CVE Field Guide

Critical CVEs

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2026-8598 | Unauthenticated Export Service in ZKTeco CCTV Cameras | 20.05.2026 | 9.1 |
| CVE-2026-8467 | Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground | 20.05.2026 | 9.5 |
| CVE-2026-22314 | | 20.05.2026 | 9 |
| CVE-2026-33278 | Possible arbitrary code execution during DNSSEC validation | 20.05.2026 | 9.1 |
| CVE-2026-9059 | NextGEN Gallery - SQL Injection | 20.05.2026 | 9.3 |
| CVE-2026-9065 | Surecart - SQL Injection | 20.05.2026 | 9.3 |
| CVE-2026-24207 | | 20.05.2026 | 9.8 |
| CVE-2026-7637 | Boost <= 2.0.3 - Unauthenticated PHP Object Injection via STYXKEY-BOOST_USER_LOCATION Cookie | 20.05.2026 | 9.8 |
| CVE-2026-6555 | ProSolution WP Client <= 2.0.0 - Unauthenticated Arbitrary File Upload via 'files' | 20.05.2026 | 9.8 |
| CVE-2026-7284 | Easy Elements for Elementor <= 1.4.4 - Unauthenticated Privilege Escalation via easyel_handle_register | 20.05.2026 | 9.8 |
| CVE-2026-34234 | CtrlPanel: Unauthenticated RCE using installer script | 19.05.2026 | 10 |
| CVE-2026-33642 | Kitty has a Heap Buffer Over-Read/Write via Integer Overflow in compose_rectangles Bounds Check | 19.05.2026 | 9.9 |
| CVE-2026-47357 | | 19.05.2026 | 9.3 |
| CVE-2026-47358 | | 19.05.2026 | 9.3 |
| CVE-2026-2586 | | 20.05.2026 | 9.1 |
| CVE-2026-2587 | | 20.05.2026 | 9.6 |
| CVE-2026-44159 | Tyler Identity Local (TID-L) default administrative credentials | 19.05.2026 | 9.3 |
| CVE-2026-8711 | NGINX JavaScript vulnerability | 20.05.2026 | 9.2 |
| CVE-2026-42097 | Authentication Bypass in Sparx Pro Cloud Server | 19.05.2026 | 9.3 |
| CVE-2026-43633 | HestiaCP 1.9.0-1.9.4 Deserialization RCE via Web Terminal | 19.05.2026 | 9.5 |
| CVE-2026-4883 | Piotnet Forms <= 2.1.40 - Unauthenticated Arbitrary File Upload via Form File Upload | 19.05.2026 | 9.8 |
| CVE-2026-2611 | Improper Origin Validation in mlflow/mlflow | 19.05.2026 | 9.6 |
| CVE-2026-46725 | Remote Code Execution in extension "Content Element Selector" (ceselector) | 19.05.2026 | 9.2 |
| CVE-2026-4885 | Piotnet Addons for Elementor Pro <= 7.1.70 - Unauthenticated Arbitrary File Upload via Form File Upload | 19.05.2026 | 9.8 |
| CVE-2026-27130 | Dokploy has Command Injection in its Service Operations | 19.05.2026 | 9.9 |
| CVE-2026-25244 | WebdriverIO has Command Injection in the BrowserStack Service | 19.05.2026 | 9.8 |
| CVE-2026-8838 | Remote Code Execution via eval() Injection in amazon-redshift-python-driver | 19.05.2026 | 9.3 |
| CVE-2026-8836 | lwIP snmpv3 USM snmp_msg.c snmp_parse_inbound_frame stack-based overflow | 18.05.2026 | 9.3 |
| CVE-2026-42822 | Azure Local Disconnected Operations (ALDO) Elevation of Privilege Vulnerability | 20.05.2026 | 10 |
| CVE-2026-45829 | | 19.05.2026 | 10 |
| CVE-2026-41947 | Dify v1.14.1 Authorization Bypass via Trace Configuration Endpoints | 18.05.2026 | 9.1 |
| CVE-2026-41948 | Dify v1.14.1 Path Traversal via Plugin Daemon Internal API Access | 18.05.2026 | 9.2 |
| CVE-2026-4320 | Authorization Bypass in ICMS Content Management by Creartia Internet Consulting | 18.05.2026 | 9.3 |
