CVE Field Guide

Critical CVEs

CVE Title Updated Score
CVE-2026-10042 manga-image-translator RCE via Unsafe Pickle Deserialization in Share Model 29.05.2026 9.2
CVE-2026-4290 WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators 29.05.2026 9.1
CVE-2026-46376 FreePBX: Unauthenticated Use of Hard-Coded Credentials Vulnerability in FreePBX UCP Interface 29.05.2026 9.3
CVE-2026-10071 Interinfo|DreamMaker - Arbitrary File Upload 29.05.2026 9.3
CVE-2026-45043 RustFS: ImportIam Allows Creation of Backdoor Service Accounts Under Any Parent Including Root 29.05.2026 9.3
CVE-2026-45312 RAGFlow: Server-Side Template Injection in Prompt Generator leads to Remote Code Execution 29.05.2026 9.9
CVE-2026-8326 Remote Spark SparkView Path Traversal in RDP Drive Redirection leading to RCE 29.05.2026 10
CVE-2026-9508 Incorrect Permission Assignment for Critical Resource vulnerability in Suprema's BioStar 29.05.2026 10
CVE-2025-41269 29.05.2026 9.3
CVE-2025-41270 29.05.2026 9.3
CVE-2025-41272 29.05.2026 9.3
CVE-2025-41273 29.05.2026 9.3
CVE-2025-41274 29.05.2026 9.3
CVE-2025-41275 29.05.2026 9.3
CVE-2025-41276 29.05.2026 9.3
CVE-2025-41277 29.05.2026 9.3
CVE-2026-9559 29.05.2026 9.9
CVE-2026-49201 Acer Wave 7 router: Hardcoded Cryptographic Key 29.05.2026 10
CVE-2026-9558 29.05.2026 9.9
CVE-2026-49197 Predator Connect W6x: Improper Authentication 29.05.2026 10
CVE-2026-49199 Predator Connect W6x: RCE via MQTT 29.05.2026 10
CVE-2026-49200 Acer Wave 7 router: Broken Access Control 29.05.2026 10
CVE-2026-3655 OTP Login With Phone Number, OTP Verification <= 1.8.60 - Unauthenticated Authentication Bypass via Firebase OTP Verification 29.05.2026 9.8
CVE-2026-8732 WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action 29.05.2026 9.8
CVE-2026-8809 Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter 29.05.2026 9.8
CVE-2026-44848 Portainer: Missing authorization on Docker plugin endpoints allows host RCE 28.05.2026 9.4
CVE-2026-44849 Portainer: Endpoint security bypass via Swarm service create/update 29.05.2026 9.4
CVE-2026-34311 29.05.2026 9.8
CVE-2026-45288 Marten has an SQL injection vulnerability in its full-text search regConfig parameter 28.05.2026 9.8
CVE-2026-46775 28.05.2026 9.9
CVE-2026-46817 28.05.2026 9.8
CVE-2026-46819 28.05.2026 9.1
CVE-2026-46822 28.05.2026 9.9
CVE-2026-46824 28.05.2026 9.9
CVE-2026-46833 29.05.2026 9
CVE-2026-46839 28.05.2026 9.9
CVE-2026-46840 28.05.2026 10
CVE-2026-9645 ScadaBR Authenticated Remote Code Execution 28.05.2026 9.9
CVE-2026-9037 Download of code without integrity check in XCharge C6 28.05.2026 9.3
CVE-2026-45039 RustFS: Internode RPC HMAC secret falls back to public default credential, enabling peer impersonation 28.05.2026 9.8
CVE-2026-43898 SandboxJS: Sandbox escape via Function.caller leakage of internal call op 28.05.2026 10
CVE-2026-45058 electerm: Import unsafe bookmark data could lead to unsafe operation when click local type bookmark 28.05.2026 9.4
CVE-2026-45311 CodeWhale: run_tests Tool Enables RCE via Malicious Repository Without Approval 28.05.2026 9.6
CVE-2026-45323 MeshCore Card: XSS vulnerability through meshcore node name 28.05.2026 9.6
CVE-2026-45353 electerm: Local code through electerm's single-instance socket 28.05.2026 9.3
CVE-2026-45374 CodeWhale: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files 28.05.2026 9.6
