| CVE-2026-10187 |
Totolink N300RH Web Management wireless.so setWiFiBasicConfig stack-based overflow |
31.05.2026 |
9.3 |
| CVE-2018-25412 |
Delta Sql 1.8.2 Arbitrary File Upload via docs_upload.php |
30.05.2026 |
9.3 |
| CVE-2026-45372 |
cpp-httplib: HTTP header value percent-decoding in server-side `parse_header` enables CRLF injection |
29.05.2026 |
9.9 |
| CVE-2026-45697 |
Formie: Pre-authenticated server-side template injection in Hidden fields |
29.05.2026 |
9.8 |
| CVE-2026-44649 |
SillyTavern: Authentication Bypass via SSO Header Injection |
29.05.2026 |
9.8 |
| CVE-2026-44650 |
SillyTavern: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
29.05.2026 |
9.1 |
| CVE-2026-47744 |
Shopper: Authorization bypass and RBAC privilege escalation in team settings |
29.05.2026 |
9.9 |
| CVE-2026-9051 |
Authentication Bypass Vulnerability in NI SystemLink Enterprise |
29.05.2026 |
9.3 |
| CVE-2026-45625 |
Arcane: Missing admin authorization on git repository endpoints allows non-admin users to exfiltrate stored Git credentials and tamper with GitOps configs |
29.05.2026 |
9.9 |
| CVE-2026-45628 |
Dokploy: Command Injection via Unescaped Branch Fields in Deployment Pipeline |
29.05.2026 |
9.6 |
| CVE-2026-45629 |
Dokploy: Authenticated Remote Code Execution via Command Injection in /listen-deployment WebSocket Endpoint |
29.05.2026 |
9.9 |
| CVE-2026-45630 |
Dokploy: Authenticated Remote Code Execution via Command Injection in updateTraefikConfig Echo Statement |
29.05.2026 |
9 |
| CVE-2026-45631 |
Dokploy: Pre-Auth Admin Takeover via Hardcoded Authentication Secret |
29.05.2026 |
10 |
| CVE-2026-45632 |
Dokploy: Schedule Authorization Bypass Enables Host/Server Command Execution |
29.05.2026 |
9.9 |
| CVE-2026-45633 |
Dokploy: Command Injection in /docker-container-logs Endpoint |
29.05.2026 |
9.9 |
| CVE-2026-45661 |
Dokploy: Remote Code Execution through Path Traversal |
29.05.2026 |
9.9 |
| CVE-2026-45668 |
Trilium Notes : Note Import to RCE via #docName Path Traversal (Safe Import Enabled) |
29.05.2026 |
9.3 |
| CVE-2026-5386 |
KMW CCTV Security Cameras Unverified Password Change |
29.05.2026 |
9.1 |
| CVE-2026-7786 |
Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter Use of Hard-coded Credentials |
29.05.2026 |
9.8 |
| CVE-2026-44962 |
|
29.05.2026 |
10 |
| CVE-2026-45663 |
Dokploy: Remote Code Execution via destinationPath in Container File Upload |
29.05.2026 |
9.9 |
| CVE-2026-10042 |
manga-image-translator RCE via Unsafe Pickle Deserialization in Share Model |
29.05.2026 |
9.2 |
| CVE-2026-4290 |
WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators |
29.05.2026 |
9.1 |
| CVE-2026-46376 |
FreePBX: Unauthenticated Use of Hard-Coded Credentials Vulnerability in FreePBX UCP Interface |
29.05.2026 |
9.3 |
| CVE-2026-10071 |
Interinfo|DreamMaker - Arbitrary File Upload |
29.05.2026 |
9.3 |
| CVE-2026-45043 |
RustFS: ImportIam Allows Creation of Backdoor Service Accounts Under Any Parent Including Root |
29.05.2026 |
9.3 |
| CVE-2026-45312 |
RAGFlow: Server-Side Template Injection in Prompt Generator leads to Remote Code Execution |
29.05.2026 |
9.9 |
| CVE-2026-8326 |
Remote Spark SparkView Path Traversal in RDP Drive Redirection leading to RCE |
29.05.2026 |
10 |
| CVE-2026-9508 |
Incorrect Permission Assignment for Critical Resource vulnerability in Suprema's BioStar |
29.05.2026 |
10 |
| CVE-2025-41269 |
|
29.05.2026 |
9.3 |
| CVE-2025-41270 |
|
29.05.2026 |
9.3 |
| CVE-2025-41272 |