| CVE-2018-25320 | ACL Analytics 11.x - 13.0.0.579 Arbitrary Code Execution | 18.05.2026 | 9.3 |
| CVE-2018-25332 | GitBucket 4.23.1 Unauthenticated Remote Code Execution | 18.05.2026 | 9.3 |
| CVE-2018-25335 | WordPress Plugin Peugeot Music 1.0 Arbitrary File Upload | 18.05.2026 | 9.3 |
| CVE-2020-37228 | iDS6 DSSPro Digital Signage System 6.2 CAPTCHA Security Bypass | 18.05.2026 | 9.3 |
| CVE-2020-37239 | libbabl 0.1.62 Broken Double Free Detection Memory Safety | 18.05.2026 | 9.3 |
| CVE-2021-47952 | python jsonpickle 2.0.0 Remote Code Execution via py/repr | 18.05.2026 | 9.3 |
| CVE-2026-44551 | Open WebUI: LDAP Empty Password Authentication Bypass | 19.05.2026 | 9.1 |
| CVE-2021-47965 | WordPress Plugin WP Super Edit 2.5.4 Unrestricted File Upload | 15.05.2026 | 9.3 |
| CVE-2026-45010 | phpMyFAQ - Unauthenticated Two-Factor Authentication Brute-Force via /admin/check Endpoint | 15.05.2026 | 9.1 |
| CVE-2026-46364 | phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha | 15.05.2026 | 9.8 |
| CVE-2026-42155 | Magento LTS: Weak API Session ID — Predictable MD5 of Time-Derived Inputs | 15.05.2026 | 9.3 |
| CVE-2026-44717 | MCP Calculate Server: Prompt Injection to RCE | 15.05.2026 | 9.8 |
| CVE-2026-45035 | Tabby: RCE via `tabby://run` URL Scheme | 20.05.2026 | 9.4 |
| CVE-2026-41258 | OpenMRS: Stored Velocity SSTI to RCE via ConceptReferenceRange | 15.05.2026 | 9.1 |
| CVE-2026-44699 | LibJWT: Algorithm confusion allows JWT forgery with RSA JWK as empty-key HMAC | 15.05.2026 | 9.1 |
| CVE-2026-2031 | Google Cloud Application Integration: Exposed internal APIs allow Information Disclosure and Remote Code Execution. | 15.05.2026 | 10 |
| CVE-2026-41552 | Path Traversal in PDF Export Module | 15.05.2026 | 9.2 |
| CVE-2026-41553 | Remote Code Execution in PDF Export Module | 15.05.2026 | 10 |
| CVE-2026-7182 | Path Traversal in Diagram | 15.05.2026 | 9.2 |
| CVE-2026-5229 | Receive Notifications After Form Submitting – Form Notify for Any Forms <= 1.1.10 - Unauthenticated Authentication Bypass via LINE OAuth Callback | 15.05.2026 | 9.8 |
| CVE-2026-8398 | | 16.05.2026 | 9.3 |
| CVE-2026-0481 | | 15.05.2026 | 9.2 |
| CVE-2026-44212 | PrestaShop: Stored XSS executable in customer service view | 15.05.2026 | 9.3 |
| CVE-2026-44666 | HRConvert2: Missing Sanitization enables Unauthenticated Remote Command Execution | 15.05.2026 | 9.3 |
| CVE-2026-8634 | Crabbox < v0.12.0 Environment Variable Information Disclosure | 15.05.2026 | 9.3 |
| CVE-2026-22599 | Strapi Vulnerable to SQL Injection in Content Type Builder | 14.05.2026 | 9.3 |
| CVE-2026-27886 | Strapi may leak sensitive data via relational filtering due to lack of query sanitization | 14.05.2026 | 9.2 |
| CVE-2026-41315 | mdserver-web: Missing Authorization and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 16.05.2026 | 9.3 |
| CVE-2026-44523 | Note Mark: JWT Secret Weakness allows Full Account Takeover via token forgery | 15.05.2026 | 10 |
