CVE Field Guide

Critical CVEs

CVE Title Updated (DD.MM.YYYY) Score (CVSS base, 0-10)
CVE-2026-3655 OTP Login With Phone Number, OTP Verification <= 1.8.60 - Unauthenticated Authentication Bypass via Firebase OTP Verification 29.05.2026 9.8
CVE-2026-8732 WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action 29.05.2026 9.8
CVE-2026-8809 Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter 28.05.2026 9.8
CVE-2026-44848 Portainer: Missing authorization on Docker plugin endpoints allows host RCE 28.05.2026 9.4
CVE-2026-44849 Portainer: Endpoint security bypass via Swarm service create/update 28.05.2026 9.4
CVE-2026-34311 29.05.2026 9.8
CVE-2026-45288 Marten has an SQL injection vulnerability in its full-text search regConfig parameter 28.05.2026 9.8
CVE-2026-46775 28.05.2026 9.9
CVE-2026-46817 28.05.2026 9.8
CVE-2026-46819 28.05.2026 9.1
CVE-2026-46822 28.05.2026 9.9
CVE-2026-46824 28.05.2026 9.9
CVE-2026-46833 29.05.2026 9
CVE-2026-46839 28.05.2026 9.9
CVE-2026-46840 28.05.2026 10
CVE-2026-9645 ScadaBR Authenticated Remote Code Execution 28.05.2026 9.9
CVE-2026-9037 Download of code without integrity check in XCharge C6 28.05.2026 9.3
CVE-2026-45039 RustFS: Internode RPC HMAC secret falls back to public default credential, enabling peer impersonation 28.05.2026 9.8
CVE-2026-43898 SandboxJS: Sandbox escape via Function.caller leakage of internal call op 28.05.2026 10
CVE-2026-45058 electerm: Import unsafe bookmark data could lead to unsafe operation when click local type bookmark 28.05.2026 9.4
CVE-2026-45311 CodeWhale: run_tests Tool Enables RCE via Malicious Repository Without Approval 28.05.2026 9.6
CVE-2026-45323 MeshCore Card: XSS vulnerability through meshcore node name 28.05.2026 9.6
CVE-2026-45353 electerm: Local code through electerm's single-instance socket 28.05.2026 9.3
CVE-2026-45374 CodeWhale: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files 28.05.2026 9.6
CVE-2026-24444 SDMC NE6037 Hardcoded Password via mgmt.php/npcmd.php 28.05.2026 9.3
CVE-2026-44477 CloudNativePG: Metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE 28.05.2026 9.4
CVE-2026-45261 GitButler: Link injection via forge integration enables arbitrary script execution 28.05.2026 9.3
CVE-2026-44672 mapfish-print: Remote Code Injection (RCE) in Dynamic table 28.05.2026 9.3
CVE-2026-8979 Authentication Bypass 28.05.2026 9.3
CVE-2026-8980 Privilege Escalation 28.05.2026 9.3
CVE-2026-4408 Samba: remote code execution in samr 29.05.2026 9
CVE-2026-32998 29.05.2026 9.4
CVE-2026-32999 28.05.2026 9.1
CVE-2026-9739 28.05.2026 9.4
CVE-2026-45083 Goobi viewer: Unauthenticated Solr Streaming Expression Proxy 28.05.2026 9.8
CVE-2026-44590 Sherlock: Command Injection via pull_request_target in validate_modified_targets.yml 28.05.2026 9.3
CVE-2026-8362 Gladinet Triofox Stack-based Buffer Overflow in WOSDefaultHttpModule.dll 28.05.2026 9.8
CVE-2026-8363 Gladinet Triofox Stack-based Buffer Overflow in WOSDeviceDropFolder.dll 28.05.2026 9.8
CVE-2026-8364 Gladinet Triofox Missing Authentication for Critical Functions 28.05.2026 9.8
CVE-2026-44887 Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Path) 28.05.2026 9.8
CVE-2026-44888 Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Integer) 28.05.2026 9.8
CVE-2026-45102 OneUptime: RCE due to Node.js' vm module escape via error objects and infinite recursion 27.05.2026 9.9
CVE-2026-45087 Dalfox: Unauthenticated Remote Code Execution via `found-action` in Dalfox Server Mode 28.05.2026 10
CVE-2026-46425 Budibase: SCIM endpoints lack role-based authorization, BASIC users CRUD tenant users 28.05.2026 9.9
CVE-2026-48150 Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign 27.05.2026 9
CVE-2026-44315 free5GC: NEF 3gpp-pfd-management API is unauthenticated; forged bearer tokens can create, read, and delete PFD transactions 27.05.2026 9.4
CVE-2026-44326 free5GC: NEF 3gpp-traffic-influence API is unauthenticated; missing or forged bearer tokens can create, read, patch, and delete subscriptions 27.05.2026 9.4
CVE-2026-44327 free5GC: NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM handler 28.05.2026 10