|
29.05.2026 |
9.3 |
| CVE-2025-41273 |
|
29.05.2026 |
9.3 |
| CVE-2025-41274 |
|
29.05.2026 |
9.3 |
| CVE-2025-41275 |
|
29.05.2026 |
9.3 |
| CVE-2025-41276 |
|
29.05.2026 |
9.3 |
| CVE-2025-41277 |
|
29.05.2026 |
9.3 |
| CVE-2026-9559 |
|
29.05.2026 |
9.9 |
| CVE-2026-49201 |
Acer Wave 7 router: Hardcoded Cryptographic Key |
29.05.2026 |
10 |
| CVE-2026-9558 |
|
29.05.2026 |
9.9 |
| CVE-2026-49197 |
Predator Connect W6x: Improper Authentication |
29.05.2026 |
10 |
| CVE-2026-49199 |
Predator Connect W6x: RCE via MQTT |
29.05.2026 |
10 |
| CVE-2026-49200 |
Acer Wave 7 router: Broken Access Control |
29.05.2026 |
10 |
| CVE-2026-3655 |
OTP Login With Phone Number, OTP Verification <= 1.8.60 - Unauthenticated Authentication Bypass via Firebase OTP Verification |
29.05.2026 |
9.8 |
| CVE-2026-8732 |
WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action |
29.05.2026 |
9.8 |
| CVE-2026-8809 |
Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter |
29.05.2026 |
9.8 |
| CVE-2026-44848 |
Portainer: Missing authorization on Docker plugin endpoints allows host RCE |
28.05.2026 |
9.4 |
| CVE-2026-44849 |
Portainer: Endpoint security bypass via Swarm service create/update |
29.05.2026 |
9.4 |
| CVE-2026-34311 |
|
29.05.2026 |
9.8 |
| CVE-2026-45288 |
Marten has an SQL injection vulnerability in its full-text search regConfig parameter |
30.05.2026 |
9.8 |
| CVE-2026-46775 |
|
29.05.2026 |
9.9 |
| CVE-2026-46817 |
|
29.05.2026 |
9.8 |
| CVE-2026-46819 |
|
29.05.2026 |
9.1 |
| CVE-2026-46822 |
|
29.05.2026 |
9.9 |
| CVE-2026-46824 |
|
29.05.2026 |
9.9 |
| CVE-2026-46833 |
|
29.05.2026 |
9 |
| CVE-2026-46839 |
|
29.05.2026 |
9.9 |
| CVE-2026-46840 |
|
29.05.2026 |
10 |
| CVE-2026-9645 |
ScadaBR Authenticated Remote Code Execution |
29.05.2026 |
9.9 |
| CVE-2026-9037 |
Download of code without integrity check in XCharge C6 |
29.05.2026 |
9.3 |
| CVE-2026-45039 |
RustFS: Internode RPC HMAC secret falls back to public default credential, enabling peer impersonation |
30.05.2026 |
9.8 |
| CVE-2026-43898 |
SandboxJS: Sandbox escape via Function.caller leakage of internal call op |
28.05.2026 |
10 |
| CVE-2026-45058 |
electerm: Import unsafe bookmark data could lead to unsafe operation when click local type bookmark |
30.05.2026 |
9.4 |
| CVE-2026-45311 |
CodeWhale: run_tests Tool Enables RCE via Malicious Repository Without Approval |
28.05.2026 |
9.6 |
| CVE-2026-45323 |
MeshCore Card: XSS vulnerability through meshcore node name |
29.05.2026 |
9.6 |
| CVE-2026-45353 |
electerm: Local code through electerm's single-instance socket |
28.05.2026 |
9.3 |
| CVE-2026-45374 |
CodeWhale: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files |
30.05.2026 |
9.6 |
| CVE-2026-24444 |
SDMC NE6037 Hardcoded Password via mgmt.php/npcmd.php |
28.05.2026 |
9.3 |
| CVE-2026-44477 |
CloudNativePG: Metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE |
28.05.2026 |
9.4 |
| CVE-2026-45261 |
GitButler: Link injection via forge integration enables arbitrary script execution |
30.05.2026 |
9.3 |
| CVE-2026-44672 |
mapfish-print: Remote Code Injection (RCE) in Dynamic table |
28.05.2026 |
9.3 |
| CVE-2026-8979 |
Authentication Bypass |
28.05.2026 |
9.3 |
| CVE-2026-8980 |
Privilege Escalation |
28.05.2026 |
9.3 |
| CVE-2026-46115 |
block: add pgmap check to biovec_phys_mergeable |
30.05.2026 |
9.8 |
| CVE-2026-46119 |
libceph: Fix slab-out-of-bounds access in auth message processing |
30.05.2026 |
9.1 |
