CVE Field Guide

Critical CVEs

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-0826 | Poly Voice – Possible Remote Control of Certain Poly Devices | 01.06.2026 | 9.2 |
| CVE-2026-42680 | WordPress Contest Gallery Pro plugin <= 29.0.1 - Privilege Escalation vulnerability | 01.06.2026 | 9.8 |
| CVE-2026-42682 | WordPress wpForo Forum plugin <= 3.0.6 - Broken Access Control vulnerability | 01.06.2026 | 9.1 |
| CVE-2026-48866 | WordPress Gravity Forms plugin <= 2.10.0.1 - Arbitrary File Deletion vulnerability | 01.06.2026 | 9.6 |
| CVE-2026-48879 | WordPress AIWU plugin <= 1.4.17 - Privilege Escalation vulnerability | 01.06.2026 | 9.8 |
| CVE-2026-8931 | Critical RCE vulnerability in Disig Web Signer | 01.06.2026 | 9.4 |
| CVE-2026-7858 | Deserialization of Untrusted Data vulnerability affecting Teamwork Cloud from No Magic Release 2022x through No Magic Release 2026x and Magic Collaboration Studio from CATIA Magic Release 2022x through CATIA Magic Release 2026x | 01.06.2026 | 9.8 |
| CVE-2026-48188 | SQL Injection via MySQL Quote Method | 01.06.2026 | 9.1 |
| CVE-2026-10187 | Totolink N300RH Web Management wireless.so setWiFiBasicConfig stack-based overflow | 31.05.2026 | 9.3 |
| CVE-2018-25412 | Delta Sql 1.8.2 Arbitrary File Upload via docs_upload.php | 30.05.2026 | 9.3 |
| CVE-2026-45372 | cpp-httplib: HTTP header value percent-decoding in server-side `parse_header` enables CRLF injection | 29.05.2026 | 9.9 |
| CVE-2026-45697 | Formie: Pre-authenticated server-side template injection in Hidden fields | 29.05.2026 | 9.8 |
| CVE-2026-44649 | SillyTavern: Authentication Bypass via SSO Header Injection | 29.05.2026 | 9.8 |
| CVE-2026-44650 | SillyTavern: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 29.05.2026 | 9.1 |
| CVE-2026-47744 | Shopper: Authorization bypass and RBAC privilege escalation in team settings | 29.05.2026 | 9.9 |
| CVE-2026-9051 | Authentication Bypass Vulnerability in NI SystemLink Enterprise | 29.05.2026 | 9.3 |
| CVE-2026-45625 | Arcane: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs | 29.05.2026 | 9.9 |
| CVE-2026-45628 | Dokploy: Command Injection via Unescaped Branch Fields in Deployment Pipeline | 29.05.2026 | 9.6 |
| CVE-2026-45629 | Dokploy: Authenticated Remote Code Execution via Command Injection in /listen-deployment WebSocket Endpoint | 29.05.2026 | 9.9 |
| CVE-2026-45630 | Dokploy: Authenticated Remote Code Execution via Command Injection in updateTraefikConfig Echo Statement | 29.05.2026 | 9 |
| CVE-2026-45631 | Dokploy: Pre-Auth Admin Takeover via Hardcoded Authentication Secret | 29.05.2026 | 10 |
| CVE-2026-45632 | Dokploy: Schedule Authorization Bypass Enables Host/Server Command Execution | 29.05.2026 | 9.9 |
| CVE-2026-45633 | Dokploy: Command Injection in /docker-container-logs Endpoint | 29.05.2026 | 9.9 |
| CVE-2026-45661 | Dokploy: Remote Code Execution through Path Traversal | 29.05.2026 | 9.9 |
| CVE-2026-45668 | Trilium Notes: Note Import to RCE via #docName Path Traversal (Safe Import Enabled) | 29.05.2026 | 9.3 |
| CVE-2026-5386 | KMW CCTV Security Cameras Unverified Password Change | 29.05.2026 | 9.1 |
| CVE-2026-7786 | Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter Use of Hard-coded Credentials | 29.05.2026 | 9.8 |
| CVE-2026-44962 | | 29.05.2026 | 10 |
| CVE-2026-45663 | Dokploy: Remote Code Execution via destinationPath in Container File Upload | 29.05.2026 | 9.9 |
| CVE-2026-10042 | manga-image-translator RCE via Unsafe Pickle Deserialization in Share Model | 29.05.2026 | 9.2 |
| CVE-2026-4290 | WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators | 29.05.2026 | 9.1 |
| CVE-2026-46376 | FreePBX: Unauthenticated Use of Hard-Coded Credentials Vulnerability in FreePBX UCP Interface | 29.05.2026 | 9.3 |
| CVE-2026-10071 | Interinfo\|DreamMaker - Arbitrary File Upload | 29.05.2026 | 9.3 |
| CVE-2026-45043 | RustFS: ImportIam Allows Creation of Backdoor Service Accounts Under Any Parent Including Root | 29.05.2026 | 9.3 |
| CVE-2026-45312 | RAGFlow: Server-Side Template Injection in Prompt Generator leads to Remote Code Execution | 29.05.2026 | 9.9 |
