| CVE-2025-70103 |
|
27.05.2026 |
|
| CVE-2026-1248 |
IBM Business Automation Workflow information leak |
27.05.2026 |
|
| CVE-2026-30498 |
|
27.05.2026 |
|
| CVE-2026-31266 |
|
27.05.2026 |
|
| CVE-2026-37711 |
|
27.05.2026 |
|
| CVE-2026-37712 |
|
27.05.2026 |
|
| CVE-2026-37713 |
|
27.05.2026 |
|
| CVE-2026-42184 |
Tauri: Origin Confusion Allows Remote Pages to Invoke Local-Only IPC Commands |
27.05.2026 |
|
| CVE-2026-42280 |
Improper Permission Checking in Auth.js SDK |
27.05.2026 |
7.1 |
| CVE-2026-44830 |
Empty API_TOKEN disables authentication on network-reachable HTTP/SSE transport |
27.05.2026 |
|
| CVE-2026-44838 |
RabbitMQ MQTT Topic Permission Authorization Bypass |
27.05.2026 |
|
| CVE-2026-44839 |
RabbitMQ: Unsanitized vhost names allow for XSS in management UI |
27.05.2026 |
|
| CVE-2026-44902 |
opentelemetry-js: Prometheus exporter process crash via malformed HTTP request |
27.05.2026 |
7.5 |
| CVE-2026-44971 |
GuardDog: Blind GitHub URL rewrite in remote project scanning causes SSRF and `GH_TOKEN` exfiltration |
27.05.2026 |
8.2 |
| CVE-2026-44972 |
GuardDog: Unsanitized human-readable scan output allows terminal escape injection from malicious package content |
27.05.2026 |
5 |
| CVE-2026-44988 |
LibVNCClient Tight Gradient decoding allows malicious server-triggered heap/stack OOB writes |
27.05.2026 |
8.8 |
| CVE-2026-45022 |
go-git: Improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git |
27.05.2026 |
|
| CVE-2026-45570 |
go-git: Improper single-quote escaping in go-git SSH transport |
27.05.2026 |
|
| CVE-2026-45571 |
go-git: Crafted repositories may modify main and submodule .git directories |
27.05.2026 |
5.4 |
| CVE-2026-47118 |
Agent Zero < 1.15 Path Traversal File Read via image_get API |
27.05.2026 |
|
| CVE-2026-47119 |
Agent Zero < 1.15 Stored XSS via image_get API Endpoint |
27.05.2026 |
|
| CVE-2026-48544 |
Taipy 4.1.1 Path Traversal via ElementLibrary.get_resource() |
27.05.2026 |
|
| CVE-2026-48545 |
Gradio < 6.15.0 Cookie Injection via Shared Proxy Client |
27.05.2026 |
|
| CVE-2026-48916 |
|
27.05.2026 |
|
| CVE-2026-48917 |
|
27.05.2026 |
|
| CVE-2026-48918 |
|
27.05.2026 |
|
| CVE-2026-48919 |
|
27.05.2026 |
|
| CVE-2026-48920 |
|
27.05.2026 |
|
| CVE-2026-48921 |
|
27.05.2026 |
|
| CVE-2026-48922 |
|
27.05.2026 |
|
| CVE-2026-48923 |
|
27.05.2026 |
|
| CVE-2026-48924 |
|
27.05.2026 |
|
| CVE-2026-48925 |
|
27.05.2026 |
|
| CVE-2026-48926 |
|
27.05.2026 |
|
| CVE-2026-48927 |
|
27.05.2026 |
|
| CVE-2026-48973 |
WordPress SVG Support plugin <= 2.5.14 - Broken Access Control vulnerability |
27.05.2026 |
4.3 |
| CVE-2026-49044 |
WordPress Advanced Custom Fields: Font Awesome Field plugin <= 5.0.2 - Cross Site Scripting (XSS) vulnerability |
27.05.2026 |
6.5 |
| CVE-2026-49045 |
WordPress Adminimize plugin <= 1.11.11 - Broken Access Control vulnerability |
27.05.2026 |
4.3 |
| CVE-2026-49046 |
WordPress Duplicate Page and Post plugin <= 2.9.5 - SQL Injection vulnerability |
27.05.2026 |
8.5 |
| CVE-2026-49047 |
WordPress DearFlip plugin <= 2.4.27 - Broken Access Control vulnerability |
27.05.2026 |
4.3 |
| CVE-2026-49051 |
WordPress WP Meta and Date Remover plugin <= 2.3.6 - Broken Access Control vulnerability |
27.05.2026 |
4.3 |
| CVE-2026-49052 |
WordPress ElementsKit Elementor addons Lite plugin <= 3.9.6 - Broken Access Control vulnerability |
27.05.2026 |
4.3 |
| CVE-2026-49053 |
WordPress ElementsKit Elementor addons Lite plugin <= 3.9.6 - Broken Access Control vulnerability |
27.05.2026 |
5.3 |
| CVE-2026-49059 |
WordPress Facebook for WooCommerce plugin <= 3.7.0 - Open Redirection vulnerability |
27.05.2026 |
4.7 |
| CVE-2026-49102 |
|
27.05.2026 |
6.1 |
| CVE-2026-49103 |
|
27.05.2026 |
|
| CVE-2026-6957 |
Path traversal in Mattermost Legal Hold plugin via unsanitized file name from federated peer allows arbitrary file write. |
27.05.2026 |
8 |
| CVE-2026-9674 |
|
27.05.2026 |
|
| CVE-2026-9712 |
Insecure direct object reference |
27.05.2026 |
|
| CVE-2024-28765 |
Security vulnerability was found in IBM Security Directory Integrator |
27.05.2026 |
5.3 |
| CVE-2024-40684 |
IBM Operations Analytics - Log Analysis is affected by Weak Password Policy and Inadequate Account Lockout Mechanism |
27.05.2026 |
5.9 |
| CVE-2024-56462 |
IBM QRadar SIEM is vulnerable to using components with known vulnerabilities |
27.05.2026 |
7.2 |
| CVE-2025-3633 |
IBM Cognos Analytics is affected by multiple security vulnerabilities |
27.05.2026 |
5.4 |
| CVE-2025-71303 |
accel/amdxdna: Fix race condition when checking rpm_on |
27.05.2026 |
|
| CVE-2025-71304 |
smack: /smack/doi: accept previously used values |
27.05.2026 |
|
| CVE-2025-71305 |
drm/display/dp_mst: Add protection against 0 vcpi |
27.05.2026 |
|
| CVE-2025-71306 |
ima: Fix stack-out-of-bounds in is_bprm_creds_for_exec() |
27.05.2026 |
|
| CVE-2025-71307 |
drm/panthor: Fix NULL pointer dereference on panthor_fw_unplug |
27.05.2026 |
|
| CVE-2025-71308 |
accel/amdxdna: Fix potential NULL pointer dereference in context cleanup |
27.05.2026 |
|
| CVE-2025-71309 |
fs/ntfs3: fix deadlock in ni_read_folio_cmpr |
27.05.2026 |
|
| CVE-2025-71311 |
fs/ntfs3: Initialize new folios before use |
27.05.2026 |
|
| CVE-2025-71312 |
fs/ntfs3: fix ntfs_mount_options leak in ntfs_fill_super() |
27.05.2026 |
|
| CVE-2026-1718 |
IBM® Db2® is vulnerable to a denial of service with a specially crafted query when running an AUTONOMOUS procedure |
27.05.2026 |
7.1 |
| CVE-2026-1933 |
Samba: missing access check on reparse point operations |
27.05.2026 |
|
| CVE-2026-23679 |
libusb < 1.0.30 NULL Pointer Dereference in parse_interface() |
27.05.2026 |
|
| CVE-2026-2340 |
Samba: vfs_worm does not block directory modification |
27.05.2026 |
|
| CVE-2026-2607 |
Multiple vulnerabilities in IBM MQ Operator and Queue manager container images |
27.05.2026 |
5.1 |
| CVE-2026-35087 |
Authentication Bypass in Slican telephone exchanges |
27.05.2026 |
|
| CVE-2026-35089 |
Use of Weak Credentials in Slican telephone exchanges |
27.05.2026 |
|
| CVE-2026-35090 |
Authentication Bypass in Slican telephone exchanges |
27.05.2026 |
|
| CVE-2026-36044 |
|
27.05.2026 |
8.8 |
| CVE-2026-36045 |
|
27.05.2026 |
|
| CVE-2026-36538 |
|
27.05.2026 |
|
| CVE-2026-36539 |
|
27.05.2026 |
|
| CVE-2026-36540 |
|
27.05.2026 |
|
| CVE-2026-38422 |
|
27.05.2026 |
|
| CVE-2026-38426 |
|
27.05.2026 |
|
| CVE-2026-38427 |
|
27.05.2026 |
|
| CVE-2026-3366 |
InfoSphere Optim Test Data Fabrication is affected by Arbitrary File Read |
27.05.2026 |
7.5 |
| CVE-2026-3623 |
Vulnerabilities exist in IBM Netezza Performance Server Replication Services |
27.05.2026 |
7.8 |
| CVE-2026-3676 |
There are multiple vulnerabilities in IBM DB2 bundled with IBM Application Performance Management products. |
27.05.2026 |
6.5 |
| CVE-2026-42789 |
Non-CA certificate accepted as intermediate issuer in public_key path validation |
27.05.2026 |
|
| CVE-2026-42791 |
OCSP responder certificate validity period not checked in public_key |
27.05.2026 |
|
| CVE-2026-45847 |
net: remove WARN_ON_ONCE when accessing forward path array |
27.05.2026 |
|
| CVE-2026-45848 |
apparmor: fix NULL sock in aa_sock_file_perm |
27.05.2026 |
|
| CVE-2026-45849 |
net: mscc: ocelot: add missing lock protection in ocelot_port_xmit_inj() |
27.05.2026 |
|
| CVE-2026-45850 |
ipvs: skip ipv6 extension headers for csum checks |
27.05.2026 |
|
| CVE-2026-45851 |
efi: Fix reservation of unaccepted memory table |
27.05.2026 |
|
| CVE-2026-45852 |
RDMA/rxe: Fix double free in rxe_srq_from_init |
27.05.2026 |
|
| CVE-2026-45853 |
drm/amdgpu: Use kvfree instead of kfree in amdgpu_gmc_get_nps_memranges() |
27.05.2026 |
|
| CVE-2026-45854 |
crypto: inside-secure/eip93 - unregister only available algorithm |
27.05.2026 |
|
| CVE-2026-45855 |
ata: libata-scsi: avoid Non-NCQ command starvation |
27.05.2026 |
|
| CVE-2026-45856 |
RDMA/uverbs: Validate wqe_size before using it in ib_uverbs_post_send |
27.05.2026 |
|
| CVE-2026-45857 |
scsi: csiostor: Fix dereference of null pointer rn |
27.05.2026 |
|
| CVE-2026-45858 |
ext4: don't zero the entire extent if EXT4_EXT_DATA_PARTIAL_VALID1 |
27.05.2026 |
|
| CVE-2026-45859 |
netfilter: nfnetlink_queue: do shared-unconfirmed check before segmentation |