| CVE-2026-46135 |
nvmet-tcp: fix race between ICReq handling and queue teardown |
30.05.2026 |
9.8 |
| CVE-2026-46137 |
mptcp: pm: ADD_ADDR rtx: fix potential data-race |
30.05.2026 |
9.8 |
| CVE-2026-46155 |
smb/client: fix out-of-bounds read in smb2_compound_op() |
30.05.2026 |
9.1 |
| CVE-2026-46185 |
smb/client: fix out-of-bounds read in symlink_data() |
30.05.2026 |
9.1 |
| CVE-2026-46195 |
smb: client: validate dacloffset before building DACL pointers |
30.05.2026 |
9.8 |
| CVE-2026-4408 |
Samba: remote code execution in samr |
29.05.2026 |
9 |
| CVE-2026-32998 |
|
29.05.2026 |
9.4 |
| CVE-2026-32999 |
|
28.05.2026 |
9.1 |
| CVE-2026-9739 |
|
28.05.2026 |
9.4 |
| CVE-2026-45083 |
Goobi viewer: Unauthenticated Solr Streaming Expression Proxy |
28.05.2026 |
9.8 |
| CVE-2026-44590 |
Sherlock: Command Injection via pull_request_target in validate_modified_targets.yml |
28.05.2026 |
9.3 |
| CVE-2026-8362 |
Gladinet Triofox Stack-based Buffer Overflow in WOSDefaultHttpModule.dll |
28.05.2026 |
9.8 |
| CVE-2026-8363 |
Gladinet Triofox Stack-based Buffer Overflow in WOSDeviceDropFolder.dll |
28.05.2026 |
9.8 |
| CVE-2026-8364 |
Gladinet Triofox Missing Authentication for Critical Functions |
28.05.2026 |
9.8 |
| CVE-2026-44887 |
Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Path) |
28.05.2026 |
9.8 |
| CVE-2026-44888 |
Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Interger) |
28.05.2026 |
9.8 |
| CVE-2026-45102 |
OneUptime: RCE due to Node.js' vm module escape via error objects and infinite recursion |
30.05.2026 |
9.9 |
| CVE-2026-45087 |
Dalfox: Unauthenticated Remote Code Execution via `found-action` in Dalfox Server Mode |
28.05.2026 |
10 |
| CVE-2026-46425 |
Budibase: SCIM endpoints lack role-based authorization, BASIC users CRUD tenant users |
28.05.2026 |
9.9 |
| CVE-2026-48150 |
Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign |
27.05.2026 |
9 |
| CVE-2026-44315 |
free5GC: NEF 3gpp-pfd-management API is unauthenticated; forged bearer tokens can create, read, and delete PFD transactions |
27.05.2026 |
9.4 |
| CVE-2026-44326 |
free5GC: NEF 3gpp-traffic-influence API is unauthenticated; missing or forged bearer tokens can create, read, patch, and delete subscriptions |
27.05.2026 |
9.4 |
| CVE-2026-44327 |
free5GC: NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM handler |
28.05.2026 |
10 |
| CVE-2026-44329 |
free5GC: SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers |
28.05.2026 |
10 |
| CVE-2026-44330 |
free5GC: NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens can read PFD data and create/delete PFD subscriptions |
27.05.2026 |
10 |
| CVE-2026-48027 |
Compromised Nx Console version 18.95.0 |
28.05.2026 |
9.3 |
| CVE-2026-49103 |
|
27.05.2026 |
9.4 |
| CVE-2026-35087 |
Authentication Bypass in Slican telephone exchanges |
27.05.2026 |
9.3 |
| CVE-2026-35090 |
Authentication Bypass in Slican telephone exchanges |
27.05.2026 |
9.3 |
| CVE-2026-45898 |
RDMA/iwcm: Fix workqueue list corruption by removing work_list |
30.05.2026 |
9.8 |
| CVE-2026-45972 |
smb: client: fix potential UAF and double free in smb2_open_file() |
30.05.2026 |
9.8 |
| CVE-2026-45988 |
rxrpc: Fix re-decryption of RESPONSE packets |
30.05.2026 |
9.8 |
| CVE-2026-46039 |
rxgk: Fix potential integer overflow in length check |
30.05.2026 |
9.8 |
| CVE-2026-46043 |
RDMA/rxe: Validate pad and ICRC before payload_size() in rxe_rcv |
30.05.2026 |
9.1 |
| CVE-2026-7524 |