| CVE-2026-8326 | Remote Spark SparkView Path Traversal in RDP Drive Redirection leading to RCE | 29.05.2026 | 10 |
| CVE-2026-9508 | Incorrect Permission Assignment for Critical Resource vulnerability in Suprema's BioStar | 29.05.2026 | 10 |
| CVE-2025-41269 | | 29.05.2026 | 9.3 |
| CVE-2025-41270 | | 29.05.2026 | 9.3 |
| CVE-2025-41272 | | 29.05.2026 | 9.3 |
| CVE-2025-41273 | | 29.05.2026 | 9.3 |
| CVE-2025-41274 | | 29.05.2026 | 9.3 |
| CVE-2025-41275 | | 29.05.2026 | 9.3 |
| CVE-2025-41276 | | 29.05.2026 | 9.3 |
| CVE-2025-41277 | | 29.05.2026 | 9.3 |
| CVE-2026-9559 | | 29.05.2026 | 9.9 |
| CVE-2026-49201 | Acer Wave 7 router: Hardcoded Cryptographic Key | 29.05.2026 | 10 |
| CVE-2026-9558 | | 29.05.2026 | 9.9 |
| CVE-2026-49197 | Predator Connect W6x: Improper Authentication | 29.05.2026 | 10 |
| CVE-2026-49199 | Predator Connect W6x: RCE via MQTT | 29.05.2026 | 10 |
| CVE-2026-49200 | Acer Wave 7 router: Broken Access Control | 29.05.2026 | 10 |
| CVE-2026-3655 | OTP Login With Phone Number, OTP Verification <= 1.8.60 - Unauthenticated Authentication Bypass via Firebase OTP Verification | 29.05.2026 | 9.8 |
| CVE-2026-8732 | WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action | 29.05.2026 | 9.8 |
| CVE-2026-8809 | Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter | 29.05.2026 | 9.8 |
| CVE-2026-44848 | Portainer: Missing authorization on Docker plugin endpoints allows host RCE | 28.05.2026 | 9.4 |
| CVE-2026-44849 | Portainer: Endpoint security bypass via Swarm service create/update | 29.05.2026 | 9.4 |
| CVE-2026-34311 | | 29.05.2026 | 9.8 |
| CVE-2026-45288 | Marten has an SQL injection vulnerability in its full-text search regConfig parameter | 30.05.2026 | 9.8 |
| CVE-2026-46775 | | 29.05.2026 | 9.9 |
| CVE-2026-46817 | | 29.05.2026 | 9.8 |
| CVE-2026-46819 | | 29.05.2026 | 9.1 |
| CVE-2026-46822 | | 29.05.2026 | 9.9 |
| CVE-2026-46824 | | 29.05.2026 | 9.9 |
| CVE-2026-46833 | | 29.05.2026 | 9 |
| CVE-2026-46839 | | 29.05.2026 | 9.9 |
| CVE-2026-46840 | | 29.05.2026 | 10 |
| CVE-2026-9645 | ScadaBR Authenticated Remote Code Execution | 29.05.2026 | 9.9 |
| CVE-2026-9037 | Download of code without integrity check in XCharge C6 | 29.05.2026 | 9.3 |
| CVE-2026-45039 | RustFS: Internode RPC HMAC secret falls back to public default credential, enabling peer impersonation | 30.05.2026 | 9.8 |
| CVE-2026-43898 | SandboxJS: Sandbox escape via Function.caller leakage of internal call op | 28.05.2026 | 10 |
| CVE-2026-45058 | electerm: Import unsafe bookmark data could lead to unsafe operation when click local type bookmark | 30.05.2026 | 9.4 |
| CVE-2026-45311 | CodeWhale: run_tests Tool Enables RCE via Malicious Repository Without Approval | 28.05.2026 | 9.6 |
| CVE-2026-45323 | MeshCore Card: XSS vulnerability through meshcore node name | 29.05.2026 | 9.6 |
| CVE-2026-45353 | electerm: Local code through electerm's single-instance socket | 28.05.2026 | 9.3 |
| CVE-2026-45374 | CodeWhale: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files | 30.05.2026 | 9.6 |
| CVE-2026-24444 | SDMC NE6037 Hardcoded Password via mgmt.php/npcmd.php | 28.05.2026 | 9.3 |
| CVE-2026-44477 | CloudNativePG: Metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE | 28.05.2026 | 9.4 |
| CVE-2026-45261 | GitButler: Link injection via forge integration enables arbitrary script execution | 30.05.2026 | 9.3 |
| CVE-2026-44672 | mapfish-print: Remote Code Injection (RCE) in Dynamic table | 28.05.2026 | 9.3 |
| CVE-2026-8979 | Authentication Bypass | 28.05.2026 | 9.3 |
| CVE-2026-8980 | Privilege Escalation | 28.05.2026 | 9.3 |
| CVE-2026-46115 | block: add pgmap check to biovec_phys_mergeable | 30.05.2026 | 9.8 |
| CVE-2026-46119 | libceph: Fix slab-out-of-bounds access in auth message processing | 30.05.2026 | 9.1 |
| CVE-2026-46135 | nvmet-tcp: fix race between ICReq handling and queue teardown | 30.05.2026 | 9.8 |
| CVE-2026-46137 | mptcp: pm: ADD_ADDR rtx: fix potential data-race | 30.05.2026 | 9.8 |