27.05.2026 |
|
| CVE-2026-45860 |
netfilter: nf_conncount: increase the connection clean up limit to 64 |
27.05.2026 |
|
| CVE-2026-45861 |
gfs2: Fix slab-use-after-free in qd_put |
27.05.2026 |
|
| CVE-2026-45862 |
iommu/vt-d: Flush cache for PASID table before using it |
27.05.2026 |
|
| CVE-2026-45863 |
i3c: dw: Fix memory leak in dw_i3c_master_i2c_xfers() |
27.05.2026 |
|
| CVE-2026-45864 |
fs/ntfs3: prevent infinite loops caused by the next valid being the same |
27.05.2026 |
|
| CVE-2026-45865 |
mctp i2c: initialise event handler read bytes |
27.05.2026 |
|
| CVE-2026-45866 |
serial: caif: fix use-after-free in caif_serial ldisc_close() |
27.05.2026 |
|
| CVE-2026-45867 |
power: supply: act8945a: Fix use-after-free in power_supply_changed() |
27.05.2026 |
|
| CVE-2026-45868 |
pinctrl: single: fix refcount leak in pcs_add_gpio_func() |
27.05.2026 |
|
| CVE-2026-45869 |
power: supply: wm97xx: Fix NULL pointer dereference in power_supply_changed() |
27.05.2026 |
|
| CVE-2026-45870 |
SUNRPC: auth_gss: fix memory leaks in XDR decoding error paths |
27.05.2026 |
|
| CVE-2026-45871 |
tpm: st33zp24: Fix missing cleanup on get_burstcount() error |
27.05.2026 |
|
| CVE-2026-45872 |
scsi: smartpqi: Fix memory leak in pqi_report_phys_luns() |
27.05.2026 |
|
| CVE-2026-45873 |
netfilter: nft_set_rbtree: check for partial overlaps in anonymous sets |
27.05.2026 |
|
| CVE-2026-45874 |
phy: freescale: imx8qm-hsio: fix NULL pointer dereference |
27.05.2026 |
|
| CVE-2026-45875 |
mfd: arizona: Fix regulator resource leak on wm5102_clear_write_sequencer() failure |
27.05.2026 |
|
| CVE-2026-45876 |
arm64/gcs: Fix error handling in arch_set_shadow_stack_status() |
27.05.2026 |
|
| CVE-2026-45877 |
HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients |
27.05.2026 |
|
| CVE-2026-45878 |
drm/amdkfd: Fix watch_id bounds checking in debug address watch v2 |
27.05.2026 |
|
| CVE-2026-45879 |
power: supply: bq25980: Fix use-after-free in power_supply_changed() |
27.05.2026 |
|
| CVE-2026-45880 |
PCI/P2PDMA: Release per-CPU pgmap ref when vm_insert_page() fails |
27.05.2026 |
|
| CVE-2026-45881 |
soc: mediatek: svs: Fix memory leak in svs_enable_debug_write() |
27.05.2026 |
|
| CVE-2026-45882 |
power: supply: pm8916_bms_vm: Fix use-after-free in power_supply_changed() |
27.05.2026 |
|
| CVE-2026-45883 |
iio: sca3000: Fix a resource leak in sca3000_probe() |
27.05.2026 |
|
| CVE-2026-45884 |
apparmor: avoid per-cpu hold underflow in aa_get_buffer |
27.05.2026 |
|
| CVE-2026-45885 |
power: supply: cpcap-battery: Fix use-after-free in power_supply_changed() |
27.05.2026 |
|
| CVE-2026-45886 |
bpf: Fix bpf_xdp_store_bytes proto for read-only arg |
27.05.2026 |
|
| CVE-2026-45887 |
af_unix: Fix memleak of newsk in unix_stream_connect(). |
27.05.2026 |
|
| CVE-2026-45888 |
md/raid1: fix memory leak in raid1_run() |
27.05.2026 |
|
| CVE-2026-45889 |
mptcp: do not account for OoO in mptcp_rcvbuf_grow() |
27.05.2026 |
|
| CVE-2026-45890 |
xen-netback: reject zero-queue configuration from guest |
27.05.2026 |
|
| CVE-2026-45891 |
net: hns3: fix double free issue for tx spare buffer |
27.05.2026 |
|
| CVE-2026-45892 |
ext4: drop extent cache after doing PARTIAL_VALID1 zeroout |
27.05.2026 |
|
| CVE-2026-45893 |
apparmor: Fix & Optimize table creation from possibly unaligned memory |
27.05.2026 |
|
| CVE-2026-45894 |
iommu/vt-d: Clear Present bit before tearing down PASID entry |
27.05.2026 |
|
| CVE-2026-45895 |
quota: fix livelock between quotactl and freeze_super |
27.05.2026 |
|
| CVE-2026-45896 |
mtd: intel-dg: Fix accessing regions before setting nregions |
27.05.2026 |
|
| CVE-2026-45897 |
netfilter: nft_counter: serialize reset with spinlock |
27.05.2026 |
|
| CVE-2026-45898 |
RDMA/iwcm: Fix workqueue list corruption by removing work_list |
27.05.2026 |
|
| CVE-2026-45899 |
ext4: drop extent cache when splitting extent fails |
27.05.2026 |
|
| CVE-2026-45900 |
crypto: caam - fix netdev memory leak in dpaa2_caam_probe |
27.05.2026 |
|
| CVE-2026-45901 |
netfilter: nf_tables: revert commit_mutex usage in reset path |
27.05.2026 |
|
| CVE-2026-45902 |
power: supply: bq256xx: Fix use-after-free in power_supply_changed() |
27.05.2026 |
|
| CVE-2026-45903 |
bpf: Fix memory access flags in helper prototypes |
27.05.2026 |
|
| CVE-2026-45904 |
powerpc/eeh: fix recursive pci_lock_rescan_remove locking in EEH event handling |
27.05.2026 |
|
| CVE-2026-45905 |
xfrm: fix ip_rt_bug race in icmp_route_lookup reverse path |
27.05.2026 |
|
| CVE-2026-45906 |
power: supply: pf1550: Fix use-after-free in power_supply_changed() |
27.05.2026 |
|
| CVE-2026-45907 |
net/mlx5e: Fix deadlocks between devlink and netdev instance locks |
27.05.2026 |
|
| CVE-2026-45908 |
accel/amdxdna: Fix memory leak in amdxdna_ubuf_map |
27.05.2026 |
|
| CVE-2026-45909 |
clk: mediatek: Drop __initconst from gates |
27.05.2026 |
|
| CVE-2026-45910 |
RDMA/rxe: Fix race condition in QP timer handlers |
27.05.2026 |
|
| CVE-2026-45911 |
usb: cdns3: fix role switching during resume |
27.05.2026 |
|
| CVE-2026-45912 |
ext4: don't cache extent during splitting extent |
27.05.2026 |
|
| CVE-2026-45913 |
net: bridge: mcast: always update mdb_n_entries for vlan contexts |
27.05.2026 |
|
| CVE-2026-45914 |
Revert "hwmon: (ibmpex) fix use-after-free in high/low store" |
27.05.2026 |
|
| CVE-2026-45915 |
fat: avoid parent link count underflow in rmdir |
27.05.2026 |
|
| CVE-2026-45916 |
power: supply: sbs-battery: Fix use-after-free in power_supply_changed() |
27.05.2026 |
|
| CVE-2026-45917 |
ipvs: do not keep dest_dst if dev is going down |
27.05.2026 |
|
| CVE-2026-45918 |
ovpn: tcp - don't deref NULL sk_socket member after tcp_close() |
27.05.2026 |
|
| CVE-2026-45919 |
sched/rt: Skip currently executing CPU in rto_next_cpu() |
27.05.2026 |
|
| CVE-2026-45920 |
ext4: fix dirtyclusters double decrement on fs shutdown |
27.05.2026 |
|
| CVE-2026-45921 |
mtd: parsers: Fix memory leak in mtd_parser_tplink_safeloader_parse() |
27.05.2026 |
|
| CVE-2026-45922 |
RDMA/mlx5: Fix memory leak in GET_DATA_DIRECT_SYSFS_PATH handler |
27.05.2026 |
|
| CVE-2026-45923 |
net: usb: catc: enable basic endpoint checking |
27.05.2026 |
|
| CVE-2026-45924 |
ksmbd: call ksmbd_vfs_kern_path_end_removing() on some error paths |
27.05.2026 |
|
| CVE-2026-45925 |
thermal/of: Fix reference leak in thermal_of_cm_lookup() |
27.05.2026 |
|
| CVE-2026-45926 |
rust: pwm: Fix potential memory leak on init error |
27.05.2026 |
|
| CVE-2026-45927 |
bpf: Require frozen map for calculating map hash |
27.05.2026 |
|
| CVE-2026-45928 |
media: chips-media: wave5: Fix memory leak on codec_info allocation failure |
27.05.2026 |
|
| CVE-2026-45929 |
ovpn: fix possible use-after-free in ovpn_net_xmit |
27.05.2026 |
|
| CVE-2026-45930 |
net: mctp: ensure our nlmsg responses are initialised |
27.05.2026 |
|
| CVE-2026-45931 |
accel/amdxdna: Hold mm structure across iommu_sva_unbind_device() |
27.05.2026 |
|
| CVE-2026-45932 |
bpf: Fix tcx/netkit detach permissions when prog fd isn't given |
27.05.2026 |
|
| CVE-2026-45933 |
bpf: Preserve id of register in sync_linked_regs() |
27.05.2026 |
|
| CVE-2026-45934 |
btrfs: fix EEXIST abort due to non-consecutive gaps in chunk allocation |
27.05.2026 |
|
| CVE-2026-45935 |
fs/ntfs3: Fix slab-out-of-bounds read in DeleteIndexEntryRoot |
27.05.2026 |
|
| CVE-2026-45936 |
power: supply: goldfish: Fix use-after-free in power_supply_changed() |
27.05.2026 |
|
| CVE-2026-45937 |
crypto: inside-secure/eip93 - fix kernel panic in driver detach |
27.05.2026 |
|
| CVE-2026-45938 |
power: supply: pm8916_lbc: Fix use-after-free in power_supply_changed() |
27.05.2026 |
|
| CVE-2026-45939 |
gpib: Fix memory leak in ni_usb_init() |
27.05.2026 |
|
| CVE-2026-45940 |
net: stmmac: fix oops when split header is enabled |
27.05.2026 |
|
| CVE-2026-45941 |
tpm: tpm_i2c_infineon: Fix locality leak on get_burstcount() failure |
27.05.2026 |
|
| CVE-2026-45942 |
ext4: fix e4b bitmap inconsistency reports |
27.05.2026 |
|
| CVE-2026-45943 |
erofs: fix inline data read failure for ztailpacking pclusters |
27.05.2026 |
|
| CVE-2026-45944 |
iommu/vt-d: Clear Present bit before tearing down context entry |
27.05.2026 |
|