Path Traversal Vulnerability in File Processing Components Allows Unauthorized File System Access and Potential Remote Code Execution |
28.05.2026 |
9.8 |
| CVE-2026-8175 |
Multiple vulnerabilities in Aspera applications. |
28.05.2026 |
9.8 |
| CVE-2026-42727 |
WordPress Active Products Tables for WooCommerce plugin <= 1.0.8 - SQL Injection vulnerability |
27.05.2026 |
9.3 |
| CVE-2026-42731 |
WordPress miniorange otp verification plugin <= 5.4.9 - Privilege Escalation vulnerability |
27.05.2026 |
9.8 |
| CVE-2026-42740 |
WordPress Tainacan plugin <= 1.0.3 - SQL Injection vulnerability |
27.05.2026 |
9.3 |
| CVE-2026-42747 |
WordPress Easy Form Builder plugin <= 4.0.6 - SQL Injection vulnerability |
27.05.2026 |
9.3 |
| CVE-2026-42748 |
WordPress WPify Woo Czech plugin <= 5.4.1 - Arbitrary File Upload vulnerability |
27.05.2026 |
9.9 |
| CVE-2026-42755 |
WordPress TableOn plugin <= 1.0.5.1 - SQL Injection vulnerability |
27.05.2026 |
9.3 |
| CVE-2026-42756 |
WordPress QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly plugin <= 3.2.7 - Arbitrary File Deletion vulnerability |
27.05.2026 |
9.9 |
| CVE-2026-42757 |
WordPress WebinarIgnition plugin < 4.08.253 - Arbitrary File Deletion vulnerability |
27.05.2026 |
9.9 |
| CVE-2026-42758 |
WordPress WebinarIgnition plugin < 4.08.253 - Privilege Escalation vulnerability |
27.05.2026 |
9.8 |
| CVE-2026-42761 |
WordPress Active Products Tables for WooCommerce plugin <= 1.0.9 - SQL Injection vulnerability |
27.05.2026 |
9.3 |
| CVE-2026-48906 |
Extension - tassos.gr - Arbitrary File Deletion in Novarain/Tassos Framework < 6.1.0 for Joomla |
27.05.2026 |
9.3 |
| CVE-2025-12686 |
|
27.05.2026 |
9.8 |
| CVE-2026-49002 |
Broken Access Control Vulnerabily in ZTE ZXUniPOS NDS-LTE product |
28.05.2026 |
9.1 |
| CVE-2026-8054 |
Unauthenticated SQL Injection in dotCMS Publish Audit API |
27.05.2026 |
10 |
| CVE-2026-8760 |
Login with OTP <= 1.6 - Unauthenticated Authentication Bypass via OTP Brute Force |
27.05.2026 |
9.8 |
| CVE-2026-9312 |
Server-Side Request Forgery vulnerability in GitHub Enterprise Server allowed access to internal services via path traversal in upload endpoint |
28.05.2026 |
9.2 |
| CVE-2026-44895 |
GitLab MCP Server: SSE transport has no authentication and wildcard CORS, exposing all GitLab tools |
27.05.2026 |
9.2 |
| CVE-2026-44444 |
Lumiverse: Spindle extension install runs untrusted lifecycle scripts before security scan |
27.05.2026 |
9.1 |
| CVE-2026-44449 |
Lumiverse: SMB `exists()` basename injection via smbclient `!cmd` escape |
27.05.2026 |
9.1 |
| CVE-2026-44450 |
Lumiverse: RCE via MCP stdio argument injection |
26.05.2026 |
9.9 |
| CVE-2026-44451 |
Lumiverse: TSX component sandbox escape via DOM ref and string-split identifier bypass |
27.05.2026 |
9.3 |
| CVE-2026-9642 |
Delta Electronics DIAView Patch Bypass |
26.05.2026 |
9.8 |
| CVE-2026-3660 |
IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to Authentication Bypass |
28.05.2026 |
9.8 |
| CVE-2026-44668 |
Faction: Unauthenticated Read, Modify, and Delete of Boilerplate Templates |
27.05.2026 |
9.8 |
| CVE-2026-46624 |
Twenty: SQL Injection via the timeZone field |
26.05.2026 |
9.9 |
| CVE-2026-47202 |
Kavita: Pre-Auth Account Takeover |
27.05.2026 |
9.3 |
| CVE-2026-7251 |
Eppendorf BioFlo 320 Use of hard-coded password |
26.05.2026 |
9.3 |
| CVE-2026-8633 |
IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by multiple vulnerabilities when using when using Web Server Plug-ins |