CVE-2026-44329 free5GC: SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers 28.05.2026 10
CVE-2026-44330 free5GC: NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens can read PFD data and create/delete PFD subscriptions 27.05.2026 10
CVE-2026-48027 Compromised Nx Console version 18.95.0 28.05.2026 9.3
CVE-2026-49103 27.05.2026 9.4
CVE-2026-35087 Authentication Bypass in Slican telephone exchanges 27.05.2026 9.3
CVE-2026-35090 Authentication Bypass in Slican telephone exchanges 27.05.2026 9.3
CVE-2026-7524 Path Traversal Vulnerability in File Processing Components Allows Unauthorized File System Access and Potential Remote Code Execution 28.05.2026 9.8
CVE-2026-8175 Multiple vulnerabilities in Aspera applications 28.05.2026 9.8
CVE-2026-42727 WordPress Active Products Tables for WooCommerce plugin <= 1.0.8 - SQL Injection vulnerability 27.05.2026 9.3
CVE-2026-42731 WordPress miniorange otp verification plugin <= 5.4.9 - Privilege Escalation vulnerability 27.05.2026 9.8
CVE-2026-42740 WordPress Tainacan plugin <= 1.0.3 - SQL Injection vulnerability 27.05.2026 9.3
CVE-2026-42747 WordPress Easy Form Builder plugin <= 4.0.6 - SQL Injection vulnerability 27.05.2026 9.3
CVE-2026-42748 WordPress WPify Woo Czech plugin <= 5.4.1 - Arbitrary File Upload vulnerability 27.05.2026 9.9
CVE-2026-42755 WordPress TableOn plugin <= 1.0.5.1 - SQL Injection vulnerability 27.05.2026 9.3
CVE-2026-42756 WordPress QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly plugin <= 3.2.7 - Arbitrary File Deletion vulnerability 27.05.2026 9.9
CVE-2026-42757 WordPress WebinarIgnition plugin < 4.08.253 - Arbitrary File Deletion vulnerability 27.05.2026 9.9
CVE-2026-42758 WordPress WebinarIgnition plugin < 4.08.253 - Privilege Escalation vulnerability 27.05.2026 9.8
CVE-2026-42761 WordPress Active Products Tables for WooCommerce plugin <= 1.0.9 - SQL Injection vulnerability 27.05.2026 9.3
CVE-2026-48906 Extension - tassos.gr - Arbitrary File Deletion in Novarain/Tassos Framework < 6.1.0 for Joomla 27.05.2026 9.3
CVE-2025-12686 27.05.2026 9.8
CVE-2026-49002 Broken Access Control Vulnerability in ZTE ZXUniPOS NDS-LTE product 28.05.2026 9.1
CVE-2026-8054 Unauthenticated SQL Injection in dotCMS Publish Audit API 27.05.2026 10
CVE-2026-8760 Login with OTP <= 1.6 - Unauthenticated Authentication Bypass via OTP Brute Force 27.05.2026 9.8
CVE-2026-9312 Server-Side Request Forgery vulnerability in GitHub Enterprise Server allowed access to internal services via path traversal in upload endpoint 28.05.2026 9.2
CVE-2026-44895 GitLab MCP Server: SSE transport has no authentication and wildcard CORS, exposing all GitLab tools 27.05.2026 9.2
CVE-2026-44444 Lumiverse: Spindle extension install runs untrusted lifecycle scripts before security scan 27.05.2026 9.1
CVE-2026-44449 Lumiverse: SMB `exists()` basename injection via smbclient `!cmd` escape 27.05.2026 9.1
CVE-2026-44450 Lumiverse: RCE via MCP stdio argument injection 26.05.2026 9.9
CVE-2026-44451 Lumiverse: TSX component sandbox escape via DOM ref and string-split identifier bypass 27.05.2026 9.3
CVE-2026-9642 Delta Electronics DIAView Patch Bypass 26.05.2026 9.8
CVE-2026-3660 IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to Authentication Bypass 28.05.2026 9.8
CVE-2026-44668 Faction: Unauthenticated Read, Modify, and Delete of Boilerplate Templates 27.05.2026 9.8
CVE-2026-46624 Twenty: SQL Injection via the timeZone field 26.05.2026 9.9
CVE-2026-47202 Kavita: Pre-Auth Account Takeover 27.05.2026 9.3
CVE-2026-7251 Eppendorf BioFlo 320 Use of hard-coded password 26.05.2026 9.3
CVE-2026-8633 IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by multiple vulnerabilities when using Web Server Plug-ins 27.05.2026 9.8
CVE-2026-2264 Server-Side Request Forgery and Credential Exfiltration in Google Cloud Apigee via SetIntegrationRequest Policy 26.05.2026 9.2
CVE-2026-45721 Algernon: handler.lua discovery walks parent directories above the server root 26.05.2026 9
CVE-2026-45247 Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection 26.05.2026 9.3
CVE-2026-7374 KubeVirt: virt-handler privilege escalation and node compromise via symlink following vulnerability 28.05.2026 9.9