CVE-2026-24444 SDMC NE6037 Hardcoded Password via mgmt.php/npcmd.php 28.05.2026 9.3
CVE-2026-44477 CloudNativePG: Metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE 28.05.2026 9.4
CVE-2026-45261 GitButler: Link injection via forge integration enables arbitrary script execution 28.05.2026 9.3
CVE-2026-44672 mapfish-print: Remote Code Injection (RCE) in Dynamic table 28.05.2026 9.3
CVE-2026-8979 Authentication Bypass 28.05.2026 9.3
CVE-2026-8980 Privilege Escalation 28.05.2026 9.3
CVE-2026-4408 Samba: remote code execution in samr 29.05.2026 9
CVE-2026-32998 29.05.2026 9.4
CVE-2026-32999 28.05.2026 9.1
CVE-2026-9739 28.05.2026 9.4
CVE-2026-45083 Goobi viewer: Unauthenticated Solr Streaming Expression Proxy 28.05.2026 9.8
CVE-2026-44590 Sherlock: Command Injection via pull_request_target in validate_modified_targets.yml 28.05.2026 9.3
CVE-2026-8362 Gladinet Triofox Stack-based Buffer Overflow in WOSDefaultHttpModule.dll 28.05.2026 9.8
CVE-2026-8363 Gladinet Triofox Stack-based Buffer Overflow in WOSDeviceDropFolder.dll 28.05.2026 9.8
CVE-2026-8364 Gladinet Triofox Missing Authentication for Critical Functions 28.05.2026 9.8
CVE-2026-44887 Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Path) 28.05.2026 9.8
CVE-2026-44888 Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Integer) 28.05.2026 9.8
CVE-2026-45102 OneUptime: RCE due to Node.js' vm module escape via error objects and infinite recursion 27.05.2026 9.9
CVE-2026-45087 Dalfox: Unauthenticated Remote Code Execution via `found-action` in Dalfox Server Mode 28.05.2026 10
CVE-2026-46425 Budibase: SCIM endpoints lack role-based authorization, BASIC users CRUD tenant users 28.05.2026 9.9
CVE-2026-48150 Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign 27.05.2026 9
CVE-2026-44315 free5GC: NEF 3gpp-pfd-management API is unauthenticated; forged bearer tokens can create, read, and delete PFD transactions 27.05.2026 9.4
CVE-2026-44326 free5GC: NEF 3gpp-traffic-influence API is unauthenticated; missing or forged bearer tokens can create, read, patch, and delete subscriptions 27.05.2026 9.4
CVE-2026-44327 free5GC: NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM handler 28.05.2026 10
CVE-2026-44329 free5GC: SMF UPI management interface lacks auth middleware; unauthenticated topology read/write requests reach handlers 28.05.2026 10
CVE-2026-44330 free5GC: NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens can read PFD data and create/delete PFD subscriptions 27.05.2026 10
CVE-2026-48027 Compromised Nx Console version 18.95.0 28.05.2026 9.3
CVE-2026-49103 27.05.2026 9.4
CVE-2026-35087 Authentication Bypass in Slican telephone exchanges 27.05.2026 9.3
CVE-2026-35090 Authentication Bypass in Slican telephone exchanges 27.05.2026 9.3
CVE-2026-7524 Path Traversal Vulnerability in File Processing Components Allows Unauthorized File System Access and Potential Remote Code Execution 28.05.2026 9.8
CVE-2026-8175 Multiple vulnerabilities in Aspera applications. 28.05.2026 9.8
CVE-2026-42727 WordPress Active Products Tables for WooCommerce plugin <= 1.0.8 - SQL Injection vulnerability 27.05.2026 9.3
CVE-2026-42731 WordPress miniorange otp verification plugin <= 5.4.9 - Privilege Escalation vulnerability 27.05.2026 9.8
CVE-2026-42740 WordPress Tainacan plugin <= 1.0.3 - SQL Injection vulnerability 27.05.2026 9.3
