CVE Field Guide

Critical CVEs

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-11429 | Path Traversal in Altium Git Service Allows Remote Code Execution | 05.06.2026 | 9.4 |
| CVE-2026-11423 | Path Traversal in Altium Enterprise Server Collaboration Service Allows Privilege Escalation | 05.06.2026 | 9.4 |
| CVE-2026-11419 | Path Traversal in Altium Enterprise Server Vault UploadController Allows Arbitrary File Write | 05.06.2026 | 9.4 |
| CVE-2026-11420 | Path Traversal in Altium Enterprise Server NIS Allows Unauthenticated Arbitrary File Write and File Read | 05.06.2026 | 10 |
| CVE-2026-45758 | Malicious code in guardrails-ai 0.10.1 (supply chain compromise) | 05.06.2026 | 9.6 |
| CVE-2026-45777 | Open XDMoD Vulnerable to Unauthenticated Remote Code Execution (RCE) via OS Command Injection | 05.06.2026 | 9.3 |
| CVE-2026-45779 | Open XDMoD Vulnerable to Unauthenticated SQL Injection Leading to Full Database Compromise | 05.06.2026 | 9.3 |
| CVE-2026-11414 | Unauthenticated File Exfiltration in Altium Enterprise Server Vault Service via Hard-coded Cryptographic Key and Path Traversal | 05.06.2026 | 10 |
| CVE-2026-10580 | Hippoo Mobile App for WooCommerce <= 1.9.4 - Unauthenticated Authentication Bypass to Administrator Account Takeover via REST API | 06.06.2026 | 9.8 |
| CVE-2026-46389 | UDS Identity Config has a client authentication bypass in `ClientIdAndKubernetesSecretAuthenticator` | 05.06.2026 | 10 |
| CVE-2026-46395 | HAX CMS Vulnerable to Private Key Disclosure via Broken HMAC Implementation | 05.06.2026 | 9.3 |
| CVE-2026-46396 | HAX CMS has a stored XSS via <iframe> that allows access to sensitive client-side data and account takeover | 05.06.2026 | 9.3 |
| CVE-2026-46399 | Authenticated Remote Code Execution via File Overwrite | 05.06.2026 | 9.4 |
| CVE-2026-46496 | HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft | 05.06.2026 | 9.3 |
| CVE-2025-71317 | NetMan 204 Hard-coded Backdoor Credentials | 05.06.2026 | 9.3 |
| CVE-2025-71318 | NetMan 204 Missing Authentication for Administrative Functions | 05.06.2026 | 9.3 |
| CVE-2026-45744 | Termix has an OS Command Injection in File Manager resolvePath endpoint | 05.06.2026 | 9.9 |
| CVE-2026-45746 | Termix Vulnerable to Arbitrary Command Execution via Session Hijacking | 05.06.2026 | 9 |
| CVE-2026-45748 | Termix Vulnerable to Remote Code Execution via SSH Tunnel Forward Command Injection | 05.06.2026 | 9.8 |
| CVE-2026-45750 | Termix Vulnerable to Arbitrary Command Execution in File Manager | 05.06.2026 | 9 |
| CVE-2026-49777 | WordPress Product Slider Pro for WooCommerce plugin < 3.5.3 - Backdoor vulnerability | 05.06.2026 | 10 |
| CVE-2026-6274 | Authentication Bypass in DTS Electronics' Redline WR3200 | 05.06.2026 | 9.8 |
| CVE-2026-48907 | Joomla Extension - joomlacontenteditor.net - Remote Code Execution in JCE extension for Joomla < 2.9.99.5 | 05.06.2026 | 10 |
| CVE-2026-48567 | Azure HorizonDB Elevation of Privilege Vulnerability | 06.06.2026 | 10 |
| CVE-2026-48579 | Microsoft Exchange Online Information Disclosure Vulnerability | 05.06.2026 | 9.1 |
| CVE-2025-71316 | SQLite sqldiff remote code execution via argument injection | 05.06.2026 | 9.2 |
| CVE-2025-67447 | | 04.06.2026 | 9.8 |
| CVE-2026-10880 | Unauthenticated SQL Injection in Osnexus Quantastor | 04.06.2026 | 9.8 |
| CVE-2026-25550 | Seagull Software BarTender Unauthenticated RCE via .NET Remoting Service | 04.06.2026 | 9.3 |