| CVE-2026-44588 | SiYuan: URL-encoded title bypasses `escapeAriaLabel`, decoded by `decodeURIComponent` into a tooltip-XSS | 15.05.2026 | 9.4 |
| CVE-2026-44592 | Gradient: Unauthenticated worker on /proto → arbitrary NAR write / cache poisoning | 16.05.2026 | 9.4 |
| CVE-2026-44670 | SiYuan: Stored XSS via Attribute View name to Electron renderer RCE in SiYuan | 15.05.2026 | 9.4 |
| CVE-2026-45375 | SiYuan: Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution | 16.05.2026 | 9 |
| CVE-2026-41615 | Microsoft Authenticator Information Disclosure Vulnerability | 20.05.2026 | 9.6 |
| CVE-2026-44542 | FileBrowser Quantum: Unauthenticated Path Traversal in Public Share Delete Allows Arbitrary File Deletion | 15.05.2026 | 9.1 |
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability | 15.05.2026 | 10 |
| CVE-2026-42555 | Valtimo: SpEL injection via StandardEvaluationContext allows Remote Code Execution by admin users | 14.05.2026 | 9.1 |
| CVE-2026-42281 | MagicMirror²: Unauthenticated SSRF via /cors endpoint | 14.05.2026 | 9.2 |
| CVE-2026-42589 | Gotenberg: Unauthenticated RCE via ExifTool Metadata Key Injection | 14.05.2026 | 9.8 |
| CVE-2026-42596 | Gotenberg: Unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook | 15.05.2026 | 9.4 |
| CVE-2026-42457 | vCluster Platform: Stored XSS can lead to privilege escalation | 14.05.2026 | 9 |
| CVE-2026-44482 | soundcloud-rpc: Remote Code Execution via XSS in Track Title | 14.05.2026 | 9.6 |
| CVE-2026-44484 | Compromise of PyTorch Lightning PyPi Package Versions | 15.05.2026 | 9.3 |
| CVE-2025-11024 | SQLi in Akıllı Ticaret's E-Commerce Pack | 14.05.2026 | 9.8 |
| CVE-2026-2347 | IDOR in Akıllı Ticaret's E-Commerce Pack | 14.05.2026 | 9.8 |
| CVE-2026-6512 | InfusedWoo Pro <= 5.1.2 - Unauthenticated Missing Authorization to Arbitrary Post Deletion via Multiple Parameters | 14.05.2026 | 9.1 |
| CVE-2026-6271 | Career Section <= 1.7 - Unauthenticated Arbitrary File Upload | 14.05.2026 | 9.8 |
| CVE-2026-6510 | InfusedWoo Pro <= 5.1.2 - Unauthenticated Missing Authorization to Privilege Escalation via 'iwar_save_recipe' | 14.05.2026 | 9.8 |
| CVE-2026-8181 | Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover | 14.05.2026 | 9.8 |

Latest Updates

| CVE | Title | Updated | Score |
|---|---|---|---|
| CVE-2023-7346 | Ledger Bitcoin App 2.1.0 Address Derivation Error via Miniscript | 20.05.2026 | 4 |
| CVE-2025-32750 | | 20.05.2026 | 7.5 |
| CVE-2026-39047 | | 20.05.2026 | |
| CVE-2026-4293 | Kieback & Peter DDC Building Controllers Cross-site Scripting | 20.05.2026 | 5.3 |
| CVE-2026-5783 | Reflected XSS in Beyaz Computer's CityPLus | 20.05.2026 | 7.6 |
| CVE-2026-8486 | Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation | 20.05.2026 | 5.3 |
| CVE-2026-8487 | Incorrect default permissions vulnerability in Progress Software MOVEit Automation | 20.05.2026 | 6.5 |
| CVE-2026-8488 | Allocation of resources without limits or throttling vulnerability in Progress Software MOVEit Automation | 20.05.2026 | 4.3 |
| CVE-2026-8598 | Unauthenticated Export Service in ZKTeco CCTV Cameras | 20.05.2026 | |