| CVE-2026-46155 | smb/client: fix out-of-bounds read in smb2_compound_op() | 30.05.2026 | 9.1 |
| CVE-2026-46185 | smb/client: fix out-of-bounds read in symlink_data() | 30.05.2026 | 9.1 |
| CVE-2026-46195 | smb: client: validate dacloffset before building DACL pointers | 30.05.2026 | 9.8 |
| CVE-2026-4408 | Samba: remote code execution in samr | 29.05.2026 | 9 |
| CVE-2026-32998 | | 29.05.2026 | 9.4 |
| CVE-2026-32999 | | 28.05.2026 | 9.1 |
| CVE-2026-9739 | | 28.05.2026 | 9.4 |
| CVE-2026-45083 | Goobi viewer: Unauthenticated Solr Streaming Expression Proxy | 28.05.2026 | 9.8 |
| CVE-2026-44590 | Sherlock: Command Injection via pull_request_target in validate_modified_targets.yml | 28.05.2026 | 9.3 |
| CVE-2026-8362 | Gladinet Triofox Stack-based Buffer Overflow in WOSDefaultHttpModule.dll | 28.05.2026 | 9.8 |
| CVE-2026-8363 | Gladinet Triofox Stack-based Buffer Overflow in WOSDeviceDropFolder.dll | 28.05.2026 | 9.8 |
| CVE-2026-8364 | Gladinet Triofox Missing Authentication for Critical Functions | 28.05.2026 | 9.8 |
| CVE-2026-44887 | Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Path) | 28.05.2026 | 9.8 |
| CVE-2026-44888 | Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Integer) | 28.05.2026 | 9.8 |
| CVE-2026-45102 | OneUptime: RCE due to Node.js' vm module escape via error objects and infinite recursion | 30.05.2026 | 9.9 |
| CVE-2026-45087 | Dalfox: Unauthenticated Remote Code Execution via `found-action` in Dalfox Server Mode | 28.05.2026 | 10 |
| CVE-2026-46425 | Budibase: SCIM endpoints lack role-based authorization, BASIC users CRUD tenant users | 28.05.2026 | 9.9 |
| CVE-2026-48150 | Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign | 27.05.2026 | 9 |
| CVE-2026-44315 | free5GC: NEF 3gpp-pfd-management API is unauthenticated; forged bearer tokens can create, read, and delete PFD transactions | 27.05.2026 | 9.4 |
| CVE-2026-44326 | free5GC: NEF 3gpp-traffic-influence API is unauthenticated; missing or forged bearer tokens can create, read, patch, and delete subscriptions | 27.05.2026 | 9.4 |
| CVE-2026-44327 | free5GC: NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM handler | 28.05.2026 | 10 |
| CVE-2026-44329 | free5GC: SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers | 28.05.2026 | 10 |
| CVE-2026-44330 | free5GC: NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens can read PFD data and create/delete PFD subscriptions | 27.05.2026 | 10 |
| CVE-2026-48027 | Compromised Nx Console version 18.95.0 | 28.05.2026 | 9.3 |
| CVE-2026-49103 | | 27.05.2026 | 9.4 |
| CVE-2026-35087 | Authentication Bypass in Slican telephone exchanges | 27.05.2026 | 9.3 |
| CVE-2026-35090 | Authentication Bypass in Slican telephone exchanges | 27.05.2026 | 9.3 |
| CVE-2026-45898 | RDMA/iwcm: Fix workqueue list corruption by removing work_list | 30.05.2026 | 9.8 |
| CVE-2026-45972 | smb: client: fix potential UAF and double free in smb2_open_file() | 30.05.2026 | 9.8 |
| CVE-2026-45988 | rxrpc: Fix re-decryption of RESPONSE packets | 30.05.2026 | 9.8 |
| CVE-2026-46039 | rxgk: Fix potential integer overflow in length check | 30.05.2026 | 9.8 |
| CVE-2026-46043 | RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv | 30.05.2026 | 9.1 |
| CVE-2026-7524 | Path Traversal Vulnerability in File Processing Components Allows Unauthorized File System Access and Potential Remote Code Execution | 28.05.2026 | 9.8 |
| CVE-2026-8175 | Multiple vulnerabilities in Aspera applications | 28.05.2026 | 9.8 |
| CVE-2026-42727 | WordPress Active Products Tables for WooCommerce plugin <= 1.0.8 - SQL Injection vulnerability | 27.05.2026 | 9.3 |
| CVE-2026-42731 | WordPress miniorange otp verification plugin <= 5.4.9 - Privilege Escalation vulnerability | 27.05.2026 | 9.8 |
| CVE-2026-42740 | WordPress Tainacan plugin <= 1.0.3 - SQL Injection vulnerability | 27.05.2026 | 9.3 |
| CVE-2026-42747 | WordPress Easy Form Builder plugin <= 4.0.6 - SQL Injection vulnerability | 27.05.2026 | 9.3 |
| CVE-2026-42748 | WordPress WPify Woo Czech plugin <= 5.4.1 - Arbitrary File Upload vulnerability | 27.05.2026 | 9.9 |