CVE-2026-9543 Totolink N300RH Web Management cstecgi.cgi setPasswordCfg os command injection 26.05.2026 9.3
CVE-2026-42773 WordPress eMagicOne Store Manager plugin <= 1.3.2 - SQL Injection vulnerability 26.05.2026 9.3
CVE-2026-42774 WordPress JetEngine plugin <= 3.8.8.1 - SQL Injection vulnerability 26.05.2026 9.3
CVE-2026-9477 Totolink A8000RU Web Management cstecgi.cgi setAccessDeviceCfg os command injection 26.05.2026 9.3
CVE-2026-9478 Totolink A8000RU Web Management cstecgi.cgi setParentalRules os command injection 27.05.2026 9.3
CVE-2026-9475 Totolink A8000RU Web Management cstecgi.cgi setIpQosRules os command injection 26.05.2026 9.3
CVE-2026-9476 Totolink A8000RU Web Management cstecgi.cgi setPasswordCfg os command injection 28.05.2026 9.3
CVE-2026-9058 Improper Certificate Verification in Szafir SDK 26.05.2026 9.3
CVE-2026-9457 Totolink A8000RU Web Management cstecgi.cgi UploadFirmwareFile os command injection 26.05.2026 9.3
CVE-2026-9458 Totolink A8000RU Web Management cstecgi.cgi setWanCfg os command injection 28.05.2026 9.3
CVE-2026-9454 Totolink A8000RU Web Management cstecgi.cgi setOpenVpnCertGenerationCfg os command injection 28.05.2026 9.3
CVE-2026-9455 Totolink A8000RU Web Management cstecgi.cgi UploadOpenVpnCert os command injection 26.05.2026 9.3
CVE-2026-9456 Totolink A8000RU Web Management cstecgi.cgi setOpenVpnCfg os command injection 26.05.2026 9.3
CVE-2026-9435 Totolink A8000RU Web Management cstecgi.cgi setQosCfg os command injection 26.05.2026 9.3
CVE-2026-9436 Totolink A8000RU Web Management cstecgi.cgi setL2tpServerCfg os command injection 28.05.2026 9.3
CVE-2026-2651 Missing Authorization Validation in mlflow/mlflow 27.05.2026 9
CVE-2026-9432 Totolink A8000RU Web Management cstecgi.cgi setWiFiAdvancedCfg os command injection 26.05.2026 9.3
CVE-2026-9433 Totolink A8000RU Web Management cstecgi.cgi setMacFilterRules os command injection 26.05.2026 9.3
CVE-2026-9434 Totolink A8000RU Web Management cstecgi.cgi setWiFiWpsCfg os command injection 28.05.2026 9.3
CVE-2026-9407 Totolink A8000RU Web Management cstecgi.cgi setFirewallType os command injection 26.05.2026 9.3
CVE-2026-9408 Totolink A8000RU Web Management cstecgi.cgi setStaticDhcpRules os command injection 26.05.2026 9.3
CVE-2026-9405 Totolink A8000RU Web Management cstecgi.cgi setGameSpeedCfg os command injection 26.05.2026 9.3
CVE-2026-9406 Totolink A8000RU Web Management cstecgi.cgi setRemoteCfg os command injection 27.05.2026 9.3
CVE-2026-9404 Totolink A8000RU Web Management cstecgi.cgi setDdnsCfg os command injection 24.05.2026 9.3
CVE-2026-9397 Besen BS20 EV Charging Station OTA Update Installation improper authorization 26.05.2026 9.2
CVE-2026-9388 Totolink A8000RU Web Management cstecgi.cgi setScheduleCfg os command injection 26.05.2026 9.3
CVE-2026-9386 Totolink A8000RU Web Management cstecgi.cgi setLanguageCfg os command injection 26.05.2026 9.3
CVE-2026-9387 Totolink A8000RU Web Management cstecgi.cgi setUpgradeFW os command injection 26.05.2026 9.3
CVE-2026-9384 Totolink A8000RU Web Management cstecgi.cgi setDiagnosisCfg os command injection 26.05.2026 9.3
CVE-2026-9385 Totolink A8000RU Web Management cstecgi.cgi setTracerouteCfg os command injection 27.05.2026 9.3
CVE-2018-25350 userSpice 4.3.24 Username Enumeration via existingUsernameCheck.php 26.05.2026 9.3
CVE-2018-25357 Dolibarr ERP CRM 7.0.3 Remote Code Execution via install/step1.php 26.05.2026 9.3
CVE-2026-23652 Microsoft Power Pages Remote Code Execution Vulnerability 27.05.2026 10
CVE-2026-33843 Microsoft Azure Active Directory B2C Elevation of Privilege Vulnerability 27.05.2026 9.1
CVE-2026-40411 Azure Virtual Network Gateway Remote Code Execution Vulnerability 26.05.2026 9.9
CVE-2026-40412 Azure Orbital Spatio Remote Code Execution Vulnerability 26.05.2026 10
CVE-2026-41090 Microsoft Copilot Tampering Vulnerability 27.05.2026 9.3
CVE-2026-41104 Microsoft Planetary Computer Pro Information Disclosure Vulnerability 26.05.2026 10
CVE-2026-42901 Microsoft Entra ID Elevation of Privilege Vulnerability 27.05.2026 10