| CVE-2026-9084 | MISP OIDC authentication bypass via automatic email-based account linking under insecure IdP configurations | 20.05.2026 | |
| CVE-2026-21836 | HCL DominoIQ is affected by broken access control | 20.05.2026 | 6.5 |
| CVE-2026-22554 | | 20.05.2026 | 7.8 |
| CVE-2026-24425 | Twig 2.16.x & 3.9.0-3.25.x Sandbox Bypass via SourcePolicyInterface | 20.05.2026 | |
| CVE-2026-47068 | Cross-session PubSub topic injection via URL parameter in phoenix_storybook | 20.05.2026 | |
| CVE-2026-8467 | Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground | 20.05.2026 | |
| CVE-2026-8469 | Unauthenticated denial-of-service via BEAM atom table exhaustion in phoenix_storybook | 20.05.2026 | |
| CVE-2026-8485 | Uncontrolled Memory Allocation vulnerability in Progress Software MOVEit Automation | 20.05.2026 | 5.9 |
| CVE-2025-11954 | CSRF in Sitemio's WISECP | 20.05.2026 | 8 |
| CVE-2026-24573 | WordPress Visualizer plugin < 4.0.0 - Cross Site Scripting (XSS) vulnerability | 20.05.2026 | 6.5 |
| CVE-2026-27405 | WordPress WpBookingly plugin <= 1.2.9 - Broken Access Control vulnerability | 20.05.2026 | 6.5 |
| CVE-2026-27424 | WordPress Image Photo Gallery Final Tiles Grid plugin <= 3.6.11 - Broken Access Control vulnerability | 20.05.2026 | 4.3 |
| CVE-2026-29518 | Rsync < 3.4.3 TOCTOU Race Condition Allows Symlink-Based Arbitrary File Write | 20.05.2026 | |
| CVE-2026-3039 | BIND 9 server memory exhaustion during GSS-API TKEY negotiation | 20.05.2026 | 7.5 |
| CVE-2026-3592 | Amplification vulnerabilities via self-pointed glue records | 20.05.2026 | 5.3 |
| CVE-2026-3593 | Heap use-after-free vulnerability in BIND 9 DNS-over-HTTPS implementation | 20.05.2026 | 7.4 |
| CVE-2026-41091 | Microsoft Defender Elevation of Privilege Vulnerability | 20.05.2026 | 7.8 |
| CVE-2026-42383 | WordPress YITH WooCommerce Product Add-Ons plugin <= 4.29.0 - SQL Injection vulnerability | 20.05.2026 | 7.6 |
| CVE-2026-42834 | Windows Admin Center in Azure Portal Elevation of Privilege Vulnerability | 20.05.2026 | 7.8 |
| CVE-2026-45443 | WordPress PDF for Elementor Forms + Drag And Drop Template Builder plugin <= 5.5.1 - Broken Access Control vulnerability | 20.05.2026 | 5 |
| CVE-2026-45498 | Microsoft Defender Denial of Service Vulnerability | 20.05.2026 | 4 |
| CVE-2026-45584 | Microsoft Defender Remote Code Execution Vulnerability | 20.05.2026 | 8.1 |
| CVE-2026-5946 | Invalid handling of CLASS != IN | 20.05.2026 | 7.5 |
| CVE-2026-5947 | SIG(0) validation during query flood may lead to undefined behavior | 20.05.2026 | 7.5 |
| CVE-2026-5950 | Unbounded resend loop in BIND 9 resolver | 20.05.2026 | 5.3 |
| CVE-2025-31973 | HCL BigFix Service Management (SM) is susceptible to a Configuration – 'Insecure Use of Base Image Version' | 20.05.2026 | 4 |
| CVE-2025-31985 | HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure “X-Content-Type-Options” header | 20.05.2026 | 3.7 |
| CVE-2026-0856 | | 20.05.2026 | 7.8 |
| CVE-2026-0857 | | 20.05.2026 | 6 |
| CVE-2026-22314 | | 20.05.2026 | 9 |
| CVE-2026-22315 | | 20.05.2026 | 7.2 |