| CVE-2026-45945 |
iommu/vt-d: Fix race condition during PASID entry replacement |
27.05.2026 |
|
| CVE-2026-45946 |
power: supply: ab8500: Fix use-after-free in power_supply_changed() |
27.05.2026 |
|
| CVE-2026-45947 |
drm/amdgpu: Fix memory leak in amdgpu_acpi_enumerate_xcc() |
27.05.2026 |
|
| CVE-2026-45948 |
ext4: fix memory leak in ext4_ext_shift_extents() |
27.05.2026 |
|
| CVE-2026-45949 |
hwrng: core - use RCU and work_struct to fix race condition |
27.05.2026 |
|
| CVE-2026-45950 |
crypto: starfive - Fix memory leak in starfive_aes_aead_do_one_req() |
27.05.2026 |
|
| CVE-2026-45951 |
bpf: Fix a potential use-after-free of BTF object |
27.05.2026 |
|
| CVE-2026-45952 |
eth: fbnic: Add validation for MTU changes |
27.05.2026 |
|
| CVE-2026-45953 |
md/raid5: fix IO hang with degraded array with llbitmap |
27.05.2026 |
|
| CVE-2026-45954 |
fbdev: au1200fb: Fix a memory leak in au1200fb_drv_probe() |
27.05.2026 |
|
| CVE-2026-45955 |
md/md-llbitmap: fix percpu_ref not resurrected on suspend timeout |
27.05.2026 |
|
| CVE-2026-45956 |
drm/exynos: vidi: use priv->vidi_dev for ctx lookup in vidi_connection_ioctl() |
27.05.2026 |
|
| CVE-2026-45957 |
rcu: Fix rcu_read_unlock() deadloop due to softirq |
27.05.2026 |
|
| CVE-2026-45958 |
drm/exynos: vidi: fix to avoid directly dereferencing user pointer |
27.05.2026 |
|
| CVE-2026-45959 |
crypto: ccp - Fix a crash due to incorrect cleanup usage of kfree |
27.05.2026 |
|
| CVE-2026-45960 |
hfsplus: return error when node already exists in hfs_bnode_create |
27.05.2026 |
|
| CVE-2026-45961 |
gfs2: fix memory leaks in gfs2_fill_super error path |
27.05.2026 |
|
| CVE-2026-45962 |
ublk: Validate SQE128 flag before accessing the cmd |
27.05.2026 |
|
| CVE-2026-45963 |
ASoC: nau8821: Cancel delayed work on component remove |
27.05.2026 |
|
| CVE-2026-45964 |
SUNRPC: fix gss_auth kref leak in gss_alloc_msg error path |
27.05.2026 |
|
| CVE-2026-45965 |
apparmor: fix invalid deref of rawdata when export_binary is unset |
27.05.2026 |
|
| CVE-2026-45966 |
apparmor: fix NULL pointer dereference in __unix_needs_revalidation |
27.05.2026 |
|
| CVE-2026-45967 |
bpf: Return proper address for non-zero offsets in insn array |
27.05.2026 |
|
| CVE-2026-45968 |
cpuidle: Skip governor when only one idle state is available |
27.05.2026 |
|
| CVE-2026-45969 |
HID: playstation: Add missing check for input_ff_create_memless |
27.05.2026 |
|
| CVE-2026-45970 |
bonding: alb: fix UAF in rlb_arp_recv during bond up/down |
27.05.2026 |
|
| CVE-2026-45971 |
bpf: Limit bpf program signature size |
27.05.2026 |
|
| CVE-2026-45972 |
smb: client: fix potential UAF and double free in smb2_open_file() |
27.05.2026 |
|
| CVE-2026-45973 |
RDMA/mlx5: Fix UMR hang in LAG error state unload |
27.05.2026 |
|
| CVE-2026-45974 |
btrfs: fix invalid leaf access in btrfs_quota_enable() if ref key not found |
27.05.2026 |
|
| CVE-2026-45975 |
ublk: use READ_ONCE() to read struct ublksrv_ctrl_cmd |
27.05.2026 |
|
| CVE-2026-45976 |
drm/amdgpu: Fix memory leak in amdgpu_ras_init() |
27.05.2026 |
|
| CVE-2026-45977 |
fbnic: close fw_log race between users and teardown |
27.05.2026 |
|
| CVE-2026-45978 |
staging: greybus: lights: avoid NULL deref |
27.05.2026 |
|
| CVE-2026-45979 |
drm/amdgpu: clean up the amdgpu_cs_parser_bos |
27.05.2026 |
|
| CVE-2026-45980 |
accel/amdxdna: Stop job scheduling across aie2_release_resource() |
27.05.2026 |
|
| CVE-2026-45981 |
s390/cio: Fix device lifecycle handling in css_alloc_subchannel() |
27.05.2026 |
|
| CVE-2026-45982 |
ACPICA: Fix NULL pointer dereference in acpi_ev_address_space_dispatch() |
27.05.2026 |
|
| CVE-2026-45983 |
nfsd: never defer requests during idmap lookup |
27.05.2026 |
|
| CVE-2026-45984 |
gfs2: Fix use-after-free in iomap inline data write path |
27.05.2026 |
|
| CVE-2026-45985 |
ext4: don't set EXT4_GET_BLOCKS_CONVERT when splitting before submitting I/O |
27.05.2026 |
|
| CVE-2026-45986 |
crypto: ccree - fix a memory leak in cc_mac_digest() |
27.05.2026 |
|
| CVE-2026-45987 |
KVM: nSVM: Sync interrupt shadow to cached vmcb12 after VMRUN of L2 |
27.05.2026 |
|
| CVE-2026-45988 |
rxrpc: Fix re-decryption of RESPONSE packets |
27.05.2026 |
|
| CVE-2026-45989 |
of: unittest: fix use-after-free in testdrv_probe() |
27.05.2026 |
|
| CVE-2026-45990 |
slub: fix data loss and overflow in krealloc() |
27.05.2026 |
|
| CVE-2026-45991 |
udf: fix partition descriptor append bookkeeping |
27.05.2026 |
|
| CVE-2026-45992 |
ALSA: caiaq: Fix potentially leftover ep1_in_urb at error path |
27.05.2026 |
|
| CVE-2026-45993 |
LoongArch: Add spectre boundry for syscall dispatch table |
27.05.2026 |
|
| CVE-2026-45994 |
ibmasm: fix OOB reads in command_file_write due to missing size checks |
27.05.2026 |
|
| CVE-2026-45995 |
io_uring/zcrx: fix user_struct uaf |
27.05.2026 |
|
| CVE-2026-45996 |
spi: imx: fix use-after-free on unbind |
27.05.2026 |
|
| CVE-2026-45997 |
scsi: sd: fix missing put_disk() when device_add(&disk_dev) fails |
27.05.2026 |
|
| CVE-2026-45998 |
rxrpc: Fix potential UAF after skb_unshare() failure |
27.05.2026 |
|
| CVE-2026-45999 |
erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap() |
27.05.2026 |
|
| CVE-2026-46000 |
rxrpc: Fix conn-level packet handling to unshare RESPONSE packets |
27.05.2026 |
|
| CVE-2026-46001 |
hwmon: (pt5161l) Fix bugs in pt5161l_read_block_data() |
27.05.2026 |
|
| CVE-2026-46002 |
ext2: reject inodes with zero i_nlink and valid mode in ext2_iget() |
27.05.2026 |
|
| CVE-2026-46003 |
net: qrtr: ns: Limit the total number of nodes |
27.05.2026 |
|
| CVE-2026-46004 |
ALSA: caiaq: Handle probe errors properly |
27.05.2026 |
|
| CVE-2026-46005 |
xfs: fix a resource leak in xfs_alloc_buftarg() |
27.05.2026 |
|
| CVE-2026-46006 |
drm/nouveau: fix u32 overflow in pushbuf reloc bounds check |
27.05.2026 |
|
| CVE-2026-46007 |
hwmon: (powerz) Avoid cacheline sharing for DMA buffer |
27.05.2026 |
|
| CVE-2026-46008 |
mm/damon/core: fix damos_walk() vs kdamond_fn() exit race |
27.05.2026 |
|
| CVE-2026-46009 |
PCI: endpoint: pci-epf-ntb: Remove duplicate resource teardown |
27.05.2026 |
|
| CVE-2026-46010 |
rxrpc: Fix error handling in rxgk_extract_token() |
27.05.2026 |
|
| CVE-2026-46011 |
media: mtk-jpeg: fix use-after-free in release path due to uncancelled work |
27.05.2026 |
|
| CVE-2026-46012 |
rxrpc: Fix memory leaks in rxkad_verify_response() |
27.05.2026 |
|
| CVE-2026-46013 |
mm/memfd_luo: fix physical address conversion in put_folios cleanup |
27.05.2026 |
|
| CVE-2026-46014 |
KVM: SVM: Add missing save/restore handling of LBR MSRs |
27.05.2026 |
|
| CVE-2026-46015 |
tcp: call sk_data_ready() after listener migration |
27.05.2026 |
|
| CVE-2026-46016 |
remoteproc: xlnx: Only access buffer information if IPI is buffered |
27.05.2026 |
|
| CVE-2026-46017 |
mm: fix deferred split queue races during migration |
27.05.2026 |
|
| CVE-2026-46018 |
ALSA: usb-audio: stop parsing UAC2 rates at MAX_NR_RATES |
27.05.2026 |
|
| CVE-2026-46019 |
crypto: atmel-aes - Fix 3-page memory leak in atmel_aes_buff_cleanup |
27.05.2026 |
|
| CVE-2026-46020 |
mm/damon/core: validate damos_quota_goal->nid for node_mem_{used,free}_bp |
27.05.2026 |
|
| CVE-2026-46021 |
thermal: core: Fix thermal zone governor cleanup issues |
27.05.2026 |
|
| CVE-2026-46022 |
misc: ibmasm: fix OOB MMIO read in ibmasm_handle_mouse_interrupt() |
27.05.2026 |
|
| CVE-2026-46023 |
dm mirror: fix integer overflow in create_dirty_log() |
27.05.2026 |
|
| CVE-2026-46024 |
libceph: Prevent potential null-ptr-deref in ceph_handle_auth_reply() |
27.05.2026 |
|
| CVE-2026-46025 |
mm/damon/core: fix damon_call() vs kdamond_fn() exit race |
27.05.2026 |
|
| CVE-2026-46026 |
net: qrtr: ns: Limit the maximum number of lookups |
27.05.2026 |
|
| CVE-2026-46027 |
net/smc: avoid early lgr access in smc_clc_wait_msg |
27.05.2026 |
|
| CVE-2026-46028 |
crypto: algif_aead - snapshot IV for async AEAD requests |
27.05.2026 |
|
| CVE-2026-46029 |
mm/slab: return NULL early from kmalloc_nolock() in NMI on UP |
27.05.2026 |
|
| CVE-2026-46030 |
EDAC/versalnet: Fix device_node leak in mc_probe() |
27.05.2026 |
|
| CVE-2026-46031 |
net: ks8851: Reinstate disabling of BHs around IRQ handler |
27.05.2026 |
|