| CVE-2025-67446 | | 04.06.2026 | 9.8 |
| CVE-2026-10868 | MISP user edit endpoint mass assignment vulnerability allows unauthorized user account modification | 04.06.2026 | 9 |
| CVE-2026-43986 | Tautulli vulnerable to unauthenticated SSRF in /image/<hash> via attacker-seeded image hash replay | 04.06.2026 | 9.9 |
| CVE-2019-25727 | WordPress Plugin ad manager wd 1.0.11 Arbitrary File Download | 04.06.2026 | 9.3 |
| CVE-2019-25729 | PDF Signer 3.0 Server-Side Template Injection RCE via CSRF Cookie | 04.06.2026 | 9.3 |
| CVE-2019-25738 | WordPress Hybrid Composer 1.4.6 Unauthenticated Settings Change | 04.06.2026 | 9.3 |
| CVE-2019-25741 | Mobatek MobaXterm 12.1 Buffer Overflow via Sessions File | 04.06.2026 | 9.3 |
| CVE-2026-8037 | OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF | 05.06.2026 | 9.6 |
| CVE-2026-10840 | Openshift-pipelines-operator-rh: openshift-pipelines-operator: tekton-scheduler-rolebinding grants system:authenticated write access to kueue and cert-manager resources | 04.06.2026 | 9.6 |
| CVE-2026-4104 | SQLi in Akmer Informatics' TeknoPass | 04.06.2026 | 9.8 |
| CVE-2026-50214 | Shared Secret Quota Inflation | 04.06.2026 | 9.3 |
| CVE-2026-50208 | Permissive TrustAllCerts TLS Verification | 04.06.2026 | 9.2 |
| CVE-2026-50209 | MDM Server Registration Overriding | 04.06.2026 | 9.3 |
| CVE-2026-49190 | Missing Per-Instruction Authorization Checks | 04.06.2026 | 9.4 |
| CVE-2026-49191 | Exposed Hard-coded M3WebServer Backend API Key | 04.06.2026 | 9.3 |
| CVE-2026-49194 | SCREEN_CLICK Authentication Bypass | 04.06.2026 | 9.4 |
| CVE-2026-41283 | | 04.06.2026 | 9.9 |
| CVE-2026-49185 | Instruction Injection via FieldX MDM | 04.06.2026 | 10 |
| CVE-2026-46244 | netfilter: nft_inner: Fix IPv6 inner_thoff desync | 05.06.2026 | 9.1 |
| CVE-2026-46266 | inet: RAW sockets using IPPROTO_RAW MUST drop incoming ICMP | 05.06.2026 | 9.1 |
| CVE-2026-35075 | Hardcoded default Password for Service Account | 03.06.2026 | 9.3 |
| CVE-2026-47065 | Apache MINA: Critical Deserialization Allow-list Bypass via resolveProxyClass - ZDRES-232 | 04.06.2026 | 9.8 |
| CVE-2026-4035 | Environment Variable Resolution Vulnerability in mlflow/mlflow | 03.06.2026 | 9.1 |
| CVE-2026-32625 | LibreChat Exfiltrates Server Secrets via MCP Server URL Injection | 03.06.2026 | 9.6 |
| CVE-2026-42849 | authentik: Reflected XSS in SFE AutosubmitStage allows IDP account takeover | 03.06.2026 | 9.3 |
| CVE-2026-49448 | authentik: SourceStage bypass via empty POST | 03.06.2026 | 9.8 |
| CVE-2026-5076 | ARMember Premium <= 7.3.1 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalation | 02.06.2026 | 9.8 |
| CVE-2026-0611 | Spacelabs Healthcare Sentinel 10.5.x < 11.6.0 Unauthenticated RCE via .NET Remoting | 02.06.2026 | 9.2 |
| CVE-2026-42074 | OpenClaude: Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input | 02.06.2026 | 9.3 |
| CVE-2026-47117 | OpenMed < 1.5.2 Remote Code Execution via PII Model Loading | 02.06.2026 | 9.3 |
| CVE-2026-7198 | CWE-284: Improper Access Control in web services in Progress Sitefinity | 03.06.2026 | 9.8 |
| CVE-2026-7312 | CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity | 03.06.2026 | 10 |
| CVE-2026-42684 | WordPress WP Job Portal plugin <= 2.5.1 - SQL Injection vulnerability | 02.06.2026 | 9.3 |