| CVE-2026-42755 | WordPress TableOn plugin <= 1.0.5.1 - SQL Injection vulnerability | 27.05.2026 | 9.3 |
| CVE-2026-42756 | WordPress QuickWebP – Compress / Optimize Images & Convert WebP \| SEO Friendly plugin <= 3.2.7 - Arbitrary File Deletion vulnerability | 27.05.2026 | 9.9 |
| CVE-2026-42757 | WordPress WebinarIgnition plugin < 4.08.253 - Arbitrary File Deletion vulnerability | 27.05.2026 | 9.9 |
| CVE-2026-42758 | WordPress WebinarIgnition plugin < 4.08.253 - Privilege Escalation vulnerability | 27.05.2026 | 9.8 |
| CVE-2026-42761 | WordPress Active Products Tables for WooCommerce plugin <= 1.0.9 - SQL Injection vulnerability | 27.05.2026 | 9.3 |
| CVE-2026-48906 | Extension - tassos.gr - Arbitrary File Deletion in Novarain/Tassos Framework < 6.1.0 for Joomla | 27.05.2026 | 9.3 |
| CVE-2025-12686 | | 27.05.2026 | 9.8 |
| CVE-2026-49002 | Broken Access Control Vulnerability in ZTE ZXUniPOS NDS-LTE product | 28.05.2026 | 9.1 |
| CVE-2026-8054 | Unauthenticated SQL Injection in dotCMS Publish Audit API | 27.05.2026 | 10 |
| CVE-2026-8760 | Login with OTP <= 1.6 - Unauthenticated Authentication Bypass via OTP Brute Force | 27.05.2026 | 9.8 |
| CVE-2026-9312 | Server-Side Request Forgery vulnerability in GitHub Enterprise Server allowed access to internal services via path traversal in upload endpoint | 28.05.2026 | 9.2 |
| CVE-2026-44895 | GitLab MCP Server: SSE transport has no authentication and wildcard CORS, exposing all GitLab tools | 27.05.2026 | 9.2 |
| CVE-2026-44444 | Lumiverse: Spindle extension install runs untrusted lifecycle scripts before security scan | 27.05.2026 | 9.1 |
| CVE-2026-44449 | Lumiverse: SMB `exists()` basename injection via smbclient `!cmd` escape | 27.05.2026 | 9.1 |
| CVE-2026-44450 | Lumiverse: RCE via MCP stdio argument injection | 26.05.2026 | 9.9 |
| CVE-2026-44451 | Lumiverse: TSX component sandbox escape via DOM ref and string-split identifier bypass | 27.05.2026 | 9.3 |
| CVE-2026-9642 | Delta Electronics DIAView Patch Bypass | 26.05.2026 | 9.8 |
| CVE-2026-3660 | IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to Authentication Bypass | 28.05.2026 | 9.8 |
| CVE-2026-44668 | Faction: Unauthenticated Read, Modify, and Delete of Boilerplate Templates | 27.05.2026 | 9.8 |
| CVE-2026-46624 | Twenty: SQL Injection via the timeZone field | 26.05.2026 | 9.9 |
| CVE-2026-47202 | Kavita: Pre-Auth Account Takeover | 27.05.2026 | 9.3 |
| CVE-2026-7251 | Eppendorf BioFlo 320 Use of hard-coded password | 26.05.2026 | 9.3 |
| CVE-2026-8633 | IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by multiple vulnerabilities when using Web Server Plug-ins | 27.05.2026 | 9.8 |
| CVE-2026-2264 | Server-Side Request Forgery and Credential Exfiltration in Google Cloud Apigee via SetIntegrationRequest Policy | 26.05.2026 | 9.2 |
| CVE-2026-45721 | Algernon: handler.lua discovery walks parent directories above the server root | 26.05.2026 | 9 |
| CVE-2026-45247 | Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection | 26.05.2026 | 9.3 |
| CVE-2026-7374 | Kubevirt: kubevirt virt-handler: privilege escalation and node compromise via symlink following vulnerability | 28.05.2026 | 9.9 |
| CVE-2026-9543 | Totolink N300RH Web Management cstecgi.cgi setPasswordCfg os command injection | 26.05.2026 | 9.3 |
| CVE-2026-42773 | WordPress eMagicOne Store Manager plugin <= 1.3.2 - SQL Injection vulnerability | 26.05.2026 | 9.3 |
| CVE-2026-42774 | WordPress JetEngine plugin <= 3.8.8.1 - SQL Injection vulnerability | 26.05.2026 | 9.3 |
| CVE-2026-9477 | Totolink A8000RU Web Management cstecgi.cgi setAccessDeviceCfg os command injection | 26.05.2026 | 9.3 |
| CVE-2026-9478 | Totolink A8000RU Web Management cstecgi.cgi setParentalRules os command injection | 27.05.2026 | 9.3 |
| CVE-2026-9475 | Totolink A8000RU Web Management cstecgi.cgi setIpQosRules os command injection | 26.05.2026 | 9.3 |
| CVE-2026-9476 | Totolink A8000RU Web Management cstecgi.cgi setPasswordCfg os command injection | 28.05.2026 | 9.3 |

Latest Updates