| CVE-2026-46032 |
KVM: nSVM: Triple fault if restore host CR3 fails on nested #VMEXIT |
27.05.2026 |
|
| CVE-2026-46033 |
crypto: authencesn - reject short ahash digests during instance creation |
27.05.2026 |
|
| CVE-2026-46034 |
vfio/cdx: Fix NULL pointer dereference in interrupt trigger path |
27.05.2026 |
|
| CVE-2026-46035 |
mm/page_alloc: return NULL early from alloc_frozen_pages_nolock() in NMI on UP |
27.05.2026 |
|
| CVE-2026-46036 |
vfio/cdx: Serialize VFIO_DEVICE_SET_IRQS with a per-device mutex |
27.05.2026 |
|
| CVE-2026-46037 |
ipv4: icmp: validate reply type before using icmp_pointers |
27.05.2026 |
|
| CVE-2026-46038 |
net: qrtr: ns: Free the node during ctrl_cmd_bye() |
27.05.2026 |
|
| CVE-2026-46039 |
rxgk: Fix potential integer overflow in length check |
27.05.2026 |
|
| CVE-2026-46040 |
inotify: fix watch count leak when fsnotify_add_inode_mark_locked() fails |
27.05.2026 |
|
| CVE-2026-46041 |
greybus: gb-beagleplay: fix sleep in atomic context in hdlc_tx_frames() |
27.05.2026 |
|
| CVE-2026-46042 |
mm/mempolicy: fix memory leaks in weighted_interleave_auto_store() |
27.05.2026 |
|
| CVE-2026-46043 |
RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv |
27.05.2026 |
|
| CVE-2026-46044 |
ipmi:ssif: Clean up kthread on errors |
27.05.2026 |
|
| CVE-2026-46045 |
md/md-llbitmap: skip reading rdevs that are not in_sync |
27.05.2026 |
|
| CVE-2026-46046 |
ext4: fix missing brelse() in ext4_xattr_inode_dec_ref_all() |
27.05.2026 |
|
| CVE-2026-46047 |
net: qrtr: ns: Fix use-after-free in driver remove() |
27.05.2026 |
|
| CVE-2026-46048 |
ALSA: caiaq: fix usb_dev refcount leak on probe failure |
27.05.2026 |
|
| CVE-2026-46049 |
ALSA: ctxfi: Add fallback to default RSR for S/PDIF |
27.05.2026 |
|
| CVE-2026-46050 |
md/raid10: fix deadlock with check operation and nowait requests |
27.05.2026 |
|
| CVE-2026-46051 |
md/raid5: fix soft lockup in retry_aligned_read() |
27.05.2026 |
|
| CVE-2026-46052 |
ceph: only d_add() negative dentries when they are unhashed |
27.05.2026 |
|
| CVE-2026-46053 |
net: rds: fix MR cleanup on copy error |
27.05.2026 |
|
| CVE-2026-46054 |
selinux: fix overlayfs mmap() and mprotect() access checks |
27.05.2026 |
|
| CVE-2026-46055 |
apparmor: Fix string overrun due to missing termination |
27.05.2026 |
|
| CVE-2026-46056 |
Bluetooth: hci_event: fix potential UAF in SSP passkey handlers |
27.05.2026 |
|
| CVE-2026-46057 |
landlock: Fix LOG_SUBDOMAINS_OFF inheritance across fork() |
27.05.2026 |
|
| CVE-2026-46058 |
media: amphion: Fix race between m2m job_abort and device_run |
27.05.2026 |
|
| CVE-2026-46059 |
KVM: nSVM: Always use NextRIP as vmcb02's NextRIP after first L2 VMRUN |
27.05.2026 |
|
| CVE-2026-46060 |
crypto: qat - fix IRQ cleanup on 6xxx probe failure |
27.05.2026 |
|
| CVE-2026-46061 |
jbd2: fix deadlock in jbd2_journal_cancel_revoke() |
27.05.2026 |
|
| CVE-2026-46062 |
ntfs3: fix integer overflow in run_unpack() volume boundary check |
27.05.2026 |
|
| CVE-2026-46063 |
x86/shstk: Prevent deadlock during shstk sigreturn |
27.05.2026 |
|
| CVE-2026-46064 |
ibmasm: fix heap over-read in ibmasm_send_i2o_message() |
27.05.2026 |
|
| CVE-2026-46065 |
fbdev: defio: Disconnect deferred I/O from the lifetime of struct fb_info |
27.05.2026 |
|
| CVE-2026-46066 |
ceph: fix num_ops off-by-one when crypto allocation fails |
27.05.2026 |
|
| CVE-2026-46067 |
mm/damon/core: validate damos_quota_goal->nid for node_memcg_{used,free}_bp |
27.05.2026 |
|
| CVE-2026-46068 |
crypto: nx - fix bounce buffer leaks in nx842_crypto_{alloc,free}_ctx |
27.05.2026 |
|
| CVE-2026-46069 |
wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup() |
27.05.2026 |
|
| CVE-2026-46070 |
md/raid5: validate payload size before accessing journal metadata |
27.05.2026 |
|
| CVE-2026-46071 |
KVM: nSVM: Avoid clearing VMCB_LBR in vmcb12 |
27.05.2026 |
|
| CVE-2026-46072 |
ntfs3: add buffer boundary checks to run_unpack() |
27.05.2026 |
|
| CVE-2026-46073 |
hwmon: (powerz) Fix missing usb_kill_urb() on signal interrupt |
27.05.2026 |
|
| CVE-2026-46074 |
spi: ch341: fix memory leaks on probe failures |
27.05.2026 |
|
| CVE-2026-46075 |
crypto: atmel-sha204a - Fix potential UAF and memory leak in remove path |
27.05.2026 |
|
| CVE-2026-46076 |
KVM: nSVM: Raise #UD if unhandled VMMCALL isn't intercepted by L1 |
27.05.2026 |
|
| CVE-2026-46077 |
crypto: atmel-tdes - fix DMA sync direction |
27.05.2026 |
|
| CVE-2026-46078 |
erofs: fix the out-of-bounds nameoff handling for trailing dirents |
27.05.2026 |
|
| CVE-2026-46079 |
rbd: fix null-ptr-deref when device_add_disk() fails |
27.05.2026 |
|
| CVE-2026-46080 |
ocfs2: split transactions in dio completion to avoid credit exhaustion |
27.05.2026 |
|
| CVE-2026-46081 |
crypto: acomp - fix wrong pointer stored by acomp_save_req() |
27.05.2026 |
|
| CVE-2026-46082 |
KVM: SVM: Inject #UD for INVLPGA if EFER.SVME=0 |
27.05.2026 |
|
| CVE-2026-46083 |
spi: fix resource leaks on device setup failure |
27.05.2026 |
|
| CVE-2026-46084 |
RDMA/mana_ib: Disable RX steering on RSS QP destroy |
27.05.2026 |
|
| CVE-2026-46085 |
rxrpc: Fix rxkad crypto unalignment handling |
27.05.2026 |
|
| CVE-2026-46086 |
net: bridge: use a stable FDB dst snapshot in RCU readers |
27.05.2026 |
|
| CVE-2026-46087 |
mm/damon/stat: fix memory leak on damon_start() failure in damon_stat_start() |
27.05.2026 |
|
| CVE-2026-46088 |
ALSA: control: Validate buf_len before strnlen() in snd_ctl_elem_init_enum_names() |
27.05.2026 |
|
| CVE-2026-46089 |
zram: do not forget to endio for partial discard requests |
27.05.2026 |
|
| CVE-2026-46090 |
ALSA: aloop: Fix peer runtime UAF during format-change stop |
27.05.2026 |
|
| CVE-2026-46091 |
media: rc: igorplugusb: heed coherency rules |
27.05.2026 |
|
| CVE-2026-46092 |
wifi: rtw88: check for PCI upstream bridge existence |
27.05.2026 |
|
| CVE-2026-46093 |
mm/vmalloc: take vmap_purge_lock in shrinker |
27.05.2026 |
|
| CVE-2026-46094 |
ext4: fix bounds check in check_xattrs() to prevent out-of-bounds access |
27.05.2026 |
|
| CVE-2026-46095 |
md/md-llbitmap: raise barrier before state machine transition |
27.05.2026 |
|
| CVE-2026-46096 |
tpm2-sessions: Fix missing tpm_buf_destroy() in tpm2_read_public() |
27.05.2026 |
|
| CVE-2026-46097 |
Input: edt-ft5x06 - fix use-after-free in debugfs teardown |
27.05.2026 |
|
| CVE-2026-46098 |
net: caif: clear client service pointer on teardown |
27.05.2026 |
|
| CVE-2026-46099 |
net: ipv6: fix NOREF dst use in seg6 and rpl lwtunnels |
27.05.2026 |
|
| CVE-2026-46100 |
fs: afs: revert mmap_prepare() change |
27.05.2026 |
|
| CVE-2026-46101 |
netfilter: reject zero shift in nft_bitwise |
27.05.2026 |
|
| CVE-2026-46102 |
net: strparser: fix skb_head leak in strp_abort_strp() |
27.05.2026 |
|
| CVE-2026-46103 |
can: ucan: fix devres lifetime |
27.05.2026 |
|
| CVE-2026-47104 |
libusb < 1.0.30 Out-of-Bounds Read in parse_iad_array() |
27.05.2026 |
|
| CVE-2026-48971 |
WordPress Product Import Export for WooCommerce plugin <= 2.5.6 - Broken Access Control vulnerability |
27.05.2026 |
4.3 |
| CVE-2026-48972 |
WordPress SeedProd Pro plugin < 6.19.5 - Local File Inclusion vulnerability |
27.05.2026 |
7.5 |
| CVE-2026-4410 |
IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by a denial of service |
27.05.2026 |
4.8 |
| CVE-2026-5065 |
IBM Controller is affected by vulnerabilities |
27.05.2026 |
8.8 |
| CVE-2026-5515 |
IBM App Connect Enterprise is vulnerable to a confidential disclosure |
27.05.2026 |
5.5 |
| CVE-2026-5516 |
IBM WebSphere Application Server Liberty is affected by a security bypass vulnerability |
27.05.2026 |
4.4 |
| CVE-2026-6051 |
IBM® Db2® is vulnerable to a denial of service when executing a specially crafted query with a small statement heap |
27.05.2026 |
5.5 |
| CVE-2026-6052 |
IBM® Db2® is vulnerable to running out of memory when executing certain queries with MDC tables |
27.05.2026 |
6.5 |
| CVE-2026-6053 |
IBM® Db2® is vulnerable to a denial of service when a specially crafted query is run with range partitioned tables |
27.05.2026 |
5.5 |
| CVE-2026-6936 |
IBM i is Affected by a Denial of Service Vulnerability |
27.05.2026 |
6.5 |
| CVE-2026-6938 |