| CVE-2025-53209 | WordPress Masteriyo LMS PRO plugin <= 2.20.0 - Privilege Escalation Vulnerability | 02.06.2026 | 9.8 |
| CVE-2026-34906 | Server-Side Template Injection (SSTI) in Wirtualna Uczelnia | 02.06.2026 | 9.3 |
| CVE-2026-8206 | Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password' | 02.06.2026 | 9.8 |
| CVE-2026-25879 | Langroid has Prompt to SQL Injection, Leading to RCE | 02.06.2026 | 9.8 |
| CVE-2018-25427 | Arm Whois 3.11 Buffer Overflow via SEH Overwrite | 02.06.2026 | 9.3 |
| CVE-2026-40965 | | 03.06.2026 | 10 |
| CVE-2026-0072 | | 01.06.2026 | 10 |
| CVE-2026-49121 | AI Tensor Engine for ROCm (AITER) 0.1.14 Unauthenticated RCE via MessageQueue.recv() Pickle Deserialization | 02.06.2026 | 9.2 |
| CVE-2026-8644 | IBM WebSphere Application Server is affected by an identity spoofing vulnerability | 01.06.2026 | 9.1 |
| CVE-2026-9311 | IBM WebSphere Application Server is affected by remote code execution | 02.06.2026 | 9 |
| CVE-2026-9319 | IBM WebSphere Application Server is affected by a remote code execution vulnerability | 02.06.2026 | 9 |
| CVE-2026-42672 | WordPress WP Directory Kit plugin <= 1.5.1 - SQL Injection vulnerability | 01.06.2026 | 9.3 |
| CVE-2026-44211 | Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability | 04.06.2026 | 9.6 |
| CVE-2026-45131 | CloudPirates Open Source Helm Charts: GitHub Actions pull_request_target workflow allows secret exfiltration via fork pull requests | 01.06.2026 | 10 |
| CVE-2026-45132 | CloudPirates Open Source Helm Charts: GitHub Actions workflow leaks PAT and SSH signing key via unsafe credential handling | 01.06.2026 | 10 |
| CVE-2026-0826 | Poly Voice – Possible Remote Control of Certain Poly Devices | 01.06.2026 | 9.2 |
| CVE-2026-42680 | WordPress Contest Gallery Pro plugin <= 29.0.1 - Privilege Escalation vulnerability | 01.06.2026 | 9.8 |
| CVE-2026-42682 | WordPress wpForo Forum plugin <= 3.0.6 - Broken Access Control vulnerability | 01.06.2026 | 9.1 |
| CVE-2026-48866 | WordPress Gravity Forms plugin <= 2.10.0.1 - Arbitrary File Deletion vulnerability | 01.06.2026 | 9.6 |
| CVE-2026-48879 | WordPress AIWU plugin <= 1.4.17 - Privilege Escalation vulnerability | 01.06.2026 | 9.8 |
| CVE-2026-8931 | Critical RCE vulnerability in Disig Web Signer | 01.06.2026 | 9.4 |
| CVE-2026-7858 | Deserialization of Untrusted Data vulnerability affecting Teamwork Cloud from No Magic Release 2022x through No Magic Release 2026x and Magic Collaboration Studio from CATIA Magic Release 2022x through CATIA Magic Release 2026x | 01.06.2026 | 9.8 |
| CVE-2026-48188 | SQL Injection via MySQL Quote Method | 01.06.2026 | 9.1 |
| CVE-2026-10187 | Totolink N300RH Web Management wireless.so setWiFiBasicConfig stack-based overflow | 02.06.2026 | 9.3 |

Latest Updates

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-11435 | Jinher OA nextselectplan.aspx sql injection | 06.06.2026 | |
| CVE-2026-11434 | FluentCMS Blocks Plugin blocks cross site scripting | 06.06.2026 | |
| CVE-2026-11413 | JingDong JD Cloud Box AX6600 jdcweb_rpc set_macfilter stack-based overflow | 06.06.2026 | |
| CVE-2026-11411 | iAI Lab PDF AI App chatpdf.pro getExternalCacheDir path traversal | 06.06.2026 | |
| CVE-2026-11412 | Jinher OA GetFormSn.aspx sql injection | 06.06.2026 | |
| CVE-2026-11408 | vertex-app vertex Log Viewer Endpoint LogMod.js os command injection | 06.06.2026 | |