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2024-40646 | Vertex Vulnerable to Path Traversal | 01.06.2026 | 8.6 |
| CVE-2025-55664 | | 01.06.2026 | |
| CVE-2025-60481 | | 01.06.2026 | |
| CVE-2025-60483 | | 01.06.2026 | |
| CVE-2025-60485 | | 01.06.2026 | |
| CVE-2025-60486 | | 01.06.2026 | |
| CVE-2025-60495 | | 01.06.2026 | |
| CVE-2026-0826 | Poly Voice – Possible Remote Control of Certain Poly Devices | 01.06.2026 | |
| CVE-2026-10259 | H3C Magic B0 aspForm SetMobileAPInfoById stack-based overflow | 01.06.2026 | |
| CVE-2026-10260 | CodeAstro Online Job Portal delete-jobs.php sql injection | 01.06.2026 | |
| CVE-2026-10261 | CodeAstro Online Job Portal application_status.php sql injection | 01.06.2026 | |
| CVE-2026-10262 | code-projects Real State Services Login loginuser.php sql injection | 01.06.2026 | |
| CVE-2026-10263 | SourceCodester Computer Repair Shop Management System manage_product.php sql injection | 01.06.2026 | |
| CVE-2026-10264 | lharries whatsapp-mcp Send API Endpoint main.go SendMessageRequest path traversal | 01.06.2026 | |
| CVE-2026-10265 | itsourcecode Content Management System edit_topic.php sql injection | 01.06.2026 | |
| CVE-2026-10267 | janet-lang janet debug.c doframe out-of-bounds | 01.06.2026 | |
| CVE-2026-10533 | Openshift: openshift: non-admin user can bypass resourcequota and flood etcd with events causing cluster-wide api degradation | 01.06.2026 | |
| CVE-2026-37220 | | 01.06.2026 | |
| CVE-2026-37221 | | 01.06.2026 | |
| CVE-2026-42251 | Hard-coded credentials in KS-SOMED | 01.06.2026 | |
| CVE-2026-42680 | WordPress Contest Gallery Pro plugin <= 29.0.1 - Privilege Escalation vulnerability | 01.06.2026 | 9.8 |
| CVE-2026-42681 | WordPress e2pdf plugin <= 1.32.14 - Reflected Cross Site Scripting (XSS) vulnerability | 01.06.2026 | 7.1 |
| CVE-2026-42682 | WordPress wpForo Forum plugin <= 3.0.6 - Broken Access Control vulnerability | 01.06.2026 | 9.1 |
| CVE-2026-42683 | WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.8 - Cross Site Scripting (XSS) vulnerability | 01.06.2026 | 7.1 |
| CVE-2026-48559 | Lightweight Music Server 3.76.0 Stored XSS via Media File Metadata Tags | 01.06.2026 | |
| CVE-2026-48839 | WordPress WP Statistics plugin <= 14.16.6 - Cross Site Scripting (XSS) vulnerability | 01.06.2026 | 7.1 |
| CVE-2026-48865 | WordPress LearnPress plugin <= 4.3.6 - Reflected Cross Site Scripting (XSS) vulnerability | 01.06.2026 | 7.1 |
| CVE-2026-48866 | WordPress Gravity Forms plugin <= 2.10.0.1 - Arbitrary File Deletion vulnerability | 01.06.2026 | 9.6 |
| CVE-2026-48879 | WordPress AIWU plugin <= 1.4.17 - Privilege Escalation vulnerability | 01.06.2026 | 9.8 |
| CVE-2026-8931 | Critical RCE vulnerability in Disig Web Signer | 01.06.2026 | |
| CVE-2026-10251 | itsourcecode Online House Rental System ajax.php login sql injection | 01.06.2026 | |
| CVE-2026-10252 | itsourcecode Online House Rental System manage_tenant.php sql injection | 01.06.2026 | |
| CVE-2026-10253 | itsourcecode Online House Rental System manage_payment.php sql injection | 01.06.2026 | |
| CVE-2026-10254 | SourceCodester Pet Grooming Management Software admin file information disclosure | 01.06.2026 | |
| CVE-2026-10255 | SourceCodester Pharmacy Sales and Inventory System ShowForm.php sell_statement access control | 01.06.2026 | |
| CVE-2026-10256 | itsourcecode Content Management System save_comment.php sql injection | 01.06.2026 | |
| CVE-2026-10257 | itsourcecode Content Management System update_ss_img.php sql injection | 01.06.2026 | |
| CVE-2026-10258 | itsourcecode Content Management System add_sub_topic.php sql injection | 01.06.2026 | |
| CVE-2026-10532 | Logback deserialization whitelist bypass for Proxy objects | 01.06.2026 | |
| CVE-2026-34193 | GPU DDK - Arbitrary write via UFO updates due to insufficient pointer validation in rgxfw_to_ptr() | 01.06.2026 | |
| CVE-2026-9308 | Arbitrary JavaScript execution in Reader View due to wrong HTML replacement order | 01.06.2026 | |
| CVE-2026-9309 | Arbitrary JavaScript execution in internal pages via Reader View JSON-LD injection | 01.06.2026 | |