CVE-2026-42747 WordPress Easy Form Builder plugin <= 4.0.6 - SQL Injection vulnerability 27.05.2026 9.3
CVE-2026-42748 WordPress WPify Woo Czech plugin <= 5.4.1 - Arbitrary File Upload vulnerability 27.05.2026 9.9
CVE-2026-42755 WordPress TableOn plugin <= 1.0.5.1 - SQL Injection vulnerability 27.05.2026 9.3
CVE-2026-42756 WordPress QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly plugin <= 3.2.7 - Arbitrary File Deletion vulnerability 27.05.2026 9.9
CVE-2026-42757 WordPress WebinarIgnition plugin < 4.08.253 - Arbitrary File Deletion vulnerability 27.05.2026 9.9
CVE-2026-42758 WordPress WebinarIgnition plugin < 4.08.253 - Privilege Escalation vulnerability 27.05.2026 9.8
CVE-2026-42761 WordPress Active Products Tables for WooCommerce plugin <= 1.0.9 - SQL Injection vulnerability 27.05.2026 9.3
CVE-2026-48906 Extension - tassos.gr - Arbitrary File Deletion in Novarain/Tassos Framework < 6.1.0 for Joomla 27.05.2026 9.3
CVE-2025-12686 27.05.2026 9.8
CVE-2026-49002 Broken Access Control Vulnerability in ZTE ZXUniPOS NDS-LTE product 28.05.2026 9.1
CVE-2026-8054 Unauthenticated SQL Injection in dotCMS Publish Audit API 27.05.2026 10
CVE-2026-8760 Login with OTP <= 1.6 - Unauthenticated Authentication Bypass via OTP Brute Force 27.05.2026 9.8
CVE-2026-9312 Server-Side Request Forgery vulnerability in GitHub Enterprise Server allowed access to internal services via path traversal in upload endpoint 28.05.2026 9.2
CVE-2026-44895 GitLab MCP Server: SSE transport has no authentication and wildcard CORS, exposing all GitLab tools 27.05.2026 9.2
CVE-2026-44444 Lumiverse: Spindle extension install runs untrusted lifecycle scripts before security scan 27.05.2026 9.1
CVE-2026-44449 Lumiverse: SMB `exists()` basename injection via smbclient `!cmd` escape 27.05.2026 9.1
CVE-2026-44450 Lumiverse: RCE via MCP stdio argument injection 26.05.2026 9.9
CVE-2026-44451 Lumiverse: TSX component sandbox escape via DOM ref and string-split identifier bypass 27.05.2026 9.3
CVE-2026-9642 Delta Electronics DIAView Patch Bypass 26.05.2026 9.8
CVE-2026-3660 IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to Authentication Bypass 28.05.2026 9.8
CVE-2026-44668 Faction: Unauthenticated Read, Modify, and Delete of Boilerplate Templates 27.05.2026 9.8
CVE-2026-46624 Twenty: SQL Injection via the timeZone field 26.05.2026 9.9
CVE-2026-47202 Kavita: Pre-Auth Account Takeover 27.05.2026 9.3
CVE-2026-7251 Eppendorf BioFlo 320 Use of hard-coded password 26.05.2026 9.3
CVE-2026-8633 IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by multiple vulnerabilities when using Web Server Plug-ins 27.05.2026 9.8
CVE-2026-2264 Server-Side Request Forgery and Credential Exfiltration in Google Cloud Apigee via SetIntegrationRequest Policy. 26.05.2026 9.2
CVE-2026-45721 Algernon: handler.lua discovery walks parent directories above the server root 26.05.2026 9
CVE-2026-45247 Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection 26.05.2026 9.3
CVE-2026-7374 Kubevirt: kubevirt virt-handler: privilege escalation and node compromise via symlink following vulnerability 28.05.2026 9.9
CVE-2026-9543 Totolink N300RH Web Management cstecgi.cgi setPasswordCfg os command injection 26.05.2026 9.3
CVE-2026-42773 WordPress eMagicOne Store Manager plugin <= 1.3.2 - SQL Injection vulnerability 26.05.2026 9.3
CVE-2026-42774 WordPress JetEngine plugin <= 3.8.8.1 - SQL Injection vulnerability 26.05.2026 9.3