| CVE-2026-10725 | Protocol::HTTP2 versions through 1.12 for Perl is vulnerable to a HTTP/2 Bomb | 06.06.2026 | |
| CVE-2026-11406 | GL.iNet MT3000 OpenVPN Client Import Workflow ovpnclient.sh command injection | 06.06.2026 | |
| CVE-2026-7624 | SEO Plugin by Squirrly SEO <= 12.4.16 - Missing Authorization to Authenticated (Contributor+) Privileged Cloud API Operations | 06.06.2026 | 4.3 |
| CVE-2026-8611 | Klamra Paycal for Aspaclaria <= 1.1.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Exposure via 'invoice_id' Parameter | 06.06.2026 | 4.3 |
| CVE-2026-8839 | MapPress Maps for WordPress <= 2.96.6 - Unauthenticated Insecure Direct Object Reference via REST API Endpoints | 06.06.2026 | 5.3 |
| CVE-2026-9016 | Debug Log Manager <= 2.5.0 - Unauthenticated Improper Output Neutralization for Logs via log_js_errors AJAX Action | 06.06.2026 | 5.3 |
| CVE-2026-9594 | WP Maps <= 4.9.4 - Authenticated (Admin+) Stored Cross-Site Scripting via 'location_messages' Parameter | 06.06.2026 | 4.4 |
| CVE-2026-9829 | Photo Gallery by 10Web <= 1.8.41 - Authenticated (Contributor+) SQL Injection via 'compact_album_order_by' Shortcode Parameter | 06.06.2026 | 6.5 |
| CVE-2026-9851 | Booking Package <= 1.7.16 - Authenticated (Editor+) Privilege Escalation via Account Takeover to updateUser AJAX Action | 06.06.2026 | 7.2 |
| CVE-2026-2500 | Quick Playground <= 1.3.4 - Authenticated (Administrator+) Arbitrary File Read via 'filename' Parameter | 06.06.2026 | 4.4 |
| CVE-2026-7537 | MDJM Event Management <= 1.7.8.3 - Authenticated (Administrator+) Arbitrary File Upload via 'mdjm_email_upload_file' Parameter | 06.06.2026 | 7.2 |
| CVE-2026-7565 | LearnPress <= 4.1.4 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'import-user-file' Parameter | 06.06.2026 | 4.9 |
| CVE-2026-7566 | LearnPress – Backup & Migration Tool <= 4.1.4 - Authenticated (Administrator+) PHP Object Injection via WXR XML File Upload | 06.06.2026 | 6.6 |
| CVE-2026-7665 | Essential Addons for Elementor <= 6.6.4 - Missing Authorization to Unauthenticated Information Exposure via 'load_more' AJAX Handler | 06.06.2026 | 5.3 |
| CVE-2026-7792 | WPForms <= 1.10.0.4 - Unauthenticated Insufficient Verification of Data Authenticity via PayPal Commerce Webhook Endpoint | 06.06.2026 | 5.3 |
| CVE-2026-7795 | Click to Chat <= 4.39 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'num' Shortcode Parameter | 06.06.2026 | 6.4 |
| CVE-2026-7796 | EmbedPress <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block 'url' Attribute | 06.06.2026 | 6.4 |
| CVE-2026-8502 | LearnPress <= 4.3.6 - Unauthenticated Sensitive Information Exposure via 'c_status' and 'return_type' Parameters | 06.06.2026 | 5.3 |
| CVE-2026-8978 | OptinCraft <= 1.2.0 - Authenticated (Administrator+) SQL Injection via 'order_by' Parameter | 06.06.2026 | 4.9 |
| CVE-2026-8991 | Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'drag_n_drop_text' and 'drag_n_drop_browse_text' Settings | 06.06.2026 | 4.4 |
| CVE-2026-9197 | Smart Slider 3 <= 3.5.1.36 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'src'/'srcset' Attribute in HTML Export | 06.06.2026 | 4.9 |
| CVE-2026-9280 | Ad Inserter <= 2.8.15 - Reflected Cross-Site Scripting via URL Parameters in iframe Mode | 06.06.2026 | 6.1 |
| CVE-2026-8438 | All-In-One Security (AIOS) <= 5.4.7 - Unauthenticated Stored Cross-Site Scripting via REST API Request Path | 06.06.2026 | 7.2 |