CVE-2026-47280 Azure Resource Manager Elevation of Privilege Vulnerability 27.05.2026 10
CVE-2026-48700 24.05.2026 9.3
CVE-2026-32253 Sunshine: Authentication bypass via improper client certificate validation 26.05.2026 9.8
CVE-2026-33712 TypeBot: Unauthenticated SSRF via isolated-vm fetch in preview chat endpoint bypasses SSRF controls 22.05.2026 10

Latest Updates

CVE Title Updated (DD.MM.YYYY) Score (CVSS base, 0-10)
CVE-2025-11262 Link Whisper Free <= 0.9.0 - Unauthenticated Stored Cross-Site Scripting 29.05.2026 7.2
CVE-2026-3655 OTP Login With Phone Number, OTP Verification <= 1.8.60 - Unauthenticated Authentication Bypass via Firebase OTP Verification 29.05.2026 9.8
CVE-2026-49322 Indian Scout Bobber 2025 Infotainment-to-WCM weak authentication allows recovery of user PIN from observed exchange 29.05.2026 4.3
CVE-2026-4776 29.05.2026 7.1
CVE-2026-9243 The Plus Addons for Elementor <= 6.4.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'carousel_direction' Parameter 29.05.2026 6.4
CVE-2025-11993 WooCommerce Infinite Scroll and Ajax Pagination <= 1.8 - Authenticated (Subscriber+) PHP Object Injection 29.05.2026 8.8
CVE-2025-14042 Automotive Car Dealership Business WordPress Theme <= 13.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Portfolio Project Details 29.05.2026 6.4
CVE-2026-6275 StatCounter <= 2.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via Author Nickname 29.05.2026 6.4
CVE-2026-6324 libsoup: HTTP request smuggling via unsigned-to-signed conversion error 29.05.2026
CVE-2026-8732 WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action 29.05.2026 9.8
CVE-2026-9493 BankPro E-Service Technology|Service Center - Insecure Direct Object Reference 29.05.2026
CVE-2026-9714 Simple Divi Shortcode <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute 29.05.2026 6.4
CVE-2026-2128 Breeze Cache <= 2.5.2 - Unauthenticated Exposure of Sensitive Information to an Unauthorized Actor via Crafted Login Cookie 29.05.2026 5.3
CVE-2026-7430 Post Snippets <= 4.0.19 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import 29.05.2026 4.4
CVE-2026-8995 Poll Maker by AYS <= 6.3.7 - Authenticated (Subscriber+) Sensitive Information Exposure in 'ays_poll_get_user_information' AJAX Action 29.05.2026 4.3
CVE-2026-7480 29.05.2026
CVE-2026-8070 29.05.2026
CVE-2026-6891 28.05.2026 5
CVE-2026-6892 29.05.2026 5
CVE-2026-5343 SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031 28.05.2026
CVE-2026-6816 TFA Basic Plugins - Access Bypass 28.05.2026
CVE-2026-10000 28.05.2026
CVE-2026-10001 28.05.2026
CVE-2026-10002 28.05.2026
CVE-2026-10003 28.05.2026
CVE-2026-10004 28.05.2026
CVE-2026-10005 28.05.2026
CVE-2026-10006 28.05.2026
CVE-2026-10007 28.05.2026
CVE-2026-10008 28.05.2026
CVE-2026-10009 28.05.2026
CVE-2026-10010 28.05.2026
CVE-2026-10011 28.05.2026
CVE-2026-10012 28.05.2026
CVE-2026-10013 28.05.2026
CVE-2026-10014 28.05.2026
CVE-2026-10015 28.05.2026
CVE-2026-10016 28.05.2026
CVE-2026-10017 28.05.2026
CVE-2026-10018 28.05.2026
CVE-2026-10019 28.05.2026
CVE-2026-10020 28.05.2026
CVE-2026-10021 28.05.2026
CVE-2026-10022 28.05.2026
CVE-2026-10028 glib-networking: infinite loop in GnuTLS backend allows remote denial of service via circular certificate chain 28.05.2026
CVE-2026-8809 Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter 28.05.2026 9.8
CVE-2026-9872 28.05.2026
CVE-2026-9873 28.05.2026
CVE-2026-9874 28.05.2026
CVE-2026-9875 28.05.2026
CVE-2026-9876 28.05.2026
CVE-2026-9877 28.05.2026
CVE-2026-9878 28.05.2026
CVE-2026-9879 28.05.2026
CVE-2026-9880 28.05.2026
CVE-2026-9881 28.05.2026
CVE-2026-9882 28.05.2026
CVE-2026-9883 28.05.2026
CVE-2026-9884 28.05.2026
CVE-2026-9885 28.05.2026
CVE-2026-9886 28.05.2026
CVE-2026-9887 28.05.2026
CVE-2026-9888 28.05.2026
CVE-2026-9889 28.05.2026
CVE-2026-9890 28.05.2026
CVE-2026-9891 28.05.2026
CVE-2026-9892 28.05.2026
CVE-2026-9893 28.05.2026
CVE-2026-9894 28.05.2026
CVE-2026-9895 28.05.2026
CVE-2026-9896 28.05.2026
CVE-2026-9897 28.05.2026
CVE-2026-9898 28.05.2026
CVE-2026-9899 28.05.2026
CVE-2026-9900 28.05.2026
CVE-2026-9901 28.05.2026
CVE-2026-9902 28.05.2026
CVE-2026-9903 28.05.2026