IBM® Db2® is vulnerable to authorization bypass when uploading to a remote object storage path with a special query |
27.05.2026 |
6.5 |
| CVE-2026-7254 |
Open BMC Denial of Service |
27.05.2026 |
|
| CVE-2026-7365 |
IBM Operations Analytics - Log Analysis is affected by Information disclosure due to default passwords not being forced to be changed on post-installation |
27.05.2026 |
8.4 |
| CVE-2026-7524 |
Path Traversal Vulnerability in File Processing Components Allows Unauthorized File System Access and Potential Remote Code Execution |
27.05.2026 |
9.8 |
| CVE-2026-7528 |
Unauthenticated File Upload Vulnerability Allows Disk Space Exhaustion and Path Disclosure in Langflow OSS |
27.05.2026 |
7.1 |
| CVE-2026-7876 |
Authentication bypass vulnerability found in Aspera High-Speed Transfer Server for Cloud Pak for Integration |
27.05.2026 |
|
| CVE-2026-8175 |
Multiple vulnerabilities in Aspera applications. |
27.05.2026 |
9.8 |
| CVE-2026-8179 |
Multiple vulnerabilities in Aspera applications. |
27.05.2026 |
8.8 |
| CVE-2026-8180 |
Multiple vulnerabilities in Aspera applications. |
27.05.2026 |
7.5 |
| CVE-2026-8405 |
IBM Guardium Data Protection is affected by Exposure of Sensitive Information vulnerability |
27.05.2026 |
6.5 |
| CVE-2026-9035 |
Multiple vulnerabilities in Aspera applications. |
27.05.2026 |
6.5 |
| CVE-2026-9617 |
PostgreSQL Anonymizer: malicious column name allows SQL injection via anon.k_anonymity() function |
27.05.2026 |
6.8 |
| CVE-2026-9704 |
Keycloak: keycloak: privilege escalation due to oversized subject_token jwt |
27.05.2026 |
|
| CVE-2026-9689 |
Keycloak: org.keycloak.protocol.oidc: http parameter pollution in oidc redirect uri allows response parameter duplication - #ghi-604 |
27.05.2026 |
|
| CVE-2025-0898 |
Xpro Elementor Addons - Pro <= 1.4.7 - Authenticated (Contributor+) Arbitrary File Read via Draw SVG |
27.05.2026 |
6.5 |
| CVE-2026-2280 |
rexCrawler <= 1.0.15 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings |
27.05.2026 |
4.8 |
| CVE-2026-2288 |
myLinksDump <= 1.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'link_title' Parameter |
27.05.2026 |
4.8 |
| CVE-2026-3012 |
Samba: group policy certificate enrollment uses http:// without validation |
27.05.2026 |
|
| CVE-2026-3348 |
MinhNhut Link Gateway <= 3.6.1 - Authenticated (Admin+) Stored Cross-Site Scripting via Plugin Settings |
27.05.2026 |
4.4 |
| CVE-2026-3349 |
MinhNhut Link Gateway <= 3.6.1 - Reflected Cross-Site Scripting via 'url' Parameter |
27.05.2026 |
6.1 |
| CVE-2026-42725 |
WordPress Checkout Files Upload for WooCommerce plugin <= 2.2.5 - Insecure Direct Object References (IDOR) vulnerability |
27.05.2026 |
6.5 |
| CVE-2026-42726 |
WordPress AWP Classifieds plugin <= 4.4.5 - Broken Access Control vulnerability |
27.05.2026 |
6.5 |
| CVE-2026-42727 |
WordPress Active Products Tables for WooCommerce plugin <= 1.0.8 - SQL Injection vulnerability |
27.05.2026 |
9.3 |
| CVE-2026-42728 |
WordPress HT Contact Form 7 plugin <= 2.8.2 - Cross Site Scripting (XSS) vulnerability |
27.05.2026 |
7.1 |
| CVE-2026-42729 |
WordPress PropertyHive plugin <= 2.2.2 - Cross Site Scripting (XSS) vulnerability |
27.05.2026 |
7.1 |
| CVE-2026-42730 |
WordPress MasterStudy LMS plugin <= 3.7.29 - SQL Injection vulnerability |
27.05.2026 |
8.5 |
| CVE-2026-42731 |
WordPress miniorange otp verification plugin <= 5.4.9 - Privilege Escalation vulnerability |
27.05.2026 |
9.8 |
| CVE-2026-42732 |
WordPress Ads by WPQuads plugin <= 3.0.2 - Broken Authentication vulnerability |
27.05.2026 |
6.5 |
| CVE-2026-42733 |
WordPress WPCS plugin <= 1.3.1 - Cross Site Scripting (XSS) vulnerability |
27.05.2026 |
7.1 |
| CVE-2026-42734 |
WordPress Geo Mashup plugin <= 1.13.19 - Cross Site Scripting (XSS) vulnerability |
27.05.2026 |
7.1 |
| CVE-2026-42735 |
WordPress KiviCare plugin <= 4.3.0 - Broken Authentication vulnerability |
27.05.2026 |
8.2 |
| CVE-2026-42736 |
WordPress BP Better Messages plugin <= 2.14.16 - Insecure Direct Object References (IDOR) vulnerability |
27.05.2026 |
7.5 |
| CVE-2026-42737 |
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.9 - Arbitrary File Deletion vulnerability |
27.05.2026 |
8.6 |
| CVE-2026-42738 |
WordPress Smart Online Order for Clover plugin <= 1.6.0 - Cross Site Scripting (XSS) vulnerability |
27.05.2026 |
7.1 |
| CVE-2026-42739 |
WordPress Advanced IP Blocker plugin <= 8.10.7 - Cross Site Scripting (XSS) vulnerability |
27.05.2026 |
7.1 |
| CVE-2026-42740 |
WordPress Tainacan plugin <= 1.0.3 - SQL Injection vulnerability |
27.05.2026 |
9.3 |
| CVE-2026-42744 |
WordPress Ads by WPQuads plugin <= 3.0.2 - Bypass Vulnerability vulnerability |
27.05.2026 |
6.5 |
| CVE-2026-42745 |
WordPress Smart Online Order for Clover plugin <= 1.6.0 - Broken Authentication vulnerability |
27.05.2026 |
7.3 |
| CVE-2026-42746 |
WordPress Smart Online Order for Clover plugin <= 1.6.0 - Sensitive Data Exposure vulnerability |
27.05.2026 |
7.3 |
| CVE-2026-42747 |
WordPress Easy Form Builder plugin <= 4.0.6 - SQL Injection vulnerability |
27.05.2026 |
9.3 |
| CVE-2026-42748 |
WordPress WPify Woo Czech plugin <= 5.4.1 - Arbitrary File Upload vulnerability |
27.05.2026 |
9.9 |
| CVE-2026-42749 |
WordPress Disable Comments for Any Post Types (Remove comments) plugin <= 1.3.0 - Broken Authentication vulnerability |
27.05.2026 |
7.1 |
| CVE-2026-42750 |
WordPress WPComplete plugin <= 2.9.5.4 - Cross Site Scripting (XSS) vulnerability |
27.05.2026 |
6.5 |
| CVE-2026-42751 |
WordPress Booking Manager plugin <= 2.1.18 - Cross Site Scripting (XSS) vulnerability |
27.05.2026 |
6.5 |
| CVE-2026-42753 |
WordPress WCFM Membership plugin <= 2.11.10 - Broken Access Control vulnerability |
27.05.2026 |
7.3 |
| CVE-2026-42754 |
WordPress Favicon plugin <= 1.3.46 - Cross Site Scripting (XSS) vulnerability |
27.05.2026 |
7.1 |
| CVE-2026-42755 |
WordPress TableOn plugin <= 1.0.5.1 - SQL Injection vulnerability |
27.05.2026 |
9.3 |
| CVE-2026-42756 |
WordPress QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly plugin <= 3.2.7 - Arbitrary File Deletion vulnerability |
27.05.2026 |
9.9 |
| CVE-2026-42757 |
WordPress WebinarIgnition plugin < 4.08.253 - Arbitrary File Deletion vulnerability |
27.05.2026 |
9.9 |
| CVE-2026-42758 |
WordPress WebinarIgnition plugin < 4.08.253 - Privilege Escalation vulnerability |
27.05.2026 |
9.8 |
| CVE-2026-42759 |
WordPress Affiliate Super Assistent plugin <= 1.10.1 - Cross Site Scripting (XSS) vulnerability |
27.05.2026 |
7.1 |
| CVE-2026-42760 |
WordPress Backup and Staging by WP Time Capsule plugin <= 1.22.25 - Broken Authentication vulnerability |
27.05.2026 |
7.5 |
| CVE-2026-42761 |
WordPress Active Products Tables for WooCommerce plugin <= 1.0.9 - SQL Injection vulnerability |
27.05.2026 |
9.3 |
| CVE-2026-42762 |
WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.9 - Cross Site Scripting (XSS) vulnerability |
27.05.2026 |
7.1 |
| CVE-2026-45837 |
bpf: Fix use-after-free in arena_vm_close on fork |
27.05.2026 |
|
| CVE-2026-45838 |
bpf: fix end-of-list detection in cgroup_storage_get_next_key() |
27.05.2026 |
|
| CVE-2026-45839 |
bpf: reject negative CO-RE accessor indices in bpf_core_parse_spec() |
27.05.2026 |
|
| CVE-2026-45840 |
openvswitch: cap upcall PID array size and pre-size vport replies |
27.05.2026 |
|
| CVE-2026-45841 |
netfilter: nfnetlink_osf: fix divide-by-zero in OSF_WSS_MODULO |
27.05.2026 |
|
| CVE-2026-45842 |
slip: reject VJ receive packets on instances with no rstate array |
27.05.2026 |
|
| CVE-2026-45843 |
slip: bound decode() reads against the compressed packet length |
27.05.2026 |
|
| CVE-2026-45844 |
netfilter: arp_tables: fix IEEE1394 ARP payload parsing |
27.05.2026 |
|
| CVE-2026-45845 |
net/sched: taprio: fix NULL pointer dereference in class dump |
27.05.2026 |
|
| CVE-2026-45846 |
bareudp: fix NULL pointer dereference in bareudp_fill_metadata_dst() |
27.05.2026 |
|
| CVE-2026-48906 |
Extension - tassos.gr - Arbitrary File Deletion in Novarain/Tassos Framework < 6.1.0 for Joomla |
27.05.2026 |
|
| CVE-2023-52945 |
|
27.05.2026 |
7.8 |
| CVE-2024-11399 |
|
27.05.2026 |
6.8 |
| CVE-2024-47267 |
|
27.05.2026 |
2.7 |
| CVE-2024-47268 |
|
27.05.2026 |
4.9 |
| CVE-2024-47269 |
|
27.05.2026 |
4.9 |
| CVE-2024-47270 |
|
27.05.2026 |
2.7 |
