medium | 5.5 |  | 2026-05-11 | A logic issue was addressed with improved file handling.
CVE-2026-20696 | Medium | 5.5 |  | 2026-05-11 | An authorization issue was addressed with improved state management.
CVE-2026-28819 | Medium | 5.4 |  | 2026-05-11 | An out-of-bounds write issue was addressed with improved bounds checking.
CVE-2026-28994 | Medium | 5.3 |  | 2026-05-11 | A use after free issue was addressed with improved memory management.
CVE-2026-28967 | Medium | 4.9 |  | 2026-05-11 | A denial-of-service issue was addressed with improved input validation.
CVE-2026-8565 | Medium | 4.7 |  | 2026-05-14 | Inappropriate implementation in Downloads in Google Chrome on Mac prior to 148.0.7778.168 allowed an attacker who convinced a user to install a malicious extension to perform UI spoofing via a crafted Chrome Extension.
CVE-2026-43659 | Medium | 4.7 |  | 2026-05-11 | A race condition was addressed with additional validation.
CVE-2026-28992 | Medium | 4.7 |  | 2026-05-11 | A memory corruption vulnerability was addressed with improved locking.
CVE-2026-28830 | Medium | 4.7 |  | 2026-05-11 | A race condition was addressed with additional validation.
CVE-2026-28963 | Medium | 4.6 |  | 2026-05-11 | A privacy issue was addressed by removing the vulnerable code.
CVE-2026-28961 | Medium | 4.6 |  | 2026-05-11 | This issue was addressed with improved checks.
CVE-2026-8560 | Medium | 4.3 |  | 2026-05-14 | Heap buffer overflow in SwiftShader in Google Chrome on Mac and iOS prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
CVE-2026-39869 | Medium | 4.3 |  | 2026-05-11 | The issue was addressed with improved memory handling.
CVE-2026-28971 | Medium | 4.3 |  | 2026-05-11 | The issue was addressed with improved UI handling.
CVE-2026-28917 | Medium | 4.3 |  | 2026-05-11 | The issue was addressed with improved input validation.
CVE-2026-28901 | Medium | 4.3 |  | 2026-05-11 | The issue was addressed with improved memory handling.
CVE-2026-8584 | Medium | 4.2 |  | 2026-05-14 | Inappropriate implementation in Views in Google Chrome on iOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page.
CVE-2026-8564 | Medium | 4.2 |  | 2026-05-14 | Incorrect security UI in Downloads in Google Chrome on Android and Mac prior to 148.0.7778.168 allowed a remote attacker to perform UI spoofing via a crafted HTML page.
CVE-2026-28957 | Low | 3.3 |  | 2026-05-11 | An issue with app access to camera metadata was addressed with improved logic.
CVE-2026-28910 | Low | 3.3 |  | 2026-05-11 | This issue was addressed with improved permissions checking.
CVE-2026-8536 | Low | 3.1 |  | 2026-05-14 | Insufficient validation of untrusted input in ReadingMode in Google Chrome on Mac prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to bypass Site Isolation via a crafted HTML page.

Open WebUI · 59 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44551 | Critical | 9.1 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45672 | High | 8.8 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45315 | High | 8.7 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44552 | High | 8.7 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45401 | High | 8.5 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45400 | High | 8.5 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45331 | High | 8.5 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44570 | High | 8.3 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45665 | High | 8.1 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45301 | High | 8.1 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44565 | High | 8.1 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45402 | High | 8.1 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45675 | High | 8.1 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44554 | High | 8.1 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44553 | High | 8.1 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45671 | High | 8.0 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45338 | High | 7.7 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45303 | High | 7.7 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44555 | High | 7.6 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45398 | High | 7.5 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44567 | High | 7.3 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44566 | High | 7.3 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44549 | High | 7.3 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44721 | High | 7.3 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45395 | High | 7.2 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45350 | High | 7.1 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44569 | High | 7.1 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45399 | High | 7.1 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45349 | High | 7.1 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44556 | High | 7.1 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45667 | Medium | 6.5 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45666 | Medium | 6.5 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45351 | Medium | 6.5 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45345 | Medium | 6.5 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44571 | Medium | 6.5 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45339 | Medium | 6.5 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44562 | Medium | 6.5 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44560 | Medium | 6.5 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45314 | Medium | 6.1 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45365 | Medium | 5.4 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45346 | Medium | 5.4 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45318 | Medium | 5.4 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45299 | Medium | 5.4 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45396 | Medium | 5.4 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44564 | Medium | 5.4 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44563 | Medium | 5.4 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44561 | Medium | 5.4 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44558 | Medium | 5.4 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45397 | Medium | 5.3 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44550 | Medium | 5.0 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44568 | Medium | 4.8 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45317 | Medium | 4.6 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45347 | Medium | 4.3 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45387 | Medium | 4.3 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45386 | Medium | 4.3 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45385 | Medium | 4.3 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44559 | Medium | 4.3 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-44557 | Medium | 4.3 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |
| CVE-2026-45316 | Low | 3.5 | | 2026-05-15 | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. |

F5 · 51 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-41225 | Critical | 9.1 | | 2026-05-13 | A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands. |
| CVE-2026-41957 | High | 8.8 | | 2026-05-13 | An authenticated remote code execution vulnerability through undisclosed vectors exists in the BIG-IP and BIG-IQ Configuration utility. |
| CVE-2026-42930 | High | 8.7 | | 2026-05-13 | When running in Appliance mode, an authenticated attacker assigned the 'Administrator' role may be able to bypass Appliance mode restrictions on a BIG-IP system. |
| CVE-2026-42924 | High | 8.7 | | 2026-05-13 | An authenticated attacker with the Resource Administrator or Administrator role can create SNMP configuration objects through iControl SOAP resulting in privilege escalation. Note: Software versions which have reached End of Technical Sup… |
| CVE-2026-42406 | High | 8.7 | | 2026-05-13 | A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands. Note: Software ver… |
| CVE-2026-41953 | High | 8.7 | | 2026-05-13 | A vulnerability exists in BIG-IP systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can modify configuration objects resulting in privilege escalation. Note: Software versions which hav… |
| CVE-2026-40698 | High | 8.7 | | 2026-05-13 | A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Resource Administrator role can create SNMP configuration objects through iControl REST or the TMOS shell (tmsh) result… |
| CVE-2026-40631 | High | 8.7 | | 2026-05-13 | An authenticated attacker with the Resource Administrator or Administrator role can modify configuration objects through iControl SOAP resulting in privilege escalation. Note: Software versions which have reached End of Technical Support… |
| CVE-2026-40061 | High | 8.7 | | 2026-05-13 | When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary… |
| CVE-2026-34176 | High | 8.7 | | 2026-05-13 | When running in Appliance mode, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint. |
| CVE-2026-32673 | High | 8.7 | | 2026-05-13 | A vulnerability exists in BIG-IP scripted monitors that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary system commands with higher privileges. |
| CVE-2026-32643 | High | 8.7 | | 2026-05-13 | A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running arbitrary commands. Note: Software versio… |
| CVE-2026-42945 | High | 8.1 | | 2026-05-13 | NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. |
| CVE-2026-20916 | High | 8.1 | | 2026-05-13 | An authenticated iControl REST user with low privileges can create or modify arbitrary files through an undisclosed iControl REST endpoint on the BIG-IQ system. |
| CVE-2026-41217 | High | 7.9 | | 2026-05-13 | A vulnerability exists in an undisclosed BIG-IP TMOS Shell (tmsh) command that may allow an authenticated attacker with the Resource Administrator or Administrator role to execute arbitrary system commands with higher privileges. |
| CVE-2026-42920 | High | 7.5 | | 2026-05-13 | When a Client SSL profile is configured with Allow Dynamic Record Sizing on a UDP virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. |
| CVE-2026-42409 | High | 7.5 | | 2026-05-13 | When an HTTP/2 profile and an iRule containing the HTTP::redirect or HTTP::respond command are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate. Note: Software ve… |
| CVE-2026-41956 | High | 7.5 | | 2026-05-13 | When a classification profile is configured on a UDP virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not… |
| CVE-2026-41227 | High | 7.5 | | 2026-05-13 | On an HTTP/2 virtual server with Layer 7 DoS Protection configured, undisclosed traffic can result in an increase in memory consumption causing the Traffic Management Microkernel (TMM) process to terminate. Note: Software versions which h… |
| CVE-2026-41218 | High | 7.5 | | 2026-05-13 | When BIG-IP PEM iRules are configured on a virtual server (iRules using commands starting with CLASSIFICATION::, CLASSIFY::, PEM::, PSC::, and the urlcatquery command), undisclosed traffic can cause the Traffic Management Microkernel (TMM)… |
| CVE-2026-40629 | High | 7.5 | | 2026-05-13 | When SSL profiles are configured on a virtual server, undisclosed traffic can cause the virtual server to stop processing new client connections. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated… |
| CVE-2026-40618 | High | 7.5 | | 2026-05-13 | When an SSL profile is configured on a virtual server on BIG-IP Virtual Edition (VE) without Intel QuickAssist Technology (QAT) or on BIG-IP hardware platforms with the database variable crypto.hwacceleration set to disabled, undisclosed t… |
| CVE-2026-40423 | High | 7.5 | | 2026-05-13 | When a SIP profile is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. |
| CVE-2026-40067 | High | 7.5 | | 2026-05-13 | When a BIG-IP APM access policy is configured on a virtual server, undisclosed traffic can cause the apmd process to terminate. |
| CVE-2026-40060 | High | 7.5 | | 2026-05-13 | When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evalu… |
| CVE-2026-39458 | High | 7.5 | | 2026-05-13 | When a BIG-IP DNS profile enabled with DNS cache is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (… |
| CVE-2026-39455 | High | 7.5 | | 2026-05-13 | When the BIG-IP Configuration utility is configured to use Lightweight Directory Access Protocol (LDAP) authentication, undisclosed traffic can cause the httpd process to exhaust the available file descriptors. Note: Software versions whi… |
| CVE-2026-39459 | High | 7.2 | | 2026-05-13 | A vulnerability exists in iControl REST and the TMOS Shell (tmsh) where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands. |
| CVE-2026-24464 | Medium | 6.8 | | 2026-05-13 | When running in Appliance mode, a directory traversal vulnerability exists in an undisclosed iControl REST endpoint that may allow an authenticated attacker with administrator role privileges to cross a security boundary and delete files. … |
| CVE-2026-42919 | Medium | 6.7 | | 2026-05-13 | A vulnerability exists in BIG-IP systems that may allow an authenticated attacker with administrative access to escalate their privileges. |
| CVE-2026-42946 | Medium | 6.5 | | 2026-05-13 | A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. |
| CVE-2026-42937 | Medium | 6.5 | | 2026-05-13 | Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) arp and ndp commands, and in BIG-IP iControl REST. |
| CVE-2026-42781 | Medium | 6.5 | | 2026-05-13 | When embedded Packet Velocity Acceleration (ePVA) acceleration is configured, undisclosed local ethernet traffic can cause an increase in ePVA and Traffic Management Microkernel (TMM) resource utilization. Note: Software versions which ha… |
| CVE-2026-41959 | Medium | 6.5 | | 2026-05-13 | Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and in BIG-IP iControl REST. |
| CVE-2026-41219 | Medium | 6.5 | | 2026-05-13 | An improper sanitization vulnerability exists in the BIG-IP QKView utility that allows a low-privileged attacker to read sensitive information from a QKView file. Note: Software versions which have reached End of Technical Support (EoT… |
| CVE-2026-40699 | Medium | 6.5 | | 2026-05-13 | A vulnerability exists in undisclosed pages in the Configuration utility that may allow a low-privileged authenticated attacker to access undisclosed sensitive information. Note: Software versions which have reached End of Technica… |
| CVE-2026-40462 | Medium | 6.5 | | 2026-05-13 | Incorrect permission assignment vulnerabilities exist in an undisclosed iControl REST and TMOS shell (tmsh) command, which may allow an authenticated attacker to view sensitive information. Note: Software versions which have reached End of Te… |
| CVE-2026-40460 | Medium | 6.5 | | 2026-05-13 | When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address, allowing for bypass of authorization or bypass of rate limiting. Note: Software versions which hav… |
| CVE-2026-35062 | Medium | 6.5 | | 2026-05-13 | An authenticated iControl SOAP user may be able to obtain information of other accounts. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| CVE-2026-42926 | Medium | 5.8 | | 2026-05-13 | When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the upstream peer. Note: Software versions… |
| CVE-2026-40703 | Medium | 5.4 | | 2026-05-13 | A cross-site request forgery (CSRF) vulnerability exists in the dashboard of the BIG-IP Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| CVE-2026-40435 | Medium | 5.3 | | 2026-05-13 | When configured, IP-based access restrictions for httpd do not cover all endpoints, which may allow connections from blocked addresses. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |
| CVE-2026-34019 | Medium | 5.3 | | 2026-05-13 | When Bidirectional Forwarding Detection (BFD) is configured in Static and Dynamic routing protocols, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to stop processing BFD packets and cause the configured routing pro… |
| CVE-2026-42780 | Medium | 4.9 | | 2026-05-13 | A directory traversal vulnerability exists in BIG-IP SSL Orchestrator that allows an authenticated attacker with high privilege to overwrite, delete or corrupt arbitrary local files. |
| CVE-2026-42063 | Medium | 4.9 | | 2026-05-13 | A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files. Note: Software versions which have reached End of Technical Support (EoTS) are not… |
| CVE-2026-41954 | Medium | 4.9 | | 2026-05-13 | A sensitive information disclosure vulnerability exists in an undisclosed iControl REST endpoint and TMOS Shell (tmsh) command, which may allow an authenticated attacker with Resource Administrator role privileges to view sensitive informati… |
| CVE-2026-42934 | Medium | 4.8 | | 2026-05-13 | NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. |
| CVE-2026-40701 | Medium | 4.8 | | 2026-05-13 | NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or the leaf parameters are configured with… |
| CVE-2026-42408 | Medium | 4.4 | | 2026-05-13 | When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed TMOS Shell (tmsh) command that may allow a highly privileged authenticated attacker to view sensitive information. Note: Software versions which have reached End of… |
| CVE-2026-28758 | Medium | 4.4 | | 2026-05-13 | When BIG-IP DNS is provisioned, a vulnerability exists in the gtm_add and bigip_add iControl REST commands, which return the ssh-password parameter in cleartext in the iControl REST response; the value is also logged in the audit log. |
| CVE-2026-42058 | Medium | 4.3 | | 2026-05-13 | An authenticated attacker's undisclosed requests to BIG-IP iControl REST can lead to an information leak of BIG-IP local user account names. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. |

AMD · 48 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-36333 | High | 7.8 | | 2026-05-15 | A DLL hijacking vulnerability in the AMD Cleanup Utility could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. |
| CVE-2025-54518 | High | 7.0 | | 2026-05-15 | Improper isolation of shared resources within the CPU operation cache on Zen 2-based products could allow an attacker to corrupt instructions executed at a different privilege level, potentially resulting in privilege escalation. |
| CVE-2026-0481 | | | | 2026-05-15 | Unrestricted IP address binding in the AMD Device Metrics Exporter (ROCm ecosystem) could allow a remote attacker to perform unauthorized changes to the GPU configuration, potentially resulting in loss of availability. |
| CVE-2025-52532 | | | | 2026-05-15 | A race condition in the MxGPU-Virtualization driver's ioctl path, caused by concurrent unsynchronized access to the global variable amdgv_cmd in an unlocked ioctl handler, could be exploited by an attacker to trigger a heap-based buffer over… |
| CVE-2024-36334 | | | | 2026-05-15 | Improper verification of cryptographic signature in the Radeon RGB tool could allow a malicious file placed in the installation directory to be run with elevated privileges, potentially leading to arbitrary code execution. |
| CVE-2024-36323 | | | | 2026-05-15 | Improper isolation of VCN-JPEG HW register space could allow a malicious Guest Virtual Machine (VM) or a process to perform unauthorized access to the register space of the JPEG cores assigned to a victim VM/process, potentially gaining arbit… |
| CVE-2024-21950 | | | | 2026-05-15 | An out of bounds read in the remote management firmware could allow a privileged attacker to read a limited section of memory outside of established bounds, potentially resulting in loss of confidentiality or availability. |
| CVE-2026-0428 | | | | 2026-05-15 | Insufficient parameter sanitization in the TEE SOC Driver could allow an attacker to issue a malformed DRV_SOC_CMD_ID_SRIOV_COPY_VF_CHIPLET_REGS to write invalid data to a remote Die, potentially resulting in unexpected behavior. |
| CVE-2026-0427 | | | | 2026-05-15 | Improper cleanup of shared register resources in GPU firmware could allow an admin-privileged attacker from a Guest Virtual Machine (VM) to access these shared resources from another Guest VM, potentially resulting in the loss of confident… |
| CVE-2025-66664 | | | | 2026-05-15 | Insufficient parameter sanitization in the AMD Secure Processor (ASP) TEE SOC Driver could allow an attacker to issue a malformed DRV_SOC_CMD_ID_LOAD_GFX_IP_FW SR-IOV command to cause an out-of-bounds read, potentially resulting in SOC Driver mem… |
| CVE-2025-66660 | | | | 2026-05-15 | Insufficient parameter sanitization in the TEE SOC Driver could allow an attacker to issue a malformed DRV_SOC_CMD_ID_SRIOV_CHECK_TA_COMPAT to cause incorrect shared memory mapping, potentially resulting in unexpected behavior. |
| CVE-2025-54517 | | | | 2026-05-15 | Out of bounds write in the AMD AMDGV_CMD_GET_DIAG_DATA ioctl handler could allow a local user to escalate privileges via remote code execution. |
| CVE-2025-54511 | | | | 2026-05-15 | Improper handling of insufficient privileges in the AMD Secure Processor (ASP) could allow an attacker to provide an input value to a function without sufficient privileges and successfully write data, potentially resulting in loss of inte… |
| CVE-2025-48516 | | | | 2026-05-15 | Insecure default configuration state of DDR5 memory modules by AGESA Bootloader Firmware could allow an attacker with local user privilege to abuse the unprotected PMIC interface to create a permanent denial of service condition or affect t… |
| CVE-2025-48513 | | | | 2026-05-15 | Use of an uninitialized resource within the AMD Platform Management Framework (PMF) could allow an attacker to read uninitialized kernel memory, resulting in loss of confidentiality or availability. |
| CVE-2025-29944 | | | | 2026-05-15 | A buffer overflow vulnerability within the AMD Sensor Fusion Hub Driver can allow a local attacker to write out of bounds, potentially resulting in denial of service or a crash. |
| CVE-2025-29938 | | | | 2026-05-15 | An unchecked return value within the AMD Platform Management Framework (PMF) could allow an attacker to write to an arbitrary memory address, resulting in denial of service or arbitrary code execution. |
| CVE-2025-29937 | | | | 2026-05-15 | An out of bounds read within the AMD Platform Management Framework (PMF) could allow an attacker to trigger a read of an arbitrary memory location, potentially resulting in loss of availability or confidentiality. |
| CVE-2025-29936 | | | | 2026-05-15 | Improper input validation within the AMD Platform Management Framework (PMF) could allow an attacker to unmap arbitrary memory pages, potentially impacting integrity and availability, or allowing privilege escalation resulting in loss of co… |
| CVE-2025-29935 | | | | 2026-05-15 | An out of bounds write within the AMD Platform Management Framework (PMF) could allow an attacker to execute arbitrary code at an elevated privilege level, potentially leading to loss of confidentiality, integrity, or availability. |
| CVE-2025-0044 | | | | 2026-05-15 | An out-of-bounds read in power management firmware by a malicious local attacker with low privileges could potentially lead to a partial loss of confidentiality and availability. |
| CVE-2025-0040 | | | | 2026-05-15 | Improper access control between the Joint Test Action Group (JTAG) and Advanced Extensible Interface (AXI) could allow an attacker with physical access to read or overwrite the contents of cross-chip debug (XCD) registers, potentially resul… |
| CVE-2025-0028 | | | | 2026-05-15 | An unchecked return value within the AMD Platform Management Framework (PMF) could allow an attacker to read or modify an arbitrary address, potentially resulting in loss of confidentiality, integrity, or availability. |
| CVE-2024-36332 | | | | 2026-05-15 | Improper isolation of GPU HW register space could allow a privileged attacker in a malicious Guest Virtual Machine (VM) to perform unauthorized access to a specific victim range of GPU MMIO register space, potentially causing the host OS to re… |
| CVE-2024-21962 | | | | 2026-05-15 | Improper input validation in the AMD RAID driver could allow an attacker to point to an arbitrary memory location, potentially resulting in privilege escalation and arbitrary code execution. |
| CVE-2023-31317 | | | | 2026-05-15 | Improper restriction of operations within the bounds of a memory buffer in the AMD Secure Processor (ASP) could allow an attacker to read or write to protected memory, potentially resulting in arbitrary code execution. |
| CVE-2023-31316 | | | | 2026-05-15 | Improperly preserved integrity of hardware configuration state during a power save/restore operation in the AMD Secure Processor (ASP) could allow an attacker with the ability to write outside the trusted memory range (TMR) to change the e… |
| CVE-2023-31309 | | | | 2026-05-15 | Improper validation in Power Management Firmware (PMFW) may allow an attacker with privileges to pass malformed workload arguments when exporting table data from SMU to DRAM, potentially resulting in a loss of confidentiality and/or availab… |
| CVE-2022-23826 | | | | 2026-05-15 | A TOCTOU (Time-Of-Check to Time-Of-Use) in the graphics interface may allow an attacker to load registers repeatedly, creating a race condition potentially leading to a loss of integrity. |
| CVE-2021-26380 | | | | 2026-05-15 | A compromised Trusted OS (TOS) driver could issue a malformed call that could potentially allow memory access outside the intended range, resulting in loss of integrity. |
| CVE-2026-0438 | | | | 2026-05-15 | A System Management Mode (SMM) handler could perform a callout to code located in non-SMM/untrusted memory. |
| CVE-2026-0432 | | | | 2026-05-15 | Incorrect default permissions in the installation directory for the AMD chipset driver could allow an attacker to achieve privilege escalation, resulting in arbitrary code execution. |
| CVE-2025-52540 | | | | 2026-05-15 | An improper input validation vulnerability within the AMD Platform Management Framework (PMF) Driver can allow a local attacker to write out-of-bounds, potentially resulting in privilege escalation. |
| CVE-2025-48521 | | | | 2026-05-15 | Improper input validation in the AMD Secure Processor (ASP) PCI driver could allow a local attacker to trigger a Use-After-Free (UAF) condition, potentially resulting in a loss of platform integrity or a crash. |
| CVE-2025-48520 | | | | 2026-05-15 | An improper input validation vulnerability within the AMD Platform Management Framework (PMF) driver can allow a local attacker to read out-of-bounds, potentially resulting in information disclosure or a crash. |
| CVE-2025-48519 | | | | 2026-05-15 | An improper input validation vulnerability within the AMD Platform Management Framework (PMF) driver can allow a local attacker to read or write out-of-bounds, potentially resulting in privilege escalation. |
| CVE-2025-48512 | | | | 2026-05-15 | Incorrect default permissions in the installation directory for the AMD general-purpose input/output controller (GPIO) could allow an attacker to achieve privilege escalation, resulting in arbitrary code execution. |
| CVE-2025-0045 | | | | 2026-05-15 | Improper input validation in the AMD Secure Processor (ASP) PCI driver may allow a local attacker to create a buffer overflow condition, potentially resulting in a crash or denial of service. |
| CVE-2024-36345 | | | | 2026-05-15 | Improper input validation in the AMD OverDrive (AOD) System Management Mode (SMM) module could allow a privileged attacker to perform an out-of-bounds read, potentially resulting in loss of confidentiality. |
| CVE-2025-62628 | | | | 2026-05-14 | Unsafe OpenSSL initialization within some AMD optional tools may allow a local user-privileged attacker to inject a malicious DLL, potentially resulting in arbitrary code execution. |
| CVE-2025-62625 | | | | 2026-05-14 | Improper privilege management in the KVM key download component could allow an attacker to swap tokens and download sensitive keys, potentially resulting in unauthorized access to privileged resources and loss of confidentiality. |
| CVE-2025-62619 | | | | 2026-05-14 | Missing authentication in the KVM key download endpoint could allow an unauthenticated attacker with knowledge of the exposed URL to retrieve sensitive keys, potentially leading to loss of confidentiality. |
| CVE-2025-62627 | | | | 2026-05-13 | An untrusted pointer dereference in the ionic cloud driver for VMware ESXi could allow an attacker with an unprivileged VM to read kernel memory or co-located guest VM memory, potentially resulting in loss of confidentiality or availabilit… |
| CVE-2025-62624 | | | | 2026-05-13 | A heap-based buffer overflow in the ionic cloud driver for VMware ESXi could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. |
| CVE-2025-62623 | | | | 2026-05-13 | A heap-based buffer overflow in the ionic cloud driver for VMware ESXi could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. |
| CVE-2025-61972 | | | | 2026-05-13 | Missing lock bit protection for NBIO registers could allow a local admin-privileged attacker to gain arbitrary System Management Network (SMN) access, potentially resulting in arbitrary code execution in the AMD Secure Processor (ASP) and loss… |
| CVE-2025-61971 | | | | 2026-05-13 | Missing lock bit protection for NBIO registers could allow a local admin-privileged attacker to modify MMIO routing configurations, potentially resulting in loss of SEV-SNP guest integrity. |
| CVE-2024-36315 | | | | 2026-05-13 | Improper enforcement of the LFENCE serialization property may allow an attacker to bypass speculation barriers and potentially disclose sensitive information, resulting in loss of confidentiality. |

Adobe · 43 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-34659 | Critical | 9.6 |  | 2026-05-12 | Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34660 | Critical | 9.3 |  | 2026-05-12 | Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34686 | High | 8.7 |  | 2026-05-12 | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious sc…
CVE-2026-34653 | High | 8.7 |  | 2026-05-12 | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in arbit…
CVE-2026-34684 | High | 7.8 |  | 2026-05-12 | Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34683 | High | 7.8 |  | 2026-05-12 | Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34682 | High | 7.8 |  | 2026-05-12 | Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34681 | High | 7.8 |  | 2026-05-12 | Substance3D - Designer versions 15.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34676 | High | 7.8 |  | 2026-05-12 | Substance3D - Painter versions 12.0.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34675 | High | 7.8 |  | 2026-05-12 | Substance3D - Painter versions 12.0.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34644 | High | 7.8 |  | 2026-05-12 | After Effects versions 26.0, 25.6.4 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34643 | High | 7.8 |  | 2026-05-12 | After Effects versions 26.0, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34642 | High | 7.8 |  | 2026-05-12 | After Effects versions 26.0, 25.6.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34640 | High | 7.8 |  | 2026-05-12 | Media Encoder versions 26.0.2, 25.6.4 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34639 | High | 7.8 |  | 2026-05-12 | Media Encoder versions 26.0.2, 25.6.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user.
CVE-2026-34665 | High | 7.5 |  | 2026-05-12 | CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service.
CVE-2026-34652 | High | 7.5 |  | 2026-05-12 | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in an application denial-of-service.
CVE-2026-34651 | High | 7.5 |  | 2026-05-12 | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service.
CVE-2026-34650 | High | 7.5 |  | 2026-05-12 | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service.
CVE-2026-34649 | High | 7.5 |  | 2026-05-12 | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service.
CVE-2026-34648 | High | 7.5 |  | 2026-05-12 | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service.
CVE-2026-34646 | High | 7.5 |  | 2026-05-12 | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass.
CVE-2026-34645 | High | 7.5 |  | 2026-05-12 | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass.
CVE-2026-34647 | High | 7.4 |  | 2026-05-12 | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass.
CVE-2026-34664 | Medium | 6.3 |  | 2026-05-12 | Substance3D - Designer versions 15.1.0 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read.
CVE-2026-34688 | Medium | 6.2 |  | 2026-05-12 | CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service.
CVE-2026-34680 | Medium | 6.2 |  | 2026-05-12 | CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in an application denial-of-service.
CVE-2026-34679 | Medium | 6.2 |  | 2026-05-12 | CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service.
CVE-2026-34678 | Medium | 6.2 |  | 2026-05-12 | CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service.
CVE-2026-34677 | Medium | 6.2 |  | 2026-05-12 | CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service.
CVE-2026-34673 | Medium | 6.2 |  | 2026-05-12 | CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service.
CVE-2026-34672 | Medium | 6.2 |  | 2026-05-12 | CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service.
CVE-2026-34671 | Medium | 6.2 |  | 2026-05-12 | CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in an application denial-of-service.
CVE-2026-34670 | Medium | 6.2 |  | 2026-05-12 | CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service.
CVE-2026-34669 | Medium | 6.2 |  | 2026-05-12 | CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service.
CVE-2026-34668 | Medium | 6.2 |  | 2026-05-12 | CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service.
CVE-2026-34667 | Medium | 6.2 |  | 2026-05-12 | CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service.
CVE-2026-34666 | Medium | 6.2 |  | 2026-05-12 | CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service.
CVE-2026-34654 | Medium | 5.3 |  | 2026-05-12 | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Dependency on Vulnerable Third-Party Component vulnerability that could result in an application denial-of-service.
CVE-2026-34658 | Medium | 4.8 |  | 2026-05-12 | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious s…
CVE-2026-34655 | Medium | 4.8 |  | 2026-05-12 | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious s…
CVE-2026-34656 | Medium | 4.3 |  | 2026-05-12 | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass.
CVE-2026-34685 | Low | 3.4 |  | 2026-05-12 | Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier [NEEDS REVIEW: impact mismatch — ticket says 'Arbitrary file system write', CIA triad derives 'Security Feature Bypass'.]

Google · 30 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8580 | Critical | 9.6 |  | 2026-05-14 | Use after free in Mojo in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-8581 | High | 8.8 |  | 2026-05-14 | Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2026-8577 | High | 8.8 |  | 2026-05-14 | Integer overflow in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2026-8558 | High | 8.8 |  | 2026-05-14 | Out of bounds write in Fonts in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2026-8551 | High | 8.8 |  | 2026-05-14 | Use after free in Downloads in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page.
CVE-2026-8549 | High | 8.8 |  | 2026-05-14 | Use after free in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2026-8540 | High | 8.8 |  | 2026-05-14 | Type Confusion in V8 in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2026-8532 | High | 8.8 |  | 2026-05-14 | Integer overflow in XML in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
CVE-2026-8575 | High | 8.3 |  | 2026-05-14 | Use after free in UI in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-8571 | High | 8.3 |  | 2026-05-14 | Insufficient policy enforcement in GPU in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-8548 | High | 8.3 |  | 2026-05-14 | Out of bounds write in Media in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-8534 | High | 8.3 |  | 2026-05-14 | Integer overflow in GPU in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-8533 | High | 8.3 |  | 2026-05-14 | Use after free in Accessibility in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-8513 | High | 8.3 |  | 2026-05-14 | Use after free in Input in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
CVE-2026-8557 | High | 7.5 |  | 2026-05-14 | Use after free in Accessibility in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform privilege escalation via a crafted HTML page.
CVE-2026-8570 | Medium | 6.5 |  | 2026-05-14 | Type Confusion in V8 in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
CVE-2026-8586 | Medium | 5.5 |  | 2026-05-14 | Inappropriate implementation in Chromoting in Google Chrome prior to 148.0.7778.168 allowed a local attacker to bypass discretionary access control via a malicious file.
CVE-2026-8539 | Medium | 5.4 |  | 2026-05-14 | Script injection in SanitizerAPI in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page.
CVE-2026-8583 | Medium | 5.3 |  | 2026-05-14 | Insufficient policy enforcement in WebXR in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted H…
CVE-2026-8582 | Medium | 5.3 |  | 2026-05-14 | Object lifecycle issue in Dawn in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
CVE-2026-8538 | Medium | 5.3 |  | 2026-05-14 | Insufficient validation of untrusted input in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform a denial of service via a crafted HTML page.
CVE-2026-8535 | Medium | 5.3 |  | 2026-05-14 | Out of bounds read in Media in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted JPE…
CVE-2026-8576 | Medium | 4.3 |  | 2026-05-14 | Inappropriate implementation in CORS in Google Chrome on Linux and ChromeOS prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2026-8566 | Medium | 4.3 |  | 2026-05-14 | Insufficient policy enforcement in Payments in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to bypass discretionary access control via a crafted HTML page.
CVE-2026-8552 | Medium | 4.3 |  | 2026-05-14 | Heap buffer overflow in GPU in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
CVE-2026-8537 | Medium | 4.3 |  | 2026-05-14 | Insufficient policy enforcement in ViewTransitions in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2026-8579 | Low | 3.1 |  | 2026-05-14 | Insufficient validation of untrusted input in Skia in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted print file.
CVE-2026-8578 | Low | 3.1 |  | 2026-05-14 | Out of bounds read in GPU in Google Chrome on Linux prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.
CVE-2026-8572 | Low | 3.1 |  | 2026-05-14 | Insufficient policy enforcement in Network in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.
CVE-2026-8553 | Low | 3.1 |  | 2026-05-14 | Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page.

Arubanetworks · 27 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-23827 | High | 7.5 |  | 2026-05-12 | A heap-based buffer overflow vulnerability exists in a Network management service of AOS-8 and AOS-10 that could allow an unauthenticated remote attacker to achieve remote code execution.
CVE-2026-23826 | High | 7.5 |  | 2026-05-12 | A vulnerability in a network management service of AOS-8 Operating System could allow an unauthenticated remote attacker to exploit this vulnerability by sending specially crafted network packets to the affected device, potentially resulti…
CVE-2026-23825 | High | 7.5 |  | 2026-05-12 | Vulnerabilities exist in a protocol-handling component of AOS-8 and AOS-10 Operating Systems.
CVE-2026-23824 | High | 7.5 |  | 2026-05-12 | Vulnerabilities exist in a protocol-handling component of AOS-8 and AOS-10 Operating Systems.
CVE-2026-44871 | High | 7.2 |  | 2026-05-12 | Command injection vulnerabilities exist in the command line interface (CLI) service accessed by the PAPI protocol of AOS-8 and AOS-10 Operating Systems.
CVE-2026-44872 | High | 7.2 |  | 2026-05-12 | A command injection vulnerability exists in the web-based management interface of AOS-8 and AOS-10 Operating Systems.
CVE-2026-44870 | High | 7.2 |  | 2026-05-12 | Command injection vulnerabilities exist in the command line interface (CLI) service accessed by the PAPI protocol of AOS-8 and AOS-10 Operating Systems.
CVE-2026-44869 | High | 7.2 |  | 2026-05-12 | Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems.
CVE-2026-44868 | High | 7.2 |  | 2026-05-12 | Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems.
CVE-2026-44867 | High | 7.2 |  | 2026-05-12 | Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems.
CVE-2026-44866 | High | 7.2 |  | 2026-05-12 | Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems.
CVE-2026-44865 | High | 7.2 |  | 2026-05-12 | Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems.
CVE-2026-44864 | High | 7.2 |  | 2026-05-12 | SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol.
CVE-2026-44863 | High | 7.2 |  | 2026-05-12 | SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol.
CVE-2026-44862 | High | 7.2 |  | 2026-05-12 | SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol.
CVE-2026-44861 | High | 7.2 |  | 2026-05-12 | SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol.
CVE-2026-44860 | High | 7.2 |  | 2026-05-12 | SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol.
CVE-2026-44859 | High | 7.2 |  | 2026-05-12 | Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems.
CVE-2026-44858 | High | 7.2 |  | 2026-05-12 | Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems.
CVE-2026-44857 | High | 7.2 |  | 2026-05-12 | Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems.
CVE-2026-44856 | High | 7.2 |  | 2026-05-12 | Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems.
CVE-2026-44855 | High | 7.2 |  | 2026-05-12 | Stack-based buffer overflow vulnerabilities exist in several underlying management service components accessed through the command-line interface of the AOS-8 and AOS-10 Operating Systems.
CVE-2026-44854 | High | 7.2 |  | 2026-05-12 | Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems.
CVE-2026-44853 | High | 7.2 |  | 2026-05-12 | Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems.
CVE-2026-44852 | High | 7.2 |  | 2026-05-12 | An authenticated remote code execution vulnerability exists in the AOS-8 and AOS-10 web-based management interface.
CVE-2026-44873 | Medium | 5.4 |  | 2026-05-12 | A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled.
CVE-2026-44874 | Medium | 4.9 |  | 2026-05-12 | A vulnerability exists in the web-based management interface of an AOS-10 Gateway that could allow an authenticated remote attacker to access sensitive files on the underlying operating system.

Palo Alto Networks · 26 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-0257 | Critical | 9.1 | KEV | 2026-05-13 | Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection.
CVE-2026-0243 |  |  |  | 2026-05-13 | A denial of service (DoS) vulnerability in Palo Alto Networks Prisma SD-WAN ION devices enables an unauthenticated attacker in a network adjacent to a Prisma SD-WAN ION device to cause a system disruption by sending a specially crafted IPv…
CVE-2026-0262 |  |  |  | 2026-05-13 | Multiple denial of service vulnerabilities in Palo Alto Networks PAN-OS® software allow an unauthenticated attacker with network access to cause a denial of service (DoS) condition by sending specially crafted network traffic.
CVE-2026-0261 |  |  |  | 2026-05-13 | Multiple command injection vulnerabilities in Palo Alto Networks PAN-OS® software enable an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user.
CVE-2026-0259 |  |  |  | 2026-05-13 | An arbitrary File Read and Delete Vulnerability in Palo Alto Networks WildFire® WF-500 and WF-500-B appliances enables users to read sensitive information and delete arbitrary files.
CVE-2026-0258 |  |  |  | 2026-05-13 | A server-side request forgery (SSRF) vulnerability in the IKEv2 implementation of Palo Alto Networks PAN-OS® software allows an unauthenticated attacker to cause the firewall to send network requests to unintended destinations or cause a d…
CVE-2026-0256 |  |  |  | 2026-05-13 | A stored cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface.
CVE-2026-0251 |  |  |  | 2026-05-13 | Multiple local privilege escalation vulnerabilities in the Palo Alto Networks GlobalProtect™ app allow a local user to escalate their privileges to NT AUTHORITY\SYSTEM on Windows and root on macOS and Linux.
CVE-2026-0250 |  |  |  | 2026-05-13 | A buffer overflow vulnerability exists in the Palo Alto Networks GlobalProtect™ app that enables a man in the middle attacker to disrupt system processes and potentially execute arbitrary code with SYSTEM privileges.
CVE-2026-0249 |  |  |  | 2026-05-13 | Multiple improper certificate validation vulnerabilities in the Palo Alto Networks GlobalProtect™ app enables an attacker to intercept encrypted communications and potentially compromise the endpoint.
CVE-2026-0248 |  |  |  | 2026-05-13 | An improper certificate validation vulnerability in the Prisma Access Agent® for Android and Chrome OS enables an attacker to perform a man-in-the-middle (MitM) attack to intercept VPN traffic.
CVE-2026-0247 |  |  |  | 2026-05-13 | Multiple authorization bypass vulnerabilities in the Endpoint DLP component of Prisma Access Agent® allow a local attacker to bypass authentication controls and execute privileged operations.
CVE-2026-0246 |  |  |  | 2026-05-13 | A vulnerability with a privilege management mechanism in the Palo Alto Networks Prisma Access Agent® enables a locally authenticated non-administrative user to escalate their privileges to root on macOS and Linux or NT AUTHORITY\SYSTEM on…
CVE-2026-0245 |  |  |  | 2026-05-13 | Multiple information disclosure vulnerabilities in Prisma Access Agent® allow a local user to access sensitive configuration data and credentials.
CVE-2026-0244 |  |  |  | 2026-05-13 | An improper certificate validation vulnerability in the Palo Alto Networks Prisma SD-WAN ION enables man-in-the-middle (MitM) attacker to impersonate the controller.
CVE-2026-0242 |  |  |  | 2026-05-13 | A SQL injection vulnerability in Trust Protection Foundation allows an authenticated attacker to execute arbitrary SQL commands against the product database.
CVE-2026-0241 |  |  |  | 2026-05-13 | Incorrect Authorization vulnerabilities in Trust Protection Foundation allow attackers to bypass access controls and perform unauthorized actions on restricted resources.
CVE-2026-0240 |  |  |  | 2026-05-13 | An information disclosure vulnerability in Trust Protection Foundation enables an authenticated attacker to obtain sensitive information from the server's vault.
CVE-2026-0239 |  |  |  | 2026-05-13 | An information disclosure vulnerability in the Chronosphere Chronocollector enables an unauthenticated attacker with network access to the collector service to retrieve sensitive information.
CVE-2026-0238 |  |  |  | 2026-05-13 | A vulnerability in Palo Alto Networks Broker VM allows an authenticated administrator to inject arbitrary content into certain Broker VM fields.
CVE-2026-0236 |  |  |  | 2026-05-13 | A code injection vulnerability in Palo Alto Networks Prisma® Browser on macOS fails to properly restrict access to its AppleScript interface allowing a locally authenticated non-admin user to leverage this exposed Apple Event handler to se…
CVE-2026-0235 |  |  |  | 2026-05-13 | A race condition vulnerability in Palo Alto Networks Prisma® Browser enables a locally authenticated non-admin user to bypass certain access and data control policies.
CVE-2026-0265 |  |  |  | 2026-05-13 | An authentication bypass vulnerability in Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to bypass authentication controls when Cloud Authentication Service (CAS) is enabled.
CVE-2026-0264 |  |  |  | 2026-05-13 | A buffer overflow vulnerability in the DNS proxy and DNS Server features of Palo Alto Networks PAN-OS® Software allows an unauthenticated attacker with network access to cause a denial of service (DoS) condition (all PAN-OS platforms excep…
CVE-2026-0263 |  |  |  | 2026-05-13 | A buffer overflow vulnerability in the IKEv2 processing of Palo Alto Networks PAN-OS® software allows an unauthenticated network-based attacker to execute arbitrary code with elevated privileges on the firewall, or cause a denial of servic…
CVE-2026-0237 |  |  |  | 2026-05-13 | An improper protection of alternate path vulnerability in Palo Alto Networks Prisma® Browser on macOS fails to properly restrict access to an internal automation bridge.

Gitlab · 24 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-7481 | High | 8.7 |  | 2026-05-14 | GitLab has remediated an issue in GitLab EE affecting all versions from 16.4 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to execute arbitrary J…
CVE-2026-7377 | High | 8.7 |  | 2026-05-14 | GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that, in customizable analytics dashboards, could have allowed an authenticated user to execute arbi…
CVE-2026-6073 | High | 8.7 |  | 2026-05-14 | GitLab has remediated an issue in GitLab EE affecting all versions from 18.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to execute arbitrary JavaScript in other users' browse…
CVE-2026-1659 | High | 7.5 |  | 2026-05-14 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially cr…
CVE-2025-14870 | High | 7.5 |  | 2026-05-14 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially c…
CVE-2025-14869 | High | 7.5 |  | 2026-05-14 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.5 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by sending specially c…
CVE-2026-1322 | Medium | 6.8 |  | 2026-05-14 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.0 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with a read_api scoped OAuth application to create…
CVE-2026-8280 | Medium | 6.5 |  | 2026-05-14 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to cause denial of service through excessive memory…
CVE-2026-4527 | Medium | 6.5 |  | 2026-05-14 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to create unauthorized Jira subscriptions for a…
CVE-2026-4524 | Medium | 6.5 |  | 2026-05-14 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.9.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to access confidential issue content in public pr…
CVE-2026-1184 | Medium | 6.5 |  | 2026-05-14 | GitLab has remediated an issue in GitLab EE affecting all versions from 11.9 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to cause denial of service by uploading a specially…
CVE-2026-3160 | Medium | 5.8 |  | 2026-05-14 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to view Jira issues outside the configured project…
CVE-2026-6335 | Medium | 5.4 |  | 2026-05-14 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user to execute arbitrary code in another user's browser session due to impro…
CVE-2025-12669 | Medium | 5.4 |  | 2026-05-14 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to inject HTML and JavaScript into email notificat…
CVE-2026-8144 | Medium | 4.3 |  | 2026-05-14 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with project membership to enumerate private group…
CVE-2026-6063 | Medium | 4.3 |  | 2026-05-14 | GitLab has remediated an issue in GitLab EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user with developer-role permissi…
CVE-2026-3607 | Medium | 4.3 |  | 2026-05-14 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass package p…
CVE-2026-3074 | Medium | 4.3 |  | 2026-05-14 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an unauthenticated user to download private debugging symbols from inacce…
CVE-2026-3073 | Medium | 4.3 |  | 2026-05-14 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.6 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to bypass PyPI pack…
CVE-2026-1338 | Medium | 4.3 |  | 2026-05-14 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with developer-role permissions to delete protecte…
CVE-2025-13874 | Medium | 4.3 |  | 2026-05-14 | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with Guest permissions to view issues in projects t…
CVE-2026-7471Low3.52026-05-14GitLab has remediated an issue in GitLab EE affecting all versions from 18.8 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with control of a virtual registry upstream to make re…
CVE-2026-2900Low2.72026-05-14GitLab has remediated an issue in GitLab EE affecting all versions from 16.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that when instance-level approval rule editing prevention was enabled, could have allowed an authen…
CVE-2026-6883Low2.62026-05-14GitLab has remediated an issue in GitLab EE affecting all versions from 15.7 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to bypass merge request approval requirements due to i…

Openclaw · 21 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8634 | Critical | 9.1 | | 2026-05-14 | Crabbox prior to v0.12.0 contains an environment variable exposure vulnerability that allows attackers with access to a malicious or compromised repository to forward local secrets such as API tokens, cloud credentials, and broker tokens i…
CVE-2026-8621 | High | 8.8 | | 2026-05-14 | Crabbox prior to v0.12.0 contains an authentication bypass vulnerability that allows non-admin shared-token callers to impersonate other owners or organizations by spoofing identity headers.
CVE-2026-45223 | High | 8.8 | | 2026-05-11 | Crabbox before 0.9.0 contains an authentication bypass vulnerability in the coordinator user-token verification path where the verifyUserToken() function fails to reject payloads containing an admin claim, allowing attackers to escalate pr…
CVE-2026-45006 | High | 8.8 | | 2026-05-11 | OpenClaw before 2026.4.23 contains an improper access control vulnerability in the gateway tool's config.apply and config.patch operations that allows compromised models to write unsafe configuration changes by bypassing an incomplete deny…
CVE-2026-8629 | High | 8.1 | | 2026-05-14 | Crabbox prior to v0.12.0 contains a privilege escalation vulnerability that allows users with shared visibility-only access to obtain Code, WebVNC, and Egress agent tickets by sending POST requests to ticket endpoints.
CVE-2026-45004 | High | 7.8 | | 2026-05-11 | OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd() during provider setup metadata resolution.
CVE-2026-44995 | High | 7.3 | | 2026-05-11 | OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configuration that allows attackers to execute arbitrary code.
CVE-2026-45224 | High | 7.1 | | 2026-05-11 | Crabbox before 0.9.0 contains a path traversal vulnerability in the Islo provider's workspace path resolution that allows attackers to supply absolute or relative paths that resolve outside the intended /workspace directory.
CVE-2026-45001 | High | 7.1 | | 2026-05-11 | OpenClaw before 2026.4.20 contains a guard bypass vulnerability in the agent-facing gateway config.patch and config.apply endpoints that fails to protect operator-trusted settings including sandbox policy, plugin enablement, gateway auth/T…
CVE-2026-45005 | Medium | 6.0 | | 2026-05-11 | OpenClaw before 2026.4.23 caches resolved webhook route secrets backed by SecretRef values, allowing stale secrets to remain valid after rotation and reload.
CVE-2026-44998 | Medium | 5.4 | | 2026-05-11 | OpenClaw before 2026.4.20 contains a tool policy bypass vulnerability allowing bundled MCP and LSP tools to circumvent configured tool restrictions.
CVE-2026-44993 | Medium | 5.4 | | 2026-05-11 | OpenClaw before 2026.4.20 contains a message classification vulnerability in Feishu card-action callbacks that misclassifies direct messages as group conversations.
CVE-2026-45002 | Medium | 5.3 | | 2026-05-11 | OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to circumvent the hooks.allowRequestSessionKey opt-in restriction.
CVE-2026-44999 | Medium | 5.3 | | 2026-05-11 | OpenClaw before 2026.4.20 fails to properly preserve untrusted labels for isolated cron awareness events, allowing webhook-triggered cron agent output to be recorded as trusted system events.
CVE-2026-44994 | Medium | 5.3 | | 2026-05-11 | OpenClaw before 2026.4.22 contains an authentication bypass vulnerability in the Control UI bootstrap config endpoint that allows unauthenticated attackers to read sensitive configuration fields.
CVE-2026-45003 | Medium | 5.0 | | 2026-05-11 | OpenClaw before 2026.4.22 allows workspace dotenv files to override connector endpoint hosts for Matrix, Mattermost, IRC, and Synology connectors.
CVE-2026-45000 | Medium | 5.0 | | 2026-05-11 | OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in browser CDP profile creation that skips strict-mode SSRF policy checks.
CVE-2026-44992 | Medium | 5.0 | | 2026-05-11 | OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX_API_HOST.
CVE-2026-44997 | Medium | 4.3 | | 2026-05-11 | OpenClaw before 2026.4.22 contains a security envelope constraint bypass vulnerability allowing restricted subagents to spawn ACP child sessions that fail to inherit depth, child-count limits, control scope, or target-agent restrictions.
CVE-2026-44991 | Medium | 4.2 | | 2026-05-11 | OpenClaw before 2026.4.21 contains an authorization bypass vulnerability in command-auth.ts that allows non-owner senders to execute owner-enforced slash commands when wildcard inbound senders are configured without explicit owner allowFro…
CVE-2026-44996 | Low | 3.7 | | 2026-05-11 | OpenClaw before 2026.4.15 contains an arbitrary local file read vulnerability in the webchat audio embedding helper that fails to apply local media root containment checks.
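
Two rows above, CVE-2026-45224 (workspace paths that resolve outside /workspace) and CVE-2026-44996 (a media helper that skips its local root containment check), are the same bug class: a caller-supplied path is joined to a trusted root without checking that the resolved result is still under that root. The block below is an added example of that check in Python, written for this page and not code from OpenClaw or Crabbox; the function names, the temporary workspace layout and the candidate paths are all constructed for the demonstration, and it assumes POSIX path semantics.

```python
import os
import tempfile
from pathlib import Path


def resolve_within_root(root: str, user_path: str) -> Path:
    """Resolve user_path inside root, or raise ValueError if it escapes.

    Absolute input is re-rooted (so "/etc/passwd" means "<root>/etc/passwd"),
    ".." segments are normalised, and symlinks are followed before the check,
    so a link inside root that points outside is rejected as well.
    """
    root_real = Path(root).resolve()
    candidate = (root_real / user_path.lstrip("/")).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise ValueError(f"path escapes root: {user_path!r}") from None
    return candidate


def check_paths(root: str, paths: list[str]) -> dict[str, bool]:
    """Map each candidate path to True (allowed) or False (rejected)."""
    results = {}
    for p in paths:
        try:
            resolve_within_root(root, p)
            results[p] = True
        except ValueError:
            results[p] = False
    return results


def demo() -> dict[str, bool]:
    # Constructed workspace: one real source file plus a symlink pointing
    # outside the workspace, which a lexical prefix check would let through.
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "workspace")
        os.makedirs(os.path.join(root, "src"))
        Path(root, "src", "main.py").write_text("print('hi')\n")
        Path(tmp, "secret.txt").write_text("outside the workspace\n")
        os.symlink(os.path.join(tmp, "secret.txt"), os.path.join(root, "link"))
        return check_paths(root, [
            "src/main.py",           # inside: allowed
            "/src/main.py",          # absolute, re-rooted under root: allowed
            "../secret.txt",         # parent traversal: rejected
            "src/../../secret.txt",  # traversal through a valid prefix: rejected
            "link",                  # symlink that resolves outside root: rejected
        ])


if __name__ == "__main__":
    for path, ok in demo().items():
        print(f"{'allow' if ok else 'REJECT':6} {path}")
```

The check compares fully resolved paths, so a symlink inside the root that points outside is rejected together with ".." traversal; a prefix check on the unresolved string would pass the symlink. Absolute input is re-rooted here; rejecting it outright is an equally valid and stricter choice.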

Siemens · 20 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-41551 | Critical | 9.1 | | 2026-05-12 | A vulnerability has been identified in ROS# (All versions < V2.2.2).
CVE-2026-25787 | Critical | 9.1 | | 2026-05-12 | Affected devices do not properly validate and sanitize Technology Object (TO) name rendered on the "Motion Control Diagnostics" page of the web interface.
CVE-2026-25786 | Critical | 9.1 | | 2026-05-12 | Affected devices do not properly validate and sanitize PLC/station name rendered on the "communication" parameters page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the…
CVE-2026-22924 | Critical | 9.1 | | 2026-05-12 | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V5.0).
CVE-2025-40949 | Critical | 9.1 | | 2026-05-12 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.1), RUGGEDCOM ROX MX5000RE (All versions < V2.17.1), RUGGEDCOM ROX RX1400 (All versions < V2.17.1), RUGGEDCOM ROX RX1500 (All versions < V2.17.1), RUGGEDCOM…
CVE-2025-40946 | High | 8.3 | | 2026-05-12 | A vulnerability has been identified in blueplanet 100 NX3 M8 (All versions), blueplanet 100 TL3 GEN2 (All versions < V6.1.4.9), blueplanet 105 TL3 (All versions), blueplanet 105 TL3 GEN2 (All versions < V6.1.4.9), blueplanet 110 TL3 (All v…
CVE-2025-12659 | High | 7.8 | | 2026-05-12 | Siemens Simcenter Femap contains a memory corruption vulnerability while parsing specially crafted IPT files.
CVE-2026-44412 | High | 7.8 | | 2026-05-12 | A vulnerability has been identified in Solid Edge SE2026 (All versions < V226.0 Update 5).
CVE-2026-44411 | High | 7.8 | | 2026-05-12 | A vulnerability has been identified in Solid Edge SE2026 (All versions < V226.0 Update 5).
CVE-2026-27662 | High | 7.7 | | 2026-05-12 | Affected devices do not properly restrict access to the web browser via the Control Panel when no corresponding security mechanisms are in place. This could allow an unauthenticated attacker to gain unauthorized access to the web browser…
CVE-2026-33893 | High | 7.5 | | 2026-05-12 | A vulnerability has been identified in Teamcenter V2312 (All versions < V2312.0014), Teamcenter V2406 (All versions < V2406.0012), Teamcenter V2412 (All versions < V2412.0009), Teamcenter V2506 (All versions < V2506.0005), Teamcenter V2512…
CVE-2026-22925 | High | 7.5 | | 2026-05-12 | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V5.0).
CVE-2025-40947 | High | 7.5 | | 2026-05-12 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.1), RUGGEDCOM ROX MX5000RE (All versions < V2.17.1), RUGGEDCOM ROX RX1400 (All versions < V2.17.1), RUGGEDCOM ROX RX1500 (All versions < V2.17.1), RUGGEDCOM…
CVE-2025-40833 | High | 7.5 | | 2026-05-12 | The affected devices contain a null pointer dereference vulnerability while processing specially crafted IPv4 requests.
CVE-2026-33862 | High | 7.3 | | 2026-05-12 | A vulnerability has been identified in Teamcenter V2312 (All versions < V2312.0014), Teamcenter V2406 (All versions < V2406.0012), Teamcenter V2412 (All versions < V2412.0009), Teamcenter V2506 (All versions < V2506.0005), Teamcenter V2512…
CVE-2026-25789 | High | 7.1 | | 2026-05-12 | Affected devices do not properly validate and sanitize filenames on the Firmware Update page.
CVE-2025-40948 | Medium | 6.8 | | 2026-05-12 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions < V2.17.1), RUGGEDCOM ROX MX5000RE (All versions < V2.17.1), RUGGEDCOM ROX RX1400 (All versions < V2.17.1), RUGGEDCOM ROX RX1500 (All versions < V2.17.1), RUGGEDCOM…
CVE-2026-41125 | Medium | 6.0 | | 2026-05-12 | A vulnerability has been identified in blueplanet 100 NX3 M8 (All versions), blueplanet 100 TL3 GEN2 (All versions), blueplanet 105 TL3 (All versions), blueplanet 105 TL3 GEN2 (All versions), blueplanet 110 TL3 (All versions), blueplanet 1…
CVE-2026-42177 | Medium | 5.3 | | 2026-05-12 | linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entra ID.
CVE-2024-54017 | Medium | 5.3 | | 2026-05-12 | A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions < V11.0), SIPROTEC 5 6MD85 (CP200) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions >= V7.80 < V11.0), SIPROTEC 5 6MD86 (CP200) (All versions), SIPROTEC 5…

Linux · 16 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-43490 | High | 8.8 | | 2026-05-15 | In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate inherited ACE SID length smb_inherit_dacl() walks the parent directory DACL loaded from the security descriptor xattr.
CVE-2026-43481 | High | 7.8 | | 2026-05-13 | In the Linux kernel, the following vulnerability has been resolved: net-shapers: don't free reply skb after genlmsg_reply() genlmsg_reply() hands the reply skb to netlink, and netlink_unicast() consumes it on all return paths, whether th…
CVE-2026-43476 | High | 7.8 | | 2026-05-13 | In the Linux kernel, the following vulnerability has been resolved: iio: chemical: sps30_i2c: fix buffer size in sps30_i2c_read_meas() sizeof(num) evaluates to sizeof(size_t) (8 bytes on 64-bit) instead of the intended __be32 element siz…
CVE-2026-43500 | High | 7.8 | | 2026-05-11 | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_respo…
CVE-2026-43489 | Medium | 5.5 | | 2026-05-13 | In the Linux kernel, the following vulnerability has been resolved: liveupdate: luo_file: remember retrieve() status LUO keeps track of successful retrieve attempts on a LUO file.
CVE-2026-43488 | Medium | 5.5 | | 2026-05-13 | In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Prevent interrupt storm on host controller error (HCE) The xHCI controller reports a Host Controller Error (HCE) in UAS Storage Device plug/unplug scenarios o…
CVE-2026-43487 | Medium | 5.5 | | 2026-05-13 | In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: Disable LPM on ST1000DM010-2EP102 According to a user report, the ST1000DM010-2EP102 has problems with LPM, causing random system freezes.
CVE-2026-43486 | Medium | 5.5 | | 2026-05-13 | In the Linux kernel, the following vulnerability has been resolved: arm64: contpte: fix set_access_flags() no-op check for SMMU/ATS faults contpte_ptep_set_access_flags() compared the gathered ptep_get() value against the requested entry…
CVE-2026-43485 | Medium | 5.5 | | 2026-05-13 | In the Linux kernel, the following vulnerability has been resolved: nouveau/gsp: drop WARN_ON in ACPI probes These WARN_ONs seem to trigger a lot, and we don't seem to have a plan to fix them, so just drop them, as they are most likely h…
CVE-2026-43484 | Medium | 5.5 | | 2026-05-13 | In the Linux kernel, the following vulnerability has been resolved: mmc: core: Avoid bitfield RMW for claim/retune flags Move claimed and retune control flags out of the bitfield word to avoid unrelated RMW side effects in asynchronous c…
CVE-2026-43483 | Medium | 5.5 | | 2026-05-13 | In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Set/clear CR8 write interception when AVIC is (de)activated Explicitly set/clear CR8 write interception when AVIC is (de)activated to fix a bug where KVM leave…
CVE-2026-43482 | Medium | 5.5 | | 2026-05-13 | In the Linux kernel, the following vulnerability has been resolved: sched_ext: Disable preemption between scx_claim_exit() and kicking helper work scx_claim_exit() atomically sets exit_kind, which prevents scx_error() from triggering fur…
CVE-2026-43480 | Medium | 5.5 | | 2026-05-13 | In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: acp3x-rt5682-max9836: Add missing error check for clock acquisition The acp3x_5682_init() function did not check the return value of clk_get(), which could le…
CVE-2026-43479 | Medium | 5.5 | | 2026-05-13 | In the Linux kernel, the following vulnerability has been resolved: net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect Remove redundant netif_napi_del() call from disconnect path.
CVE-2026-43478 | Medium | 5.5 | | 2026-05-13 | In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: rt1011: Use component to get the dapm context in spk_mode_put The correct helper to use in rt1011_recv_spk_mode_put() to retrieve the DAPM context is snd_s…
CVE-2026-43477 | Medium | 5.5 | | 2026-05-13 | In the Linux kernel, the following vulnerability has been resolved: drm/i915/vrr: Configure VRR timings after enabling TRANS_DDI_FUNC_CTL Apparently ICL may hang with an MCE if we write TRANS_VRR_VMAX/FLIPLINE before enabling TRANS_DDI_F…

Vercel · 15 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44578 | High | 8.6 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications.
CVE-2026-44574 | High | 8.1 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications.
CVE-2026-46508 | High | 7.8 | | 2026-05-15 | Turborepo is a high-performance build system for JavaScript and TypeScript codebases.
CVE-2026-45109 | High | 7.5 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications.
CVE-2026-44579 | High | 7.5 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications.
CVE-2026-44575 | High | 7.5 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications.
CVE-2026-44573 | High | 7.5 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications.
CVE-2026-45773 | Medium | 6.5 | | 2026-05-15 | Turborepo is a high-performance build system for JavaScript and TypeScript codebases.
CVE-2026-44580 | Medium | 6.1 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications.
CVE-2026-44577 | Medium | 5.9 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications.
CVE-2026-44479 | Medium | 5.5 | | 2026-05-13 | Vercel’s AI Cloud is a unified platform for building modern applications.
CVE-2026-44576 | Medium | 5.4 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications.
CVE-2026-44581 | Medium | 4.7 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications.
CVE-2026-44582 | Low | 3.7 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications.
CVE-2026-44572 | Low | 3.7 | | 2026-05-13 | Next.js is a React framework for building full-stack web applications.

Getgrav · 14 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42613 | Critical | 9.4 | | 2026-05-11 | Grav is a file-based Web platform.
CVE-2026-42608 | Critical | 9.1 | | 2026-05-11 | Grav is a file-based Web platform.
CVE-2026-42607 | Critical | 9.1 | | 2026-05-11 | Grav is a file-based Web platform.
CVE-2026-42611 | High | 8.9 | | 2026-05-11 | Grav is a file-based Web platform.
CVE-2026-42844 | High | 8.8 | | 2026-05-12 | Grav is a file-based Web platform.
CVE-2026-42843 | High | 8.8 | | 2026-05-11 | Grav API Plugin is a RESTful API for Grav CMS that provides full headless access to your site's content, media, configuration, users, and system management.
CVE-2026-42612 | High | 8.5 | | 2026-05-11 | Grav is a file-based Web platform.
CVE-2026-42609 | High | 8.1 | | 2026-05-11 | Grav is a file-based Web platform.
CVE-2026-44738 | High | 7.7 | | 2026-05-11 | Grav is a file-based Web platform.
CVE-2026-42610 | Medium | 6.5 | | 2026-05-11 | Grav is a file-based Web platform.
CVE-2026-42842 | Medium | 5.4 | | 2026-05-11 | The form plugin for Grav adds the ability to create and use forms.
CVE-2026-42841 | Medium | 4.8 | | 2026-05-11 | Grav is a file-based Web platform.
CVE-2026-44737 | | | | 2026-05-11 | grav-plugin-admin, the admin plugin for Grav, is an HTML user interface that provides a convenient way to configure Grav and easily create and modify pages.
CVE-2026-42845 | | | | 2026-05-11 | The form plugin for Grav adds the ability to create and use forms.

Patriksimek · 14 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44006 | Critical | 10.0 | | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js.
CVE-2026-44005 | Critical | 10.0 | | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js.
CVE-2026-43997 | Critical | 10.0 | | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js.
CVE-2026-43999 | Critical | 9.9 | | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js.
CVE-2026-45411 | Critical | 9.8 | | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js.
CVE-2026-44009 | Critical | 9.8 | | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js.
CVE-2026-44008 | Critical | 9.8 | | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js.
CVE-2026-44007 | Critical | 9.1 | | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js.
CVE-2026-44001 | High | 8.6 | | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js.
CVE-2026-43998 | High | 8.5 | | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js.
CVE-2026-44004 | High | 7.5 | | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js.
CVE-2026-44000 | Medium | 6.5 | | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js.
CVE-2026-44002 | Medium | 5.8 | | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js.
CVE-2026-44003 | Medium | 5.3 | | 2026-05-13 | vm2 is an open source vm/sandbox for Node.js.

Thorsten · 13 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-46364 | Critical | 9.8 | | 2026-05-15 | phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries.
CVE-2026-45010 | Critical | 9.1 | | 2026-05-15 | phpMyFAQ before 4.1.2 contains an improper restriction of excessive authentication attempts vulnerability in the /admin/check endpoint, which accepts arbitrary user-id parameters without session binding or rate limiting.
CVE-2026-46367 | High | 7.6 | | 2026-05-15 | phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments.
CVE-2026-46366 | High | 7.5 | | 2026-05-15 | phpMyFAQ before 4.1.2 contains an information disclosure vulnerability in the getIdFromSolutionId() method that lacks permission filtering, allowing unauthenticated attackers to enumerate restricted FAQ entries and read their titles via th…
CVE-2026-46359 | High | 7.5 | | 2026-05-15 | phpMyFAQ before 4.1.2 contains a sql injection vulnerability in CurrentUser::setTokenData that allows authenticated attackers to execute arbitrary SQL by injecting malicious OAuth token claims.
CVE-2026-46361 | Medium | 6.9 | | 2026-05-15 | phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protection.
CVE-2026-46362 | Medium | 6.5 | | 2026-05-15 | phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response.
CVE-2026-45008 | Medium | 6.5 | | 2026-05-15 | phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCE_DELETE permission to delete arbitrary directories.
CVE-2026-46365 | Medium | 5.4 | | 2026-05-15 | phpMyFAQ before 4.1.2 contains a missing authorization vulnerability in the DELETE /admin/api/content/tags/{tagId} endpoint that allows any authenticated user to delete tags.
CVE-2026-46363 | Medium | 5.4 | | 2026-05-15 | phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in FAQ creation and update endpoints that bypass sanitization through encode-decode cycles.
CVE-2026-46360 | Medium | 5.4 | | 2026-05-15 | phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in SvgSanitizer::decodeAllEntities() that limits recursive entity decoding to 5 iterations, allowing attackers to bypass sanitization.
CVE-2026-45009 | Medium | 4.3 | | 2026-05-15 | phpMyFAQ before 4.1.2 contains an insufficient authorization vulnerability in admin-api routes that allows authenticated ordinary users to access administrative endpoints by only checking login status instead of verifying backend privilege…
CVE-2026-45007 | Medium | 4.3 | | 2026-05-15 | phpMyFAQ before 4.1.2 contains missing permission checks in ConfigurationTabController.php where 12 endpoints use userIsAuthenticated() instead of userHasPermission(CONFIGURATION_EDIT).
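
CVE-2026-46364 above describes the textbook form of SQL injection: a request header (here User-Agent) spliced into the text of DELETE and INSERT statements. The block below is an added Python illustration against an in-memory SQLite table, not phpMyFAQ's code (which is PHP); the table, the seeded rows, the cutoff and the hostile header value are all constructed. It puts the interpolated query next to the parameterised one so the difference in effect is visible on the same data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory captcha table; five stale rows seeded for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE captcha (id INTEGER PRIMARY KEY, useragent TEXT, created TEXT)"
    )
    conn.executemany(
        "INSERT INTO captcha (useragent, created) VALUES (?, ?)",
        [(f"Mozilla/5.0 (client {i})", "2026-05-01T00:00:00") for i in range(5)],
    )
    conn.commit()
    return conn


def remaining(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM captcha").fetchone()[0]


def garbage_collect_vulnerable(conn: sqlite3.Connection, user_agent: str, cutoff: str) -> int:
    """The bug class: the header value becomes part of the statement text."""
    sql = (
        f"DELETE FROM captcha WHERE useragent = '{user_agent}' "
        f"AND created < '{cutoff}'"
    )
    conn.execute(sql)
    conn.commit()
    return remaining(conn)


def garbage_collect_safe(conn: sqlite3.Connection, user_agent: str, cutoff: str) -> int:
    """Hardened form: same query, both values bound as parameters, never parsed as SQL."""
    conn.execute(
        "DELETE FROM captcha WHERE useragent = ? AND created < ?",
        (user_agent, cutoff),
    )
    conn.commit()
    return remaining(conn)


def demo() -> dict:
    payload = "' OR 1=1 --"           # constructed hostile User-Agent value
    cutoff = "2026-05-12T00:00:00"    # ISO-8601 strings compare lexically, so '<' is fine
    return {
        # Interpolated: WHERE useragent = '' OR 1=1 --' ... deletes every row.
        "vulnerable": garbage_collect_vulnerable(make_db(), payload, cutoff),
        # Bound: the payload is compared as a literal string and matches nothing.
        "safe": garbage_collect_safe(make_db(), payload, cutoff),
        # Bound with a genuine header: exactly the one stale row for that client goes.
        "safe_legit": garbage_collect_safe(make_db(), "Mozilla/5.0 (client 2)", cutoff),
    }


if __name__ == "__main__":
    print(demo())
```

The row counts tell the story: the interpolated form leaves zero rows because the comment marker in the header value discards the date condition, while the bound form treats the same header as an ordinary string and only ever removes the row it was asked to. The same binding applies to the INSERT path the summary mentions; header values are attacker input regardless of which statement receives them.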

Wwbn · 13 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-43884 | High | 7.7 | | 2026-05-11 | WWBN AVideo is an open source video platform.
CVE-2026-43873 | High | 7.5 | | 2026-05-11 | WWBN AVideo is an open source video platform.
CVE-2026-43874 | High | 7.2 | | 2026-05-11 | WWBN AVideo is an open source video platform.
CVE-2026-43875 | Medium | 6.8 | | 2026-05-11 | WWBN AVideo is an open source video platform.
CVE-2026-43876 | Medium | 6.4 | | 2026-05-11 | WWBN AVideo is an open source video platform.
CVE-2026-43878 | Medium | 6.1 | | 2026-05-11 | WWBN AVideo is an open source video platform.
CVE-2026-43879 | Medium | 5.4 | | 2026-05-11 | WWBN AVideo is an open source video platform.
CVE-2026-43877 | Medium | 5.4 | | 2026-05-11 | WWBN AVideo is an open source video platform.
CVE-2026-43881 | Medium | 5.3 | | 2026-05-11 | WWBN AVideo is an open source video platform.
CVE-2026-43880 | Medium | 5.3 | | 2026-05-11 | WWBN AVideo is an open source video platform.
CVE-2026-43882 | Medium | 4.3 | | 2026-05-11 | WWBN AVideo is an open source video platform.
CVE-2026-43883 | Medium | 4.2 | | 2026-05-11 | WWBN AVideo is an open source video platform.
CVE-2026-43885 | | | | 2026-05-11 | WWBN AVideo is an open source video platform.

Huawei · 12 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-41964 | High | 8.4 | | 2026-05-15 | Permission control vulnerability in the web. Impact: Successful exploitation of this vulnerability may affect availability.
CVE-2026-41970 | Medium | 6.8 | | 2026-05-15 | Out-of-bounds write vulnerability in the distributed file system module. Impact: Successful exploitation of this vulnerability may affect availability.
CVE-2026-41969 | Medium | 6.2 | | 2026-05-15 | Permission control vulnerability in the projection module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2026-41968 | Medium | 5.9 | | 2026-05-15 | Permission control vulnerability in the manufacturability design module. Impact: Successful exploitation of this vulnerability may affect availability.
CVE-2026-41967 | Medium | 5.9 | | 2026-05-15 | Permission control vulnerability in the manufacturability design module. Impact: Successful exploitation of this vulnerability may affect availability.
CVE-2026-41961 | Medium | 5.9 | | 2026-05-15 | Permission control vulnerability in contacts. Impact: Successful exploitation of this vulnerability may affect availability.
CVE-2026-41960 | Medium | 5.8 | | 2026-05-15 | Permission control vulnerability in calls. Impact: Successful exploitation of this vulnerability may affect availability.
CVE-2026-41966 | Medium | 5.6 | | 2026-05-15 | Permission control vulnerability in the smart sensing service. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2026-41965 | Medium | 5.6 | | 2026-05-15 | Use-After-Free (UAF) vulnerability in the web. Impact: Successful exploitation of this vulnerability may affect availability.
CVE-2026-41971 | Medium | 5.5 | | 2026-05-15 | Permission control vulnerability in the security control module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2026-41962 | Low | 3.6 | | 2026-05-15 | Permission control vulnerability in the app management and control module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2026-41963 | Low | 2.8 | | 2026-05-15 | Stack overflow vulnerability in the media platform. Impact: Successful exploitation of this vulnerability may affect availability.

Sap_se · 12 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-34263 | Critical | 9.6 | | 2026-05-12 | Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in arbitrary server-side code execution, leading to high impact on Confidentiality, Integrity…
CVE-2026-34260 | Critical | 9.6 | | 2026-05-12 | SAP S/4HANA (SAP Enterprise Search for ABAP) contains a SQL injection vulnerability that allows an authenticated attacker to inject malicious SQL statements through user-controlled input.
CVE-2026-34259 | High | 8.2 | | 2026-05-12 | Due to an OS Command Execution vulnerability in SAP Forecasting & Replenishment, an authenticated attacker with administrative authorizations could abuse a non-remote-enabled function to execute arbitrary operating system commands.
CVE-2026-40133 | Medium | 6.3 | | 2026-05-12 | Due to missing authorization check in SAP S/4HANA Condition Maintenance, an authenticated attacker could gain unauthorized access to view and modify condition table records, resulting in low impact on the confidentiality and integrity of t…
CVE-2026-40137 | Medium | 6.1 | | 2026-05-12 | SAP TAF_APPLAUNCHER within Business Server Pages allows an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirect them to attacker-controlled sites, potentially exposing or altering sensitive informatio…
CVE-2026-40132 | Medium | 5.4 | | 2026-05-12 | Due to missing authorization check in SAP Strategic Enterprise Management (Scorecard Wizard in Business Server Pages), an authenticated attacker could access information that they are otherwise unauthorized to view.
CVE-2026-0502 | Medium | 5.4 | | 2026-05-12 | Due to insufficient CSRF protection in SAP BusinessObjects Business Intelligence Platform, an authenticated user could be tricked by an attacker into sending unintended requests to the web server.
CVE-2026-34258 | Medium | 4.7 | | 2026-05-12 | SAPUI5 (Search UI) allows an unauthenticated attacker to manipulate specific URL parameters on the Search UI to include malicious content.
CVE-2026-40136 | Medium | 4.3 | | 2026-05-12 | SAP Financial Consolidation allows an authenticated attacker to disconnect other users by terminating their sessions, temporarily preventing access.
CVE-2026-40134 | Medium | 4.3 | | 2026-05-12 | Due to insufficient authorization checks in the SAP Incentive and Commission Management application, authenticated users could invoke a remote-enabled function module to perform table update operations.
CVE-2026-40129 | Medium | 4.3 | | 2026-05-12 | Due to a Code Injection vulnerability in SAP Application Server ABAP for SAP NetWeaver and ABAP Platform, an authenticated attacker could send specially crafted inputs to the application.
CVE-2026-40131 | Low | 3.4 | | 2026-05-12 | SQL injection vulnerability exists in @sap/hdi-deploy package, where SQL queries are dynamically constructed using user input without proper parameterization or prepared statements.

Apache · 11 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-43512 | Critical | 9.8 | | 2026-05-12 | DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat.
CVE-2026-41293 | Critical | 9.8 | | 2026-05-12 | Improper Input Validation vulnerability in Apache Tomcat.
CVE-2026-43515 | Critical | 9.1 | | 2026-05-12 | Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat.
CVE-2026-35194 | High | 8.1 | | 2026-05-15 | Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x allows authenticated users with query submission privileges to execute arbitrary code on TaskManagers via maliciously crafted SQL queries.
CVE-2026-43513 | High | 7.5 | | 2026-05-12 | Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat.
CVE-2026-41284 | High | 7.5 | | 2026-05-12 | Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
CVE-2026-42498 | High | 7.3 | | 2026-05-12 | Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat.
CVE-2026-43826 | Medium | 6.5 | | 2026-05-11 | The OpenSearch logging provider, when configured with a `host` URL that embeds credentials (for example `https://user:password@server.example.com:9200`), wrote the full host URL, including the embedded credentials, into task logs.
CVE-2026-41018 | Medium | 6.5 | | 2026-05-11 | The Elasticsearch logging provider, when configured with a `host` URL that embeds credentials (for example `https://user:password@server.example.com:9200`), wrote the full host URL, including the embedded credentials, into task logs.
CVE-2026-45205 | Medium | 5.3 | | 2026-05-14 | Uncontrolled Recursion vulnerability in Apache Commons.
CVE-2026-43514 | Low | 3.7 | | 2026-05-12 | Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat.
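
CVE-2026-43826 and CVE-2026-41018 above share one mechanism: a configured host URL carries credentials in its userinfo part, and the whole URL is written to task logs. The block below is an added Python example, not Apache Airflow's provider code, showing how to strip userinfo before a URL reaches a log, both as a direct helper and as a logging.Filter that scrubs any such URL inside a formatted message. The function and class names, the log line and the URLs are constructed for the demonstration.

```python
import logging
import re
from urllib.parse import urlsplit, urlunsplit


def redact_url(url: str) -> str:
    """Return url with its userinfo masked: user:pass -> ***:***, user -> ***.

    The host:port part is kept verbatim, so IPv6 literals, unusual ports and
    trailing punctuation picked up from free text need no special handling;
    only the text before the last '@' in the netloc is replaced.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    userinfo, hostport = parts.netloc.rsplit("@", 1)
    masked = "***:***" if ":" in userinfo else "***"
    return urlunsplit(
        (parts.scheme, f"{masked}@{hostport}", parts.path, parts.query, parts.fragment)
    )


# Finds scheme://userinfo@rest embedded anywhere in a free-form log line.
_URL_WITH_USERINFO = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^\s/@]+@\S*")


def redact_text(text: str) -> str:
    """Mask credentials in every URL that appears inside a message string."""
    return _URL_WITH_USERINFO.sub(lambda m: redact_url(m.group(0)), text)


class RedactUrlCredentials(logging.Filter):
    """Logging filter: scrub credentials from the message before any handler sees it.

    The record is formatted once here and its args cleared, so a URL passed as a
    %-argument is masked as well, not only one written into the literal msg.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True


def demo() -> dict[str, str]:
    # Constructed values; nothing here connects to a real service.
    record = logging.LogRecord(
        "airflow.task", logging.INFO, "", 0,
        "Connecting to %s for task logs",
        ("https://svc:S3cret@search.example.internal:9200",), None,
    )
    RedactUrlCredentials().filter(record)
    return {
        "url": redact_url("https://user:password@server.example.com:9200"),
        "no_password": redact_url("https://user@server.example.com"),
        "clean": redact_url("https://server.example.com:9200/_bulk"),
        "record": record.getMessage(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Attach the filter to the logger (or handler) that the remote-logging code writes through, with `logging.getLogger("airflow.task").addFilter(RedactUrlCredentials())` or the equivalent for your logger name; a filter on the logger runs before any handler formats the record, which is the point at which the original bug leaked the value. The cleaner fix is still to keep credentials out of the URL and pass them as a separate secret, so that there is nothing to redact.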

Fortinet · 11 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44277 | Critical | 9.8 |  | 2026-05-12 | An improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticator 6.6.0 through 6.6.8, FortiAuthenticator 6.5.0 through 6.5.6 may allow an attacker to execute unauthorized code or comma… |
| CVE-2026-26083 | Critical | 9.8 |  | 2026-05-12 | A missing authorization vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.1, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox Cloud 5.0.2 through 5.0.5, FortiSandbox PaaS 23.4 all versions, FortiSandbox PaaS 23.3 all versions, FortiSa… |
| CVE-2025-53844 | High | 8.8 |  | 2026-05-12 | An out-of-bounds write vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11 allows an attacker to execute unauthorized code or commands via specially crafted packets. |
| CVE-2025-53681 | High | 7.2 |  | 2026-05-12 | An improper neutralization of special elements used in an SQL Command ("SQL Injection") vulnerability [CWE-89] in Fortinet FortiMail 7.6.0 through 7.6.3, FortiMail 7.4.0 through 7.4.5, FortiMail 7.2.0 through 7.2.8 allows an… |
| CVE-2025-53870 | Medium | 6.7 |  | 2026-05-12 | An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiAP 7.6.0 through 7.6.2, FortiAP 7.4.0 through 7.4.5, FortiAP 7.2 all versions, FortiAP 7.0 all versions, FortiAP 6… |
| CVE-2025-53680 | Medium | 6.7 |  | 2026-05-12 | An improper neutralization of special elements used in an OS command ("OS Command Injection") vulnerability [CWE-78] in Fortinet FortiAP 7.6.0 through 7.6.2, FortiAP 7.4.0 through 7.4.5, FortiAP 7.2 all versions, FortiAP 7.0… |
| CVE-2026-44279 | Medium | 5.5 |  | 2026-05-12 | An improper export of Android application components vulnerability in Fortinet FortiTokenAndroid 6.2 all versions, FortiTokenAndroid 6.1 all versions, FortiTokenAndroid 5.2 all versions may allow an attacker to disclose information via an exp… |
| CVE-2026-25088 | Medium | 5.4 |  | 2026-05-12 | An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiNDR 7.6.0 through 7.6.2, FortiNDR 7.4.0 through 7.4.9, FortiNDR 7.2 all versions, FortiNDR 7.1 all versions, FortiNDR 7… |
| CVE-2025-67604 | Medium | 5.3 |  | 2026-05-12 | A use of potentially dangerous function vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.8, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer 6.4 all versions, FortiMa… |
| CVE-2026-25690 | Medium | 4.3 |  | 2026-05-12 | An improper neutralization of argument delimiters in a command ('argument injection') vulnerability in Fortinet FortiDeceptor 6.0.0 through 6.0.2, FortiDeceptor 5.3.0 through 5.3.3, FortiDeceptor 5.2.0 through 5.2.1, FortiDeceptor 5.1 all… |
| CVE-2026-44278 | Low | 2.3 |  | 2026-05-12 | A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientWindows 7.4.0 through 7.4.2, FortiClientWindows 7.2 all versions may allow an attacker to disclose information via <insert attack vector here> |

Givanz · 11 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-46407 | High | 8.1 |  | 2026-05-15 | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. |
| CVE-2026-46408 | High | 7.6 |  | 2026-05-15 | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. |
| CVE-2026-44826 | High | 7.5 |  | 2026-05-15 | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. |
| CVE-2026-41937 | High | 7.2 |  | 2026-05-14 | Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows super_admin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file. |
| CVE-2026-41935 | High | 7.1 |  | 2026-05-14 | Vvveb before 1.0.8.3 contains an uncontrolled recursion vulnerability in the admin controller dispatch cycle where Base::init() repeatedly invokes permission() on error handlers, causing infinite recursion until PHP memory limits are exhau… |
| CVE-2026-44366 | Medium | 6.1 |  | 2026-05-15 | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. |
| CVE-2026-41932 | Medium | 6.1 |  | 2026-05-14 | Vvveb before 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow where the Signup::addUser() controller copies raw POST username values into the display_name field before sanitization occurs. |
| CVE-2026-41933 | Medium | 5.3 |  | 2026-05-14 | Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking proper index directives in .htaccess files. |
| CVE-2026-45800 |  |  |  | 2026-05-15 | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. |
| CVE-2026-45622 |  |  |  | 2026-05-15 | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. |
| CVE-2026-45616 |  |  |  | 2026-05-15 | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. |

Gotenberg · 10 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42589 | Critical | 9.8 |  | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. |
| CVE-2026-42596 | Critical | 9.4 |  | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. |
| CVE-2026-42595 | High | 8.6 |  | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. |
| CVE-2026-42591 | High | 8.2 |  | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. |
| CVE-2026-42590 | High | 8.2 |  | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. |
| CVE-2026-40893 | High | 8.2 |  | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. |
| CVE-2026-42594 | High | 7.5 |  | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. |
| CVE-2026-42597 | Medium | 5.9 |  | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. |
| CVE-2026-42593 | Medium | 5.3 |  | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. |
| CVE-2026-42592 | Medium | 5.3 |  | 2026-05-14 | Gotenberg is a Docker-powered stateless API for PDF files. |

Grafana · 10 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-33376 | High | 7.4 |  | 2026-05-13 | When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. |
| CVE-2026-33377 | High | 7.1 |  | 2026-05-13 | An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. |
| CVE-2026-33378 | Medium | 6.5 |  | 2026-05-13 | Using the $__timeGroup macro, one can achieve an OOM by overloading the server. |
| CVE-2026-28383 | Medium | 6.5 |  | 2026-05-13 | A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. |
| CVE-2026-28380 | Medium | 6.5 |  | 2026-05-13 | Any Editor could delete any snapshot, even if they have no access to read or write them. |
| CVE-2026-28379 | Medium | 6.5 |  | 2026-05-13 | A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal map access error. |
| CVE-2026-28376 | Medium | 6.5 |  | 2026-05-13 | The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory conditions. |
| CVE-2026-33380 | Medium | 6.3 |  | 2026-05-13 | A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. |
| CVE-2026-33381 | Medium | 5.9 |  | 2026-05-13 | When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. |
| CVE-2026-28374 | Medium | 4.3 |  | 2026-05-13 | Editors could delete any annotation, even those they do not have read access to. |

Protobufjs · 10 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44293 | High | 8.8 |  | 2026-05-13 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. |
| CVE-2026-44295 | High | 8.7 |  | 2026-05-13 | protobufjs-cli is the command line add-on for protobuf.js. |
| CVE-2026-44291 | High | 8.1 |  | 2026-05-13 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. |
| CVE-2026-42290 | High | 7.8 |  | 2026-05-13 | protobufjs-cli is the command line add-on for protobuf.js. |
| CVE-2026-44290 | High | 7.5 |  | 2026-05-13 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. |
| CVE-2026-44289 | High | 7.5 |  | 2026-05-13 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. |
| CVE-2026-45740 | Medium | 5.3 |  | 2026-05-13 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. |
| CVE-2026-44294 | Medium | 5.3 |  | 2026-05-13 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. |
| CVE-2026-44292 | Medium | 5.3 |  | 2026-05-13 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. |
| CVE-2026-44288 | Medium | 5.3 |  | 2026-05-13 | protobufjs compiles protobuf definitions into JavaScript (JS) functions. |

Cubecart · 9 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-45714 | Critical | 9.1 |  | 2026-05-13 | CubeCart is an ecommerce software solution. |
| CVE-2026-45053 | Critical | 9.1 |  | 2026-05-13 | CubeCart is an ecommerce software solution. |
| CVE-2026-44377 | Critical | 9.1 |  | 2026-05-13 | CubeCart is an ecommerce software solution. |
| CVE-2026-45055 | High | 8.1 |  | 2026-05-13 | CubeCart is an ecommerce software solution. |
| CVE-2026-45708 | High | 7.2 |  | 2026-05-13 | CubeCart is an ecommerce software solution. |
| CVE-2026-39358 | High | 7.2 |  | 2026-05-13 | CubeCart is an ecommerce software solution. |
| CVE-2026-44376 | Medium | 6.1 |  | 2026-05-13 | CubeCart is an ecommerce software solution. |
| CVE-2026-45054 | Medium | 4.9 |  | 2026-05-13 | CubeCart is an ecommerce software solution. |
| CVE-2026-39428 | Medium | 4.8 |  | 2026-05-13 | CubeCart is an ecommerce software solution. |

Hcl · 9 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-62313 | Medium | 5.4 |  | 2026-05-14 | HCL AION is affected by a vulnerability where adequate protections against brute-force attempts are not enforced. |
| CVE-2025-62310 | Medium | 5.4 |  | 2026-05-14 | HCL AION is affected by a vulnerability where encryption is not enforced for certain data transmissions or operations. |
| CVE-2025-62308 | Medium | 5.1 |  | 2026-05-14 | HCL AION is affected by a vulnerability where sensitive backend infrastructure details may be exposed. |
| CVE-2025-62305 | Medium | 5.1 |  | 2026-05-14 | HCL AION is affected by a vulnerability where certain operations may trigger out-of-band interactions, potentially resulting in unintended disclosure of sensitive information. |
| CVE-2025-62311 | Medium | 4.3 |  | 2026-05-14 | HCL AION is affected by a vulnerability where backend service details may be transmitted over insecure HTTP channels. |
| CVE-2025-62312 | Low | 3.0 |  | 2026-05-14 | HCL AION is affected by a vulnerability where basic authorization tokens are used for authentication. |
| CVE-2025-62317 | Low | 2.6 |  | 2026-05-14 | HCL AION is affected by a vulnerability where sensitive information may be included in URL parameters. |
| CVE-2025-62309 | Low | 2.6 |  | 2026-05-14 | HCL AION is affected by a vulnerability where auto-complete functionality is enabled for certain input fields. |
| CVE-2025-62316 | Low | 2.3 |  | 2026-05-14 | HCL AION is affected by a vulnerability where certain security-related HTTP response headers are not properly configured. |

Intel · 9 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-20767 | High | 7.8 |  | 2026-05-12 | Improper input validation for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow an escalation of privilege. |
| CVE-2026-20714 | High | 7.8 |  | 2026-05-12 | Out-of-bounds write for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow an escalation of privilege. |
| CVE-2026-20905 | Medium | 6.6 |  | 2026-05-12 | Improper input validation for some Intel(R) QAT software drivers for Windows before version 2.6 within Ring 3: User Applications may allow a denial of service. |
| CVE-2026-20782 | Medium | 6.6 |  | 2026-05-12 | Buffer overflow for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a denial of service. |
| CVE-2026-20717 | Medium | 6.6 |  | 2026-05-12 | Improper input validation for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a denial of service. |
| CVE-2026-20771 | Medium | 6.1 |  | 2026-05-12 | Null pointer dereference for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a denial of service. |
| CVE-2026-20914 | Medium | 5.5 |  | 2026-05-12 | Null pointer dereference for some Intel(R) QAT software drivers for Windows before version 2.6.0 within Ring 3: User Applications may allow a denial of service. |
| CVE-2026-20881 | Medium | 5.5 |  | 2026-05-12 | Divide by zero for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a denial of service. |
| CVE-2026-20793 | Low | 3.3 |  | 2026-05-12 | Unchecked return value for some Intel(R) QAT software drivers for Windows before version 1.13 within Ring 3: User Applications may allow a denial of service. |

Academysoftwarefoundation · 8 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-43909 | High | 8.8 |  | 2026-05-14 | OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. |
| CVE-2026-43908 | High | 8.8 |  | 2026-05-14 | OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. |
| CVE-2026-43907 | High | 8.3 |  | 2026-05-14 | OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. |
| CVE-2026-43906 | High | 7.8 |  | 2026-05-14 | OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. |
| CVE-2026-43905 | High | 7.8 |  | 2026-05-14 | OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. |
| CVE-2026-43904 | High | 7.8 |  | 2026-05-14 | OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. |
| CVE-2026-43903 | High | 7.8 |  | 2026-05-14 | OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. |
| CVE-2026-43996 | Medium | 5.5 |  | 2026-05-14 | OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. |

Curl · 8 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6276 | High | 7.5 |  | 2026-05-13 | Using libcurl, when a custom `Host:` header is first set for an HTTP request and a second request is subsequently done using the same *easy handle* but without the custom `Host:` header set, the second request would use stale information a… |
| CVE-2026-5773 | High | 7.5 |  | 2026-05-13 | libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers. |
| CVE-2026-5545 | Medium | 6.5 |  | 2026-05-13 | libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host. |
| CVE-2026-6253 | Medium | 5.9 |  | 2026-05-13 | curl might erroneously pass on credentials for a first proxy to a second proxy. |
| CVE-2026-4873 | Medium | 5.9 |  | 2026-05-13 | A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. |
| CVE-2026-7168 | Medium | 5.3 |  | 2026-05-13 | Successfully using libcurl to do a transfer over a specific HTTP proxy (`proxyA`) with **Digest** authentication and then changing the proxy host to a second one (`proxyB`) for a second transfer, reusing the same handle, makes libcurl wron… |
| CVE-2026-7009 | Medium | 5.3 |  | 2026-05-13 | When curl is told to use the Certificate Status Request TLS extension, often referred to as *OCSP stapling*, to verify that the server certificate is valid, it fails to detect OCSP problems and instead wrongly considers the response as fine. |
| CVE-2026-6429 | Medium | 5.3 |  | 2026-05-13 | When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances. |

Io.netty · 8 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42587 | High | 7.5 |  | 2026-05-13 | Netty is an asynchronous, event-driven network application framework. |
| CVE-2026-42583 | High | 7.5 |  | 2026-05-13 | Netty is an asynchronous, event-driven network application framework. |
| CVE-2026-42582 | High | 7.5 |  | 2026-05-13 | Netty is an asynchronous, event-driven network application framework. |
| CVE-2026-42584 | High | 7.3 |  | 2026-05-13 | Netty is an asynchronous, event-driven network application framework. |
| CVE-2026-42586 | Medium | 6.8 |  | 2026-05-13 | Netty is an asynchronous, event-driven network application framework. |
| CVE-2026-42585 | Medium | 6.5 |  | 2026-05-13 | Netty is an asynchronous, event-driven network application framework. |
| CVE-2026-42580 | Medium | 6.5 |  | 2026-05-13 | Netty is an asynchronous, event-driven network application framework. |
| CVE-2026-44248 | Medium | 5.3 |  | 2026-05-13 | Netty is an asynchronous, event-driven network application framework. |

Mediawiki · 8 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-34092 | High | 7.5 |  | 2026-05-11 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. |
| CVE-2026-34091 | High | 7.5 |  | 2026-05-11 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. |
| CVE-2026-34090 | High | 7.5 |  | 2026-05-11 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation CheckUser. |
| CVE-2026-34088 | High | 7.5 |  | 2026-05-11 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. |
| CVE-2026-34087 | High | 7.5 |  | 2026-05-11 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation OATHAuth. |
| CVE-2026-34095 | Medium | 6.1 |  | 2026-05-11 | Vulnerability in Wikimedia Foundation MediaWiki. |
| CVE-2026-34093 | Medium | 5.3 |  | 2026-05-11 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. |
| CVE-2026-34094 | Low | 3.8 |  | 2026-05-11 | Vulnerability in Wikimedia Foundation MediaWiki. |

Pgadmin · 8 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-7813 | Critical | 9.9 |  | 2026-05-11 | Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. |
| CVE-2026-7816 | High | 8.8 |  | 2026-05-11 | OS command injection (CWE-78) vulnerability in pgAdmin 4 Import/Export query export. |
| CVE-2026-7815 | High | 8.8 |  | 2026-05-11 | SQL injection vulnerability in pgAdmin 4 Maintenance Tool. |
| CVE-2026-7819 | High | 8.1 |  | 2026-05-11 | Symbolic-link path traversal (CWE-61, CWE-22) in pgAdmin 4 File Manager. |
| CVE-2026-7818 | High | 7.0 |  | 2026-05-11 | Deserialization of untrusted data (CWE-502) in pgAdmin 4 FileBackedSessionManager. |
| CVE-2026-7820 | Medium | 6.5 |  | 2026-05-11 | Improper restriction of excessive authentication attempts (CWE-307) in pgAdmin 4. |
| CVE-2026-7817 | Medium | 6.5 |  | 2026-05-11 | Local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities in pgAdmin 4 LLM API configuration endpoints. |
| CVE-2026-7814 | Medium | 4.8 |  | 2026-05-11 | Stored cross-site scripting (XSS) vulnerability in pgAdmin 4 Browser Tree and Explain Visualizer modules. |

D-Link · 7 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-8260 | High | 8.8 |  | 2026-05-11 | A vulnerability was found in D-Link DCS-935L up to 1.10.01. |
| CVE-2026-8346 | Medium | 6.3 |  | 2026-05-12 | A vulnerability was detected in D-Link DIR-816 1.10CNB05_R1B011D88210. |
| CVE-2026-8345 | Medium | 6.3 |  | 2026-05-11 | A security vulnerability has been detected in D-Link DIR-816 1.10CNB05_R1B011D88210. |
| CVE-2026-8344 | Medium | 6.3 |  | 2026-05-11 | A weakness has been identified in D-Link DIR-816 1.10CNB05_R1B011D88210. |
| CVE-2026-8273 | Medium | 4.7 |  | 2026-05-11 | A weakness has been identified in D-Link DNS-320 2.06B01. |
| CVE-2026-8272 | Medium | 4.7 |  | 2026-05-11 | A security flaw has been discovered in D-Link DNS-320 2.06B01. |
| CVE-2026-8271 | Medium | 4.7 |  | 2026-05-11 | A vulnerability was identified in D-Link DNS-320 2.06B01. |

Dell · 7 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-40636 | Critical | 9.8 |  | 2026-05-11 | Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0 contain a use of hard-coded credentials vulnerability. |
| CVE-2026-35071 | High | 8.2 |  | 2026-05-12 | Dell PowerScale InsightIQ, versions 6.0.0 through 6.2.0, contains an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability. |
| CVE-2026-32658 | High | 8.0 |  | 2026-05-11 | Dell Automation Platform versions prior to 2.0.0.0 contain a missing authorization vulnerability. |
| CVE-2026-40638 | Medium | 6.7 |  | 2026-05-12 | Dell PowerScale InsightIQ, versions 5.0.0 through 6.2.0, contains an execution with unnecessary privileges vulnerability. |
| CVE-2026-26946 | Medium | 6.7 |  | 2026-05-11 | Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0 contain an improper privilege management vulnerability in the OS. |
| CVE-2026-35157 | Medium | 5.8 |  | 2026-05-11 | Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0 contain an improper neutralization of formula elements in a CSV File vulnerability in the UI. |
| CVE-2025-43992 | Medium | 5.6 |  | 2026-05-11 | Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0 contain an authentication bypass by assumed-immutable data vulnerability in Geo replication. |

Elecom Co.,ltd. · 7 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42062 | Critical | 9.8 |  | 2026-05-13 | ELECOM wireless LAN access point devices contain an OS command injection vulnerability in the processing of the username parameter. |
| CVE-2026-40621 | Critical | 9.8 |  | 2026-05-13 | ELECOM wireless LAN access point devices do not require authentication to access some specific URLs. |
| CVE-2026-35506 | High | 7.2 |  | 2026-05-13 | ELECOM wireless LAN access point devices contain an OS command injection vulnerability in the processing of the ping_ip_addr parameter. |
| CVE-2026-25107 | Medium | 6.5 |  | 2026-05-13 | ELECOM wireless LAN access point devices use a hard-coded cryptographic key when creating backups of configuration files. |
| CVE-2026-42948 | Medium | 4.8 |  | 2026-05-13 | A stored cross-site scripting vulnerability exists in ELECOM wireless LAN access point devices. |
| CVE-2026-42961 | Medium | 4.3 |  | 2026-05-13 | ELECOM wireless LAN access point devices implement a CSRF protection mechanism, but with inadequate handling of CSRF tokens. |
| CVE-2026-42950 | Medium | 4.3 |  | 2026-05-13 | ELECOM wireless LAN access point devices do not check whether the language parameter has an appropriate value. |

Frappe · 7 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44442 | Critical | 9.9 |  | 2026-05-13 | ERPNext is a free and open source Enterprise Resource Planning tool. |
| CVE-2026-44447 | High | 8.8 |  | 2026-05-13 | ERPNext is a free and open source Enterprise Resource Planning tool. |
| CVE-2026-44446 | High | 8.8 |  | 2026-05-13 | ERPNext is a free and open source Enterprise Resource Planning tool. |
| CVE-2026-44445 | Medium | 6.5 |  | 2026-05-13 | ERPNext is a free and open source Enterprise Resource Planning tool. |
| CVE-2026-44440 | Medium | 6.5 |  | 2026-05-13 | ERPNext is a free and open source Enterprise Resource Planning tool. |
| CVE-2026-44448 | Medium | 5.9 |  | 2026-05-13 | ERPNext is a free and open source Enterprise Resource Planning tool. |
| CVE-2026-44441 | Medium | 5.0 |  | 2026-05-13 | ERPNext is a free and open source Enterprise Resource Planning tool. |

Jqlang · 7 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-43896 | Medium | 6.2 |  | 2026-05-11 | jq is a command-line JSON processor. |
| CVE-2026-43894 | Medium | 6.2 |  | 2026-05-11 | jq is a command-line JSON processor. |
| CVE-2026-44777 | Medium | 5.5 |  | 2026-05-11 | jq is a command-line JSON processor. |
| CVE-2026-41257 | Medium | 5.5 |  | 2026-05-11 | jq is a command-line JSON processor. |
| CVE-2026-41256 | Medium | 5.5 |  | 2026-05-11 | jq is a command-line JSON processor. |
| CVE-2026-40612 | Medium | 5.5 |  | 2026-05-11 | jq is a command-line JSON processor. |
| CVE-2026-43895 | Medium | 4.4 |  | 2026-05-11 | jq is a command-line JSON processor. |

M2team · 7 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44215 | Medium | 4.4 |  | 2026-05-12 | NanaZip is an open source file archive. |
| CVE-2026-42446 | Medium | 4.4 |  | 2026-05-12 | NanaZip is an open source file archive. |
| CVE-2026-42445 | Low | 3.3 |  | 2026-05-12 | NanaZip is an open source file archive. |
| CVE-2026-42444 | Low | 3.3 |  | 2026-05-12 | NanaZip is an open source file archive. |
| CVE-2026-42443 | Low | 3.3 |  | 2026-05-12 | NanaZip is an open source file archive. |
| CVE-2026-42442 | Low | 3.3 |  | 2026-05-12 | NanaZip is an open source file archive. |
| CVE-2026-42355 | Low | 3.3 |  | 2026-05-12 | NanaZip is an open source file archive. |

Siyuan-note · 7 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-45375 | Critical | 9.0 |  | 2026-05-14 | SiYuan is an open-source personal knowledge management system. |
| CVE-2026-44586 | High | 8.3 |  | 2026-05-14 | SiYuan is an open-source personal knowledge management system. |
| CVE-2026-45148 | Medium | 4.3 |  | 2026-05-14 | SiYuan is an open-source personal knowledge management system. |
| CVE-2026-45147 | Medium | 4.3 |  | 2026-05-14 | SiYuan is an open-source personal knowledge management system. |
| CVE-2026-45371 |  |  |  | 2026-05-14 | SiYuan is an open-source personal knowledge management system. |
| CVE-2026-44670 |  |  |  | 2026-05-14 | SiYuan is an open-source personal knowledge management system. |
| CVE-2026-44588 |  |  |  | 2026-05-14 | SiYuan is an open-source personal knowledge management system. |

Advplyr · 6 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42883 | Medium | 6.5 |  | 2026-05-11 | Audiobookshelf is a self-hosted audiobook and podcast server. |
| CVE-2026-42886 | Medium | 4.9 |  | 2026-05-11 | Audiobookshelf is a self-hosted audiobook and podcast server. |
| CVE-2026-42887 | Medium | 4.5 |  | 2026-05-11 | Audiobookshelf is a self-hosted audiobook and podcast server. |
| CVE-2026-42885 | Medium | 4.3 |  | 2026-05-11 | Audiobookshelf is a self-hosted audiobook and podcast server. |
| CVE-2026-42884 | Medium | 4.3 |  | 2026-05-11 | Audiobookshelf is a self-hosted audiobook and podcast server. |
| CVE-2026-42888 |  |  |  | 2026-05-11 | Audiobookshelf is a self-hosted audiobook and podcast server. |

Dnsmasq · 6 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-4892 | High | 8.4 |  | 2026-05-11 | A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet. |
| CVE-2026-4890 | High | 7.5 |  | 2026-05-11 | A Denial of Service (DoS) vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet. |
| CVE-2026-5172 | High | 7.3 |  | 2026-05-11 | A buffer overflow in dnsmasq's extract_addresses() function allows an attacker to trigger a heap out-of-bounds read and crash by exploiting a malformed DNS response, enabling extract_name() to advance the pointer past the record's end. |
| CVE-2026-2291 | High | 7.3 |  | 2026-05-11 | dnsmasq's extract_name() function can be abused to cause a heap buffer overflow, allowing an attacker to inject false DNS cache entries, which could result in DNS lookups being redirected to an attacker-controlled IP address, or cause a DoS. |
| CVE-2026-4893 | Medium | 5.3 |  | 2026-05-11 | An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet with RFC 7871 client subnet information. |
| CVE-2026-4891 | Medium | 5.3 |  | 2026-05-11 | A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to cause a denial of service via a crafted DNS packet. |

Fleetdm · 6 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-26191 | Critical | 9.8 |  | 2026-05-14 | Fleet is open source device management software. |
| CVE-2026-46356 | High | 7.5 |  | 2026-05-14 | Fleet is open source device management software. |
| CVE-2026-24899 | High | 7.5 |  | 2026-05-14 | Fleet is open source device management software. |
| CVE-2026-23998 | High | 7.5 |  | 2026-05-14 | Fleet is open source device management software. |
| CVE-2026-26062 | Medium | 6.5 |  | 2026-05-14 | Fleet is open source device management software. |
| CVE-2026-24000 | Medium | 5.3 |  | 2026-05-14 | Fleet is open source device management software. |

Labredescefetrj · 6 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-45026 | Medium | 6.8 |  | 2026-05-11 | WeGIA is a web manager for charitable institutions. |
| CVE-2026-45025 | Medium | 6.8 |  | 2026-05-11 | WeGIA is a web manager for charitable institutions. |
| CVE-2026-42872 | Medium | 6.1 |  | 2026-05-11 | WeGIA is a web manager for charitable institutions. |
| CVE-2026-42873 | Unrated |  |  | 2026-05-11 | WeGIA is a web manager for charitable institutions. |
| CVE-2026-42870 |  |  |  | 2026-05-11 | WeGIA is a web manager for charitable institutions. |
| CVE-2026-42871 |  |  |  | 2026-05-11 | WeGIA is a web manager for charitable institutions. |

Lfprojects · 6 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-2652 | High | 8.6 |  | 2026-05-15 | A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (`--app-name basic-auth`) and served via uvicorn (ASGI). |
| CVE-2026-2614 | High | 7.5 |  | 2026-05-11 | A vulnerability in the `_create_model_version()` handler of `mlflow/server/handlers.py` in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem. |
| CVE-2026-2393 | High | 7.1 |  | 2026-05-11 | A Server-Side Request Forgery (SSRF) vulnerability exists in MLflow versions prior to 3.9.0. |
| CVE-2026-44429 | Medium | 5.4 |  | 2026-05-14 | The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. |
| CVE-2026-44428 | Medium | 4.7 |  | 2026-05-14 | The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. |
| CVE-2026-44430 | Medium | 4.0 |  | 2026-05-14 | The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. |

Mongodb · 6 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-8053 | High | 8.8 |  | 2026-05-13 | An issue in MongoDB Server's time-series collection implementation allows an authenticated user with database write privileges to trigger an out-of-bounds memory write in the mongod process. |
| CVE-2026-8336 | High | 7.5 |  | 2026-05-13 | After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command's map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $wh… |
| CVE-2026-8199 | Medium | 6.5 |  | 2026-05-13 | An authenticated user can cause excess memory usage via bitwise match expression AST processing of $bitsAllSet, $bitsAnySet, $bitsAllClear, and $bitsAnyClear. |
| CVE-2026-8201 | Medium | 6.4 |  | 2026-05-13 | A use-after-free vulnerability exists in MongoDB's Field-Level Encryption (FLE) query analysis component, affecting client-side uses of mongocryptd and crypt_shared. |
| CVE-2026-8202 | Medium | 4.3 |  | 2026-05-13 | Using a densely populated chars mask and a large input string in the MongoDB aggregation operators $trim, $ltrim, and $rtrim, an authenticated user with aggregation permissions can pin CPU utilization at 100% for an extended period of time. |
| CVE-2026-8200 | Low | 2.7 |  | 2026-05-13 | When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the local server log message generated may not have all user data redacted. This issue impacts MongoDB Server v7.0 versions… |

Samsung · 6 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-21020 | High | 7.8 |  | 2026-05-13 | Improper export of Android application components in OmaCP prior to SMR May-2026 Release 1 allows local attackers to trigger privileged functions. |
| CVE-2026-21021 | Medium | 6.8 |  | 2026-05-13 | Improper input validation in Routines prior to SMR May-2026 Release 1 allows physical attackers to launch privileged activity. |
| CVE-2026-21018 | Medium | 6.7 |  | 2026-05-13 | Out-of-bounds write in SveService prior to SMR May-2026 Release 1 allows local privileged attackers to execute arbitrary code. |
| CVE-2026-21022 | Medium | 5.5 |  | 2026-05-13 | Improper handling of insufficient permissions in Routines prior to SMR May-2026 Release 1 allows local attackers to access sensitive information. |
| CVE-2026-21016 | Medium | 5.5 |  | 2026-05-13 | Incorrect privilege assignment in LocationManager prior to SMR May-2026 Release 1 allows local attackers to access sensitive information. |
| CVE-2026-21015 | Medium | 5.5 |  | 2026-05-13 | Incorrect default permissions in FactoryCamera prior to SMR May-2026 Release 1 allows local attackers to access a unique identifier. |

Webpros · 6 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-29204 | Critical | 9.1 |  | 2026-05-12 | Insufficient ownership check in `clientarea.php` allows an authenticated client area user to submit requests using another user's `addonId` without any ownership validation, leading to unauthorized access to the victim's account. |
| CVE-2026-29205 | High | 8.6 |  | 2026-05-13 | Incorrect privilege management and insufficient path filtering allow reading arbitrary files on the server via the cpdavd attachment download endpoints. |
| CVE-2026-32993 | High | 8.3 |  | 2026-05-13 | Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows an unauthenticated attacker to inject arbitrary HTTP headers into the response. |
| CVE-2026-32992 | High | 8.2 |  | 2026-05-13 | SSL verification is disabled in the DNS Cluster system. |
| CVE-2026-29206 | High | 8.1 |  | 2026-05-13 | Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL injection on behalf of the root user if Slow Query logging is enabled. |
| CVE-2026-32991 | High | 7.1 |  | 2026-05-13 | Improper authorization checks of team member privileges allow a team member to escalate privileges to the team owner account. |

Wso2 · 6 CVEs

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-10470 | High | 8.6 |  | 2026-05-11 | The Magic Link authentication flow accepts multiple invalid authentication requests without adequate rate limiting or resource control, leading to uncontrolled memory usage growth. |
| CVE-2025-10908 | High | 7.3 |  | 2026-05-11 | Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. |
| CVE-2025-9973 | Medium | 6.4 |  | 2026-05-11 | Due to not validating the organization context when executing adaptive authentication flows, the WSO2 Identity Server allows adaptive authentication logic to be triggered on unintended organizations. |
| CVE-2025-8325 | Medium | 6.3 |  | 2026-05-11 | The software fails to enforce role-based access controls for certain Gateway API invocations. |
| CVE-2025-8154 | Medium | 5.3 |  | 2026-05-11 | In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses. |
| CVE-2024-0391 | Medium | 5.3 |  | 2026-05-11 | The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. |

Artica · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-34187 | Critical | 9.8 | - | 2026-05-12 | Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via graph container parameter.
CVE-2026-30805 | Critical | 9.1 | - | 2026-05-12 | Insecure Default Initialization of Resource vulnerability allows Authentication Bypass via API access.
CVE-2026-30810 | High | 8.8 | - | 2026-05-12 | Server-Side Request Forgery vulnerability allows Privilege Escalation via API Checker extension.
CVE-2026-30807 | High | 8.8 | - | 2026-05-12 | Cross-Site Request Forgery vulnerability allows an attacker to perform unauthorized actions via crafted web page.
CVE-2026-30808 | High | 8.1 | - | 2026-05-12 | Session Fixation vulnerability allows Session Hijacking via crafted session ID.

Devs Palace · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8262 | Low | 2.4 | - | 2026-05-11 | A vulnerability was identified in Devs Palace ERP Online up to 4.0.0.
CVE-2026-8256 | Low | 2.4 | - | 2026-05-11 | A security vulnerability has been detected in Devs Palace ERP Online up to 4.0.0.
CVE-2026-8255 | Low | 2.4 | - | 2026-05-11 | A weakness has been identified in Devs Palace ERP Online up to 4.0.0.
CVE-2026-8254 | Low | 2.4 | - | 2026-05-11 | A security flaw has been discovered in Devs Palace ERP Online up to 4.0.0.
CVE-2026-8253 | Low | 2.4 | - | 2026-05-11 | A vulnerability was identified in Devs Palace ERP Online up to 4.0.0.

Dovecot · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-27851 | High | 7.4 | - | 2026-05-12 | When the safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped.
CVE-2026-33603 | Medium | 6.8 | - | 2026-05-12 | An attacker can use a specially crafted base64 exchange between Dovecot and the client to fake SCRAM TLS channel binding.
CVE-2026-40016 | Medium | 5.3 | - | 2026-05-12 | An attacker can upload a malicious Sieve script over the ManageSieve service (or locally) to bypass configured CPU time limits for Sieve, running up to 130 times the configured limit.
CVE-2026-42006 | Medium | 4.3 | - | 2026-05-12 | An attacker can cause uncontrolled memory usage with excessive bracing over IMAP.
CVE-2026-40020 | Low | 3.1 | - | 2026-05-12 | An attacker can use the IMAP SETACL command to inject the anyone permission into a user's dovecot-acl file even if imap_acl_allow_anyone=no.

Dragonmonk111 · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-43992 | Critical | 9.8 | - | 2026-05-12 | JunoClaw is an agentic AI platform built on Juno Network.
CVE-2026-43989 | High | 8.5 | - | 2026-05-12 | JunoClaw is an agentic AI platform built on Juno Network.
CVE-2026-43991 | High | 8.4 | - | 2026-05-12 | JunoClaw is an agentic AI platform built on Juno Network.
CVE-2026-43990 | High | 8.4 | - | 2026-05-12 | JunoClaw is an agentic AI platform built on Juno Network.
CVE-2026-43993 | High | 8.2 | - | 2026-05-12 | JunoClaw is an agentic AI platform built on Juno Network.

Flightphp · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42550 | High | 8.8 | - | 2026-05-13 | Flight is an extensible micro-framework for PHP.
CVE-2026-42552 | High | 7.5 | - | 2026-05-13 | Flight is an extensible micro-framework for PHP.
CVE-2026-42551 | High | 7.5 | - | 2026-05-13 | Flight is an extensible micro-framework for PHP.
CVE-2026-42549 | Medium | 4.4 | - | 2026-05-13 | Flight is an extensible micro-framework for PHP.
CVE-2026-42548 | - | - | - | 2026-05-13 | Flight is an extensible micro-framework for PHP.

Hewlett Packard Enterprise (Hpe) · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-23819 | High | 8.8 | - | 2026-05-12 | A vulnerability in the web-based management interface of Access Points running AOS-10 and AOS-8 Instant could allow an unauthenticated remote attacker to execute arbitrary JavaScript code in a victim's browser within the same local network.
CVE-2026-23823 | High | 7.2 | - | 2026-05-12 | A vulnerability in the command line interface of Access Points running AOS-10 could allow an authenticated remote attacker to perform command injection.
CVE-2026-23821 | High | 7.2 | - | 2026-05-12 | A vulnerability in the configuration processing logic of Access Points running AOS-10 could allow an authenticated remote attacker to execute system commands under certain pre-existing conditions.
CVE-2026-23820 | High | 7.2 | - | 2026-05-12 | A vulnerability in the command line interface of Access Points running AOS-10 and AOS-8 Instant could allow an authenticated remote attacker to execute system commands in a restricted shell environment.
CVE-2026-23822 | Medium | 5.3 | - | 2026-05-12 | A vulnerability in the XML handling component of AOS-8 DHCP services could allow an unauthenticated remote attacker to trigger a denial-of-service condition.

Hono · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44456 | Medium | 6.5 | - | 2026-05-13 | Hono is a Web application framework that provides support for any JavaScript runtime.
CVE-2026-44457 | Medium | 5.3 | - | 2026-05-13 | Hono is a Web application framework that provides support for any JavaScript runtime.
CVE-2026-44455 | Medium | 4.7 | - | 2026-05-13 | Hono is a Web application framework that provides support for any JavaScript runtime.
CVE-2026-44458 | Medium | 4.3 | - | 2026-05-13 | Hono is a Web application framework that provides support for any JavaScript runtime.
CVE-2026-44459 | Low | 3.8 | - | 2026-05-13 | Hono is a Web application framework that provides support for any JavaScript runtime.

Ivanti · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8043 | Critical | 9.6 | - | 2026-05-12 | External control of a file name in Ivanti Xtraction before version 2026.2 allows a remote authenticated attacker to read sensitive files and write arbitrary HTML files to a web directory, leading to information disclosure and possible clie…
CVE-2026-8111 | High | 8.8 | - | 2026-05-12 | SQL injection in the web console of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to achieve remote code execution.
CVE-2026-8110 | High | 7.8 | - | 2026-05-12 | Incorrect permissions assignment in the agent of Ivanti Endpoint Manager before version 2024 SU6 allows a local authenticated attacker to escalate their privileges.
CVE-2026-8051 | High | 7.2 | - | 2026-05-12 | OS command injection in Ivanti Virtual Traffic Manager before version 22.9r4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
CVE-2026-8109 | Medium | 6.5 | - | 2026-05-12 | An exposed dangerous method on the Core Server of Ivanti Endpoint Manager before version 2024 SU6 allows a remote authenticated attacker to leak access credentials.

Meari · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-33362 | High | 8.6 | - | 2026-05-11 | In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps <= 1.8.x (latest observed), multiple security-critical secrets are hardcoded and shared, including API signing material…
CVE-2026-33356 | High | 7.7 | - | 2026-05-11 | In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own.
CVE-2026-33361 | High | 7.5 | - | 2026-05-11 | In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (<= 1.8.x), baby monitor ".jpgx3" files use reversible XOR over only the first 1024 bytes w…
CVE-2026-33359 | High | 7.5 | - | 2026-05-11 | In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement.
CVE-2026-33357 | High | 7.5 | - | 2026-05-11 | In Meari client applications embedding "com.meari.sdk" (including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label <= 1.8.x), the integrated call path to openapi-euce.mearicloud.com can be abused to retrieve WAN I…

Mem0 · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-31242 | Critical | 9.1 | - | 2026-05-12 | The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint.
CVE-2026-31244 | Medium | 6.5 | - | 2026-05-12 | The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories/{memory_id}).
CVE-2026-31243 | Medium | 6.5 | - | 2026-05-12 | The mem0 1.0.0 server lacks authentication and authorization controls for its memory reset and table re-creation functionality accessible via the DELETE /memories endpoint.
CVE-2026-31241 | Medium | 6.5 | - | 2026-05-12 | The mem0 1.0.0 server lacks authentication and authorization controls for its memory deletion API endpoint (DELETE /memories).
CVE-2026-31245 | Medium | 5.3 | - | 2026-05-12 | The mem0 1.0.0 server lacks authentication and authorization controls for its memory creation API endpoint (POST /memories).
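The Webpros `clientarea.php` entry earlier on this page is an ownership (authorization) failure: the caller is authenticated but the `addonId` is never checked against the caller. The mem0 `/memories` entries are the cruder failure of no authentication at all. The following is an added example of the two checks a resource handler needs, written for this digest and not taken from either project; the in-memory store, bearer tokens, route shapes and status codes are assumptions for the illustration.

```python
"""Authentication and ownership checks on resource endpoints.

Added illustration of the two failures in the Webpros addonId entry and the
mem0 /memories entries (missing ownership check vs. no authentication at all).
Not code from either project: the store, tokens and routes are constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


class Store:
    """In-memory stand-in for a memory/addon table keyed by id with an owner."""
    def __init__(self) -> None:
        self.items: dict[str, dict] = {}
        self.tokens: dict[str, str] = {}   # bearer token -> user id

    def issue_token(self, user: str) -> str:
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = user
        return tok

    def create(self, owner: str, text: str) -> str:
        mid = secrets.token_hex(8)
        self.items[mid] = {"owner": owner, "text": text}
        return mid


def authenticate(store: Store, req: Request) -> Optional[str]:
    """Return the user for a valid bearer token, else None. Compare in constant
    time so lookup timing does not leak how much of a guessed token matched."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    if not presented.isascii():
        return None
    for tok, user in store.tokens.items():
        if hmac.compare_digest(tok, presented):
            return user
    return None


# --- vulnerable shape: no authentication, no ownership check ----------------

def delete_memory_unsafe(store: Store, req: Request, memory_id: str) -> int:
    store.items.pop(memory_id, None)
    return 204


def reset_memories_unsafe(store: Store, req: Request) -> int:
    store.items.clear()
    return 204


# --- fixed shape: authenticate, then authorise against the record's owner ---

def delete_memory(store: Store, req: Request, memory_id: str) -> int:
    user = authenticate(store, req)
    if user is None:
        return 401
    item = store.items.get(memory_id)
    # 404 for both "missing" and "not yours", so the endpoint does not confirm
    # to one user which ids belong to another.
    if item is None or item["owner"] != user:
        return 404
    del store.items[memory_id]
    return 204


def reset_memories(store: Store, req: Request) -> int:
    """Bulk reset is scoped to the caller's own records, never the whole table."""
    user = authenticate(store, req)
    if user is None:
        return 401
    for mid in [m for m, it in store.items.items() if it["owner"] == user]:
        del store.items[mid]
    return 204
```

The ownership test is the part the Webpros entry lacks; the `authenticate` call before it is the part the mem0 entries lack. Whether a bulk reset should be per-user or admin-only is a product decision; the example scopes it per user, which is the conservative default.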

Misp · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44380 | High | 7.2 | - | 2026-05-13 | MISP is an open source threat intelligence and sharing platform.
CVE-2026-44381 | Medium | 5.3 | - | 2026-05-13 | MISP is an open source threat intelligence and sharing platform.
CVE-2026-44379 | Medium | 5.3 | - | 2026-05-13 | MISP is an open source threat intelligence and sharing platform.
CVE-2026-44364 | - | - | - | 2026-05-13 | MISP modules are autonomous modules that can be used to extend MISP for new services.
CVE-2026-44363 | - | - | - | 2026-05-13 | MISP modules are autonomous modules that can be used to extend MISP for new services.

Mozilla · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8401 | Critical | 9.8 | - | 2026-05-12 | Sandbox escape in the Profile Backup component.
CVE-2026-8389 | High | 8.8 | - | 2026-05-12 | JIT miscompilation in the JavaScript Engine: JIT component.
CVE-2026-8390 | High | 7.3 | - | 2026-05-12 | Use-after-free in the JavaScript: WebAssembly component.
CVE-2026-8388 | Medium | 6.5 | - | 2026-05-12 | Incorrect boundary conditions in the JavaScript Engine: JIT component.
CVE-2026-8391 | Medium | 5.3 | - | 2026-05-12 | Other issue in the JavaScript Engine component.

Ninenines · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-7790 | High | 7.5 | - | 2026-05-11 | Uncontrolled Resource Consumption vulnerability in ninenines cowlib (cow_http_te module) allows Excessive Allocation.
CVE-2026-43968 | Medium | 4.0 | - | 2026-05-11 | Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows SSE event splitting and injection via unvalidated field values.
CVE-2026-43969 | Low | 3.2 | - | 2026-05-11 | Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields.
CVE-2026-8466 | - | - | - | 2026-05-13 | Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing.
CVE-2026-43970 | - | - | - | 2026-05-13 | Improper Handling of Highly Compressed Data (Data Amplification) vulnerability in ninenines cowlib allows unauthenticated remote denial of service via memory exhaustion.
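The two cowlib CRLF entries above (SSE field values; cookie name and value) and, earlier on this page, the Webpros `/unprotected/nova_error` `status` parameter and the WSO2 webhook header entries are all the same bug class: a caller-controlled string reaches a line-oriented protocol without its line terminators being rejected. The block below is an added example, not cowlib, Webpros or WSO2 code; its encoder names are this example's own. It shows a naive encoder letting one value become two events or two headers, and the validating encoder that rejects CR/LF (and, for SSE `data`, splits legitimate newlines into repeated `data:` lines instead).

```python
"""CRLF-injection checks for SSE fields, Set-Cookie and HTTP response headers.

Added illustration of the bug class in the cowlib, Webpros and WSO2 entries;
not code from any of those projects. Function names are this example's own.
"""
import re

_CRLF = re.compile(r"[\r\n]")
# RFC 7230 token and RFC 6265 cookie-octet character classes.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_COOKIE_OCTET = re.compile(r"^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$")


class HeaderInjection(ValueError):
    """A caller-supplied value would terminate a line or field early."""


def _no_crlf(what: str, value: str) -> str:
    if _CRLF.search(value):
        raise HeaderInjection(f"{what} contains CR/LF: {value!r}")
    return value


# --- Server-Sent Events ----------------------------------------------------

def sse_event_unsafe(field: str, value: str) -> str:
    """Naive encoder: an LF inside `value` ends the event early."""
    return f"{field}: {value}\n\n"


def sse_event(field: str, value: str) -> str:
    """Field names never contain CR/LF. `data` may legitimately span lines,
    which SSE carries as repeated `data:` lines, so split rather than reject."""
    _no_crlf("SSE field name", field)
    if field != "data":
        return f"{field}: {_no_crlf('SSE field value', value)}\n\n"
    lines = value.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    return "".join(f"data: {line}\n" for line in lines) + "\n"


def parse_sse(stream: str) -> list:
    """Tiny SSE parser: shows how many events a client would really see."""
    events, cur = [], {}
    for line in stream.split("\n"):
        if not line:
            if cur:
                events.append(cur)
                cur = {}
            continue
        name, _, val = line.partition(":")
        val = val[1:] if val.startswith(" ") else val
        cur[name] = cur[name] + "\n" + val if (name == "data" and name in cur) else val
    return events


# --- Set-Cookie -------------------------------------------------------------

def set_cookie_unsafe(name: str, value: str) -> str:
    return f"Set-Cookie: {name}={value}\r\n"


def set_cookie(name: str, value: str) -> str:
    if not _TOKEN.match(name):
        raise HeaderInjection(f"bad cookie name {name!r}")
    if not _COOKIE_OCTET.match(value):
        raise HeaderInjection(f"bad cookie value {value!r}")
    return f"Set-Cookie: {name}={value}\r\n"


# --- Generic response headers ---------------------------------------------

def render_headers_unsafe(headers: list) -> str:
    return "".join(f"{k}: {v}\r\n" for k, v in headers) + "\r\n"


def render_headers(headers: list) -> str:
    out = []
    for k, v in headers:
        if not _TOKEN.match(k):
            raise HeaderInjection(f"bad header name {k!r}")
        out.append(f"{k}: {_no_crlf('header value', v)}\r\n")
    return "".join(out) + "\r\n"


def count_header_lines(rendered: str) -> int:
    """Number of header lines a peer would parse from the rendered block."""
    return len([l for l in rendered.split("\r\n") if l])


if __name__ == "__main__":
    # Constructed payload: a value carrying CR/LF, as it would arrive through
    # a query parameter that is echoed into a response header.
    evil = "ok\r\nSet-Cookie: session=attacker"
    print(count_header_lines(render_headers_unsafe([("X-Status", evil)])))  # 2
    try:
        render_headers([("X-Status", evil)])
    except HeaderInjection as e:
        print("rejected:", e)
```

Rejecting at the encoder is the right layer: it catches every caller, including the one that builds a value from a request parameter three modules away.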

Outline · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-43888 | High | 8.7 | - | 2026-05-11 | Outline is a service that allows for collaborative documentation.
CVE-2026-43886 | High | 8.2 | - | 2026-05-11 | Outline is a service that allows for collaborative documentation.
CVE-2026-43890 | High | 7.7 | - | 2026-05-11 | Outline is a service that allows for collaborative documentation.
CVE-2026-43887 | High | 7.3 | - | 2026-05-11 | Outline is a service that allows for collaborative documentation.
CVE-2026-43889 | Medium | 6.5 | - | 2026-05-11 | Outline is a service that allows for collaborative documentation.

Pyload · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42313 | High | 8.3 | - | 2026-05-11 | pyLoad is a free and open-source download manager written in Python.
CVE-2026-42315 | High | 8.1 | - | 2026-05-11 | pyLoad is a free and open-source download manager written in Python.
CVE-2026-42312 | Medium | 6.8 | - | 2026-05-11 | pyLoad is a free and open-source download manager written in Python.
CVE-2026-42314 | Medium | 6.5 | - | 2026-05-11 | pyLoad is a free and open-source download manager written in Python.
CVE-2026-44226 | Medium | 5.3 | - | 2026-05-11 | pyLoad is a free and open-source download manager written in Python.

Strapi · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-27886 | High | 7.5 | - | 2026-05-14 | Strapi is an open source headless content management system.
CVE-2026-22599 | High | 7.2 | - | 2026-05-14 | Strapi is an open source headless content management system.
CVE-2026-22706 | Medium | 6.5 | - | 2026-05-14 | Strapi is an open source headless content management system.
CVE-2026-22707 | Medium | 5.4 | - | 2026-05-14 | Strapi is an open source headless content management system.
CVE-2025-64526 | Medium | 5.3 | - | 2026-05-14 | Strapi is an open source headless content management system.

Torchbox · 5 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44200 | Medium | 6.5 | - | 2026-05-11 | Wagtail is an open source content management system built on Django.
CVE-2026-44199 | Medium | 6.5 | - | 2026-05-11 | Wagtail is an open source content management system built on Django.
CVE-2026-44197 | Medium | 6.5 | - | 2026-05-11 | Wagtail is an open source content management system built on Django.
CVE-2026-44201 | Medium | 5.3 | - | 2026-05-11 | Wagtail is an open source content management system built on Django.
CVE-2026-44198 | Medium | 4.3 | - | 2026-05-11 | Wagtail is an open source content management system built on Django.

Axis · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-0804 | Medium | 6.7 | - | 2026-05-12 | An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation.
CVE-2026-0541 | Medium | 6.7 | - | 2026-05-12 | ACAP applications can gain elevated privileges due to improper input validation during the installation process, potentially leading to privilege escalation.
CVE-2026-0802 | Medium | 6.0 | - | 2026-05-12 | An ACAP configuration file lacked sufficient input validation, which could allow command injection and potentially lead to privilege escalation.
CVE-2026-1185 | Medium | 5.4 | - | 2026-05-12 | A configuration file on the local file system had improper input validation which could allow code execution and potentially lead to privilege escalation.

Barebox · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-34963 | High | 8.4 | - | 2026-05-11 | barebox version prior to 2026.04.0 contains multiple memory-safety vulnerabilities in the EFI PE loader in efi/loader/pe.c where integer overflow in virtual image size computation using 32-bit arithmetic on section VirtualAddress and size…
CVE-2026-34960 | Medium | 6.5 | - | 2026-05-11 | barebox prior to version 2026.04.0 contains an out-of-bounds read vulnerability in DHCP option parsing within the dhcp_message_type() function that fails to verify the options pointer remains within received packet bounds.
CVE-2026-34962 | Medium | 6.2 | - | 2026-05-11 | barebox version prior to 2026.04.0 contains a denial-of-service vulnerability in ext4 directory parsing in fs/ext4/ext4_common.c where the ext4fs_iterate_dir() function fails to validate that directory entry length values are non-zero.
CVE-2026-34961 | Medium | 6.2 | - | 2026-05-11 | barebox prior to version 2026.04.0 contains out-of-bounds read vulnerabilities in ext4 extent parsing due to missing validation of the eh_entries field against buffer capacity in fs/ext4/ext4_common.c.

Churchcrm · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42288 | Critical | 10.0 | - | 2026-05-12 | ChurchCRM is an open-source church management system.
CVE-2026-44547 | Critical | 9.6 | - | 2026-05-12 | ChurchCRM is an open-source church management system.
CVE-2026-42289 | High | 8.8 | - | 2026-05-12 | ChurchCRM is an open-source church management system.
CVE-2026-44548 | High | 8.1 | - | 2026-05-12 | ChurchCRM is an open-source church management system.

Cisco · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-20182 | Critical | 10.0 | KEV | 2026-05-14 | May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026.
CVE-2026-20224 | High | 8.6 | - | 2026-05-14 | A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to read arbitrary files that are stored in an affected system.
CVE-2026-20210 | Medium | 5.4 | - | 2026-05-14 | A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker with read-only permissions to modify configurations and perform unauthorized actions on an affected syst…
CVE-2026-20209 | Medium | 5.4 | - | 2026-05-14 | A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker with read-only permissions to elevate their privileges from low to high and perform actions as a high-pr…

Ckan · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42031 | Critical | 9.8 | - | 2026-05-13 | CKAN is an open-source DMS (data management system) for powering data hubs and data portals.
CVE-2026-42032 | Critical | 9.1 | - | 2026-05-13 | CKAN is an open-source DMS (data management system) for powering data hubs and data portals.
CVE-2026-41132 | High | 7.4 | - | 2026-05-13 | CKAN is an open-source DMS (data management system) for powering data hubs and data portals.
CVE-2026-41255 | Medium | 6.1 | - | 2026-05-13 | CKAN is an open-source DMS (data management system) for powering data hubs and data portals.

Dani-garcia · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-43912 | High | 8.7 | - | 2026-05-11 | Vaultwarden is a Bitwarden-compatible server written in Rust.
CVE-2026-43913 | High | 8.1 | - | 2026-05-11 | Vaultwarden is a Bitwarden-compatible server written in Rust.
CVE-2026-43914 | High | 7.3 | - | 2026-05-11 | Vaultwarden is a Bitwarden-compatible server written in Rust.
CVE-2026-43911 | Medium | 6.8 | - | 2026-05-11 | Vaultwarden is a Bitwarden-compatible server written in Rust.

Efwgrp · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44260 | High | 8.1 | - | 2026-05-12 | efw4.X is an Enterprise Framework for Web.
CVE-2026-44259 | Medium | 4.6 | - | 2026-05-12 | efw4.X is an Enterprise Framework for Web.
CVE-2026-44258 | - | - | - | 2026-05-12 | efw4.X is an Enterprise Framework for Web.
CVE-2026-44257 | - | - | - | 2026-05-12 | efw4.X is an Enterprise Framework for Web.

Eugeny · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-45035 | High | 8.8 | - | 2026-05-15 | Tabby (formerly Terminus) is a highly configurable terminal emulator.
CVE-2026-45038 | High | 7.8 | - | 2026-05-15 | Tabby (formerly Terminus) is a highly configurable terminal emulator.
CVE-2026-45037 | High | 7.1 | - | 2026-05-15 | Tabby (formerly Terminus) is a highly configurable terminal emulator.
CVE-2026-45036 | High | 7.0 | - | 2026-05-15 | Tabby (formerly Terminus) is a highly configurable terminal emulator.

Garmin · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-27851 | Critical | 9.3 | - | 2026-05-13 | The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a cross-site origin WebSocket hijacking attack.
CVE-2025-27850 | High | 7.5 | - | 2026-05-13 | The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack.
CVE-2025-27853 | High | 7.3 | - | 2026-05-13 | The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed.
CVE-2025-27852 | Medium | 5.0 | - | 2026-05-13 | The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a reflected cross site scripting (XSS) attack.

Hashicorp · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-7474 | High | 8.8 | - | 2026-05-12 | HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack.
CVE-2026-8052 | Medium | 6.0 | - | 2026-05-12 | HashiCorp Nomad's exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack.
CVE-2026-6959 | Medium | 6.0 | - | 2026-05-12 | HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack.
CVE-2026-5061 | Medium | 4.7 | - | 2026-05-12 | The consul-template library before version 0.42.0 is vulnerable to a sandbox path bypass in the file template helper that may allow reading an out-of-sandbox file.

Infused Addons · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6510 | Critical | 9.8 | - | 2026-05-14 | The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization in all versions up to, and including, 5.1.2.
CVE-2026-6512 | Critical | 9.1 | - | 2026-05-14 | The InfusedWoo Pro plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.2.
CVE-2026-6506 | High | 8.8 | - | 2026-05-14 | The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.1.2.
CVE-2026-6514 | High | 7.5 | - | 2026-05-14 | The InfusedWoo Pro plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.1.2 via the popup_submit.

Netty · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42579 | High | 7.5 | - | 2026-05-13 | Netty is an asynchronous, event-driven network application framework.
CVE-2026-42578 | High | 7.5 | - | 2026-05-13 | Netty is an asynchronous, event-driven network application framework.
CVE-2026-42577 | High | 7.5 | - | 2026-05-13 | Netty is an asynchronous, event-driven network application framework.
CVE-2026-42581 | Medium | 5.8 | - | 2026-05-13 | Netty is an asynchronous, event-driven network application framework.

Opnsense · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-45158 | Critical | 9.1 | - | 2026-05-13 | OPNsense is a FreeBSD based firewall and routing platform.
CVE-2026-44194 | Critical | 9.1 | - | 2026-05-13 | OPNsense is a FreeBSD based firewall and routing platform.
CVE-2026-44193 | Critical | 9.1 | - | 2026-05-13 | OPNsense is a FreeBSD based firewall and routing platform.
CVE-2026-44195 | Medium | 5.3 | - | 2026-05-13 | OPNsense is a FreeBSD based firewall and routing platform.

Reconurge · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44352 | - | - | - | 2026-05-12 | Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification.
CVE-2026-42158 | - | - | - | 2026-05-12 | Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification.
CVE-2026-42157 | - | - | - | 2026-05-12 | Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification.
CVE-2026-42156 | - | - | - | 2026-05-12 | Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification.

Schneider Electric · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6332 | High | 7.5 | - | 2026-05-14 | CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of a sensitive information which could result in revealing protected source code and loss of confidentiality, When an authorized atta…
CVE-2026-6866 | High | 7.5 | - | 2026-05-12 | CWE-1188 Initialization of a Resource with an Insecure Default vulnerability exists that could cause unauthorized disclosure of sensitive information when credentials revert to initial settings in rare circumstances, enabling unauthorized…
CVE-2026-6865 | - | - | - | 2026-05-12 | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") vulnerability that could cause unauthorized access to sensitive files when user-supplied input is improperly handled during server-side file path proces…
CVE-2026-4827 | - | - | - | 2026-05-12 | CWE-331: Insufficient Entropy vulnerability exists that could lead to unauthorized access when an attacker on the network can exploit weaknesses in session-management protections.

Shellhub · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44426 | Medium | 6.5 | - | 2026-05-13 | ShellHub is a centralized SSH gateway.
CVE-2026-44424 | Medium | 6.5 | - | 2026-05-13 | ShellHub is a centralized SSH gateway.
CVE-2026-44423 | Medium | 6.5 | - | 2026-05-13 | ShellHub is a centralized SSH gateway.
CVE-2026-44425 | Medium | 5.4 | - | 2026-05-13 | ShellHub is a centralized SSH gateway.

Subnet Solutions · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-26289 | High | 8.2 | - | 2026-05-12 | PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only.
CVE-2026-35555 | Medium | 6.3 | - | 2026-05-12 | PowerSYSTEM Center feature for device project groups allows an authenticated user with limited permissions to perform an unauthorized deletion of project groups.
CVE-2026-33570 | Medium | 5.7 | - | 2026-05-12 | PowerSYSTEM Center REST API endpoint for devices allows a low privilege authenticated user to access information normally limited by operational permissions.
CVE-2026-35504 | Medium | 5.5 | - | 2026-05-12 | PowerSYSTEM Center email notification service is affected by a CRLF injection vulnerability when using SMTPS communication.

Tenda · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8264 | Medium | 6.3 | - | 2026-05-11 | A weakness has been identified in Tenda AC6 15.03.06.23.
CVE-2026-8265 | Medium | 4.7 | - | 2026-05-11 | A security vulnerability has been detected in Tenda AC6 15.03.06.23.
CVE-2026-8263 | Medium | 4.7 | - | 2026-05-11 | A security flaw has been discovered in Tenda AC6 15.03.06.49_multi_TDE01.
CVE-2026-8259 | Medium | 4.7 | - | 2026-05-11 | A vulnerability has been found in Tenda AC6 2.0/15.03.06.23.

Zyxel · 4 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-7256 | High | 8.8 | - | 2026-05-12 | ** UNSUPPORTED WHEN ASSIGNED ** A command injection vulnerability in the CGI program of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow an adjacent attacker on the LAN to execute operating system (OS) commands on a vulnerable…
CVE-2026-7287 | High | 7.5 | - | 2026-05-12 | ** UNSUPPORTED WHEN ASSIGNED ** A buffer overflow vulnerability in the formWep(), formWlAc(), formPasswordSetup(), formUpgradeCert(), and formDelcert() functions of the "webs" binary in Zyxel NWA1100-N customized firmware version 1.00(AACE…
CVE-2026-7255 | Medium | 6.5 | - | 2026-05-12 | ** UNSUPPORTED WHEN ASSIGNED ** An improper restriction of excessive authentication attempts vulnerability in the web management interface of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow an adjacent attacker on the LAN to…
CVE-2026-7257 | Medium | 4.4 | - | 2026-05-12 | ** UNSUPPORTED WHEN ASSIGNED ** An insecure storage of sensitive information vulnerability in the configuration file of Zyxel WRE6505 v2 firmware version V1.00(ABDV.3)C0 could allow a local attacker with administrator privileges to downloa…

Akilli Commerce Software Technologies Ltd. Co. · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-2347 | Critical | 9.8 | - | 2026-05-14 | Authorization bypass through User-Controlled key vulnerability in Akilli Commerce Software Technologies Ltd.
CVE-2025-11024 | Critical | 9.8 | - | 2026-05-14 | Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Akilli Commerce Software Technologies Ltd.
CVE-2025-6577 | Critical | 9.8 | - | 2026-05-12 | Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Akilli Commerce Software Technologies Ltd.

Arqit · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-33583 | High | 8.7 | - | 2026-05-13 | Exposure of the QKEY (used as input into the 'OTA-Quantum' device registration process) and internal system keys via an unauthenticated and unencrypted HTTP GET method in the Arqit Symmetric Key Agreement Platform.
CVE-2026-33584 | Medium | 5.3 | - | 2026-05-13 | Exposed Keycloak management service in the Arqit Symmetric Key Agreement Platform enables unauthorized access to sensitive debug information such as metrics and health data. This issue affects Symmetric Key Agreement Platform: before 26…
CVE-2026-33585 | Low | 3.8 | - | 2026-05-13 | Improper management of the idle timeout parameter in the Keycloak interface of the Arqit SKA-Platform enables an attacker to impersonate an authenticated tenant user via an unexpired browser session.

Ashlar · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-65088 | High | 7.8 | - | 2026-05-12 | An Out-of-Bounds Read vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to disclose information or execute arbitrary code when a speciall…
CVE-2025-65087 | High | 7.8 | - | 2026-05-12 | An Out-of-Bounds Read vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to disclose information or execute arbitrary code when a speciall…
CVE-2025-65086 | High | 7.8 | - | 2026-05-12 | An Out-of-Bounds Write vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to execute arbitrary code when a specially crafted VC6 file is b…

Bitwarden · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-43640 | High | 8.1 | - | 2026-05-11 | Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management privileges to obtain the key using only…
CVE-2026-43639 | High | 8.0 | - | 2026-05-11 | Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{providerId}/clients/existing`, resulting in tak…
CVE-2026-43638 | Medium | 5.4 | - | 2026-05-11 | Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via `POST /ciphers/import-organization` by submitting an empty `collectio…

Broadstreetads · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-9987 | Medium | 5.3 | - | 2026-05-13 | The Broadstreet plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.53.1 via the get_sponsored_meta() AJAX action.
CVE-2025-9989 | Medium | 4.4 | - | 2026-05-13 | The Broadstreet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.53.1 due to insufficient input sanitization and output escaping.
CVE-2025-9988 | Medium | 4.3 | - | 2026-05-13 | The Broadstreet plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the create_advertiser AJAX action in all versions up to, and including, 1.53.1.

Craftcms · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44012 | - | - | - | 2026-05-12 | Craft CMS is a content management system (CMS).
CVE-2026-44011 | - | - | - | 2026-05-12 | Craft CMS is a content management system (CMS).
CVE-2026-44010 | - | - | - | 2026-05-12 | Craft CMS is a content management system (CMS).

Cribl · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-45392 | High | 8.7 | - | 2026-05-12 | DOM-based cross-site scripting (XSS) in Cribl Stream before 4.17.1 allows a remote attacker to execute arbitrary JavaScript in the browser of an authenticated user who is tricked into visiting a crafted URL and interacting with the page.
CVE-2026-45393 | High | 7.8 | - | 2026-05-12 | A vulnerability chain in Cribl Edge for Windows before 4.17.1 allows a local authenticated user to escalate privileges to NT AUTHORITY\SYSTEM.
CVE-2026-45391 | High | 7.8 | - | 2026-05-12 | A command injection vulnerability in Cribl Edge for Linux versions 3.2.0 through 4.17.0 allows a local unprivileged user to execute arbitrary commands in the context of the Cribl Edge service account.

Dhtmlx · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-41553 | Critical | 10.0 | - | 2026-05-15 | PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Remote Code Execution due to lack of "data" parameter sanitization.
CVE-2026-41552 | High | 7.5 | - | 2026-05-15 | PDF Export Module used in DHTMLX's products Gantt and Scheduler is vulnerable to Path Traversal due to lack of HTML sanitization.
CVE-2026-7182 | - | - | - | 2026-05-15 | Diagram's export module is vulnerable to Path Traversal in src attribute due to lack of HTML sanitization. An unauthenticated user could craft the html payload which could include local files from the server and display them in the genera…

Heymrun · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-45227 | High | 8.8 | - | 2026-05-12 | Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor that allows authenticated workflow authors to bypass sandbox restrictions by using object-graph introspection primitives.
CVE-2026-45225 | High | 7.6 | - | 2026-05-12 | Heym before 0.0.21 contains a path traversal vulnerability in the file upload endpoint that allows authenticated users to write attacker-controlled files to arbitrary locations by supplying a crafted filename with traversal sequences.
CVE-2026-45226 | High | 7.1 | - | 2026-05-12 | Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation.
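The Heym upload entry above, and earlier on this page the Webpros cpdavd download endpoints, the HashiCorp Nomad and exec2 symlink entries and the consul-template sandbox path bypass, are two variants of one problem: confining a caller-supplied path to a directory. A lexical check (normalise, then test the prefix) defeats `../` but is blind to a symlink that already sits inside the sandbox, which is exactly the Nomad variant. The block below is an added example written for this digest, not code from any of those projects; the sandbox root, its files and the planted symlink are constructed in a temporary directory. It shows the lexical check being bypassed by a link, then an `openat`-per-component opener with `O_NOFOLLOW` that refuses it.

```python
"""Confining file reads and writes to a sandbox directory.

Added example for the traversal and symlink entries (Webpros cpdavd, HashiCorp
Nomad and consul-template, Heym upload); not code from any of those projects.
The root, files and symlink are constructed in a temp dir. POSIX only.
"""
import errno
import os
import tempfile


class OutsideSandbox(PermissionError):
    pass


def sandboxed_path(root: str, user_path: str) -> str:
    """Lexical check: join, normalise, refuse anything that escapes root.
    Stops '../' but not a symlink that already sits inside root."""
    root = os.path.abspath(root)
    full = os.path.normpath(os.path.join(root, user_path))
    if os.path.commonpath([root, full]) != root:
        raise OutsideSandbox(user_path)
    return full


def _openat_nofollow(name: str, flags: int, mode: int, dirfd: int, user_path: str) -> int:
    try:
        return os.open(name, flags | os.O_NOFOLLOW, mode, dir_fd=dirfd)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.ENOTDIR):
            raise OutsideSandbox(f"symlink or non-directory in {user_path}") from e
        raise


def open_in_sandbox(root: str, user_path: str, flags: int = os.O_RDONLY, mode: int = 0o644) -> int:
    """Open user_path relative to root one component at a time with openat()
    and O_NOFOLLOW, so a link planted inside the sandbox cannot redirect the
    open outside it. Returns an fd. For uploads pass O_WRONLY|O_CREAT|O_EXCL so
    an existing file or link at the target is never silently reused."""
    parts = [p for p in os.path.normpath(user_path).split(os.sep) if p not in ("", ".")]
    if not parts or os.path.isabs(user_path) or ".." in parts:
        raise OutsideSandbox(user_path)
    dirfd = os.open(os.path.abspath(root), os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:
            nxt = _openat_nofollow(comp, os.O_RDONLY | os.O_DIRECTORY, 0, dirfd, user_path)
            os.close(dirfd)
            dirfd = nxt
        return _openat_nofollow(parts[-1], flags, mode, dirfd, user_path)
    finally:
        os.close(dirfd)


def demo() -> dict:
    """Constructed layout: root/data.txt and root/link -> outside/secret."""
    outside, root = tempfile.mkdtemp(), tempfile.mkdtemp()
    with open(os.path.join(outside, "secret"), "w") as f:
        f.write("secret")
    with open(os.path.join(root, "data.txt"), "w") as f:
        f.write("hello")
    os.symlink(os.path.join(outside, "secret"), os.path.join(root, "link"))
    r = {}
    try:
        sandboxed_path(root, "../secret")
        r["lexical_blocks_dotdot"] = False
    except OutsideSandbox:
        r["lexical_blocks_dotdot"] = True
    # The lexical check accepts 'link'; a plain open() then follows it out of root.
    with open(sandboxed_path(root, "link")) as f:
        r["lexical_follows_symlink"] = f.read() == "secret"
    try:
        os.close(open_in_sandbox(root, "link"))
        r["nofollow_blocks_symlink"] = False
    except OutsideSandbox:
        r["nofollow_blocks_symlink"] = True
    try:
        os.close(open_in_sandbox(root, "sub/../../data.txt"))
        r["nofollow_blocks_dotdot"] = False
    except OutsideSandbox:
        r["nofollow_blocks_dotdot"] = True
    fd = open_in_sandbox(root, "data.txt")
    r["reads_inside"] = os.read(fd, 16).decode() == "hello"
    os.close(fd)
    fd = open_in_sandbox(root, "upload.bin", os.O_WRONLY | os.O_CREAT | os.O_EXCL)
    os.write(fd, b"up")
    os.close(fd)
    r["upload_written"] = os.path.isfile(os.path.join(root, "upload.bin"))
    return r
```

For an upload endpoint the Heym entry describes, the same opener with `O_CREAT|O_EXCL` is the whole fix: the filename can carry any traversal sequence it likes and still only ever names a new file directly under the upload root.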

Jo-jo98 · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44219 | Low | 3.7 | | 2026-05-12 | ciguard is a static security auditor for CI/CD pipelines.
CVE-2026-44220 | Low | 3.2 | | 2026-05-12 | ciguard is a static security auditor for CI/CD pipelines.
CVE-2026-44218 | Low | 3.0 | | 2026-05-12 | ciguard is a static security auditor for CI/CD pipelines.

Metagauss · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-4609 | High | 7.1 | | 2026-05-13 | The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the pm_invite_user function in all versions up to, and including, 5.9.8.4.
CVE-2026-4608 | Medium | 6.5 | | 2026-05-13 | The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to blind SQL Injection via the 'rid' parameter in all versions up to, and including, 5.9.8.4 due to insufficient escaping on the user supplied param…
CVE-2026-4607 | Medium | 4.3 | | 2026-05-13 | The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.8.4.

Modelcontextprotocol · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42559 | High | 8.8 | | 2026-05-14 | RMCP is an official Rust SDK for the Model Context Protocol.
CVE-2026-45781 | Low | 3.5 | | 2026-05-14 | The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers.
CVE-2026-44427 | | | | 2026-05-14 | The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers.

Multiparty · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8162 | High | 7.5 | | 2026-05-12 | multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception.
CVE-2026-8161 | High | 7.5 | | 2026-05-12 | multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception.
CVE-2026-8159 | High | 7.5 | | 2026-05-12 | multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser.

Open-telemetry · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42602 | High | 8.1 | | 2026-05-13 | azureauthextension is the Azure Authenticator Extension.
CVE-2026-42191 | Medium | 6.5 | | 2026-05-12 | OpenTelemetry.Exporter.OpenTelemetryProtocol is the OTLP (OpenTelemetry Protocol) exporter implementation.
CVE-2026-42348 | Medium | 5.9 | | 2026-05-12 | OpenTelemetry.OpAmp.Client is the OpAMP client for OpenTelemetry .NET.

Openedx · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42860 | High | 8.5 | | 2026-05-11 | The Open edX Enterprise Service app provides enterprise features to the Open edX platform.
CVE-2026-42858 | High | 8.5 | | 2026-05-11 | Open edX Platform enables the authoring and delivery of online learning at any scale.
CVE-2026-42857 | Medium | 4.6 | | 2026-05-11 | Open edX Platform enables the authoring and delivery of online learning at any scale.

Openmage · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42207 | Medium | 6.1 | | 2026-05-15 | Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility.
CVE-2026-42458 | | | | 2026-05-15 | Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility.
CVE-2026-42155 | | | | 2026-05-15 | Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility.

Saitoha · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44636 | High | 7.4 | | 2026-05-14 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel.
CVE-2026-44637 | High | 7.1 | | 2026-05-14 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel.
CVE-2026-44638 | Low | 2.5 | | 2026-05-14 | libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel.

Sap · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-40135 | Medium | 6.5 | | 2026-05-12 | An OS Command Injection vulnerability exists in the SAP NetWeaver Application Server for ABAP and ABAP Platform that allows an authenticated attacker with administrative access to execute specially crafted shell commands on the server, byp…
CVE-2026-27682 | Medium | 4.7 | | 2026-05-12 | Due to a reflected cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages), an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to…
CVE-2026-27680 | Low | 3.1 | | 2026-05-14 | Due to improper input handling under certain conditions, SAP NetWeaver Application Server ABAP allows an attacker to inject custom Cascading Style Sheets (CSS) data into a web page served by the application.

Smub · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6177 | High | 7.2 | | 2026-05-13 | The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4.
CVE-2026-7619 | Medium | 6.5 | | 2026-05-13 | The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 1.8.10.4 due to insufficie…
CVE-2026-5361 | Medium | 6.4 | | 2026-05-14 | The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4.

Stylemix · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-3892 | High | 8.1 | | 2026-05-14 | The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.4.107.
CVE-2025-14755 | Medium | 5.3 | | 2026-05-13 | The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Price Manipulation and Insecure Direct Object Reference (IDOR) in all versions up to, and including, 4.0.1 only when used in combination with Cost Calculator…
CVE-2026-1934 | Medium | 4.3 | | 2026-05-12 | The Motors – Car Dealership & Classified Listings plugin for WordPress is vulnerable to Payment Bypass via insecure user meta update in all versions up to, and including, 1.4.103. This is due to the stm_save_user_extra_fields() function upd…

Suse · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-41050 | Critical | 9.9 | | 2026-05-13 | Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by the…
CVE-2026-25705 | High | 8.4 | | 2026-05-13 | A vulnerability has been identified in [Rancher's Extensions](https://ranchermanager.docs.rancher.com/integrations-in-rancher/rancher-extensions) where malicious code can be injected in Rancher through a path traversal in the `compressedEn…
CVE-2026-41051 | Medium | 5.0 | | 2026-05-13 | csync2 uses insecure temporary directories when compiled with C99 or later, allowing for TOCTOU style attacks on the temporary directories.

Techjewel · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-5395 | High | 8.2 | | 2026-05-14 | The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.2.0 via the exportEntries function du…
CVE-2026-5396 | High | 8.2 | | 2026-05-14 | The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21.
CVE-2026-6828 | Medium | 6.4 | | 2026-05-13 | The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'permission_message' parameter in all versions up to, and including, 6.2.1…

Universal-tool-calling-protocol · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-45369 | High | 8.3 | | 2026-05-14 | python-utcp is the Python implementation of UTCP.
CVE-2026-45370 | High | 7.7 | | 2026-05-14 | python-utcp is the Python implementation of UTCP.
CVE-2026-44661 | Medium | 4.7 | | 2026-05-14 | python-utcp is the Python implementation of UTCP.

Vmware · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-41713 | High | 8.2 | | 2026-05-12 | A malicious user could craft input that is stored in conversation memory and later interpreted by the model in an unintended way.
CVE-2026-41702 | High | 7.8 | | 2026-05-15 | VMware Fusion contains a TOCTOU (Time-of-check Time-of-use) vulnerability that occurs during an operation performed by a SETUID binary. A malicious actor with local non-administrative user privileges may exploit this vulnerability to escal…
CVE-2026-41712 | High | 7.5 | | 2026-05-12 | Spring AI's chat memory component contained a problematic default that, when not explicitly overridden, could result in unintended data exposure between users.

Wikimedia Foundation · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-5266 | | | | 2026-05-11 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Echo.
CVE-2026-34089 | | | | 2026-05-11 | Vulnerability in Wikimedia Foundation Scribunto.
CVE-2026-34086 | | | | 2026-05-11 | Vulnerability in Wikimedia Foundation AbuseFilter.

Wpengine · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-4030 | High | 8.1 | | 2026-05-14 | The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized arbitrary file read and deletion in all versions up to, and including, 2.5.2.
CVE-2026-4031 | High | 7.5 | | 2026-05-14 | The Database Backup for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.5.2.
CVE-2026-4029 | High | 7.5 | | 2026-05-14 | The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized database export in all versions up to, and including, 2.5.2.

Yafnet · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-43937 | High | 8.8 | | 2026-05-12 | YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum.
CVE-2026-43938 | High | 8.1 | | 2026-05-12 | YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum.
CVE-2026-43939 | High | 7.3 | | 2026-05-12 | YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum.

Yordam Information Technology Consulting, Training And Electronic Systems Industry And Trade Inc. · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-15024 | High | 8.8 | | 2026-05-14 | Improper Control of Generation of Code ('Code Injection') vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc.
CVE-2025-15023 | High | 8.8 | | 2026-05-14 | Incorrect Authorization vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc.
CVE-2025-15025 | High | 8.8 | | 2026-05-14 | Authorization Bypass Through User-Controlled Key vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc.

Zen-browser · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-41431 | High | 8.0 | | 2026-05-11 | Zen is a Firefox-based browser.
CVE-2026-44659 | Medium | 4.7 | | 2026-05-11 | Zen is a Firefox-based browser.
CVE-2026-44658 | Low | 2.4 | | 2026-05-11 | Zen is a Firefox-based browser.

Zoom · 3 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-30906 | High | 7.8 | | 2026-05-13 | Untrusted search path in the installer for Zoom Rooms for Windows before version 7.0.0 may allow an authenticated user to enable an escalation of privilege via local access.
CVE-2026-30905 | High | 7.8 | | 2026-05-13 | External Control of File Name or Path in the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11 may allow an authenticated user to conduct an escalation of privilege via local access.
CVE-2026-30904 | Low | 1.8 | | 2026-05-13 | Protection Mechanism Failure in Zoom Workplace for iOS before version 7.0.0 may allow an authenticated user to conduct a disclosure of information via physical access.

Alinto · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-46446 | High | 7.1 | | 2026-05-14 | SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and cleartext passwords are stored, allows SQL injection.
CVE-2026-46445 | High | 7.1 | | 2026-05-14 | SOGo before 5.12.7, when PostgreSQL is used, allows SQL injection.

Aman · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42742 | High | 8.5 | | 2026-05-12 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aman Views for WPForms views-for-wpforms-lite allows Blind SQL Injection. This issue affects Views for WPForms: from n/a through <= 3.4.6.
CVE-2026-42741 | High | 8.5 | | 2026-05-12 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aman Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend views-for-ninja-forms allows Blind SQL In…

Amazon Sagemaker Python Sdk · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8597 | High | 7.2 | | 2026-05-14 | Missing integrity verification in the Triton inference handler in Amazon SageMaker Python SDK v2 before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to achieve code execution in inference containers via replacemen…
CVE-2026-8596 | High | 7.2 | | 2026-05-14 | Cleartext storage of sensitive information in the ModelBuilder/Serve component in Amazon SageMaker Python SDK before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to extract the HMAC signing key from SageMaker API…

Atutor · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6956 | | | | 2026-05-11 | ATutor is vulnerable to Reflected XSS in /install/install.php endpoint.
CVE-2026-6909 | | | | 2026-05-11 | ATutor is vulnerable to Reflected XSS in /install/upgrade.php endpoint.

Claris · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-43685 | High | 7.2 | | 2026-05-12 | A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to inject arbitrary operating system commands through unsanitized input in the External ODBC Data Source connection test feature.
CVE-2026-43680 | High | 7.2 | | 2026-05-12 | A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule types and execute arbitrary operating system commands on the underlying ho…

Cleanuparr · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44183 | Critical | 9.8 | | 2026-05-12 | Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent.
CVE-2026-44184 | High | 8.0 | | 2026-05-12 | Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent.

Com.ritense.valtimo · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42555 | Critical | 9.1 | | 2026-05-14 | Valtimo is an open-source business process automation platform.
CVE-2026-44516 | High | 7.6 | | 2026-05-14 | Valtimo is an open-source business process automation platform.

Comarch · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-68421 | | | | 2026-05-14 | Comarch ERP Optima client makes use of a hard-coded password for a database user.
CVE-2025-68420 | | | | 2026-05-14 | Comarch ERP Optima client connects to a database using a high privileged account regardless of an application account to which a user logs in.

Cp0204 · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-45229 | High | 8.8 | | 2026-05-13 | Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an arbitrary webui object to the config_data dictionary.
CVE-2026-45228 | Medium | 5.4 | | 2026-05-13 | Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders push_config key names using Vue.js's v-html directive without escaping.

Devolutions · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-5146 | Medium | 4.3 | | 2026-05-12 | Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation.
CVE-2026-8407 | Medium | 4.3 | | 2026-05-12 | Missing authorization in the PAM module in Devolutions Server allows an authenticated user with a PAM license but no additional permissions to obtain OTP secret keys and recovery codes via crafted requests to PAM API endpoints.

Dgtlmoon · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-43891 | High | 7.5 | | 2026-05-12 | changedetection.io is a free open source web page change detection tool.
CVE-2026-41895 | High | 7.5 | | 2026-05-12 | changedetection.io is a free open source web page change detection tool.

E-commerce · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-3320 | | | | 2026-05-11 | Reflected Cross-Site Scripting (XSS) in the latest demo version of the Cradle eCommerce platform.
CVE-2026-3319 | | | | 2026-05-11 | Reflected Cross-Site Scripting (XSS) in the latest demo version of the Cradle eCommerce platform.

Emmett-framework · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42544 | High | 7.5 | | 2026-05-12 | Granian is a Rust HTTP server for Python applications.
CVE-2026-42545 | Medium | 5.9 | | 2026-05-12 | Granian is a Rust HTTP server for Python applications.

Enchant97 · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44523 | Critical | 10.0 | | 2026-05-14 | Note Mark is an open-source note-taking application.
CVE-2026-44522 | | | | 2026-05-14 | Note Mark is an open-source note-taking application.

Espressif · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42854 | Critical | 9.8 | | 2026-05-12 | arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers.
CVE-2026-42855 | High | 7.5 | | 2026-05-12 | arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers.

External-secrets · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42876 | Medium | 4.9 | | 2026-05-11 | External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets.
CVE-2026-42875 | | | | 2026-05-11 | External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets.

Freedesktop · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-46470 | Medium | 4.0 | | 2026-05-14 | An issue was discovered in GStreamer gst-plugins-good before 1.28.2.
CVE-2026-46469 | Medium | 4.0 | | 2026-05-14 | An issue was discovered in GStreamer gst-plugins-good before 1.28.2.

Fujitsu Japan Limited · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-28761 | High | 8.1 | | 2026-05-15 | Cross-site request forgery vulnerability exists in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203.0 and earlier.
CVE-2026-24662 | Medium | 5.4 | | 2026-05-15 | Cross-site scripting vulnerability exists in Musetheque V4 Information Disclosure for IPKNOWLEDGE V4L1 rev2203.0 and earlier.

Google Cloud · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-2031 | | | | 2026-05-15 | An Improper Access Control vulnerability in several internal API endpoints for Google Cloud Application Integration prior to 2026-01-23 allows a remote, unauthenticated attacker to disclose sensitive internal information and execute arbitr…
CVE-2026-7428 | | | | 2026-05-12 | Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited by a remote attacker to gain full admin…

Huggingface · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44827 | High | 8.8 | | 2026-05-14 | Diffusers is a library for pretrained diffusion models.
CVE-2026-44513 | High | 8.8 | | 2026-05-14 | Diffusers is a library for pretrained diffusion models.

Joomsky · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2020-37226 | High | 7.1 | | 2026-05-13 | Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter.
CVE-2020-37224 | High | 7.1 | | 2026-05-13 | Joomla J2 JOBS 1.3.0 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'sortby' parameter.

Jupyter · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42557 | Critical | 9.6 | | 2026-05-13 | JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture.
CVE-2026-42266 | High | 8.8 | | 2026-05-13 | JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture.

Lenovo · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6281 | High | 8.8 | | 2026-05-13 | A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network to execute arbitrary commands on the device.
CVE-2026-6282 | High | 8.1 | | 2026-05-13 | A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user to move or access files belonging to other users on the same device.

Mathesar-foundation · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44719 | | | | 2026-05-15 | Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful.
CVE-2026-44718 | | | | 2026-05-15 | Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful.

Mattermost · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-4054 | Medium | 4.3 | | 2026-05-15 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled or…
CVE-2026-4053 | Low | 3.1 | | 2026-05-15 | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields, which allows an authenticated user to modify post file attachments, props, and pin status after the edit window has…

Micronaut-projects · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44241 | High | 7.5 | | 2026-05-12 | Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications.
CVE-2026-44242 | Low | 3.7 | | 2026-05-12 | Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications.

Mtrudel · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-39806 | High | 7.5 | | 2026-05-13 | Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion.
CVE-2026-39803 | High | 7.5 | | 2026-05-13 | Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion.

Naturalintelligence · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44665 | Medium | 6.1 | | 2026-05-13 | fast-xml-builder builds XML from JSON.
CVE-2026-44664 | Medium | 6.1 | | 2026-05-13 | fast-xml-builder builds XML from JSON.

Netflix · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44304 | High | 8.1 | | 2026-05-12 | Lemur manages TLS certificate creation.
CVE-2026-44305 | Medium | 6.8 | | 2026-05-12 | Lemur manages TLS certificate creation.

Nitro · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44372 | Medium | 6.1 | | 2026-05-13 | Nitro is a next generation server toolkit.
CVE-2026-44373 | Medium | 5.3 | | 2026-05-13 | Nitro is a next generation server toolkit.

Oalders · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8368 | Medium | 6.5 | | 2026-05-12 | LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects.
CVE-2026-8612 | Medium | 5.3 | | 2026-05-15 | WWW::Mechanize::Cached versions before 2.00 for Perl deserialize cached HTTP responses from a world-writable on-disk cache, enabling local response forgery and code execution.

Phpoffice · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-40902 | High | 7.5 | | 2026-05-12 | PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files.
CVE-2026-40863 | High | 7.5 | | 2026-05-12 | PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files.

Python · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44432 | High | 7.5 | | 2026-05-13 | urllib3 is an HTTP client library for Python.
CVE-2026-44431 | Medium | 5.3 | | 2026-05-13 | urllib3 is an HTTP client library for Python.

Radare · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8696 | High | 7.5 | | 2026-05-15 | radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_pids_list() function within the GDB client core that allows remote attackers to cause a denial of service or potentially execute arbitrary code by sending malformed thread i…
CVE-2026-8695 | High | 7.5 | | 2026-05-15 | radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_threads_list() function that allows remote attackers to trigger memory corruption by sending a valid qfThreadInfo response followed by a malformed qsThreadInfo response.

Realmag777 · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-4094 | High | 8.1 | | 2026-05-15 | The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'admin_head' function in all versions up to, and including, 1.4.5.
CVE-2026-45213 | High | 7.6 | | 2026-05-12 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 BEAR woo-bulk-editor allows Blind SQL Injection. This issue affects BEAR: from n/a through <= 1.1.7.1.

Rometheme · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-3425 | High | 8.8 | | 2026-05-13 | The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.2 via the 'path' parameter of the 'get_content' AJAX action.
CVE-2026-3426 | Medium | 4.3 | | 2026-05-13 | The RTMKit Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the save_widget() and reset_all_widgets() functions in all versions up to, and including, 2.0.2.

Rust-openssl · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44662 | | | | 2026-05-14 | rust-openssl provides OpenSSL bindings for the Rust programming language.
CVE-2026-42327 | | | | 2026-05-14 | rust-openssl provides OpenSSL bindings for the Rust programming language.

Saad Iqbal · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-45211 | High | 8.5 | | 2026-05-12 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal APIExperts Square for WooCommerce woosquare allows Blind SQL Injection. This issue affects APIExperts Square for WooCommerce: f…
CVE-2026-45215 | Medium | 5.3 | | 2026-05-12 | Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal WP EasyPay wp-easy-pay allows Retrieve Embedded Sensitive Data. This issue affects WP EasyPay: from n/a through <= 4.3.0.

Samsung Mobile · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-21024 | | | | 2026-05-13 | Improper privilege management in Samsung System Support Service prior to version 8.0.8.0 allows local attackers to trigger privileged functions.
CVE-2026-21019 | | | | 2026-05-13 | Improper input validation in FacAtFunction in Galaxy Watch prior to SMR May-2026 Release 1 allows local attacker to execute arbitrary code with system privilege.

Sigstore · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44310 | Medium | 5.4 | | 2026-05-15 | Gitsign is a keyless Sigstore signing tool for Git commits using your GitHub / OIDC identity.
CVE-2026-44309 | Medium | 5.3 | | 2026-05-15 | Gitsign is a keyless Sigstore signing tool for Git commits using your GitHub / OIDC identity.

Sonatype · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-7308 | | | | 2026-05-11 | An authenticated user with upload permission to a hosted repository can store content that causes arbitrary JavaScript to execute in the browser of any user who browses that repository directory via the HTML index page in Sonatype Nexus Re…
CVE-2026-3048 | | | | 2026-05-11 | An authenticated administrator who configures or tests LDAP connectivity in Sonatype Nexus Repository Manager versions 3.0.0 through 3.91.1 may be able to initiate unintended server-side connections when interacting with a malicious LDAP s…

Spip · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8429 | High | 8.8 | | 2026-05-12 | SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the private space that allows attackers to execute arbitrary code in the context of the web server.
CVE-2026-8430 | High | 8.1 | | 2026-05-12 | SPIP versions prior to 4.4.14 contain a remote code execution vulnerability in the public space that is limited to certain nginx configurations, allowing attackers to execute arbitrary code in the context of the web server.

Stel Order · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-5798 | | | | 2026-05-14 | Unsafe object reference (IDOR) in Stel Order v3.25.1 and earlier versions, specifically in the '/app/FrontController' endpoint, through manipulation of the 'employeeID' parameter.
CVE-2026-5790 | | | | 2026-05-14 | Stored Cross-Site Scripting (XSS) in Stel Order v3.25.1 and earlier, located at the '/app/FrontController' endpoint via the 'legalName' and 'employeeID' parameters.

Themefusion · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-4798 | High | 7.5 | | 2026-05-13 | The Avada Builder plugin for WordPress is vulnerable to time-based SQL Injection via the 'product_order' parameter in all versions up to, and including, 3.15.1 due to insufficient escaping on the user supplied parameter and lack of suffici…
CVE-2026-4782 | Medium | 6.5 | | 2026-05-13 | The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusion_get_svg_from_file' function with the 'custom_svg' parameter of the 'fusion_section_separator' shortcod…

Thinkinaixyz · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-43899 | Critical | 9.6 | | 2026-05-11 | DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents.
CVE-2026-43900 | Critical | 9.3 | | 2026-05-11 | DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents.

Timeclock · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2021-47966 | High | 8.2 | | 2026-05-15 | PHP Timeclock 1.04 contains time-based and boolean-based blind SQL injection vulnerabilities in the login_userid parameter of login.php that allow unauthenticated attackers to extract database contents.
CVE-2021-47967 | Medium | 6.1 | | 2026-05-15 | PHP Timeclock 1.04 contains multiple cross-site scripting vulnerabilities that allow unauthenticated attackers to inject arbitrary JavaScript by manipulating URL paths and POST parameters.

Timlegge · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8700 | High | 7.3 | | 2026-05-15 | Crypt::DSA versions before 1.20 for Perl generate seeds using rand.
CVE-2026-8704 | Medium | 6.5 | | 2026-05-15 | Crypt::DSA versions through 1.19 for Perl use 2-args open, allowing existing files to be modified.

Tonyc · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8669 | Medium | 6.5 | | 2026-05-15 | Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files.
CVE-2026-8454 | Medium | 5.3 | | 2026-05-15 | Imager::File::GIF versions through 1.002 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files.

Traefik · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44774 | Critical | 9.9 | | 2026-05-15 | Traefik is an HTTP reverse proxy and load balancer.
CVE-2026-41181 | Medium | 5.8 | | 2026-05-15 | Traefik is an HTTP reverse proxy and load balancer.

Tuist · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44679 | | | | 2026-05-14 | Tuist is a virtual platform team for Swift app devs.
CVE-2026-44678 | | | | 2026-05-14 | Tuist is a virtual platform team for Swift app devs.

Vllm · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44223 | Medium | 6.5 | | 2026-05-12 | vLLM is an inference and serving engine for large language models (LLMs).
CVE-2026-44222 | Medium | 6.5 | | 2026-05-12 | vLLM is an inference and serving engine for large language models (LLMs).

Zephyrproject-rtos · 2 CVEs

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-1681 | Medium | 6.1 | | 2026-05-12 | Issuing an ICMP ping via the `net ping` shell command to a device's own IPv4 address causes the network stack to recursively re-enter the input path on the same system work-queue stack.
CVE-2026-1677 | Medium | 5.3 | | 2026-05-11 | Zephyr sockets created with `IPPROTO_TLS_1_3` can still negotiate a TLS 1.2 connection when both TLS versions are enabled in Kconfig, because the socket-level protocol selection is not propagated to mbedTLS (e.g.

0xjacky · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44015 | High | 8.5 | | 2026-05-12 | Nginx UI is a web user interface for the Nginx web server.

10up · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-5028 | Medium | 6.5 | | 2026-05-12 | The Eight Day Week Print Workflow plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'title' parameter in the `pp-get-articles` AJAX action in all versions up to, and including, 1.2.6.

611711dark · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44717 | Critical | 9.8 | | 2026-05-15 | MCP Calculate Server is a mathematical calculation service based on MCP protocol and SymPy library.

@Backstage · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44374 | Medium | 4.3 | | 2026-05-14 | Backstage is an open framework for building developer portals.

@Clerk · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42349 | High | 8.1 | | 2026-05-11 | Clerk JavaScript is the official JavaScript repository for Clerk authentication.

@Turbo · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-45772 | Critical | 9.8 | | 2026-05-15 | Turborepo is a high-performance build system for JavaScript and TypeScript codebases.

Aarnott · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44375 | High | 7.5 | | 2026-05-14 | Nerdbank.MessagePack is a NativeAOT-compatible MessagePack serialization library.

Aas-ee · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42260 | High | 8.2 | | 2026-05-12 | Open-WebSearch is a multi-engine MCP server, CLI, and local daemon for agent web search and content retrieval.

Abhishake1 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-45321 | Critical | 9.6 | KEV | 2026-05-12 | On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry.

Abis Technology Ltd. Co. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6001 | High | 8.8 | | 2026-05-12 | Authorization bypass through User-Controlled key vulnerability in ABIS Technology Ltd.

Advantech · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6888 | High | 7.2 | | 2026-05-13 | Successful exploitation of the SQL injection vulnerability could allow a remote authenticated attacker to execute arbitrary commands via a specific interface, potentially enabling the attacker to access, modify, or delete sensitive informa…

Aegra · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44504 | | | | 2026-05-14 | Aegra is a drop-in replacement for LangSmith Deployments.

Agpt · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-32425 | Medium | 5.5 | | 2026-05-13 | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows.

Aiwaves-cn · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8319 | Medium | 5.3 | | 2026-05-11 | A weakness has been identified in aiwaves-cn agents up to e8c4e3c2d19739d3dff59e577d1c97090cc15f59.

Alfredredbird · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42866 | | | | 2026-05-11 | Tookie is an advanced OSINT information gathering tool.

Alinto Sogo · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8496 | Medium | 6.1 | | 2026-05-13 | A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, version 5.12.7.

Angular · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44437 | Medium | 6.1 | | 2026-05-13 | Angular SSR is a server-side rendering tool for Angular applications.

Anothernote · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2021-47963 | High | 7.2 | | 2026-05-15 | Anote 1.0 contains a persistent cross-site scripting vulnerability that allows attackers to execute arbitrary code by injecting malicious payloads into markdown files stored within the application.

Anthropic · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44467 | Medium | 6.8 | | 2026-05-13 | The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side.

Antswordproject · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-43892 | High | 8.8 | | 2026-05-12 | AntSword is a cross-platform website management toolkit.

Any1 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42859 | | | | 2026-05-11 | Neat VNC is a VNC server library.

Appyap Technology And Information Inc. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-12008 | High | 8.8 | | 2026-05-14 | Authorization bypass through User-Controlled key vulnerability in APPYAP Technology and Information Inc.

Arcadedata · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44221 | Critical | 9.0 | | 2026-05-12 | ArcadeDB is a Multi-Model DBMS.

Aria2_project · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8367 | Medium | 4.8 | | 2026-05-13 | aria2c accepts a server certificate with incorrect Extended Key Usage (EKU).

Arraytics · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-39432 | High | 8.2 | | 2026-05-12 | Missing Authorization vulnerability in Arraytics Timetics allows Exploiting Incorrectly Configured Access Control Security Levels.

Ashanjay · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6690 | High | 7.2 | | 2026-05-12 | The LifePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'n' parameter of the lp_update_mds AJAX action in all versions up to, and including, 2.2.2.

Aspeer · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-5084 | Medium | 6.5 | | 2026-05-11 | WebDyne::Session versions through 2.075 for Perl generate the session id insecurely.

Astro · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-45028 | Medium | 6.1 | | 2026-05-13 | Astro is a web framework.

Automattic · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42334 | High | 7.5 | | 2026-05-14 | Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.

Awspring · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44308 | | | | 2026-05-14 | Spring Cloud AWS simplifies using AWS managed services in Spring and Spring Boot applications.

Azure · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42316 | Medium | 6.5 | | 2026-05-11 | kafka-sink-azure-kusto Kafka Connect plugin is the official Microsoft sink for Azure Data Explorer (Kusto).

Backdrop Cms Contributed Projects · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-45430 | High | 7.1 | | 2026-05-12 | The Salesforce module before 1.x-1.0.1 for Backdrop CMS does not properly use a random state parameter to protect the authorization flow against CSRF attacks.

Badgerati · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42598 | | | | 2026-05-14 | Pode is a Cross-Platform PowerShell web framework for creating REST APIs, Web Sites, and TCP/SMTP servers.

Beardev · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6929 | High | 7.5 | | 2026-05-13 | The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'sortf' parameter in all versions up to, and including, 5.7.7 due to insufficient escaping on t…

Beaugunderson · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42338 | Medium | 6.1 | | 2026-05-12 | ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript.

Benmcollins · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44699 | | | | 2026-05-15 | LibJWT is a C JSON Web Token Library.

Bigfoot · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6146 | Medium | 5.3 | | 2026-05-11 | Amazon::Credentials versions through 1.2.0 for Perl use rand to generate encryption keys.

Bitcoinj · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44714 | High | 7.5 | | 2026-05-15 | The bitcoinj library is a Java implementation of the Bitcoin protocol.

Bjornjohansen · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-2300 | Medium | 6.4 | | 2026-05-12 | The BJ Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `filter_images()` function in all versions up to, and including, 1.0.9.

Bojansliskovicglscroatiacom · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6417 | Medium | 6.1 | | 2026-05-14 | The GLS Shipping for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'failed_orders' parameter in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping.

Boldthemes · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-3694 | Medium | 6.4 | | 2026-05-14 | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the bt_bb_button shortcode in all versions up to, and including, 5.6.8.

Brantburnett · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44302 | High | 7.5 | | 2026-05-12 | Snappier is a high performance C# implementation of the Snappy compression algorithm.

Broadstreet · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-45210 | Medium | 5.4 | | 2026-05-12 | Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Broadstreet Ads: from n/a through <= 1.52.2.

Burstbv · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8181 | Critical | 9.8 | | 2026-05-14 | The Burst Statistics – Privacy-Friendly WordPress Analytics (Google Analytics Alternative) plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1.

Bx33661 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-43901 | Medium | 6.8 | | 2026-05-11 | Wireshark MCP is an MCP Server that turns tshark into a structured analysis interface, then layers in optional Wireshark suite utilities.

Bytecodealliance · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44216 | High | 7.5 | | 2026-05-14 | Wasmtime is a runtime for WebAssembly.

Bytello · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44612 | High | 7.8 | | 2026-05-13 | Bytello Share (Windows Edition) installer executable provided by Bytello insecurely loads Dynamic Link Libraries.

Cacalabs · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42046 | High | 7.8 | | 2026-05-11 | libcaca is a colour ASCII art library.

Canon Marketing Japan Inc. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-32661 | Critical | 9.8 | | 2026-05-13 | Stack-based buffer overflow vulnerability exists in GUARDIANWALL MailSuite and GUARDIANWALL Mail Security Cloud (SaaS version).

Casbin · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6815 | Medium | 5.9 | | 2026-05-11 | An arbitrary file write vulnerability exists in Casdoor's Local File System storage provider.

Caterhamcomputing · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6174 | Medium | 6.4 | | 2026-05-14 | The CC Child Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'more' parameter in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping.

Cesnet · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44673 | High | 7.5 | | 2026-05-14 | libyang is a YANG data modeling language library.

Checkmk · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2024-47091 | High | 7.8 | | 2026-05-13 | Privilege escalation in the mk_mysql agent plugin on Windows in Checkmk <2.4.0p29, <2.3.0p47, and 2.2.0 (EOL) allows a local unprivileged user able to create a Windows service whose name matches 'MySQL' or 'MariaDB' (or with write access t…

Chitora Soft · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-41530 | Low | 3.3 | | 2026-05-12 | The automatic folder creation feature of Lhaz and Lhaz+ provided by Chitora soft contains a path traversal vulnerability.

Chriscct7 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-5371 | High | 7.1 | | 2026-05-12 | The MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the get_ads_access_token() an…

Cli · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-45803 | Low | 3.5 | | 2026-05-15 | `gh` is GitHub’s official command line tool.

Cockpit-hq · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-23695 | Medium | 5.4 | | 2026-05-15 | Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using…

Code Runner Mcp Server · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-5029 | | | | 2026-05-12 | A remote code execution vulnerability exists in Code Runner MCP Server when run with the --transport http option, which exposes the /mcp JSON-RPC endpoint without authentication on port 3088.

Coderpress · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6709 | Medium | 4.3 | | 2026-05-12 | The Coinbase Commerce for Contact Form 7 plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.1.2.

Codesys · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-35227 | | | | 2026-05-12 | An unauthenticated remote attacker may exhaust all available TCP connections in the CODESYS Modbus TCP Server stack if a race condition in connection handling is successfully exploited, preventing legitimate clients from establishing new c…

Codingjoe · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42196 | | | | 2026-05-12 | django-s3file is a lightweight file upload input for Django and Amazon S3.

Continually · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6813 | Medium | 4.4 | | 2026-05-12 | The Continually plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping.

Cortezaproject · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6093 | | | | 2026-05-11 | Corteza contains a SQL injection vulnerability in its Microsoft SQL Server (MSSQL) backend when filtering Compose records by the meta field. This issue affects corteza: 2024.9.8.

Couchcms · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2021-47958 | Medium | 4.3 | | 2026-05-15 | CouchCMS 2.2.1 contains a server-side request forgery vulnerability that allows authenticated attackers to make arbitrary HTTP requests by uploading malicious SVG files.

Cvat-ai · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44369 | | | | 2026-05-13 | CVAT is an open source interactive video and image annotation tool for computer vision.

Dataease · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42463 | High | 8.1 | | 2026-05-13 | SQLBot is an intelligent Text-to-SQL system based on large language models and RAG.

Datahub · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44501 | Medium | 4.3 | | 2026-05-14 | DataHub is an open-source metadata platform.

Davidalmeidac · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-45091 | Critical | 9.1 | | 2026-05-12 | sealed-env is a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot.

Davidfcarr · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6403 | High | 7.5 | | 2026-05-15 | The Quick Playground plugin for WordPress is vulnerable to Path Traversal in versions up to and including 1.3.3.

Davidskysa · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6710 | Medium | 4.3 | | 2026-05-12 | The Skysa Text Ticker App plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.

Debian · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-46333 | High | 7.1 | | 2026-05-15 | In the Linux kernel, the following vulnerability has been resolved: ptrace: slightly saner 'get_dumpable()' logic The 'dumpability' of a task is fundamentally about the memory image of the task - the concept comes from whether it can cor…

Dedoc · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44262 | Critical | 9.4 | | 2026-05-12 | Scramble generates API documentation for Laravel projects.

Delphix Continuous Data · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8654 | | | | 2026-05-15 | Improper input validation in Delphix Continuous Data connectors allows an authenticated user to execute arbitrary operating system commands on the staging or target host.

Deskflow · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44296 | High | 7.5 | | 2026-05-12 | Deskflow is a keyboard and mouse sharing app.

Devspace · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42283 | High | 7.7 | | 2026-05-14 | DevSpace is a client-only developer tool for cloud-native development with Kubernetes.

Distribution · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-41888 | Medium | 6.5 | | 2026-05-14 | Distribution is a toolkit to pack, ship, store, and deliver container content.

Dkfz · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44246 | High | 7.2 | | 2026-05-12 | nnU-Net is a semantic segmentation framework that automatically adapts its pipeline to a dataset.

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-36983 | High | 7.3 | | 2026-05-11 | D-Link DCS-932L v2.18.01 is vulnerable to Command Injection in the function sub_42EF14 of the file /bin/alphapd.

Docling-project · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44520 | Medium | 5.7 | | 2026-05-14 | Docling-Graph turns documents into validated Pydantic objects, then builds a directed knowledge graph with explicit semantic relationships.

Dream-theme · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6646 | Medium | 6.4 | | 2026-05-15 | The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dt_default_button' shortcode in all versions up to, and including, 14.3.2.

Drive-software · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2020-37221 | High | 8.4 | | 2026-05-13 | Atomic Alarm Clock 6.3 contains a stack overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string to the display name textbox in the Time Zones Clock configuration.

E-kalite Software Hardware Engineering Design And Internet Services Industry And Trade Ltd. Co. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-2465 | High | 8.8 | | 2026-05-12 | Incorrect Authorization vulnerability in E-Kalite Software Hardware Engineering Design and Internet Services Industry and Trade Ltd.

Easy2pilot · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2020-37217 | Medium | 4.3 | | 2026-05-13 | Easy2Pilot 7 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized user accounts by tricking authenticated administrators into visiting malicious pages.

Elie222 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42865 | Medium | 4.3 | | 2026-05-11 | Inbox Zero is an AI personal assistant for email.

Elixir-ecto · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-32687 | High | 7.8 | | 2026-05-12 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in elixir-ecto postgrex ('Elixir.Postgrex.Notifications' module) allows SQL Injection.

Elixir-plug · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8468 | | | | 2026-05-14 | Allocation of Resources Without Limits or Throttling vulnerability in plug_project plug allows denial of service via unbounded buffer accumulation in multipart header parsing.

Elixir-webrtc · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44700 | | | | 2026-05-14 | Elixir WebRTC is an Elixir implementation of the W3C WebRTC API.

Enesgkky · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44225 | Critical | 9.3 | | 2026-05-12 | Pulpy is a lightweight, cross-platform desktop application packager for web apps.

Epg, Inc. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-41872 | High | 7.4 | | 2026-05-12 | "Kura Sushi Official App" provided by EPG, Inc.

Erolsk8 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6670 | Medium | 6.5 | | 2026-05-14 | The Media Sync plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.9 via the 'sub_dir' and 'media_items' parameters.

Etcd · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44283 | Unrated | | | 2026-05-14 | etcd is a distributed key-value store for the data of a distributed system.

Ethyca · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42303 | | | | 2026-05-12 | Fides is an open-source privacy engineering platform.

Evank · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8500 | Critical | 9.8 | | 2026-05-13 | Web::Passwd versions through 0.03 for Perl are vulnerable to RCE.

Exim · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-45185 | Critical | 9.8 | | 2026-05-12 | Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path.

Fabrikar · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2020-37219 | High | 7.5 | | 2026-05-13 | Joomla com_fabrik 3.9.11 contains a directory traversal vulnerability that allows unauthenticated attackers to list arbitrary files by manipulating the folder parameter.

Fastbots · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6800 | Medium | 4.4 | | 2026-05-12 | The FastBots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping.

Fccview · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42564 | High | 8.2 | | 2026-05-11 | jotty·page is a self-hosted app for your checklists and notes.

Felippe-regazio · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-43929 | High | 8.2 | | 2026-05-12 | ssrfcheck is a library that checks if a string contains a potential SSRF attack.

Flowiseai · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-43995 | Critical | 9.8 | | 2026-05-11 | Flowise is a drag & drop user interface to build a customized large language model flow.

Flowsint · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42159 | Medium | 5.4 | | 2026-05-14 | Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification.

Freertos · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8686 | High | 7.5 | | 2026-05-15 | Missing bounds validation in the MQTT v5.0 property parser in coreMQTT before 5.0.1 allows an MQTT broker to cause a denial of service by sending a crafted packet.

Fuji Electric · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8108 | High | 7.8 | | 2026-05-12 | The installation of Fuji Tellus adds a driver to the kernel which grants all users read and write permissions.

Gabe Livan · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-45212 | Medium | 5.3 | | 2026-05-12 | Missing Authorization vulnerability in Gabe Livan Asset CleanUp: Page Speed Booster wp-asset-clean-up allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Asset CleanUp: Page Speed Booster: from n/a th…

Gdragon · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-7635 | High | 8.1 | | 2026-05-13 | The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.

Gerrit · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-2725 | Medium | 5.3 | | 2026-05-13 | Incorrect authorization in the "submitted together" feature in Gerrit versions 2.12 and later allows an authenticated attacker with force push permissions on a secondary branch to bypass code review and forcefully submit code to restricted…

Getoutline · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44695 | Medium | 5.8 | | 2026-05-11 | Outline is a service that allows for collaborative documentation.

Geysermc · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42188 | Low | 2.4 | | 2026-05-11 | Geyser is a bridge between Minecraft: Bedrock Edition and Minecraft: Java Edition.

Ghera74 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-14033 | Medium | 5.3 | | 2026-05-13 | The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ticket_content_callback' function in all versions up to, and including, 1.3.0.

Github · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-45033 | High | 7.8 | | 2026-05-13 | GitHub Copilot CLI brings AI-powered coding assistance directly to your command line.

Gitoxidelabs · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44471 | High | 7.8 | | 2026-05-13 | gitoxide is an implementation of git written in Rust.

Gittuf · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44544 | | | | 2026-05-14 | gittuf is a platform-agnostic Git security system.

Gnome · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44931 | | | | 2026-05-13 | The newly introduced RecordUsage D-Bus method https://gitlab.freedesktop.org/pwithnall/malcontent/-/blob/0.14.0/libmalcontent-timer/child-timer-service.c in malcontent-timerd allows arbitrary users in the system to slowly fill up disk sp…

Gofiber · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42554 | Medium | 6.1 | | 2026-05-11 | Fiber is a web framework for Go.

Gohugo · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44301 | High | 8.1 | | 2026-05-12 | Hugo is a static site generator.

Gopi_plus · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-5340 | Medium | 6.4 | | 2026-05-12 | The Fancy Image Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `fancy-img-show` shortcode in all versions up to, and including, 9.1 due to insufficient input sanitization and output escaping on user…

Gowebsmarty · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-3829 | Medium | 5.4 | | 2026-05-14 | The WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'wple_basic_get_requests' functi…

Growi, Inc. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-41951 | High | 7.2 | | 2026-05-11 | Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI.

Gtsteffaniak · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44542 | Critical | 9.1 | | 2026-05-14 | FileBrowser Quantum is a free, self-hosted, web-based file manager.

Guimard · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8503 | Medium | 6.5 | | 2026-05-15 | Apache::Session::Generate::SHA256 versions before 1.3.19 for Perl create insecure session ids.

Haarg · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-7010 | Medium | 6.5 | | 2026-05-11 | HTTP::Tiny versions before 0.093 for Perl do not validate CRLF in HTTP request lines or control field header values.

Hackingrepo · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44232 | | | | 2026-05-12 | DSSRF is a Node.js library that provides a wide range of utilities and advanced SSRF defense checks.

Hashgraph · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-45248 | Medium | 5.3 | | 2026-05-14 | Hedera Guardian through 3.5.1 contains an authentication bypass vulnerability in the GET /api/v1/demo/registered-users endpoint that allows unauthenticated attackers to retrieve sensitive user information.

Hatchet · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42572 | Medium | 5.3 | | 2026-05-14 | Hatchet is a platform for orchestrating background tasks, AI agents, and durable workflows at scale.

Hclsoftware · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-21821 | High | 8.3 | | 2026-05-13 | The HCL BigFix SCM Reporting site contains an outdated and unsupported version of the jQuery 1.x library.

Hdwplayer · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2020-37218 | High | 8.2 | | 2026-05-13 | Joomla com_hdwplayer 4.2 contains an SQL injection vulnerability in the search.php file that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the hdwplayersearch parameter.

Hemant29 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6932 | Medium | 4.3 | | 2026-05-12 | The Woo Commerce Minimum Weight plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.0.1.

Higheredlab · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6708 | Medium | 5.3 | | 2026-05-12 | The HEL Online Classroom: AI-powered Online Classrooms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.3.

Hikvision · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-32684 | Low | 2.9 | | 2026-05-12 | The application does not impose strict enough restrictions on directory access permissions, posing a risk that other malicious applications could obtain sensitive information.

Hitachi · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-11159 | Critical | 9.1 | | 2026-05-13 | Hitachi Vantara Pentaho Data Integration & Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when a new connection is created by a data source administrator.

Hoppscotch · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44478 | High | 7.5 | | 2026-05-13 | hoppscotch is an open source API development ecosystem.

Horilla · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-41513 | | | | 2026-05-12 | Horilla is an HR and CRM software.

Hostinger · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-2515 | Medium | 5.3 | | 2026-05-13 | The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_ajax_action' function in all versions up to, and includ…

Husky · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2020-37174 | Medium | 5.5 | | 2026-05-13 | WOOF Products Filter for WooCommerce 1.2.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by entering XSS payloads in design tab textfields.

Hwk-fr · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-15463 | Medium | 6.5 | | 2026-05-12 | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3.

Identd-ng · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-43916 | | | | 2026-05-12 | pam_authnft is a PAM session module binding nftables firewall rules to authenticated sessions via cgroupv2 inodes.

Im Park Information Technology, Electronics, Press, Publishing And Advertising, Education Ltd. Co. · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6008 | Medium | 6.8 | | 2026-05-14 | Authorization bypass through User-Controlled key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd.

Imagemagick · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42050 | Medium | 5.5 | | 2026-05-11 | ImageMagick is free and open-source software used for editing and manipulating digital images.

Inc2734 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-3004 | Medium | 6.4 | | 2026-05-13 | The Snow Monkey Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-slick' attribute in all versions up to, and including, 24.1.11 due to insufficient input sanitization and output escaping.

Ingeteam · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8072 | | | | 2026-05-12 | Insecure generation of credentials in the local SAT (Technical Support) access functionality of the Ingecon Sun EMS Board.

Inkeep · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8321 | High | 7.3 | | 2026-05-11 | A vulnerability was detected in inkeep agents 0.58.14.

Interactivegeomaps · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2025-15345 | Medium | 6.1 | | 2026-05-14 | The MapGeo – Interactive Geo Maps plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'map' parameter in the display-map shortcode in all versions up to, and including, 1.6.27 due to insufficient input sanitization…

Iobit · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2020-37223 | High | 7.8 | | 2026-05-13 | IObit Uninstaller 9.5.0.15 contains an unquoted service path vulnerability in the IObitUnSvr service that allows local attackers to escalate privileges to SYSTEM level.

Jashjacob · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6256 | Medium | 6.4 | | 2026-05-12 | The Credits Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute of the 'credits' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escapin…

Jeremyshapiro · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-4920 | Medium | 6.4 | | 2026-05-12 | The Next Date plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied att…

Jetbrains · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44413 | High | 8.2 | | 2026-05-11 | In JetBrains TeamCity before 2026.1, 2025.11.5 authenticated users could expose server API to unauthorised access.

Jishenghua · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-8320 | Medium | 4.7 | | 2026-05-11 | A security vulnerability has been detected in jishenghua jshERP up to 3.6.

Joedolson · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-7525 | Medium | 4.3 | | 2026-05-14 | The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9.

Jovancoding · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42856 | | | | 2026-05-11 | Network-AI is a TypeScript/Node.js multi-agent orchestrator.

Justinkruit · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6415 | Medium | 6.4 | | 2026-05-15 | The Advanced Custom Fields: Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.0.2.

Karnop · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44341 | Medium | 5.3 | | 2026-05-12 | GoJobs is a REST API for a Job Board platform. |

Katalyst · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44511 | High | 7.4 | | 2026-05-14 | Katalyst Koi is a framework for building Rails admin functionality. |

Kcseopro · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-3604 | Medium | 4.9 | | 2026-05-12 | The WP SEO Structured Data Schema plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `_kcseo_ative_tab` parameter in all versions up to, and including, 2.8.1 due to insufficient input sanitization and output escaping. |

Kddi Corporation · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-41281 | Medium | 4.8 | | 2026-05-14 | Android App "あんしんフィルター for au" provided by KDDI CORPORATION contains a Cleartext Transmission of Sensitive Information (CWE-319) vulnerability. |

Kde · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-25710 | | | | 2026-05-13 | The new upstream added a privileged D-Bus helper called plasmaloginauthhelper, which suffers from multiple issues, e.g. a compromised plasmalogin service account can chown() arbitrary files in the system. |

Kludex · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42561 | High | 7.5 | | 2026-05-13 | Python-Multipart is a streaming multipart parser for Python. |

Kmx · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2022-4988 | High | 7.3 | | 2026-05-11 | Alien::FreeImage versions through 1.001 for Perl contain several vulnerable libraries. |

Krajowa Izba Rozliczeniowa · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44088 | | | | 2026-05-15 | SzafirHost verifies the signature of the downloaded JAR file using class JarInputStream (reading from the beginning of the file), but loads classes using class JarFile/URLClassLoader (reading the Central Directory from the end). |

Kubetail-org · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44514 | Medium | 6.5 | | 2026-05-14 | Kubetail is a real-time logging dashboard for Kubernetes. |

Kubewarden · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42541 | Medium | 4.3 | | 2026-05-12 | Kubewarden is a policy engine for Kubernetes. |

Kuicms · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2020-37222 | High | 7.2 | | 2026-05-13 | Kuicms Php EE 2.0 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted content through the bbs reply endpoint. |

Kyverno · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44245 | Medium | 6.1 | | 2026-05-12 | Kyverno is a policy engine designed for cloud native platform engineering teams. |

L3montree-dev · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42300 | | | | 2026-05-12 | DevGuard provides vulnerability management for the full software supply chain. |

Langflow · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42048 | Critical | 9.6 | | 2026-05-12 | Langflow is a tool for building and deploying AI-powered agents and workflows. |

Latepoint · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-5365 | Medium | 4.3 | | 2026-05-14 | The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 5.3.2. |

Leont · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-8463 | Medium | 5.3 | | 2026-05-13 | Crypt::Argon2 versions from 0.017 before 0.031 for Perl perform a heap out-of-bounds read in argon2_verify on empty encoded input. |

Libexpat_project · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-7210 | High | 7.5 | | 2026-05-11 | `xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding. Fully mitigating this vulnerability requires both updating li… |

Lightning-ai · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44484 | Critical | 9.8 | | 2026-05-14 | PyTorch Lightning is a deep learning framework to pretrain and finetune AI models. |

Lightningai · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-31221 | High | 7.8 | | 2026-05-12 | PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. |

Livehelperchat · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44633 | High | 8.1 | | 2026-05-14 | Live Helper Chat is an open-source application that enables live support websites. |

Lobehub · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42045 | Medium | 6.2 | | 2026-05-12 | LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. |

Loft-sh · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42457 | Critical | 9.0 | | 2026-05-14 | vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. |

Lookyloo · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44439 | High | 7.5 | | 2026-05-13 | PlaywrightCapture is a simple replacement for splash using playwright. |

M615926 · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-5229 | Critical | 9.8 | | 2026-05-15 | The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.1.10. |

Macwarrior · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42847 | | | | 2026-05-14 | ClipBucket v5 is an open source video sharing platform. |

Magicmirror · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42281 | High | 8.6 | | 2026-05-14 | MagicMirror² is an open source modular smart mirror platform. |

Managewp · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-3718 | High | 7.2 | | 2026-05-14 | The ManageWP Worker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'MWP-Key-Name' HTTP request header in all versions up to, and including, 4.9.31. |

Manomanotech · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42864 | Critical | 9.9 | | 2026-05-11 | FireFighter is an incident management application. |

Midoks · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-41315 | Critical | 9.8 | | 2026-05-14 | mdserver-web is a simple Linux panel. |

Miguelgrinberg · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42874 | Low | 3.7 | | 2026-05-11 | Microdot is a minimalistic Python web framework. |

Minio · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42600 | Medium | 4.9 | | 2026-05-11 | MinIO is a high-performance object storage system. |

Moch-a · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-7437 | Medium | 6.1 | | 2026-05-12 | The AzonPost plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `editpos_hidden` parameter in all versions up to, and including, 1.3. |

Mongodb Inc. · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6811 | Medium | 5.9 | | 2026-05-14 | Stack exhaustion vulnerability in the MongoDB PHP driver can cause application crashes when processing deeply nested BSON documents in unusual circumstances when the source of these BSON documents is not MongoDB Server. |

Mongodb, Inc. · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-8431 | High | 7.2 | | 2026-05-12 | An administrative user with access to configure webhooks can execute arbitrary commands by configuring and then triggering webhooks containing specific FreeMarker template syntax. This issue affects all MongoDB Ops Manager 7.0 versions… |

Mosparo · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-41195 | Medium | 5.0 | | 2026-05-12 | mosparo is the modern solution to protect your online forms from spam. |

Mr2p · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6252 | Medium | 6.4 | | 2026-05-14 | The Meta Field Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tagName' block attribute in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. |

Nearform · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44351 | Critical | 9.1 | | 2026-05-13 | fast-jwt provides a fast JSON Web Token (JWT) implementation. |

Nesquena · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-22677 | Medium | 6.5 | | 2026-05-13 | Hermes WebUI prior to 0.51.44 contains a path traversal vulnerability in the session import endpoint that allows authenticated attackers to read arbitrary files by importing a crafted session with an unrestricted workspace value. |

Nextcloud · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44515 | | | | 2026-05-14 | Nextcloud News is an RSS/Atom feed reader. |

No-instructions · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42889 | Critical | 9.1 | | 2026-05-12 | Relay adds real-time collaboration to Obsidian. |

Npitre · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-8274 | Medium | 5.3 | | 2026-05-11 | A security vulnerability has been detected in npitre cramfs-tools up to 2.1. |

Ntop · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-45448 | Medium | 4.3 | | 2026-05-14 | CWE-601 URL redirection to untrusted site ('open redirect'). |

Nuvoton · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6923 | Low | 3.8 | | 2026-05-14 | A side-channel attack, which requires physical presence at the TPM, can lead to extraction of an Elliptic Curve Diffie-Hellman (ECDH) key. |

Nuxt-modules · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44589 | Low | 3.7 | | 2026-05-14 | Nuxt OG Image generates OG Images with Vue templates in Nuxt. |

Omec-project · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-8349 | Medium | 4.3 | | 2026-05-12 | A flaw has been found in omec-project amf up to 2.1.1. |

Op-engineering · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-43897 | | | | 2026-05-11 | Link Preview JS extracts web link information. |

Openbao · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42186 | High | 7.5 | | 2026-05-14 | OpenBao is an open source identity-based secrets management system. |

Openmrs · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-41258 | Critical | 9.1 | | 2026-05-15 | OpenMRS is an open source electronic medical record system platform. |

Openstack · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44919 | Medium | 4.3 | | 2026-05-14 | In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL. |

Optimalplugins · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6808 | Medium | 6.1 | | 2026-05-12 | The Pricing Tables for WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.1.0. |

Osc · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44371 | | | | 2026-05-14 | Open OnDemand is an open-source high-performance computing portal. |

Owasp · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42268 | High | 7.5 | | 2026-05-12 | ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. |

Owasp-blt · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42603 | High | 8.8 | | 2026-05-11 | OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. |

Oxyno-zeta · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42882 | Critical | 9.4 | | 2026-05-11 | oxyno-zeta/s3-proxy is an AWS S3 proxy written in Go. |

Paiement · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2020-37168 | Critical | 9.8 | | 2026-05-13 | Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. |

Parse-community · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-43930 | Medium | 5.9 | | 2026-05-12 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. |

Patilswapnilv · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6913 | Medium | 6.4 | | 2026-05-12 | The Shortcodely plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'widget_area' parameter in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. |

Patrickjuchli · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44240 | High | 7.5 | | 2026-05-12 | basic-ftp is an FTP client for Node.js. |

Peerigon · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44643 | Critical | 10.0 | | 2026-05-11 | Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. |

Pektsekye · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-8425 | Medium | 4.3 | | 2026-05-15 | The Notify Odoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. |

Phili67 · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44418 | | | | 2026-05-13 | EcclesiaCRM is CRM Software for church management. |

Phkcorp2005 · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-7562 | Medium | 4.3 | | 2026-05-12 | The WP-Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.3. |

Photostructure · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-43893 | High | 8.2 | | 2026-05-11 | exiftool-vendored provides cross-platform Node.js access to ExifTool. |

Phpseclib · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44167 | High | 7.5 | | 2026-05-12 | phpseclib is a PHP secure communications library. |

Pi-hole · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-41489 | High | 8.8 | | 2026-05-11 | Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. |

Pocket-id · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-43983 | High | 8.1 | | 2026-05-12 | Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. |

Pocketbase · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44166 | High | 7.6 | | 2026-05-12 | Pocketbase is an open source web backend written in Go. |

Podcastgenerator · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2021-47968 | Medium | 6.4 | | 2026-05-15 | Podcast Generator 3.1 is vulnerable to persistent cross-site scripting, allowing authenticated attackers to inject malicious scripts by submitting unfiltered JavaScript code in the long_description parameter. |

Podofo · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44348 | Low | 2.5 | | 2026-05-14 | PoDoFo is a C++17 PDF manipulation library. |

Posimyththemes · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-5243 | Medium | 6.4 | | 2026-05-14 | The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to stored cross-site scripting via the `menu_hover_click` parameter of the Navigation Menu Lite wi… |

Powie · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2020-37225 | Medium | 6.4 | | 2026-05-13 | Powie's WHOIS Domain Check 0.9.31 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by exploiting unsanitized input fields in plugin settings. |

Pr-gateway · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-7051 | Medium | 5.4 | | 2026-05-13 | The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 8.9.0. |

Premailer · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44312 | Medium | 5.8 | | 2026-05-14 | css_parser is a Ruby CSS parser. |

Prestashop · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44212 | Critical | 9.3 | | 2026-05-14 | PrestaShop is an open source e-commerce web application. |

Python Software Foundation · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-8328 | | | | 2026-05-13 | The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. |

Qqqjus · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-7626 | Medium | 5.3 | | 2026-05-12 | The Slek Gateway for WooCommerce plugin for WordPress is vulnerable to Information Exposure in version 1.0. |

Rapid7 · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-7373 | | | | 2026-05-15 | Rapid7 Metasploit Pro is vulnerable to a local privilege escalation attack that allows a user to gain SYSTEM level control of a Windows host. |

Rbplugins · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-7050 | Medium | 4.3 | | 2026-05-12 | The Forms Rb plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9. |

Rdcravens · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6237 | Medium | 6.4 | | 2026-05-12 | The Quick Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' attribute of the 'qtbl' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on u… |

Red Hat · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-4802 | High | 8.0 | | 2026-05-11 | A flaw was found in Cockpit. |

Requarks · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44224 | High | 8.8 | | 2026-05-12 | Wiki.js is an open source wiki app built on Node.js. |

Rexxars · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44217 | | | | 2026-05-12 | sse-channel is an SSE implementation which can be used with any node.js http request/response stream. |

Richardhbtz · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44482 | Critical | 9.6 | | 2026-05-14 | soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. |

Riotweb · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-7659 | Medium | 6.4 | | 2026-05-12 | The Advanced Social Media Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `social` shortcode in all versions up to, and including, 1.2. |

Saleor · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42175 | Medium | 6.5 | | 2026-05-12 | requests-hardened is a library that overrides the default behaviors of the requests library, and adds new security features. |

Sangoma · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-45362 | Low | 3.2 | | 2026-05-12 | Sangoma Switchvox before 8.4 places cleartext SIP authentication credentials in a backup file. |

Saturngod · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-7616 | Medium | 4.3 | | 2026-05-12 | The Zawgyi Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. |

Savsofts · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2021-47962 | Medium | 6.4 | | 2026-05-15 | Savsoft Quiz 5.0 contains a persistent cross-site scripting vulnerability in the user account settings page that allows authenticated attackers to inject malicious HTML and JavaScript code. |

Schlix · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2021-47964 | High | 8.8 | | 2026-05-15 | Schlix CMS 2.2.6-6 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious extension packages through the block manager. |

Scui2 · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-5715 | Medium | 6.4 | | 2026-05-12 | The Voyage Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' attribute of the 'post-content' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escap… |

Shabti · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6228 | High | 8.8 | | 2026-05-15 | The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 3.28.36. |

Shahinurislam · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6271 | Critical | 9.8 | | 2026-05-14 | The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV upload handler. |

Shamim_d · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-7661 | Medium | 6.4 | | 2026-05-12 | The Bootstrap Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `box` shortcode in all versions up to, and including, 1.0. |

Shelf-nu · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44204 | Medium | 6.5 | | 2026-05-12 | Shelf is a platform for tracking physical assets. |

Silabs.com · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14972 | | | | 2026-05-15 | Countermeasures for DPA within the SYMCRYPTO engine on SixG301xxx devices are not sufficiently random and will eventually repeat. |

Silicon Labs · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-3290 | | | | 2026-05-14 | Timing limitations of the HRNG in RS9116 when power save mode is enabled result in predictable values. |

Simdjson · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-8295 | | | | 2026-05-14 | An integer overflow vulnerability in the simdjson document-builder API allows incorrect buffer size calculations in "string_builder::escape_and_append()" when processing very large input strings on platforms with limited "size_t" width (e… |

Smartcatai · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-4683 | Medium | 6.5 | | 2026-05-15 | The Smartcat Translator for WPML plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'routeData' REST endpoint in all versions up to, and including, 3.1.77. |

Smp46 · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44196 | Critical | 9.1 | | 2026-05-12 | Pingvin Share X is a secure and easy self-hosted file sharing platform. |

Socfortress · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42869 | Critical | 10.0 | | 2026-05-11 | SOCFortress CoPilot focuses on providing a single pane of glass for all your security operations needs. |

Softpulseinfotech · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-4859 | Medium | 6.4 | | 2026-05-12 | The SP Blog Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'design' attribute of the `wpsbd_post_carousel` shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and… |

Sqlalchemy · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44307 | | | | 2026-05-12 | Mako is a template library written in Python. |

Squinky86 · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42881 | | | | 2026-05-14 | STIGQter is an open-source reimplementation of DISA's STIG Viewer. |

Statamic · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44306 | Medium | 5.3 | | 2026-05-12 | Statamic is a Laravel and Git powered content management system (CMS). |

Stefanprodan · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-43644 | Medium | 5.4 | | 2026-05-14 | podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without setting explicit Content-Type or X-Conte… |

Steipete · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-45222 | Medium | 6.1 | | 2026-05-11 | Summarize versions through 0.14.1, fixed in commit 0cfb0fb, creates the daemon configuration directory and file with default filesystem permissions that may be world-readable on Unix-like systems, allowing local attackers to read bearer to… |

Svvqt · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44368 | | | | 2026-05-13 | PyQuorum is a cryptographic library for secret sharing and key management. |

Taigaio · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-41250 | Medium | 5.7 | | 2026-05-11 | Taiga is a project management platform for startups and agile developers. |

Taskbuilder · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6225 | Medium | 6.5 | | 2026-05-14 | The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'project_search' parameter in all versions up to, and including, 5.0.6 due to insuff… |

Teamviewer · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-2695 | Medium | 6.3 | | 2026-05-13 | A command injection vulnerability was discovered in TeamViewer DEX Platform On-Premises (former 1E DEX Platform On-Premises) prior to version 9.2. Improper input validation allows authenticated users with at least questioner privileges to… |

Techlabpro1 · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-7563 | Medium | 4.3 | | 2026-05-15 | The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 5.3.10. |

Teodesian · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-46474 | High | 7.5 | | 2026-05-15 | Trog::TOTP versions before 1.006 for Perl generate secrets using rand. |

The Openthread Authors · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-8369 | | | | 2026-05-13 | Improper Input Validation in the NAT64 translator in The OpenThread Authors OpenThread before commit 26a882d on all platforms allows an attacker on the adjacent IPv4 network to inject corrupted IPv6 packets into the Thread mesh or bypass s… |

Themeum · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6965 | Medium | 5.3 | | 2026-05-13 | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. |

Theonedev · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44647 | | | | 2026-05-14 | OneDev is a Git server with CI/CD, kanban, and packages. |

Thewebsitesupply · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6663 | Medium | 4.8 | | 2026-05-12 | The GWD Connect plugin for WordPress is vulnerable to missing authorization to limited code execution in all versions up to, and including, 2.9. |

Thimpress · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-7648 | Medium | 4.3 | | 2026-05-14 | The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to payment bypass through user-controlled key in all versions up to, and including, 4.3.5. |

Thymeleaf · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-41901 | Critical | 9.0 | | 2026-05-12 | Thymeleaf is a server-side Java template engine for web and standalone environments. |

Tienrocker · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-7561 | Medium | 6.1 | | 2026-05-12 | The Tm – WordPress Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. |

Tkc49 · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6247 | Medium | 6.4 | | 2026-05-12 | The scratchblocks for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' attribute of the 'scratchblocks' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and… |

Toddr · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-5089 | High | 7.3 | | 2026-05-12 | YAML::Syck versions before 1.38 for Perl have an out-of-bounds read. |

Trapesium · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-7464 | Medium | 6.1 | | 2026-05-12 | The WP Google Maps Integration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `page` parameter in all versions up to, and including, 1.2. |

Twisted · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42304 | High | 7.5 | | 2026-05-13 | Twisted is an event-based framework for internet applications, supporting Python 3.6+. |

Ultimate Member · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2020-37169 | Medium | 5.5 | | 2026-05-13 | WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in class-admin-upgrade.php. |

Unitecms · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-5486 | Medium | 6.5 | | 2026-05-14 | The Unlimited Elements for Elementor plugin for WordPress is vulnerable to SQL Injection via the 'data[filter_search]' parameter in the get_cat_addons AJAX action in versions up to and including 2.0.7. |

Unknown · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6433 | High | 7.3 | | 2026-05-11 | The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server. |

Vectifyai · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-8318 | Medium | 5.3 | | 2026-05-11 | A security flaw has been discovered in VectifyAI PageIndex up to f50e52975313c6716c02b20a119577a1929decba. |

Verint · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-21730 | Medium | 6.1 | | 2026-05-14 | Verba is affected by a Stored Cross-Site Scripting (XSS) vulnerability within its login logging mechanism. |

Videowhisper · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-4301 | Medium | 4.3 | | 2026-05-12 | The Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. |

Vim · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-46483 | Low | 3.6 | | 2026-05-15 | Vim is an open source, command line text editor. |

Warpgate_project · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44347 | Medium | 5.8 | | 2026-05-12 | Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. |

Wavelens · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44592 | Critical | 9.4 | | 2026-05-14 | Gradient is a nix-based continuous integration system. |

Webassembly · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-8257 | Low | 3.3 | | 2026-05-11 | A vulnerability was detected in WebAssembly Binaryen up to 117. |

Webaways · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-7046 | Medium | 4.9 | | 2026-05-15 | The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'table' parameter in all versions up to, and including, 9.1.12 due to insufficient escaping on the user suppli… |

Webcon · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-1630 | | | | 2026-05-14 | WEBCON BPS is vulnerable to Reflected XSS via one of the parameters used by the "/openinmobileapp" endpoint. An attacker can send a specially crafted URL that, when opened by an authenticated user, results in arbitrary JavaScript execution in the… |

Webmuehle · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-1250 | High | 7.5 | | 2026-05-12 | The Court Reservation – Manage Your Court Bookings Online plugin for WordPress is vulnerable to generic SQL Injection via the 'id' parameter in all versions up to, and including, 1.10.11 due to insufficient escaping on the user supplied pa… |

Webpack-dev-server · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6402 | Medium | 5.3 | | 2026-05-12 | webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. |

Websockets · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-45736 | Medium | 4.4 | | 2026-05-15 | ws is an open source WebSocket client and server for Node.js. |

Websoudan · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6206 | Medium | 5.3 | | 2026-05-14 | The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the _get_post_property_from_querystring() function due to insufficient restrictions on which posts can be included. |

Wellbia · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-3609 | High | 7.8 | | 2026-05-11 | Wellbia's XIGNCODE3 xhunter1.sys kernel driver Privilege Escalation Vulnerability provides access to IRP_MJ_REITS command interface, which allows any user process to request a PROCESS_ALL_ACCESS. Cross reference to KVE 2023-5589 (https://… |

Wftpserver · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44403 | High | 7.2 | | 2026-05-12 | Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory fi… |

Wgdashboard · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-44343 | Critical | 9.8 | | 2026-05-12 | WGDashboard is a dashboard for WireGuard VPN. |

Wger-project · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-43948 | Critical | 9.9 | | 2026-05-12 | wger is a free, open-source workout and fitness manager. |

Workos · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-42565 | Medium | 4.3 | | 2026-05-11 | @workos/authkit-session is a toolkit for building WorkOS AuthKit framework integrations. |

Wp Travel · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-45218 | High | 7.7 | | 2026-05-12 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel wp-travel allows Blind SQL Injection. This issue affects WP Travel: from n/a through <= 11.4.0. |

Wp-super-edit · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2021-47965 | Critical | 9.8 | | 2026-05-15 | WordPress Plugin WP Super Edit 2.5.4 and earlier contains an unrestricted file upload vulnerability in the FCKeditor component that allows attackers to upload dangerous file types without validation. |

Wpclever · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2025-14767 | Medium | 5.5 | | 2026-05-13 | The WPC Badge Management for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the `wpcbm_best_seller` shortcode in all versions up to, and including, 3.1.6 due to insufficient input… |

Wpcodefactory · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-6962 | Medium | 6.4 | | 2026-05-13 | The Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'alg_wc_cog_product_cost' and 'alg_wc_cog_product_profit' shortcodes in all versions up… |

Wpdevteam · 1 CVE

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-5193 | Medium | 6.5 | | 2026-05-14 | The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.5.13. |

Wpeverest · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6145 | Medium | 5.3 | no | 2026-05-14 | The User Registration & Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5.

Wpgraphql · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2021-47959 | High | 7.5 | no | 2026-05-15 | WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows unauthenticated attackers to exhaust server resources by sending batched GraphQL queries with duplicated fields.

Wpmu Dev · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-25431 | Medium | 5.3 | no | 2026-05-12 | Missing Authorization vulnerability in WPMU DEV Hustle allows Exploiting Incorrectly Configured Access Control Security Levels.

Wproyal · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-6504 | Medium | 6.4 | no | 2026-05-14 | The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title_tag' parameter in all versions up to, and including, 1.7.1058 due to insufficient input sanitization and output escap…

Wupsales · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-2993 | High | 7.5 | no | 2026-05-12 | The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4.17 due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the ex…

Www.huawei.com · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2020-37220 | High | 7.5 | no | 2026-05-13 | Huawei HG630 V2 router contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain administrative access by retrieving the device serial number.

Xibosignage · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-42141 | High | 7.7 | no | 2026-05-12 | Xibo is an open source digital signage platform with a web content management system and Windows display player software.

Xpro · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-45214 | High | 8.5 | no | 2026-05-12 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Xpro Elementor Addons (xpro-elementor-addons) allows Blind SQL Injection. This issue affects Xpro Elementor Addons: from n/a through <=…

Yubico · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-46419 | High | 7.5 | no | 2026-05-14 | Yubico webauthn-server-core (aka java-webauthn-server) 2.8.0 before 2.8.2 incorrectly checks a function's return value in the second factor flow, leading to impersonation.

Zealopensource · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-5693 | Medium | 5.3 | no | 2026-05-12 | The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation logic flaw in the saab_cancel_booking() function in all versions up to, and in…

Zelon88 · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44666 | n/a | n/a | no | 2026-05-14 | HRConvert2 is a self-hosted, drag-and-drop & nosql file conversion server & share tool.

Zitadel · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-44671 | High | 7.5 | no | 2026-05-14 | ZITADEL is an open source identity management platform.

Zulip · 1 CVE

CVE | Severity | CVSS | KEV | Published | Summary
CVE-2026-40300 | Medium | 6.5 | no | 2026-05-12 | Zulip is an open-source team collaboration tool.
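As extracted, each row of this listing fuses its six columns (CVE, Severity, CVSS, KEV, Published, Summary) into one string with no separators, e.g. `CVE-2026-44343Critical9.82026-05-12WGDashboard is a dashboard for WireGuard VPN.`, and some rows carry no severity or score at all. The following is an added example, not code from the listing or from any vendor it names: it splits such rows back into fields and orders them for triage (KEV entries first, then by CVSS descending, unscored rows last). The regular expression and the record layout are my assumptions about the extraction format; the sample rows are copied from this listing, except the one marked CONSTRUCTED, which uses a placeholder identifier only so the KEV path is exercised.

```python
"""Parse fused CVE listing rows into records and rank them for triage.

Added example, not part of the original listing. Rows in SAMPLE are copied
from the listing except the one marked CONSTRUCTED (placeholder ID, not a CVE).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed row format (column order taken from the listing's header line):
#   <CVE id><Severity?><CVSS?><KEV?><YYYY-MM-DD><summary text>
# Severity, CVSS and KEV are optional: some entries are unscored when published.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})"
    r"(?P<severity>Critical|High|Medium|Low)?"
    r"(?P<cvss>\d{1,2}\.\d)?"
    r"(?P<kev>KEV)?"
    r"(?P<published>\d{4}-\d{2}-\d{2})"
    r"(?P<summary>.*)$"
)


@dataclass
class Row:
    cve: str
    severity: Optional[str]
    cvss: Optional[float]
    kev: bool
    published: str
    summary: str
    truncated: bool  # the page cut the summary off with an ellipsis


def parse_row(line: str) -> Optional[Row]:
    """Split one fused row into fields; return None for headers, vendor lines and blanks."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    summary = m.group("summary").strip()
    return Row(
        cve=m.group("cve"),
        severity=m.group("severity"),
        cvss=float(m.group("cvss")) if m.group("cvss") else None,
        kev=m.group("kev") is not None,
        published=m.group("published"),
        summary=summary,
        truncated=summary.endswith("…") or summary.endswith("..."),
    )


def needs_action(row: Row, threshold: float = 9.0) -> bool:
    """Triage rule: anything in KEV, or scored at or above the threshold, gets worked first."""
    return row.kev or (row.cvss is not None and row.cvss >= threshold)


def triage(lines: List[str]) -> List[Row]:
    """Parse every row and order: KEV first, then CVSS descending, unscored rows last."""
    rows = [r for r in (parse_row(l) for l in lines) if r is not None]
    # Unscored rows get a sort score of -1 so they land after every scored row.
    return sorted(
        rows,
        key=lambda r: (not r.kev, -(r.cvss if r.cvss is not None else -1.0), r.cve),
    )


SAMPLE = [
    "CVESeverityCVSSKEVPublishedSummary",
    "Zulip · 1 CVE",
    "CVE-2026-44343Critical9.82026-05-12WGDashboard is a dashboard for WireGuard VPN.",
    "CVE-2026-42565Medium4.32026-05-11@workos/authkit-session is a toolkit for building WorkOS AuthKit framework integrations.",
    "CVE-2026-446662026-05-14HRConvert2 is a self-hosted, drag-and-drop & nosql file conversion server & share tool.",
    "CVE-2021-47959High7.52026-05-15WordPress Plugin WPGraphQL 1.3.5 contains a denial of service vulnerability that allows unauthenticated attackers to exhaust server resources by sending batched GraphQL queries with duplicated fields.",
    "CVE-2026-44403High7.22026-05-12Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code through the domain admin mydirectory fi…",
    # CONSTRUCTED: placeholder identifier, not a real CVE; present only to exercise the KEV column.
    "CVE-0000-0000High7.0KEV2026-05-12Constructed row used to test KEV handling.",
]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        flag = "ACT" if needs_action(r) else "   "
        score = f"{r.cvss:.1f}" if r.cvss is not None else "n/a"
        print(f"{flag} {r.cve:<16} {score:>4} {'KEV' if r.kev else '   '} {r.published} {r.summary[:60]}")
```

The regex is written so the optional columns are recovered by backtracking: in the HRConvert2 row the CVE's trailing digits run straight into the date, and the greedy `\d{4,}` gives digits back until a `YYYY-MM-DD` follows. Rows whose summary ends in the page's ellipsis are flagged `truncated` so you know to fetch the full advisory before acting on them.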