CVE-2026-9904 28.05.2026
CVE-2026-9905 28.05.2026
CVE-2026-9906 28.05.2026
CVE-2026-9907 28.05.2026
CVE-2026-9908 28.05.2026
CVE-2026-9909 28.05.2026
CVE-2026-9910 28.05.2026
CVE-2026-9911 28.05.2026
CVE-2026-9912 28.05.2026
CVE-2026-9913 28.05.2026
CVE-2026-9914 28.05.2026
CVE-2026-9915 28.05.2026
CVE-2026-9916 28.05.2026
CVE-2026-9917 28.05.2026
CVE-2026-9918 28.05.2026
CVE-2026-9919 28.05.2026
CVE-2026-9920 28.05.2026
CVE-2026-9921 28.05.2026
CVE-2026-9922 28.05.2026
CVE-2026-9923 28.05.2026
CVE-2026-9924 28.05.2026
CVE-2026-9925 28.05.2026
CVE-2026-9926 28.05.2026
CVE-2026-9927 28.05.2026
CVE-2026-9928 28.05.2026
CVE-2026-9929 28.05.2026
CVE-2026-9930 28.05.2026
CVE-2026-9931 28.05.2026
CVE-2026-9932 28.05.2026
CVE-2026-9933 28.05.2026
CVE-2026-9934 28.05.2026
CVE-2026-9935 28.05.2026
CVE-2026-9936 28.05.2026
CVE-2026-9937 28.05.2026
CVE-2026-9938 28.05.2026
CVE-2026-9939 28.05.2026
CVE-2026-9940 28.05.2026
CVE-2026-9941 28.05.2026
CVE-2026-9942 28.05.2026
CVE-2026-9943 28.05.2026
CVE-2026-9944 28.05.2026
CVE-2026-9945 28.05.2026
CVE-2026-9946 28.05.2026
CVE-2026-9947 28.05.2026
CVE-2026-9948 28.05.2026
CVE-2026-9949 28.05.2026
CVE-2026-9950 28.05.2026
CVE-2026-9951 28.05.2026
CVE-2026-9952 28.05.2026
CVE-2026-9953 28.05.2026
CVE-2026-9954 28.05.2026
CVE-2026-9955 28.05.2026
CVE-2026-9956 28.05.2026
CVE-2026-9957 28.05.2026
CVE-2026-9958 28.05.2026
CVE-2026-9959 28.05.2026
CVE-2026-9960 28.05.2026
CVE-2026-9961 28.05.2026
CVE-2026-9962 28.05.2026
CVE-2026-9963 28.05.2026
CVE-2026-9964 28.05.2026
CVE-2026-9965 28.05.2026
CVE-2026-9966 28.05.2026
CVE-2026-9967 28.05.2026
CVE-2026-9968 28.05.2026
CVE-2026-9969 28.05.2026
CVE-2026-9970 28.05.2026
CVE-2026-9971 28.05.2026
CVE-2026-9972 28.05.2026
CVE-2026-9973 28.05.2026
CVE-2026-9974 28.05.2026
CVE-2026-9975 28.05.2026
CVE-2026-9976 28.05.2026
CVE-2026-9977 28.05.2026
CVE-2026-9978 28.05.2026
CVE-2026-9979 28.05.2026
CVE-2026-9980 28.05.2026
CVE-2026-9981 28.05.2026
CVE-2026-9982 28.05.2026
CVE-2026-9983 28.05.2026
CVE-2026-9984 28.05.2026
CVE-2026-9985 28.05.2026
CVE-2026-9986 28.05.2026
CVE-2026-9987 28.05.2026
CVE-2026-9988 28.05.2026
CVE-2026-9989 28.05.2026
CVE-2026-9990 28.05.2026
CVE-2026-9991 28.05.2026
CVE-2026-9992 28.05.2026
CVE-2026-9993 28.05.2026
CVE-2026-9994 28.05.2026
CVE-2026-9995 28.05.2026
CVE-2026-9996 28.05.2026
CVE-2026-9997 28.05.2026
CVE-2026-9998 28.05.2026
CVE-2026-9999 28.05.2026
CVE-2026-44973 Billy: Path traversal vulnerabilities 28.05.2026 8.1
CVE-2026-45023 AutoGP: Credit system bypassed via direct block execution in POST /api/blocks/{block_id}/execute 28.05.2026 5.4
CVE-2026-45364 Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation 28.05.2026 7.3
CVE-2026-45410 Time-based user enumeration in TREK authentication endpoint 28.05.2026 5.3
CVE-2026-49299 28.05.2026
CVE-2026-10044 ai-goofish-monitor Unauthenticated Arbitrary File Read via GET /api/prompts/ 28.05.2026 7.5
CVE-2026-39929 Lakeside SysTrack Agent LsiAgent.exe Out-of-Bounds Read via UDP 28.05.2026
CVE-2026-44848 Portainer: Missing authorization on Docker plugin endpoints allows host RCE 28.05.2026
CVE-2026-44849 Portainer: Endpoint security bypass via Swarm service create/update 28.05.2026
CVE-2026-44850 Portainer: Bind-mount restriction bypass via HostConfig.Mounts 28.05.2026 8.5
CVE-2026-44881 Portainer: Arbitrary File Read via Git Symlink Injection in Stack Auto-Update 28.05.2026
CVE-2026-44882 Portainer: Kubernetes middleware continues after token validation failure, bypassing endpoint authorization 28.05.2026 8.1
CVE-2026-44883 Portainer: JWT accepted in URL query leaks tokens to logs and referers 28.05.2026
CVE-2026-44884 Portainer: Missing authorization on custom template file endpoint exposes template content 28.05.2026
CVE-2026-44885 Portainer: Path traversal in backup archive extraction allows arbitrary file write 28.05.2026 5.5
CVE-2026-45342 LinkAce: IDOR in Update Policies Allows Any Authenticated User to Overwrite Other Users' Links, Lists, Tags, and Notes 28.05.2026
CVE-2026-45343 LinkAce - Stored XSS via Unsanitized SSO User's Name Rendered in Admin Audit Log Allows Session Hijacking 28.05.2026