| CVE-2026-25602 | | 20.05.2026 | 4.4 |
| CVE-2026-32792 | Packet of death with DNSCrypt | 20.05.2026 | |
| CVE-2026-33278 | Possible arbitrary code execution during DNSSEC validation | 20.05.2026 | |
| CVE-2026-35070 | | 20.05.2026 | 6.4 |
| CVE-2026-40622 | Another 'ghost domain names' attack variant | 20.05.2026 | |
| CVE-2026-41054 | Missing exit out of permission check in haveged could lead to root exploit | 20.05.2026 | 7.8 |
| CVE-2026-41292 | Long list of incoming EDNS options degrades performance | 20.05.2026 | |
| CVE-2026-42534 | Jostle logic bypass degrades resolution performance | 20.05.2026 | |
| CVE-2026-42923 | Degradation of service with unbounded NSEC3 hash calculations | 20.05.2026 | |
| CVE-2026-42944 | Heap overflow with multiple NSID, COOKIE, PADDING EDNS options | 20.05.2026 | |
| CVE-2026-42959 | Crash during DNSSEC validation of malicious content | 20.05.2026 | |
| CVE-2026-42960 | Possible cache poisoning via promiscuous records for the authority section | 20.05.2026 | |
| CVE-2026-44390 | Unbounded name compression in certain cases causes degradation of service | 20.05.2026 | |
| CVE-2026-44608 | Use after free and crash under special conditions in RPZ code | 20.05.2026 | |
| CVE-2026-44933 | Path Traversal in Plugin Loading in libzypp | 20.05.2026 | 7.8 |
| CVE-2026-6728 | Slider Revolution <= 7.0.9 - Unauthenticated Sensitive Information Exposure via 'sliders/stream' | 20.05.2026 | 5.3 |
| CVE-2026-9064 | 389-ds-base: 389-ds-base: unbounded ldap controls count in get_ldapmessage_controls_ext() causes cpu and heap amplification (remote dos) | 20.05.2026 | |
| CVE-2026-9059 | NextGEN Gallery - SQL Injection | 20.05.2026 | |
| CVE-2026-9065 | Surecart - SQL Injection | 20.05.2026 | |
| CVE-2026-5200 | AcyMailing <= 10.8.2 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via 'acymailing_router' | 20.05.2026 | 8.8 |
| CVE-2026-6405 | Anomify AI <= 0.3.6 - Cross-Site Request Forgery | 20.05.2026 | 4.3 |
| CVE-2026-2955 | AI Chatbot & Workflow Automation by AIWU <= 1.4.14 - Unauthenticated Stored Cross-Site Scripting via 'X-Forwarded-For' Header | 20.05.2026 | 6.4 |
| CVE-2026-44392 | | 20.05.2026 | |
| CVE-2026-47783 | | 20.05.2026 | 8.1 |
| CVE-2026-47784 | | 20.05.2026 | 8.1 |
| CVE-2026-5776 | Email Encoder < 2.4.7 - Unauthenticated Stored XSS | 20.05.2026 | |
| CVE-2026-6566 | Photo Gallery, Sliders, Proofing and Themes <= 4.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Image Deletion via REST API | 20.05.2026 | 4.3 |
| CVE-2026-7385 | Decent Comments < 3.0.2 - Unauthenticated Email Address Disclosure | 20.05.2026 | |
| CVE-2026-5075 | All in One SEO <= 4.9.7 - Authenticated (Contributor+) Sensitive Information Exposure via 'internalOptions' Localized Script Data | 20.05.2026 | 4.3 |
| CVE-2026-7522 | Advanced Database Cleaner – Premium <= 4.1.0 - Authenticated (Subscriber+) Local File Inclusion via 'template' | 20.05.2026 | 8.8 |
| CVE-2026-9056 | Security fix for Qlik Talend Administration Center cross-site scripting vulnerability | 20.05.2026 | 5.4 |