| CVE-2024-47271 |
|
27.05.2026 |
4.9 |
| CVE-2024-47272 |
|
27.05.2026 |
2.7 |
| CVE-2025-10466 |
|
27.05.2026 |
5.9 |
| CVE-2025-12686 |
|
27.05.2026 |
9.8 |
| CVE-2025-13167 |
|
27.05.2026 |
5.4 |
| CVE-2025-13392 |
|
27.05.2026 |
8.1 |
| CVE-2025-13593 |
|
27.05.2026 |
6.1 |
| CVE-2025-14713 |
|
27.05.2026 |
7.5 |
| CVE-2025-22741 |
WordPress Felan Framework plugin <= 1.1.3 - Reflected Cross Site Scripting (XSS) vulnerability |
27.05.2026 |
7.1 |
| CVE-2025-30028 |
|
27.05.2026 |
8.6 |
| CVE-2025-52747 |
WordPress Themebox - Digital Products Ecommerce theme <= 1.4.2 - Cross Site Scripting (XSS) vulnerability |
27.05.2026 |
7.1 |
| CVE-2025-66592 |
|
27.05.2026 |
6.1 |
| CVE-2025-66593 |
|
27.05.2026 |
6.1 |
| CVE-2026-2237 |
|
27.05.2026 |
6.2 |
| CVE-2026-40827 |
Authenticated SQLi in _RemoveRequest function |
27.05.2026 |
|
| CVE-2026-40828 |
Authenticated SQLi in DeleteSysLogEntry function |
27.05.2026 |
|
| CVE-2026-40829 |
Authenticated SQLi in UpdateParam function |
27.05.2026 |
|
| CVE-2026-40830 |
Authenticated SQLi in UpdateParam function |
27.05.2026 |
|
| CVE-2026-40831 |
Authenticated SQLi in Easy View |
27.05.2026 |
|
| CVE-2026-40832 |
Authenticated SQLi in getDevicegroups function |
27.05.2026 |
|
| CVE-2026-40833 |
Authenticated SQLi in saveDashboardLayout function |
27.05.2026 |
|
| CVE-2026-40834 |
Authenticated SQLi in saveDashboardLayout function |
27.05.2026 |
|
| CVE-2026-40835 |
Authenticated SQLi in saveObjectFromData function |
27.05.2026 |
|
| CVE-2026-40836 |
Authenticated SQLi in inmessage model |
27.05.2026 |
|
| CVE-2026-40837 |
Authenticated SQLi in getProjectScalings function |
27.05.2026 |
|
| CVE-2026-40838 |
Authenticated SQLi in getDeviceScalings function |
27.05.2026 |
|
| CVE-2026-40839 |
Authenticated SQLi in getComponentScalings function |
27.05.2026 |
|
| CVE-2026-40840 |
Authenticated SQLi in VerifyCreateLicences function |
27.05.2026 |
|
| CVE-2026-40841 |
Authenticated SQLi in getProjectTags function |
27.05.2026 |
|
| CVE-2026-40842 |
Authenticated SQLi in getWidgetTags function |
27.05.2026 |
|
| CVE-2026-40843 |
Authenticated SQLi in alarming view |
27.05.2026 |
|
| CVE-2026-40844 |
Authenticated SQLi in dashboard view |
27.05.2026 |
|
| CVE-2026-40845 |
Authenticated SQLi in devices_configuration view |
27.05.2026 |
|
| CVE-2026-40846 |
Authenticated SQLi in system view |
27.05.2026 |
|
| CVE-2026-40847 |
Authenticated SQLi in system_tag view |
27.05.2026 |
|
| CVE-2026-40848 |
Authenticated SQLi in tag view |
27.05.2026 |
|
| CVE-2026-40849 |
Authenticated SQLi in user_alarmprofile view |
27.05.2026 |
|
| CVE-2026-40850 |
Unauthenticated SQLi in getAccountData function |
27.05.2026 |
|
| CVE-2026-40851 |
Command injection via USB |
27.05.2026 |
8.4 |
| CVE-2026-40852 |
Command injection via malicious configuration |
27.05.2026 |
7.2 |
| CVE-2026-48877 |
WordPress GenerateBlocks plugin <= 2.1.0 - Sensitive Data Exposure vulnerability |
27.05.2026 |
6.5 |
| CVE-2026-48968 |
WordPress Master Slider plugin <= 3.10.8 - Cross Site Scripting (XSS) vulnerability |
27.05.2026 |
6.5 |
| CVE-2026-49002 |
Broken Access Control Vulnerability in ZTE ZXUniPOS NDS-LTE product |
27.05.2026 |
9.1 |
| CVE-2026-8054 |
Unauthenticated SQL Injection in dotCMS Publish Audit API |
27.05.2026 |
|
| CVE-2025-41669 |
Insufficient Verification of Data Authenticity |
27.05.2026 |
|
| CVE-2025-41670 |
Untrusted Search Path |
27.05.2026 |
|
| CVE-2026-2030 |
WPBakery Page Builder Addons by Livemesh <= 3.9.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-3001 |
Gutenverse <= 3.4.6 - Reflected Cross-Site Scripting via 's' Parameter |
27.05.2026 |
6.1 |
| CVE-2026-3279 |
Enable jQuery Migrate Helper <= 1.4.1 - Missing Authorization to Authenticated (Subscriber+) jQuery Version Downgrade |
27.05.2026 |
6.5 |
| CVE-2026-3375 |
LiteSpeed Cache <= 7.7 - Unauthenticated Stored Cross-Site Scripting via QUIC.cloud CCSS/UCSS REST API Endpoints |
27.05.2026 |
7.2 |
| CVE-2026-3895 |
WPBakery Page Builder Addons by Livemesh <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting |
27.05.2026 |
6.4 |
| CVE-2026-3896 |
Livemesh SiteOrigin Widgets <= 3.9.2 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting |
27.05.2026 |
6.4 |
| CVE-2026-3897 |
Livemesh Addons for Beaver Builder <= 3.9.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Missing Authorization |
27.05.2026 |
6.4 |
| CVE-2026-40810 |
Unauthenticated SQLi in userinfo Endpoint |
27.05.2026 |
|
| CVE-2026-40811 |
Unauthenticated SQLi in ssoabstractservice |
27.05.2026 |
|
| CVE-2026-40812 |
Unauthenticated SQLi in getLiveValues function |
27.05.2026 |
|
| CVE-2026-40813 |
Unauthenticated SQLi in getLiveValues |
27.05.2026 |
|
| CVE-2026-40814 |
Unauthenticated SQLi in _mb24confi_getTagAlarm function |
27.05.2026 |
|
| CVE-2026-40815 |
Unauthenticated SQLi in _mb24api_getUserAccount function |
27.05.2026 |
|
| CVE-2026-40816 |
Unauthenticated SQLi in _mb24confi_getTagAlarm function |
27.05.2026 |
|
| CVE-2026-40817 |
Unauthenticated SQLi in getAlarmProfiles function |
27.05.2026 |
|
| CVE-2026-40818 |
Unauthenticated SQLi in _mb24confi_getDevice function |
27.05.2026 |
|
| CVE-2026-40819 |
Unauthenticated SQLi in sync_data24 task |
27.05.2026 |
|
| CVE-2026-40821 |
Authenticated SQLi in getAccountByID function |
27.05.2026 |
|
| CVE-2026-40822 |
Authenticated SQLi in DevSerialReset function |
27.05.2026 |
|
| CVE-2026-40823 |
Authenticated SQLi in DevSerialReset function |
27.05.2026 |
|
| CVE-2026-40824 |
Authenticated SQLi in accountstatus view |
27.05.2026 |
|
| CVE-2026-40825 |
Authenticated SQLi in accountstatus view |
27.05.2026 |
|
| CVE-2026-40826 |
Authenticated SQLi in dsgvo_contracts view |
27.05.2026 |
|
| CVE-2026-41009 |
Local Blobstore may allow arbitrary reads/deletes |
27.05.2026 |
5.8 |
| CVE-2026-41704 |
Compromised VM can make arbitrary blobstore deletes |
27.05.2026 |
5 |
| CVE-2026-49001 |
Cross-Site Request Forgery (CSRF) vulnerability in ZTE ZXUniPOS NDS-LTE product |
27.05.2026 |
5.3 |
| CVE-2026-6169 |
affiliate-toolkit <= 3.8.5 - Authenticated (Editor+) Remote Code Execution |
27.05.2026 |
7.2 |
| CVE-2026-7618 |
EnvíaloSimple: Email Marketing y Newsletters <= 2.4.5 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter |
27.05.2026 |
4.9 |
| CVE-2026-8042 |
Github Shortcode <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting |
27.05.2026 |
6.4 |
| CVE-2026-8143 |
Booking Calendar – Event Calendar <= 2.1.6 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters |
27.05.2026 |
7.2 |
| CVE-2026-8832 |
WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost |
27.05.2026 |
8.8 |
| CVE-2026-8906 |
WP Promoter <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'popup_width' Parameter |
27.05.2026 |
6.1 |
| CVE-2026-8942 |
MetaMagic SEO Plugin <= 1.6 - Cross-Site Request Forgery to Plugin Settings Update via Settings Page |
27.05.2026 |
4.3 |
| CVE-2026-6268 |
EventPress < 22.2 – Reflected Cross-Site Scripting |
27.05.2026 |
|
| CVE-2026-7614 |
Old Posts Highlighter <= 1.0.3 - Cross-Site Request Forgery to Settings Update |
27.05.2026 |
4.3 |
| CVE-2026-8040 |
faq shortocde <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute |
27.05.2026 |
6.4 |
| CVE-2026-8048 |
My Email Shortcode <= 0.91 - [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] |
27.05.2026 |
6.4 |
| CVE-2026-8698 |
Cryptocurrency Prijsvergelijking Widget <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'width' Shortcode Attribute |
27.05.2026 |
6.4 |
| CVE-2026-8701 |
GNTT Post Title Ticker <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8702 |
GBI To Print <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'div' Shortcode Attribute |
27.05.2026 |
6.4 |
| CVE-2026-8703 |
Endless Scroll <= 1.0.0 - [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] |
27.05.2026 |
6.4 |
| CVE-2026-8707 |
NS Product icon badge <= 1.2.4 - Reflected Cross-Site Scripting via PHP_SELF |
27.05.2026 |
6.1 |
| CVE-2026-8708 |
Genzel breadcrumbs <= 1.2 - Cross-Site Request Forgery to Settings Update via Plugin Settings Page |
27.05.2026 |
4.3 |
| CVE-2026-8760 |
Login with OTP <= 1.6 - Unauthenticated Authentication Bypass via OTP Brute Force |
27.05.2026 |