CVE-2026-45344 LinkAce: Setup database password newline injection enables pre-auth RCE on uninitialized instances 28.05.2026 8.1
CVE-2026-45366 typescript-utcp: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol 28.05.2026 4.7
CVE-2026-45403 AnythingLLM: filesystem-copy-file follows nested symlinks and copies files from outside the allowed directory 28.05.2026 2
CVE-2026-47713 AnythingLLM: Legacy mobile device tokens bypass multi-user workspace scoping after mode migration 28.05.2026 2
CVE-2026-48116 AnythingLLM: RCE via ripgrep --pre argument injection in filesystem-search-files agent skill 28.05.2026 7.5
CVE-2026-34311 29.05.2026 9.8
CVE-2026-35266 28.05.2026 7.9
CVE-2026-35277 28.05.2026 8.1
CVE-2026-41897 MantisBT: Reflected XSS in Rendering Dynamic Custom Textarea Field 28.05.2026
CVE-2026-42070 MantisBT: Authorization Bypass in Bugnote Editing via Issue Update API 28.05.2026
CVE-2026-42071 MantisBT: Private Bugnote Attachment Content Leak via REST API 28.05.2026
CVE-2026-42398 Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access 28.05.2026 7.7
CVE-2026-42399 Uncontrolled Resource Consumption in Kibana Leading to Denial of Service 28.05.2026 6.5
CVE-2026-42400 Uncontrolled Resource Consumption in Kibana Leading to Denial of Service 28.05.2026 6.5
CVE-2026-44655 MantisBT: Stored XSS on Move Attachments Admin Page 28.05.2026
CVE-2026-44657 MantisBT: Stored XSS in File Download 28.05.2026
CVE-2026-45288 Marten has an SQL injection vulnerability in its full-text search regConfig parameter 28.05.2026 9.8
CVE-2026-46775 28.05.2026 9.9
CVE-2026-46817 28.05.2026 9.8
CVE-2026-46818 28.05.2026 7.4
CVE-2026-46819 28.05.2026 9.1
CVE-2026-46820 28.05.2026 8.5
CVE-2026-46821 28.05.2026 7.7
CVE-2026-46822 28.05.2026 9.9
CVE-2026-46823 28.05.2026 7.7
CVE-2026-46824 28.05.2026 9.9
CVE-2026-46826 28.05.2026 8.8
CVE-2026-46827 28.05.2026 8.8
CVE-2026-46828 28.05.2026 8.1
CVE-2026-46829 28.05.2026 7.5
CVE-2026-46830 28.05.2026 5.3
CVE-2026-46833 29.05.2026 9
CVE-2026-46834 28.05.2026 7.5
CVE-2026-46835 28.05.2026 7.5
CVE-2026-46837 28.05.2026 8.8
CVE-2026-46839 28.05.2026 9.9
CVE-2026-46840 28.05.2026 10
CVE-2026-46841 28.05.2026 5.3
CVE-2026-46842 28.05.2026 5.3
CVE-2026-46843 28.05.2026 5.3
CVE-2026-49093 Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access 28.05.2026 6.3
CVE-2026-49094 Uncontrolled Resource Consumption in Kibana Leading to Denial of Service 28.05.2026 6.5
CVE-2026-49095 Improper Input Validation in Kibana Fleet Leading to Privilege Escalation 28.05.2026 7.2
CVE-2026-9645 ScadaBR Authenticated Remote Code Execution 28.05.2026 9.9
CVE-2026-9646 ScadaBR Unauthenticated Reflected Cross-Site Scripting 28.05.2026 6.1
CVE-2026-32847 DeepCode 1.2.0 Path Traversal via SPA Catch-All Route in main.py 28.05.2026
CVE-2026-33462 Path Traversal in Kibana Leading to Unauthorized Deletion of User Accounts 28.05.2026 4.6
CVE-2026-33463 Operation on a Resource after Expiration or Termination in Kibana Leading to Unauthorized File Access 28.05.2026 5.3
CVE-2026-33464 Uncontrolled Resource Consumption in Kibana Leading to Denial of Service 28.05.2026 6.5
CVE-2026-33590 Insecure default permissions in Portainer CE 28.05.2026
CVE-2026-42401 Improper Neutralization of Input During Web Page Generation in Kibana Leading to Stored HTML Injection 28.05.2026 4.1
CVE-2026-49127 Music Player Daemon < 0.24.11 Stack Buffer Overflow via pcm_unpack_24be 28.05.2026
CVE-2026-49128 Music Player Daemon < 0.24.11 Path Traversal via LocalStorage URI Handling 28.05.2026
CVE-2026-49129 Music Player Daemon < 0.24.11 SSRF via CurlInputPlugin 28.05.2026
CVE-2026-49130 Music Player Daemon < 0.24.11 CRLF Injection via XspfPlaylistPlugin.cxx 28.05.2026
CVE-2026-9037 Download of code without integrity check in XCharge C6 28.05.2026
CVE-2026-9038 Stack-based buffer overflow in XCharge C6 28.05.2026
CVE-2026-9039 Initialization of a resource with an insecure default in XCharge C6 28.05.2026
CVE-2026-30760 28.05.2026
CVE-2026-30761 28.05.2026
CVE-2026-42998 28.05.2026 6
CVE-2026-42999 28.05.2026 6
CVE-2026-43000 28.05.2026 6