| CVE-2026-10244 | SourceCodester Pharmacy Sales and Inventory System main create_medicine_name cross site scripting | 01.06.2026 | |
| CVE-2026-10245 | SourceCodester Pharmacy Sales and Inventory System main create_supplier cross site scripting | 01.06.2026 | |
| CVE-2026-10246 | SourceCodester Pharmacy Sales and Inventory System main create_medicine_presentation cross site scripting | 01.06.2026 | |
| CVE-2026-10247 | SourceCodester Pharmacy Sales and Inventory System main create_generic_name cross site scripting | 01.06.2026 | |
| CVE-2026-10248 | SourceCodester Pharmacy Sales and Inventory System Supplier Creation export create_supplier csv injection | 01.06.2026 | |
| CVE-2026-10249 | itsourcecode Online Blood Bank Management System viewrequest.php sql injection | 01.06.2026 | |
| CVE-2026-10250 | itsourcecode Online Blood Bank Management System campsdetails.php sql injection | 01.06.2026 | |
| CVE-2026-25599 | Missing authentication and clear-text data transmission affecting Orca heat pumps | 01.06.2026 | 6.3 |
| CVE-2026-25600 | Credential Exposure Vulnerability in Trac PDBM | 01.06.2026 | 6.4 |
| CVE-2026-49328 | Apache Fesod (Incubating): Improper validation of user-supplied URLs leading to SSRF | 01.06.2026 | |
| CVE-2026-10236 | SourceCodester Water Billing Management System User Management Endpoint Users.php save improper authorization | 01.06.2026 | |
| CVE-2026-10237 | SourceCodester Water Billing Management System User Management manage_user sql injection | 01.06.2026 | |
| CVE-2026-10239 | JeecgBoot edit WordUtil.addImage server-side request forgery | 01.06.2026 | |
| CVE-2026-10240 | JeecgBoot test server-side request forgery | 01.06.2026 | |
| CVE-2026-10241 | jeecgboot The server processes these URLs Cloud Instance Metadata Endpoint debug FileDownloadUtils.download2DiskFromNet server-side request forgery | 01.06.2026 | |
| CVE-2026-10242 | itsourcecode Content Management System instructions.php sql injection | 01.06.2026 | |
| CVE-2026-10243 | code-projects Smart Parking System Admin Endpoint missing authentication | 01.06.2026 | |
| CVE-2026-10517 | Clair: clair: unauthenticated ssrf via manifest layer uri enables internal network reconnaissance | 01.06.2026 | |
| CVE-2026-27788 | | 01.06.2026 | |
| CVE-2026-32325 | | 01.06.2026 | |
| CVE-2026-40543 | Missing Authorization in SOPlanning | 01.06.2026 | |
| CVE-2026-40544 | Stored XSS in SOPlanning | 01.06.2026 | |
| CVE-2026-40545 | Reflected XSS in SOPlanning | 01.06.2026 | |
| CVE-2026-40546 | Multiple SQL Injections in SOPlanning | 01.06.2026 | |
| CVE-2026-40547 | Path Traversal in SOPlanning | 01.06.2026 | |
| CVE-2026-40548 | Unrestricted Upload of File with Dangerous Type in SOPlanning | 01.06.2026 | |
| CVE-2026-40549 | Cross-Site Request Forgery in SOPlanning | 01.06.2026 | |
| CVE-2026-40861 | Apache Airflow: Arbitrary File Read via Log Symlink following in FileTaskHandler | 01.06.2026 | |
| CVE-2026-40961 | Apache Airflow: Open Redirect Bypass Vulnerability | 01.06.2026 | |
| CVE-2026-40963 | Apache Airflow: DAG authorization bypass on /ui/structure/structure_data | 01.06.2026 | |
| CVE-2026-41014 | Apache Airflow: per-DAG RBAC bypass on /ui/partitioned_dag_runs endpoints | 01.06.2026 | |
| CVE-2026-41017 | Apache Airflow: JWT cookie missing Secure flag in JWTRefreshMiddleware behind HTTPS-terminating proxy | 01.06.2026 | |
| CVE-2026-41084 | Apache Airflow: API authorization bypass: bulk TaskInstances allows cross-DAG mutation | 01.06.2026 | |
| CVE-2026-42252 | Apache Airflow: BashOperator Jinja2 injection via dag_run.conf — low-privilege user pattern | 01.06.2026 | |
| CVE-2026-42253 | Apache ActiveMQ, Apache ActiveMQ Web: HTTP Response Header Injection via JMS Message Properties | 01.06.2026 | |
| CVE-2026-42358 | Apache Airflow: Variable masker depth-limit bypass returns cleartext nested secrets | 01.06.2026 | |
| CVE-2026-42359 | Apache Airflow: Authenticated RCE via XCom PATCH endpoint — XComUpdateBody missing FORBIDDEN_XCOM_KEYS validator | 01.06.2026 | |