| CVE-2026-8901 | Integration for Freshsales <= 1.0.15 - Unauthenticated Stored Cross-Site Scripting via Form Submission Data | 06.06.2026 | 7.2 |
| CVE-2026-9008 | Page-list <= 6.2 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure via Shortcode Attributes | 06.06.2026 | 4.3 |
| CVE-2026-9281 | Master Addons For Elementor <= 3.1.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'jtlma_custom_js' Page Setting (Custom JS Extension) | 06.06.2026 | 6.4 |
| CVE-2026-34123 | Whitelist Validation Bypass in TP-Link Tapo C520WS | 05.06.2026 | |
| CVE-2026-6239 | Authenticated Stack-based Buffer Overflow in ONVIF CreateUsers Service in TP-Link Tao C520WS | 05.06.2026 | |
| CVE-2026-6240 | Authenticated Stack-based Buffer Overflow in ONVIF DeleteUsers Service on TP-Link Tapo C520WS | 05.06.2026 | |
| CVE-2026-6241 | Authenticated Format String Vulnerability in ONVIF AddScopes Method on TP-Link Tapo C520WS | 05.06.2026 | |
| CVE-2026-6242 | Authenticated Format String Vulnerability in ONVIF Subscribe Service on TP-Link Tapo C520WS | 05.06.2026 | |
| CVE-2025-12656 | Migration, Backup, Staging – WPvivid Backup & Migration <= 0.9.128 - Authenticated (Admin+) Arbitrary Directory Deletion | 06.06.2026 | 3.8 |
| CVE-2026-10038 | Charitable <= 1.8.11.1 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Attachment Deletion via 'avatar' Parameter | 06.06.2026 | 4.3 |
| CVE-2026-6448 | Quiz and Survey Master (QSM) <= 11.1.2 - Authenticated (Admin+) SQL Injection via 'order' and 'limit' Parameters | 06.06.2026 | 4.9 |
| CVE-2026-7047 | Frontend User Notes <= 2.1.1 - Cross-Site Request Forgery to Note Content Modification via 'confirmEdit' Action | 06.06.2026 | 4.3 |
| CVE-2026-8608 | Event Monster <= 2.1.0 - Unauthenticated Insufficient Verification of Data Authenticity to Payment Bypass via em_capture_payment AJAX Action | 06.06.2026 | 5.3 |
| CVE-2026-8893 | Express Payment For Stripe <= 1.28.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | 06.06.2026 | 6.4 |
| CVE-2026-8900 | Simple SEO Slideshow <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | 06.06.2026 | 6.4 |
| CVE-2026-8976 | RSS Aggregator by Feedzy <= 5.1.7 - Missing Authorization to Authenticated (Contributor+) Import Job Creation, Execution, Purge, Log Clearing, and Information Disclosure via Multiple AJAX Sub-Actions | 06.06.2026 | 4.3 |
| CVE-2026-9290 | WP User Manager <= 2.9.17 - Unauthenticated Path Traversal to Local File Inclusion via 'tab' Query Parameter | 06.06.2026 | 7.5 |
| CVE-2026-9719 | LatePoint <= 5.6.0 - Cross-Site Request Forgery via invoices__change_status Action | 06.06.2026 | 4.3 |
| CVE-2026-7523 | Alba Board <= 2.1.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'card_id' Parameter | 06.06.2026 | 4.3 |
| CVE-2026-7654 | Admin Columns <= 7.0.18 - Authenticated (Contributor+) PHP Object Injection to Remote Code Execution via Custom Field Meta Value | 06.06.2026 | 8.8 |
| CVE-2026-45409 | Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix | 05.06.2026 | |
| CVE-2026-11416 | MoviePilot Path Traversal via Cloud Storage Download Handlers | 05.06.2026 | 8.1 |
| CVE-2026-11424 | Server-Side Request Forgery in Altium Platform Design GraphQL Service Allows Information Disclosure | 05.06.2026 | |
| CVE-2026-11429 | Path Traversal in Altium Git Service Allows Remote Code Execution | 05.06.2026 | |