CVE-2026-43979 Local Deep Research: HTML Injection via Unescaped User Input in PDF Export (`pdf_service.py:_markdown_to_html`) 28.05.2026 5
CVE-2026-44394 28.05.2026 6
CVE-2026-45039 RustFS: Internode RPC HMAC secret falls back to public default credential, enabling peer impersonation 28.05.2026 9.8
CVE-2026-45040 RustFS: Sensitive Information Leakage (SessionToken and SecretAccessKey) in RustFS Logs [Debug Mode] 28.05.2026
CVE-2026-45041 RustFS: Hard-coded RSA private key in license verifier permits arbitrary license forgery 28.05.2026
CVE-2026-45042 RustFS: UploadPartCopy Does Not Enforce Destination Bucket Policy on Copy Source 28.05.2026
CVE-2026-45044 RustFS: Authentication bypass in /profile/cpu and /profile/memory allows unauthenticated access to profiling handlers 28.05.2026
CVE-2026-45332 Automad Broken Access Control: unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint 28.05.2026 7.5
CVE-2026-46509 deepobj: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') 28.05.2026 8.2
CVE-2026-46526 Local Deep Research: SSRF bypass in `safe_get` 28.05.2026 5
CVE-2026-46685 RustFS: Reflective CORS with credentials on S3 listener; unauthenticated license metadata endpoint on console 28.05.2026
CVE-2026-47136 RustFS: Unauthenticated RustFS console license endpoint exposes license metadata 28.05.2026
CVE-2026-47326 Memory leak in Ubuntu Linux AppArmor large notification response allocation 28.05.2026 5.5
CVE-2026-47327 NULL pointer dereference in Ubuntu Linux AppArmor notification handling 28.05.2026 3.3
CVE-2026-47328 Invalid pointer deallocation in Ubuntu Linux AppArmor notification handling 28.05.2026 6.1
CVE-2026-47329 Incorrect validation of field size in Ubuntu Linux AppArmor notification responses 28.05.2026 3.3
CVE-2026-47330 Use of uninitialized value in Ubuntu Linux AppArmor notification handling 28.05.2026 3.3
CVE-2026-47331 Use-after-free in Ubuntu Linux AppArmor notification handling 29.05.2026 7.8
CVE-2026-47332 Out-of-bounds read in Ubuntu Linux AppArmor notification handling 28.05.2026 5.5
CVE-2026-47333 Out-of-bounds read in Ubuntu Linux AppArmor notification handling 29.05.2026 7.8
CVE-2026-47334 Deadlock or kernel panic in Ubuntu Linux AppArmor notification handling 28.05.2026 5.5
CVE-2026-47335 NULL pointer dereference in Ubuntu Linux AppArmor notification handling 28.05.2026 5.5
CVE-2026-47336 Use of uninitialized value in Ubuntu Linux AppArmor IPv4/IPv6 socket mediation rules 28.05.2026 3.3
CVE-2026-47337 NULL pointer dereference in Ubuntu Linux AppArmor IPv4/IPv6 socket mediation 28.05.2026 3.3
CVE-2026-4944 Hardcoded trust_remote_code=True in vllm-project/vllm Bypasses User Security Control 28.05.2026
CVE-2026-34126 Bluetooth Communication Uses Unencrypted Transmission During Initial Setup on TP-Link's Tapo L535E, P300 and D100C 28.05.2026
CVE-2026-43898 SandboxJS: Sandbox escape via Function.caller leakage of internal call op 28.05.2026 10
CVE-2026-44794 Nautobot: REST API permits creation of GenericForeignKey references to objects that the user should not be able to reference 28.05.2026 5.4
CVE-2026-44796 Nautobot: Object bulk rename UI actions vulnerable to denial of service by crafted regular expression (REDoS) 28.05.2026 6.5
CVE-2026-44797 Nautobot: Webhook definitions could be used for server-side request forgery (SSRF) 28.05.2026 8.5
CVE-2026-44798 Nautobot: GitRepository.current_head field should not be writable through REST API 28.05.2026 7.1
CVE-2026-45021 Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin 28.05.2026
CVE-2026-45058 electerm: Import unsafe bookmark data could lead to unsafe operation when click local type bookmark 28.05.2026
CVE-2026-45296 OpenReplay: Cross-tenant information disclosure in app_apikey projectKey routes via missing tenant binding 28.05.2026 7.7
CVE-2026-45297 Cross-tenant IDOR on feature-flag and assist-stats routes via {project_id} case mismatch 28.05.2026
CVE-2026-45306 pyLoad: Incomplete Fix for CVE-2026-33509 - storage_folder Bypass via Session Directory 28.05.2026 6.5
CVE-2026-45307 Speakr: Open redirect in is_safe_url via parser mismatch on next parameter 28.05.2026 6.1