27.05.2026 |
9.8 |
| CVE-2026-2264 |
Server-Side Request Forgery and Credential Exfiltration in Google Cloud Apigee via SetIntegrationRequest Policy. |
26.05.2026 |
9.2 |
| CVE-2026-45721 |
Algernon: handler.lua discovery walks parent directories above the server root |
26.05.2026 |
9 |
| CVE-2026-45247 |
Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection |
26.05.2026 |
9.3 |
| CVE-2026-7374 |
Kubevirt: kubevirt virt-handler: privilege escalation and node compromise via symlink following vulnerability |
28.05.2026 |
9.9 |
| CVE-2026-9543 |
Totolink N300RH Web Management cstecgi.cgi setPasswordCfg os command injection |
26.05.2026 |
9.3 |
| CVE-2026-42773 |
WordPress eMagicOne Store Manager plugin <= 1.3.2 - SQL Injection vulnerability |
26.05.2026 |
9.3 |
| CVE-2026-42774 |
WordPress JetEngine plugin <= 3.8.8.1 - SQL Injection vulnerability |
26.05.2026 |
9.3 |
| CVE-2026-9477 |
Totolink A8000RU Web Management cstecgi.cgi setAccessDeviceCfg os command injection |
26.05.2026 |
9.3 |
| CVE-2026-9478 |
Totolink A8000RU Web Management cstecgi.cgi setParentalRules os command injection |
27.05.2026 |
9.3 |
| CVE-2026-9475 |
Totolink A8000RU Web Management cstecgi.cgi setIpQosRules os command injection |
26.05.2026 |
9.3 |
| CVE-2026-9476 |
Totolink A8000RU Web Management cstecgi.cgi setPasswordCfg os command injection |
28.05.2026 |
9.3 |
| CVE-2026-9058 |
Improper Certificate Verification in Szafir SDK |
26.05.2026 |
9.3 |
| CVE-2026-9457 |
Totolink A8000RU Web Management cstecgi.cgi UploadFirmwareFile os command injection |
26.05.2026 |
9.3 |
| CVE-2026-9458 |
Totolink A8000RU Web Management cstecgi.cgi setWanCfg os command injection |
28.05.2026 |
9.3 |
| CVE-2026-9454 |
Totolink A8000RU Web Management cstecgi.cgi setOpenVpnCertGenerationCfg os command injection |
28.05.2026 |
9.3 |
| CVE-2026-9455 |
Totolink A8000RU Web Management cstecgi.cgi UploadOpenVpnCert os command injection |
26.05.2026 |
9.3 |
| CVE-2026-9456 |
Totolink A8000RU Web Management cstecgi.cgi setOpenVpnCfg os command injection |
26.05.2026 |
9.3 |
| CVE-2026-9435 |
Totolink A8000RU Web Management cstecgi.cgi setQosCfg os command injection |
26.05.2026 |
9.3 |
| CVE-2026-9436 |
Totolink A8000RU Web Management cstecgi.cgi setL2tpServerCfg os command injection |
28.05.2026 |
9.3 |
| CVE-2026-2651 |
Missing Authorization Validation in mlflow/mlflow |
27.05.2026 |
9 |
| CVE-2026-9432 |
Totolink A8000RU Web Management cstecgi.cgi setWiFiAdvancedCfg os command injection |
26.05.2026 |
9.3 |
| CVE-2026-9433 |
Totolink A8000RU Web Management cstecgi.cgi setMacFilterRules os command injection |
26.05.2026 |
9.3 |
| CVE-2026-9434 |
Totolink A8000RU Web Management cstecgi.cgi setWiFiWpsCfg os command injection |
28.05.2026 |
9.3 |
| CVE-2026-9407 |
Totolink A8000RU Web Management cstecgi.cgi setFirewallType os command injection |
26.05.2026 |
9.3 |
| CVE-2026-9408 |
Totolink A8000RU Web Management cstecgi.cgi setStaticDhcpRules os command injection |
26.05.2026 |
9.3 |
| CVE-2026-9405 |
Totolink A8000RU Web Management cstecgi.cgi setGameSpeedCfg os command injection |
26.05.2026 |
9.3 |
| CVE-2026-9406 |
Totolink A8000RU Web Management cstecgi.cgi setRemoteCfg os command injection |
27.05.2026 |
9.3 |
| CVE-2026-9404 |
Totolink A8000RU Web Management cstecgi.cgi setDdnsCfg os command injection |
29.05.2026 |
9.3 |
| CVE-2026-9397 |
Besen BS20 EV Charging Station OTA Update Installation improper authorization |
26.05.2026 |
9.2 |