| CVE-2026-42360 | Apache Airflow: Rendered template truncation bypasses nested sensitive-key masking | 01.06.2026 | |
| CVE-2026-42588 | Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Remote Code Execution via Jolokia addNetworkConnector | 01.06.2026 | |
| CVE-2026-44825 | Apache Solr: Enabling BasicAuth using bin/solr CLI configures additional insecure users | 01.06.2026 | |
| CVE-2026-45360 | Apache Airflow: Arbitrary import in custom deadline-reference deserialization | 01.06.2026 | |
| CVE-2026-45426 | Apache Airflow: Log server JWT authorization bypass via Python lstrip() character stripping allows cross-Dag log access | 01.06.2026 | |
| CVE-2026-45505 | Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Jolokia `addNetworkConnector` Discovery Wrapper Bypass | 01.06.2026 | |
| CVE-2026-46605 | Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incomplete authorization during destination removal | 01.06.2026 | |
| CVE-2026-46764 | Apache Airflow: Event Log detail endpoint bypasses DAG-scoped event log permission filter | 01.06.2026 | |
| CVE-2026-48726 | Apache Airflow: revoke_token() unreachable in FabAuthManager / KeycloakAuthManager logout path | 01.06.2026 | |
| CVE-2026-48827 | Apache MINA SSHD: Path traversal in org.apache.sshd:sshd-git | 01.06.2026 | 7.1 |
| CVE-2026-49157 | Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default | 01.06.2026 | |
| CVE-2026-49267 | Apache Airflow: No certificate validation on SMTP STARTTLS connections | 01.06.2026 | |
| CVE-2026-49270 | Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All: Durable Subscription Disclosure via Crafted BrokerInfo (OpenWire) | 01.06.2026 | |
| CVE-2026-49298 | Apache Airflow: JWT Token Exposure in KubernetesExecutor Command-Line Arguments | 01.06.2026 | |
| CVE-2026-49361 | Apache Fluss Netty Frame Decoder Memory Exhaustion Vulnerability | 01.06.2026 | |
| CVE-2026-7858 | Deserialization of Untrusted Data vulnerability affecting Teamwork Cloud from No Magic Release 2022x through No Magic Release 2026x and Magic Collaboration Studio from CATIA Magic Release 2022x through CATIA Magic Release 2026x | 01.06.2026 | 9.8 |
| CVE-2026-8474 | Possible to run a Cross Site Scripting request on the login API available on Stormshield SNS appliances | 01.06.2026 | 5.3 |
| CVE-2026-9024 | Stored Cross-site Scripting (XSS) vulnerability affecting Process Experience Studio in DELMIA Service Process Engineer from Release 3DEXPERIENCE R2024x through Release 3DEXPERIENCE R2026x | 01.06.2026 | 8.7 |
| CVE-2026-10228 | raisulislamg4 student_management_system_by_php admission_form_check.php cross site scripting | 01.06.2026 | |
| CVE-2026-10229 | Assimp Half-Life 1 MDL Loader HL1MDLLoader.cpp read_meshes heap-based overflow | 01.06.2026 | |
| CVE-2026-10230 | Assimp Half-Life 1 MDL Loader HL1MDLLoader.cpp read_animations heap-based overflow | 01.06.2026 | |
| CVE-2026-10231 | Assimp Half-Life 1 MDL Loader HL1MDLLoader.cpp extract_anim_value heap-based overflow | 01.06.2026 | |
| CVE-2026-10232 | Assimp ASE File scene.cpp ~aiNode use after free | 01.06.2026 | |
| CVE-2026-10233 | Assimp Half-Life 1 MDL Loader HL1MDLLoader.cpp read_sequence_infos out-of-bounds | 01.06.2026 | |
| CVE-2026-10234 | Mettle sendportal Campaign webview cross site scripting | 01.06.2026 | |
| CVE-2026-10235 | CodeAstro Ingredients Stock Management System stock_manager.php sql injection | 01.06.2026 | |
| CVE-2026-35563 | Apache Directory LDAP API: LDAP client implementation does not verify if the server certificate matches the intended LDAP hostname | 01.06.2026 | |
| CVE-2026-45192 | Apache Airflow: Incomplete Redaction of Sensitive Fields in Connection Extra API Response | 01.06.2026 | |
| CVE-2026-10222 | NousResearch hermes-agent config.py _sanitize_env_lines injection | 01.06.2026 | |
| CVE-2026-10223 | NousResearch hermes-agent memory_tool.py _scan_memory_content injection | 01.06.2026 | |
| CVE-2026-10224 | NousResearch hermes-agent Webhook Endpoint feishu.py _handle_webhook_request resource consumption | 01.06.2026 | |