| CVE-2026-11431 | Path Traversal in Altium Projects Service Allows Arbitrary File Read | 05.06.2026 | |
| CVE-2026-11422 | Markdown Preview Enhanced 0.8.x Code Injection via WaveDrom Rendering | 05.06.2026 | 7.1 |
| CVE-2026-11423 | Path Traversal in Altium Enterprise Server Collaboration Service Allows Privilege Escalation | 05.06.2026 | |
| CVE-2026-36785 | | 05.06.2026 | |
| CVE-2026-11419 | Path Traversal in Altium Enterprise Server Vault UploadController Allows Arbitrary File Write | 05.06.2026 | |
| CVE-2026-11420 | Path Traversal in Altium Enterprise Server NIS Allows Unauthenticated Arbitrary File Write and File Read | 05.06.2026 | |
| CVE-2026-25620 | Arista Edge Threat Management NGFW Captive Portal Encrypted Password Command Injection | 05.06.2026 | 6 |
| CVE-2026-25621 | Arista Edge Threat Management NGFW Reports Application Insecure Input Validation | 05.06.2026 | 6 |
| CVE-2026-25622 | Arista Edge Threat Management NGFW Captive Portal Custom Handler Command Injection | 05.06.2026 | 6 |
| CVE-2026-25623 | Arista Edge Threat Management NGFW UI Arbitrary Command Execution | 05.06.2026 | 6 |
| CVE-2026-25624 | Arista Edge Threat Management NGFW UI Administrative Cross-Site Scripting | 05.06.2026 | 5.7 |
| CVE-2026-45300 | async-http-client: Cookie header not stripped on cross-origin redirect | 05.06.2026 | 7.4 |
| CVE-2026-45758 | Malicious code in guardrails-ai 0.10.1 (supply chain compromise) | 05.06.2026 | 9.6 |
| CVE-2026-45777 | Open XDMoD Vulnerable to Unauthenticated Remote Code Execution (RCE) via OS Command Injection | 05.06.2026 | |
| CVE-2026-45778 | Open XDMoD Vulnerable to Reflected Cross-Site Scripting (XSS) in Password Reset | 05.06.2026 | |
| CVE-2026-45779 | Open XDMoD Vulnerable to Unauthenticated SQL Injection Leading to Full Database Compromise | 05.06.2026 | |
| CVE-2026-11400 | Privilege Escalation in AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL | 05.06.2026 | 8 |
| CVE-2026-11401 | Privilege Escalation in AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL | 05.06.2026 | 8 |
| CVE-2026-11414 | Unauthenticated File Exfiltration in Altium Enterprise Server Vault Service via Hard-coded Cryptographic Key and Path Traversal | 05.06.2026 | |
| CVE-2026-45776 | Open XDMoD has Broken Access Control via Client-Controlled Session Variable | 05.06.2026 | |
| CVE-2026-46357 | HAX CMS NodeJS application Vulnerable to Denial of Service using Malicious Import Request | 05.06.2026 | 6.5 |
| CVE-2026-46397 | haxcms-php Local File Inclusion via saveOutline API Location Parameter v2.0 | 05.06.2026 | 6.5 |
| CVE-2026-46398 | HAX CMS Missing Secure Flag on Cookie | 05.06.2026 | |
| CVE-2026-46400 | HAXCMS PHP has a File Upload Validation Bypass | 05.06.2026 | |
| CVE-2026-46401 | HAX CMS PHP has Insufficient Session Expiration | 05.06.2026 | |
| CVE-2026-46493 | haxtheweb/haxcms-php uses insecure method for generating salt | 05.06.2026 | 7.5 |
| CVE-2026-10580 | Hippoo Mobile App for WooCommerce <= 1.9.4 - Unauthenticated Authentication Bypass to Administrator Account Takeover via REST API | 06.06.2026 | 9.8 |
| CVE-2026-46389 | UDS Identity Config has a client authentication bypass in `ClientIdAndKubernetesSecretAuthenticator` | 05.06.2026 | 10 |
| CVE-2026-46390 | HAX CMS has Unauthenticated Git Access via User-Controlled Key | 05.06.2026 | |
| CVE-2026-46391 | HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis | 05.06.2026 | |