| CVE-2026-9057 | Security fix for Qlik Talend Administration Center URL access control vulnerability | 20.05.2026 | 8.2 |
| CVE-2025-15369 | Xpro Addons — 140+ Widgets for Elementor <= 1.5.0 - Missing Authorization to Unauthenticated Xpro Template Creation | 20.05.2026 | 5.3 |
| CVE-2025-33255 | | 20.05.2026 | 7.5 |
| CVE-2026-24142 | | 20.05.2026 | 6.3 |
| CVE-2026-24160 | | 20.05.2026 | 5.5 |
| CVE-2026-24163 | | 20.05.2026 | 7.5 |
| CVE-2026-24206 | | 20.05.2026 | 7.3 |
| CVE-2026-24207 | | 20.05.2026 | 9.8 |
| CVE-2026-24208 | | 20.05.2026 | 5.3 |
| CVE-2026-24209 | | 20.05.2026 | 7.5 |
| CVE-2026-24210 | | 20.05.2026 | 7.5 |
| CVE-2026-24213 | | 20.05.2026 | 8 |
| CVE-2026-24214 | | 20.05.2026 | 8 |
| CVE-2026-24215 | | 20.05.2026 | 5.7 |
| CVE-2026-7460 | mailcow-dockerized 2026-03b - Stored XSS in Queue Manager via unescaped | 20.05.2026 | |
| CVE-2026-7637 | Boost <= 2.0.3 - Unauthenticated PHP Object Injection via STYXKEY-BOOST_USER_LOCATION Cookie | 20.05.2026 | 9.8 |
| CVE-2026-9003 | TONNET\|E-LAN Hybrid Recording System - SQL Injection | 20.05.2026 | |
| CVE-2026-9010 | Boost <= 2.0.3 - Unauthenticated Blind SQL Injection via Multiple Parameters | 20.05.2026 | 7.5 |
| CVE-2026-3985 | Creative Mail – Easier WordPress & WooCommerce Email Marketing <= 1.6.9 - Unauthenticated SQL Injection via 'checkout_uuid' Parameter | 20.05.2026 | 7.5 |
| CVE-2026-5293 | 診断ジェネレータ作成プラグイン <= 1.4.16 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'js' Parameter | 20.05.2026 | 6.4 |
| CVE-2026-6072 | Oliver POS <= 2.4.2.6 - Unauthenticated Authorization Bypass Through User-Controlled Key to 'OliverAuth' Header | 20.05.2026 | 6.5 |
| CVE-2026-6391 | Sentence To SEO (keywords, description and tags) <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page Parameters | 20.05.2026 | 6.1 |
| CVE-2026-6394 | Nexa Blocks <= 1.1.1 - Unauthenticated Blind Server-Side Request Forgery via 'demo_json_file' Parameter | 20.05.2026 | 5.4 |
| CVE-2026-6395 | Word 2 Cash <= 0.9.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page | 20.05.2026 | 6.1 |
| CVE-2026-6397 | Sticky <= 2.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'readmoretext' Shortcode Attribute | 20.05.2026 | 6.4 |
| CVE-2026-6399 | General Options <= 1.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'ad_contact_number' Parameter | 20.05.2026 | 4.4 |
| CVE-2026-6400 | Child Height Predictor by Ostheimer <= 1.3 - Cross-Site Request Forgery to Settings Update via Plugin Settings Form | 20.05.2026 | 4.3 |
| CVE-2026-6401 | Bottom Bar <= 0.1.7 - Cross-Site Request Forgery to Settings Update | 20.05.2026 | 4.3 |
| CVE-2026-6404 | Anomify AI <= 0.3.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'anomify_api_key' Parameter | 20.05.2026 | 4.4 |
| CVE-2026-6452 | Bigfishgames Syndicate <= 1.2 - Cross-Site Request Forgery to Settings Reset and Update | 20.05.2026 | 4.3 |
| CVE-2026-6456 | Account Switcher <= 1.0.2 - Authenticated (Subscriber+) Authentication Bypass to Privilege Escalation | 20.05.2026 | 8.8 |
| CVE-2026-6549 | Logo Manager For Enamad <= 0.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute | 20.05.2026 | 6.4 |