| CVE-2026-10225 | raisulislamg4 student_management_system_by_php Login login_check.php sql injection | 01.06.2026 | |
| CVE-2026-10226 | raisulislamg4 student_management_system_by_php delete.php sql injection | 01.06.2026 | |
| CVE-2026-10227 | raisulislamg4 student_management_system_by_php User Creation add_user_check.php sql injection | 01.06.2026 | |
| CVE-2026-10216 | unitedbyai droidclaw claim Endpoint pairing.ts excessive authentication | 01.06.2026 | |
| CVE-2026-10217 | nextlevelbuilder GoClaw RoleAdmin Gateway tts_config.go handleSave privileges management | 01.06.2026 | |
| CVE-2026-10218 | nextlevelbuilder GoClaw evolution_handlers.go auth improper authorization | 01.06.2026 | |
| CVE-2026-10219 | nextlevelbuilder GoClaw write_file Tool fsbridge.go FsBridge.WriteFile os command injection | 01.06.2026 | |
| CVE-2026-10220 | NousResearch hermes-agent skills_tool.py skill_view injection | 01.06.2026 | |
| CVE-2026-10221 | NousResearch hermes-agent run_agent.py _compress_context injection | 01.06.2026 | |
| CVE-2026-20452 | | 01.06.2026 | |
| CVE-2026-20453 | | 01.06.2026 | |
| CVE-2026-20454 | | 01.06.2026 | |
| CVE-2026-20455 | | 01.06.2026 | |
| CVE-2026-20456 | | 01.06.2026 | |
| CVE-2026-48187 | Email with special content can lead to DoS | 01.06.2026 | 5.7 |
| CVE-2026-48188 | SQL Injection via MySQL Quote Method | 01.06.2026 | 9.1 |
| CVE-2026-48189 | Bypass DedicatedAgentToCustomerGroups Setting | 01.06.2026 | 5.7 |
| CVE-2026-48190 | Incorrect handling of permissions in External Interface Config Item List module | 01.06.2026 | 3.5 |
| CVE-2026-48191 | Wrong Permission Handling in Document Search Article Meta Filters | 01.06.2026 | 3.5 |
| CVE-2026-48208 | Denial-of-Service via SVG Rendering in Ticket | 01.06.2026 | 6.5 |
| CVE-2026-48209 | Reflected XSS in authenticated agent context | 01.06.2026 | 7.1 |
| CVE-2026-10212 | AstrBotDevs AstrBot astr_main_agent.py astr_main_agent authorization | 01.06.2026 | |
| CVE-2026-10213 | AstrBotDevs AstrBot API Endpoint delete path traversal | 01.06.2026 | |
| CVE-2026-10214 | zhayujie chatgpt-on-wechat Bash Tool bash.py _get_safety_warning os command injection | 01.06.2026 | |
| CVE-2026-10215 | Dolibarr ERP CRM Leave Request REST API api_holidays.class.php checkUserAccessToObject improper authorization | 01.06.2026 | |
| CVE-2026-10208 | code-projects Online Hospital Management System login_1.php login_user sql injection | 01.06.2026 | |
| CVE-2026-10209 | code-projects Online Hospital Management System Appointment appointmentdetail.php sql injection | 01.06.2026 | |
| CVE-2026-10210 | AstrBotDevs AstrBot skill_manager.py _sanitize_prompt_description injection | 01.06.2026 | |
| CVE-2026-10211 | AstrBotDevs AstrBot fs.py _normalize_rw_path authorization | 01.06.2026 | |
| CVE-2026-10205 | Metasoft 美特软件 MetaCRM upload.jsp unrestricted upload | 01.06.2026 | |
| CVE-2026-10206 | D-Link DI-8400 dbsrv.asp stack-based overflow | 01.06.2026 | |
| CVE-2026-10203 | OFCMS JSON Query SystemParamController.java query sql injection | 01.06.2026 | |
| CVE-2026-10204 | OFCMS JSON Query SysUserController.java query sql injection | 31.05.2026 | |
| CVE-2026-10201 | Assimp UV Channel FBXExporter.cpp WriteObjects divide by zero | 31.05.2026 | |
| CVE-2026-10202 | OFCMS JSON Query SystemDictController.java query sql injection | 31.05.2026 | |
| CVE-2026-10200 | Assimp 4x4 Matrix glTFCommon.h CopyValue heap-based overflow | 01.06.2026 | |
| CVE-2026-10198 | Assimp glTFImporter glTFImporter.cpp ImportMeshes null pointer dereference | 31.05.2026 | |
| CVE-2026-10199 | Assimp glTF2Asset.h LazyDict null pointer dereference | 31.05.2026 | |
| CVE-2026-10197 | Assimp TF File glTF2Importer.cpp ImportEmbeddedTextures null pointer dereference | 01.06.2026 | |
| CVE-2026-48210 | Possible information disclosure via External Interface | 01.06.2026 | 5.7 |
| CVE-2026-8796 | Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input | 01.06.2026 | |
| CVE-2026-10194 | OFFIS DCMTK dcmqrscp dcmqrdbi.cc deleteOldestImages heap-based overflow | 31.05.2026 | |