| CVE-2026-46392 | HAX CMS PHP Has a Stored XSS via Case-Sensitivity Mismatch in HTML Upload Validation | 05.06.2026 | 8.7 |
| CVE-2026-46393 | HAXcms createSite SSRF Enables Arbitrary File Read | 05.06.2026 | |
| CVE-2026-46394 | HAX CMS Vulnerable to Command Injection using Git.php | 05.06.2026 | |
| CVE-2026-46395 | HAX CMS Vulnerable to Private Key Disclosure via Broken HMAC Implementation | 05.06.2026 | |
| CVE-2026-46396 | HAX CMS has a stored XSS via <iframe> that allows access to sensitive client-side data and account takeover | 05.06.2026 | |
| CVE-2026-46399 | Authenticated Remote Code Execution via File Overwrite | 05.06.2026 | |
| CVE-2026-46496 | HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft | 05.06.2026 | |
| CVE-2026-46511 | HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack | 05.06.2026 | |
| CVE-2026-5411 | WP Captcha PRO <= 5.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload | 06.06.2026 | 8.8 |
| CVE-2026-5415 | WP Captcha PRO <= 5.38 - Authenticated (Subscriber+) Authentication Bypass via Temporary Login Link | 06.06.2026 | 8.8 |
| CVE-2025-71317 | NetMan 204 Hard-coded Backdoor Credentials | 05.06.2026 | |
| CVE-2025-71318 | NetMan 204 Missing Authentication for Administrative Functions | 05.06.2026 | |
| CVE-2026-2379 | Arista EOS IPsec Tunnel Sequence Number Mismatch via Interface Flaps when Anti-Replay is Disabled | 05.06.2026 | 5.9 |
| CVE-2026-45743 | Termix has a File-Manager Session Hijack via Missing Ownership Check (IDOR) | 05.06.2026 | 8.1 |
| CVE-2026-45744 | Termix has an OS Command Injection in File Manager resolvePath endpoint | 05.06.2026 | 9.9 |
| CVE-2026-45745 | Termix has improper certificate validation in Electron desktop client that enables MITM credential/token theft | 05.06.2026 | 8 |
| CVE-2026-45746 | Termix Vulnerable to Arbitrary Command Execution via Session Hijacking | 05.06.2026 | 9 |
| CVE-2026-45748 | Termix Vulnerable to Remote Code Execution via SSH Tunnel Forward Command Injection | 05.06.2026 | 9.8 |
| CVE-2026-45749 | Termix's TOTP two-factor authentication can be disabled or bypassed using only the account password | 05.06.2026 | 8.1 |
| CVE-2026-45750 | Termix Vulnerable to Arbitrary Command Execution in File Manager | 05.06.2026 | 9 |
| CVE-2026-49492 | Markdown Preview Enhanced OS Command Injection in External File and Link Opening | 05.06.2026 | |
| CVE-2026-49493 | Markdown Preview Enhanced Arbitrary Code Execution via Bitfield interpretJS() | 05.06.2026 | |
| CVE-2026-50733 | Markdown Preview Enhanced Arbitrary Code Execution via WaveDrom eval() | 05.06.2026 | |
| CVE-2026-11341 | D-Link DWR-M920 formIMEISetup sub_412DA0 os command injection | 05.06.2026 | |
| CVE-2026-11342 | code-projects Hotel and Tourism Reservation System details.php sql injection | 05.06.2026 | |
| CVE-2026-11344 | code-projects Vehicle Management System New Driver Registration Form newdriver.php unrestricted upload | 05.06.2026 | |
| CVE-2026-36500 | | 05.06.2026 | |
| CVE-2026-36501 | | 05.06.2026 | |
| CVE-2026-45290 | Cloudburst Network has DoS in RakNet connection handling due to missing bound checks | 05.06.2026 | 7.5 |
| CVE-2026-45291 | Cloudburst Network erroneously handles invalid connections | 05.06.2026 | 7.5 |
| CVE-2026-45327 | TinyIce: Missing authentication on WebRTC ingest endpoint allows unauthorized stream injection | 05.06.2026 | 8.2 |