CVE-2026-45310 CodeWhale: SSRF via HTTP Redirect Bypass in fetch_url Tool 28.05.2026 7.4
CVE-2026-45311 CodeWhale: run_tests Tool Enables RCE via Malicious Repository Without Approval 28.05.2026 9.6
CVE-2026-45323 MeshCore Card: XSS vulnerability through meshcore node name 28.05.2026 9.6
CVE-2026-45348 pyLoad: Stored XSS in Downloads view via unsanitized link URL in packages.js template literal 28.05.2026 8.7
CVE-2026-45353 electerm: Local code through electerm's single-instance socket 28.05.2026
CVE-2026-45373 CodeWhale: SSRF IPv6 bypass 28.05.2026 7.4
CVE-2026-45374 CodeWhale: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files 28.05.2026 9.6
CVE-2026-45787 electerm's encrypt method not safe enough 28.05.2026
CVE-2026-46561 pyLoad: SSRF via HTTP Redirect Bypass in parse_urls API 28.05.2026 5
CVE-2026-24444 SDMC NE6037 Hardcoded Password via mgmt.php/npcmd.php 28.05.2026
CVE-2026-38702 28.05.2026
CVE-2026-38703 28.05.2026
CVE-2026-38704 28.05.2026
CVE-2026-38707 28.05.2026
CVE-2026-41141 EspoCRM: IDOR in EmailTemplate Prepare Endpoint Leaks Entity Data via Email Address Lookup 28.05.2026 6.5
CVE-2026-41160 EspoCRM: Broken Access Control / IDOR in Note Pinning API allows unauthorized modification of notes 28.05.2026 4.3
CVE-2026-41184 ServiceAccount token disclosure via install-cni container logs 28.05.2026
CVE-2026-41185 ServiceAccount token disclosure via Azure IPAM CNI plugin logs 28.05.2026
CVE-2026-44461 Zed: Remote Command Injection via Unquoted Environment Variable Keys (SSH / WSL Remote) 29.05.2026 8.6
CVE-2026-44462 Zed: Allowlist Bypass via Bash Variable Expansion Chain in Terminal Tool Permissions 29.05.2026 6.4
CVE-2026-44463 Zed: Allowlist Bypass via Environment Variable Injection in Terminal Tool Permissions 29.05.2026 8.6
CVE-2026-44465 Zed: Zed IDE Arbitrary Code Execution via untrusted repository with poisoned .git/config 29.05.2026 8.6
CVE-2026-44466 Zed: Allowlist Bypass via Bash Arithmetic Expansion in Terminal Tool Permissions 29.05.2026 8.6
CVE-2026-44477 CloudNativePG: Metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE 28.05.2026
CVE-2026-44543 Local Path Provisioner: HelperPod Template Injection 28.05.2026 8.7
CVE-2026-45076 Synapse pagination denial of service 28.05.2026
CVE-2026-45078 Synapse CPU starvation (Denial of Service) 28.05.2026
CVE-2026-45261 GitButler: Link injection via forge integration enables arbitrary script execution 28.05.2026
CVE-2026-45292 opentelemetry-java: Unbounded Memory Allocation in W3C Baggage Propagation 28.05.2026 5.3
CVE-2026-47673 Hono: JWT middleware accepts any Authorization scheme, not only Bearer 28.05.2026 4.8
CVE-2026-47674 Hono: IP Restriction bypasses static deny rules for non-canonical IPv6 28.05.2026 5.3
CVE-2026-47675 Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection 28.05.2026 4.3
CVE-2026-47676 Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths 28.05.2026 5.3
CVE-2026-6720 Calicoctl leaks cluster credentials to stderr when verbose logging is enabled 28.05.2026
CVE-2026-8697 Improper Authentication Rate Limiting on TP-Link's Archer C64 29.05.2026
CVE-2026-9090 28.05.2026
CVE-2026-9091 28.05.2026
CVE-2026-9092 28.05.2026
CVE-2026-9093 28.05.2026
CVE-2026-9094 28.05.2026
CVE-2026-9095 28.05.2026
CVE-2026-9096 28.05.2026
CVE-2026-9097 28.05.2026
CVE-2026-9098 28.05.2026
CVE-2026-47759 TinyMCE Cross-Site Scripting (XSS) vulnerability via data-mce- prefixed src, href, style attributes 28.05.2026 8.7
CVE-2026-47760 TinyMCE Cross-Site Scripting (XSS) vulnerability via sanitization bypass through nested SVGs 28.05.2026 8.7
CVE-2026-47761 TinyMCE Cross-Site Scripting (XSS) vulnerability via media plugin `data-mce-object` injection 28.05.2026 8.7
CVE-2026-47762 TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments 28.05.2026 8.7
CVE-2026-48523 PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys 28.05.2026 5.4
CVE-2026-48524 PyJWT: PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS) 28.05.2026 3.7
CVE-2026-48525 PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS 28.05.2026 5.3
CVE-2026-48526 PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed 29.05.2026 7.4