| CVE-2026-6555 | ProSolution WP Client <= 2.0.0 - Unauthenticated Arbitrary File Upload via 'files' | 20.05.2026 | 9.8 |
| CVE-2026-7284 | Easy Elements for Elementor <= 1.4.4 - Unauthenticated Privilege Escalation via easyel_handle_register | 20.05.2026 | 9.8 |
| CVE-2026-7462 | VatanSMS WP SMS <= 1.01 - Reflected Cross-Site Scripting via 'page' Parameter | 20.05.2026 | 6.1 |
| CVE-2026-7467 | Read More & Accordion <= 3.5.7 - Privilege Escalation via importData | 20.05.2026 | 8.8 |
| CVE-2026-7472 | Read More & Accordion <= 3.5.7 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter | 20.05.2026 | 4.9 |
| CVE-2026-8038 | Faces of Users <= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'default' Shortcode Attribute | 20.05.2026 | 6.4 |
| CVE-2026-8418 | Games Catalog <= 1.2.0 - Cross-Site Request Forgery to Arbitrary Game/Post Deletion | 20.05.2026 | 4.3 |
| CVE-2026-8419 | Amazon Scraper <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update | 20.05.2026 | 4.3 |
| CVE-2026-8420 | BLOGCHAT Chat System <= 1.3.6.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Update | 20.05.2026 | 6.1 |
| CVE-2026-8423 | JaviBola Custom Theme Test <= 2.0.5 - Cross-Site Request Forgery | 20.05.2026 | 4.3 |
| CVE-2026-8424 | Remove Yellow BGBOX <= 1.0 - Cross-Site Request Forgery | 20.05.2026 | 4.3 |
| CVE-2026-8610 | TypeSquare Webfonts for ConoHa <= 2.0.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification via 'fontThemeUseType' Parameter | 20.05.2026 | 4.3 |
| CVE-2026-8624 | LJ comments import: reloaded <= 0.97.1 - Reflected Cross-Site Scripting via PHP_SELF Parameter | 20.05.2026 | 6.1 |
| CVE-2026-8626 | SponsorMe <= 0.5.2 - Reflected Cross-Site Scripting via PHP_SELF Parameter | 20.05.2026 | 6.1 |
| CVE-2026-8627 | Correct Prices <= 1.0 - Reflected Cross-Site Scripting via PHP_SELF Parameter | 20.05.2026 | 6.1 |
| CVE-2026-8685 | Infility Global <= 2.15.16 - Authenticated (Subscriber+) SQL Injection via 'orderby' Parameter | 20.05.2026 | 6.5 |
| CVE-2026-43617 | Rsync < 3.4.3 Authorization Bypass via Hostname Resolution | 20.05.2026 | |
| CVE-2026-43618 | Rsync < 3.4.3 Integer Overflow Information Disclosure | 20.05.2026 | |
| CVE-2026-43619 | Rsync < 3.4.3 Symlink Race Condition via Path-Based Syscalls | 20.05.2026 | |
| CVE-2026-43620 | Rsync < 3.4.3 Out-of-Bounds Array Read via recv_files() | 20.05.2026 | |
| CVE-2026-45232 | Rsync < 3.4.3 Off-by-One Stack Write via HTTP Proxy | 20.05.2026 | |
| CVE-2026-39309 | Trilium Notes: macOS TCC Bypass via Prompt Spoofing | 19.05.2026 | 5.5 |
| CVE-2026-35593 | Trilium Notes has Local File Inclusion via upload modified file API endpoint | 20.05.2026 | 6.8 |
| CVE-2026-45585 | Windows BitLocker Security Feature Bypass Vulnerability | 20.05.2026 | 6.8 |
| CVE-2026-34754 | MantisBT allows unauthorized users to upload attachments to restricted issues via REST API | 20.05.2026 | 4.3 |
| CVE-2026-34970 | MantisBT Bugnote Revision Page Leaks Private Issue Metadata After Issue Access Is Revoked | 20.05.2026 | |