9.8 |
| CVE-2026-8787 |
Firebase Support & Chat Management <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation |
27.05.2026 |
8.8 |
| CVE-2026-8837 |
WP Iframe Geo Style for Amazon affiliates <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'adid' Shortcode Attribute |
27.05.2026 |
6.4 |
| CVE-2026-8842 |
Google+ Link Name <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8844 |
Responsive Check <= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8845 |
Islamic Database <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8846 |
Tuxquote <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8847 |
Dideo <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8866 |
jQuery googleslides <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8867 |
Post Categories Gallery <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8868 |
Single Mailchimp <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8869 |
Mutual Funds Data <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute |
27.05.2026 |
6.4 |
| CVE-2026-8870 |
Team Master <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8871 |
Formidable Kinetic <= 1.1.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8872 |
Animate Your Content <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8873 |
Content Slideshow <= 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8875 |
Easy Prism Syntax Highlighter <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8877 |
Responsive Video Embedder <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8884 |
Instant-Quote.co Quotation Page <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8886 |
hk_shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute |
27.05.2026 |
6.4 |
| CVE-2026-8887 |
Listen Shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8891 |
BitForm <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8894 |
iWR Tooltip <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8897 |
Shortcode Buddy <= 0.1.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8898 |
Events In City <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8899 |
Auto Thumbnails <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
27.05.2026 |
6.4 |
| CVE-2026-8903 |
Two-factor authentication (formerly IP Vault) <= 2.1 - Cross-Site Request Forgery to Settings Update |
27.05.2026 |
4.3 |
| CVE-2026-8911 |
WP AutoBuzz <= 1.1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'googleAccount' Parameter |
27.05.2026 |
6.1 |
| CVE-2026-8938 |
auto making JSON-LD <= 4.5.3 - Cross-Site Request Forgery to Plugin Certification Settings via Nonce Validation Bypass |
27.05.2026 |
4.3 |
| CVE-2026-8939 |
Search Simple Fields <= 0.2 - Cross-Site Request Forgery to Plugin Settings Update |
27.05.2026 |
4.3 |
| CVE-2026-8941 |
CDN Linker lite <= 1.3.1 - Cross-Site Request Forgery to Plugin Settings Update |
27.05.2026 |
4.3 |
| CVE-2026-8943 |
GoStats for WordPress <= 1.4 - Cross-Site Request Forgery via gostats_manage() Function |
27.05.2026 |
4.3 |
| CVE-2026-8994 |
Login with NEAR <= 0.3.3 - Authentication Bypass via 'account' Parameter |
27.05.2026 |
8.1 |
| CVE-2026-9014 |
WP Promoter <= 1.3 - Missing Authorization to Unauthenticated Statistics Reset via wpp-reset_stats AJAX Action |
27.05.2026 |
5.3 |
| CVE-2026-9200 |
Query Shortcode <= 0.2.1 - Authenticated (Contributor+) Local File Inclusion via 'lens' Shortcode Attribute |
27.05.2026 |
7.5 |
| CVE-2025-14481 |
Yoast SEO <= 26.5 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via 'post_id' Parameter |
27.05.2026 |
4.3 |
| CVE-2026-49000 |
Cryptography Implementation Flaw vulnerability in ZTE ZXUniPOS NDS-LTE product |
27.05.2026 |
7 |
| CVE-2026-6287 |
ShopLentor - WooCommerce Builder for Elementor & Gutenberg <= 3.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Product Grid 'blockUniqId' Block Attribute |
27.05.2026 |
5.4 |
| CVE-2026-8450 |
HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file() |
27.05.2026 |
|
| CVE-2026-9236 |
CM Ad Changer <= 2.0.7 - Cross-Site Request Forgery to Campaign Deletion via Campaign Management |
27.05.2026 |
4.3 |
| CVE-2025-15649 |
IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date |
27.05.2026 |
|
| CVE-2026-2253 |
Hitachi Vantara Pentaho Data Integration & Analytics - Improper Restriction of XML External Entity Reference |
27.05.2026 |
7.7 |
| CVE-2026-2254 |
Hitachi Vantara Pentaho Data Integration & Analytics - Incorrect Permission Assignment for Critical Resource |
27.05.2026 |
6.3 |
| CVE-2026-2255 |
Hitachi Vantara Pentaho Data Integration & Analytics - Insufficiently Protected Credentials |
27.05.2026 |
4.3 |
| CVE-2026-48959 |
IO::Uncompress::Unzip versions before 2.220 for Perl allow CPU exhaustion via per-byte read loop in fastForward |
27.05.2026 |
|
| CVE-2026-48961 |
IO::Compress versions from 2.207 before 2.220 for Perl ship a zipdetails CLI tool that crashes with undefined subroutine on Info-ZIP Unix Extra Field with 8-byte UID or GID |
27.05.2026 |
|
| CVE-2026-48962 |
IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob |
27.05.2026 |
|
| CVE-2026-48999 |
Stored Cross-Site Scripting (XSS) vulnerability in ZTE ZXUniPOS NDS-LTE product |
27.05.2026 |
5.7 |
| CVE-2026-9022 |
Splide Carousel Block <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'url' Block Attribute |
27.05.2026 |
6.4 |
| CVE-2026-49014 |
|
27.05.2026 |
7.4 |
| CVE-2026-49017 |
|
27.05.2026 |
|
| CVE-2026-6565 |
Style Kits – Advanced Theme Styles for Elementor <= 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Kit Title |
27.05.2026 |
6.4 |
| CVE-2026-7493 |
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.11.5 - Unauthenticated Denial of Service |
27.05.2026 |
5.3 |
| CVE-2026-9156 |
Tanium addressed a denial of service vulnerability in Tanium Server. |
27.05.2026 |
6.5 |
| CVE-2026-9207 |
Tanium addressed an unauthorized code execution vulnerability in Connect. |
27.05.2026 |
8.8 |
| CVE-2026-9632 |
UTT HiPER 1250GW Web Management formGroupConfig strcpy stack-based overflow |
27.05.2026 |
|
| CVE-2026-9608 |
QianFox FoxCMS Administrator Backend edit cross site scripting |
27.05.2026 |
|
| CVE-2026-9609 |
QianFox FoxCMS Admin.php edit password recovery |
27.05.2026 |
|
| CVE-2026-9627 |
UTT HiPER 1200GW Web Management setSysAdm strcpy buffer overflow |
27.05.2026 |
|
| CVE-2026-9628 |
UTT HiPER 1200GW Web Management formPptpClientConfig stack-based overflow |
27.05.2026 |
|
| CVE-2026-9631 |
UTT HiPER 1250GW Web Management formConfigFastDirectionW strcpy stack-based overflow |
27.05.2026 |
|
| CVE-2026-8606 |
Server-Side Request Forgery in GitHub Enterprise Server via Advisory Package URL Endpoint |
27.05.2026 |
|
| CVE-2026-9312 |
Server-Side Request Forgery vulnerability in GitHub Enterprise Server allowed access to internal services via path traversal in upload endpoint |
27.05.2026 |
|
| CVE-2026-9607 |
itsourcecode Courier Management System parcel_list.php sql injection |
27.05.2026 |
|
| CVE-2026-9605 |
GNU libredwg Dwgbmp Utility bits.c bit_read_RC heap-based overflow |
26.05.2026 |
|
| CVE-2026-9606 |
itsourcecode Courier Management System manage_user.php sql injection |
27.05.2026 |
|
| CVE-2026-46740 |
Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections |
26.05.2026 |
|
| CVE-2026-8647 |
Crypt::ScryptKDF versions through 0.010 for Perl uses insecure random number source when no CSPRNG module is available |
27.05.2026 |
|
| CVE-2026-8680 |
|
26.05.2026 |
|
| CVE-2026-9604 |
JeecgBoot AiragModelController access control |
27.05.2026 |
|
| CVE-2026-44985 |
Dozzle: Cross-Site WebSocket Hijacking (CSWSH) on exec/attach endpoints bypasses authentication |
26.05.2026 |
|
| CVE-2026-45298 |
Dozzle: Pre-auth SSRF with response-body reflection via POST /api/notifications/test-webhook (default no-auth deploy) |
27.05.2026 |
8.6 |
| CVE-2026-48710 |
Starlette has missing Host header validation that poisons request.url.path, bypassing path-based security checks |
27.05.2026 |
6.5 |
| CVE-2026-9603 |
SourceCodester eDoc Doctor Appointment System delete-session.php authorization |
27.05.2026 |
|
| CVE-2025-43289 |
|
27.05.2026 |
|
| CVE-2025-43290 |
|
27.05.2026 |
|
| CVE-2025-43306 |
|
27.05.2026 |
|
| CVE-2025-43451 |
|
27.05.2026 |
|
| CVE-2025-46280 |
|
27.05.2026 |
|
| CVE-2025-46284 |
|
27.05.2026 |
|
| CVE-2025-46307 |
|
27.05.2026 |
|
| CVE-2026-42012 |
Gnutls: gnutls: certificate validation bypass due to improper handling of uri and srv sans |
27.05.2026 |
|
| CVE-2026-42013 |
Gnutls: gnutls: certificate validation bypass due to oversized subject alternative name |
27.05.2026 |
|
| CVE-2026-42015 |
Gnutls: gnutls: memory corruption due to off-by-one error in pkcs#12 bag handling |
27.05.2026 |
|
| CVE-2026-43988 |
Vanetza: Remote Denial of Service via Uncaught Exception in ASN.1/OER Parsing |
26.05.2026 |
7.5 |
| CVE-2026-44213 |
OpenTelemetry.Exporter.Instana bypasses TLS certificate validation when a proxy is configured |
26.05.2026 |
6.5 |
| CVE-2026-44788 |
SharpCompress: Directory traversal via directory entries in WriteToDirectory (zip slip variant) |
27.05.2026 |
5.9 |
| CVE-2026-44895 |
GitLab MCP Server: SSE transport has no authentication and wildcard CORS, exposing all GitLab tools |
27.05.2026 |
|
| CVE-2026-44900 |
epa4all-client: VAU Signature bypass |
26.05.2026 |
8.1 |
| CVE-2026-44903 |
Prometheus: Stored XSS via crafted histogram bucket label values in the heatmap display of the old Prometheus web UI |
27.05.2026 |
|
| CVE-2026-44905 |
Vanetza: Remote Denial of Service via Uncaught OER Encoding Exception in Cryptographic Verification |
27.05.2026 |
7.5 |
| CVE-2026-44966 |
Velocity.js: Prototype Pollution in #set path assignment |
26.05.2026 |
8.3 |
| CVE-2026-44983 |
smallbitvec: Safe API Triggered Heap Buffer Overflow via Integer Overflow |
27.05.2026 |
7.3 |
| CVE-2026-45574 |
epa4all-client: TLS Certificate Validation Disabled in Production |
27.05.2026 |
8.1 |
| CVE-2026-5260 |
Gnutls: gnutls: information disclosure via heap overread in rsa key exchange |
27.05.2026 |
|
| CVE-2026-9584 |
code-projects Project Management System Login chk.php sql injection |
27.05.2026 |
|
| CVE-2025-14361 |
WordPress Woocommerce Envato Affiliates plugin <= 1.2.1 - Settings Change vulnerability |
27.05.2026 |
7.1 |
| CVE-2026-44209 |
Banks: Critical Remote Code Execution (RCE) via Jinja2 SSTI |
26.05.2026 |
7.5 |
| CVE-2026-44708 |
Mistune Math Plugin XSS Escape Bypass |
27.05.2026 |
6.1 |
| CVE-2026-44896 | Mistune: XSS via unescaped figclass/figwidth in Figure directive | 27.05.2026 | |
| CVE-2026-44897 | Mistune Heading ID Attribute Injection XSS | 26.05.2026 | 6.1 |
| CVE-2026-44898 | Mistune TOC Anchor Injection XSS | 26.05.2026 | 6.1 |
| CVE-2026-44899 | Mistune Image Directive CSS Injection Vulnerability | 27.05.2026 | 4.7 |
| CVE-2026-45575 | epa4all-client: Improper Verification of Cryptographic Signature | 26.05.2026 | 7.4 |
| CVE-2026-47672 | epa4all-client: Unauthenticated REST API for Patient Record Writes | 27.05.2026 | 6.5 |
| CVE-2026-9581 | JeecgBoot add access control | 26.05.2026 | |
| CVE-2026-9582 | SourceCodester CET Automated Grading System with AI Predictive Analytics cross-site request forgery | 26.05.2026 | |
| CVE-2026-9583 | SourceCodester CET Automated Grading System with AI Predictive Analytics SQL index.php information exposure | 26.05.2026 | |
| CVE-2025-68708 | | 26.05.2026 | |
| CVE-2025-68711 | | 26.05.2026 | |
| CVE-2026-36239 | | 26.05.2026 | |
| CVE-2026-42335 | MaxKB: SSRF Bypass in MaxKB OSS URL Fetch due to URL Parsing Discrepancy | 26.05.2026 | |
| CVE-2026-42336 | MaxKB: SSRF Bypass via DNS Rebinding in MaxKB OSS URL Fetch | 26.05.2026 | |
| CVE-2026-42337 | MaxKB: Broken Access Control in MaxKB OSS URL Fetch API | 27.05.2026 | |
| CVE-2026-44443 | Lumiverse: Sign-up nonce race condition allows unauthorized account registration | 26.05.2026 | 4.8 |
| CVE-2026-44444 | Lumiverse: Spindle extension install runs untrusted lifecycle scripts before security scan | 27.05.2026 | 9.1 |
| CVE-2026-44449 | Lumiverse: SMB `exists()` basename injection via smbclient `!cmd` escape | 27.05.2026 | 9.1 |
| CVE-2026-44450 | Lumiverse: RCE via MCP stdio argument injection | 26.05.2026 | 9.9 |
| CVE-2026-44451 | Lumiverse: TSX component sandbox escape via DOM ref and string-split identifier bypass | 26.05.2026 | 9.3 |
| CVE-2026-44836 | view_component: Preview Route Can Dispatch Inherited Helper Methods | 27.05.2026 | 6.5 |
| CVE-2026-44837 | view_component: System Test Entry Point Path Check Allows Sibling Directory Escape | 26.05.2026 | 5.9 |
| CVE-2026-44843 | LangChain: Unsafe deserialization of attacker-controlled LangChain objects through overly broad `load()` allowlists | 27.05.2026 | 8.2 |
| CVE-2026-44844 | eml_parser: Recursion DoS via nested message/rfc822 attachments | 27.05.2026 | |
| CVE-2026-44847 | MaxKB: Webhook Trigger Authentication Bypass | 26.05.2026 | 7.5 |
| CVE-2026-45412 | MaxKB: Unauthenticated SSRF via Workflow Template Import | 26.05.2026 | |
| CVE-2026-45413 | MaxKB: Unsalted MD5 Password Hashing | 27.05.2026 | |
| CVE-2026-48592 | Missing authorization check on save-job event handler in oban_web | 27.05.2026 | |
| CVE-2026-48593 | Unbounded range expansion in cron describe causes memory exhaustion in oban_web | 27.05.2026 | |
| CVE-2026-8676 | | 26.05.2026 | 8.8 |
| CVE-2026-9579 | JeecgBoot SysUser userEdit user.getUsername access control | 27.05.2026 | |
| CVE-2026-9580 | JeecgBoot selectDepart LoginController.selectDepart access control | 27.05.2026 | |
| CVE-2026-9642 | Delta Electronics DIAView Patch Bypass | 26.05.2026 | 9.8 |
| CVE-2025-68709 | | 26.05.2026 | |
| CVE-2025-68710 | | 26.05.2026 | |
| CVE-2026-24520 | WordPress Tiktok Feed plugin <= 1.0.24 - Broken Access Control vulnerability | 27.05.2026 | 4.3 |
| CVE-2026-25426 | WordPress Taxi Booking Manager for WooCommerce plugin <= 2.0.1 - Broken Access Control vulnerability | 27.05.2026 | 5.3 |
| CVE-2026-25444 | WordPress WpBookingly plugin <= 1.2.9 - Broken Access Control vulnerability | 27.05.2026 | 4.3 |
| CVE-2026-27331 | WordPress WpTravelly plugin <= 2.1.5 - Broken Access Control vulnerability | 27.05.2026 | 6.3 |
| CVE-2026-44214 | eventsource-encoder: SSE event injection via unsanitized event and id fields | 27.05.2026 | 5.8 |
| CVE-2026-44831 | Snipe-IT: XSS vulnerability in component notes | 26.05.2026 | 4.8 |
| CVE-2026-44832 | Snipe-IT: Privilege Escalation via API Permissions Assignment | 27.05.2026 | |
| CVE-2026-44833 | Snipe-IT: Open redirect vulnerability | 27.05.2026 | 5.9 |
| CVE-2026-8453 | | 26.05.2026 | |
| CVE-2026-9573 | itsourcecode Student Transcript Processing System index.php sql injection | 26.05.2026 | |
| CVE-2026-9574 | itsourcecode Student Transcript Processing System trans.php sql injection | 27.05.2026 | |
| CVE-2026-9575 | itsourcecode Student Transcript Processing System index.php sql injection | 27.05.2026 | |
| CVE-2026-3603 | IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to XML external entity injection (XXE) attack | 27.05.2026 | 7.1 |
| CVE-2026-3660 | IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to Authentication Bypass | 26.05.2026 | 9.8 |
| CVE-2026-48689 | | 27.05.2026 | |
| CVE-2026-4051 | IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to Server Post-Auth Remote Code Execution | 27.05.2026 | 7.2 |
| CVE-2026-8890 | code100x Mobile API Authentication Bypass via Header Spoofing | 26.05.2026 | 8.2 |
| CVE-2026-9568 | ThingsBoard YAML provision getGatewayDockerComposeFile code injection | 27.05.2026 | |
| CVE-2026-9572 | GPAC MP4Box media.c Media_GetSample memory leak | 26.05.2026 | |
| CVE-2026-42448 | wormhole receive, with --output pointing at an existing directory can be path-traversed | 27.05.2026 | 3.5 |
| CVE-2026-44667 | Faction: Stored XSS in Remediation Verification Attachment Filename Preview Rendering | 26.05.2026 | 8.7 |
| CVE-2026-44668 | Faction: Unauthenticated Read, Modify, and Delete of Boilerplate Templates | 27.05.2026 | 9.8 |
| CVE-2026-44669 | Faction: Stored XSS in Assessment Attachment Filename Preview Rendering | 26.05.2026 | 8.7 |
| CVE-2026-44728 | Improper Control of Generation of Code when compiling specifically crafted malicious code with @babel/plugin-transform-modules-systemjs | 27.05.2026 | 8.2 |
| CVE-2026-9560 | | 27.05.2026 | |
| CVE-2026-9567 | GPAC MP4Box isom_intern.c MergeFragment null pointer dereference | 26.05.2026 | |