CVE-2026-9477 Totolink A8000RU Web Management cstecgi.cgi setAccessDeviceCfg os command injection 26.05.2026 9.3
CVE-2026-9478 Totolink A8000RU Web Management cstecgi.cgi setParentalRules os command injection 27.05.2026 9.3
CVE-2026-9475 Totolink A8000RU Web Management cstecgi.cgi setIpQosRules os command injection 26.05.2026 9.3
CVE-2026-9476 Totolink A8000RU Web Management cstecgi.cgi setPasswordCfg os command injection 28.05.2026 9.3
CVE-2026-9058 Improper Certificate Verification in Szafir SDK 26.05.2026 9.3
CVE-2026-9457 Totolink A8000RU Web Management cstecgi.cgi UploadFirmwareFile os command injection 26.05.2026 9.3
CVE-2026-9458 Totolink A8000RU Web Management cstecgi.cgi setWanCfg os command injection 28.05.2026 9.3
CVE-2026-9454 Totolink A8000RU Web Management cstecgi.cgi setOpenVpnCertGenerationCfg os command injection 28.05.2026 9.3
CVE-2026-9455 Totolink A8000RU Web Management cstecgi.cgi UploadOpenVpnCert os command injection 26.05.2026 9.3
CVE-2026-9456 Totolink A8000RU Web Management cstecgi.cgi setOpenVpnCfg os command injection 26.05.2026 9.3
CVE-2026-9435 Totolink A8000RU Web Management cstecgi.cgi setQosCfg os command injection 26.05.2026 9.3
CVE-2026-9436 Totolink A8000RU Web Management cstecgi.cgi setL2tpServerCfg os command injection 28.05.2026 9.3
CVE-2026-2651 Missing Authorization Validation in mlflow/mlflow 27.05.2026 9
CVE-2026-9432 Totolink A8000RU Web Management cstecgi.cgi setWiFiAdvancedCfg os command injection 26.05.2026 9.3
CVE-2026-9433 Totolink A8000RU Web Management cstecgi.cgi setMacFilterRules os command injection 26.05.2026 9.3
CVE-2026-9434 Totolink A8000RU Web Management cstecgi.cgi setWiFiWpsCfg os command injection 28.05.2026 9.3
CVE-2026-9407 Totolink A8000RU Web Management cstecgi.cgi setFirewallType os command injection 26.05.2026 9.3
CVE-2026-9408 Totolink A8000RU Web Management cstecgi.cgi setStaticDhcpRules os command injection 26.05.2026 9.3
CVE-2026-9405 Totolink A8000RU Web Management cstecgi.cgi setGameSpeedCfg os command injection 26.05.2026 9.3
CVE-2026-9406 Totolink A8000RU Web Management cstecgi.cgi setRemoteCfg os command injection 27.05.2026 9.3
CVE-2026-9404 Totolink A8000RU Web Management cstecgi.cgi setDdnsCfg os command injection 24.05.2026 9.3
CVE-2026-9397 Besen BS20 EV Charging Station OTA Update Installation improper authorization 26.05.2026 9.2
CVE-2026-9388 Totolink A8000RU Web Management cstecgi.cgi setScheduleCfg os command injection 26.05.2026 9.3
CVE-2026-9386 Totolink A8000RU Web Management cstecgi.cgi setLanguageCfg os command injection 26.05.2026 9.3
CVE-2026-9387 Totolink A8000RU Web Management cstecgi.cgi setUpgradeFW os command injection 26.05.2026 9.3
CVE-2026-9384 Totolink A8000RU Web Management cstecgi.cgi setDiagnosisCfg os command injection 26.05.2026 9.3
CVE-2026-9385 Totolink A8000RU Web Management cstecgi.cgi setTracerouteCfg os command injection 27.05.2026 9.3
CVE-2018-25350 userSpice 4.3.24 Username Enumeration via existingUsernameCheck.php 26.05.2026 9.3
CVE-2018-25357 Dolibarr ERP CRM 7.0.3 Remote Code Execution via install/step1.php 26.05.2026 9.3
CVE-2026-23652 Microsoft Power Pages Remote Code Execution Vulnerability 27.05.2026 10
CVE-2026-33843 Microsoft Azure Active Directory B2C Elevation of Privilege Vulnerability 27.05.2026 9.1
CVE-2026-40411 Azure Virtual Network Gateway Remote Code Execution Vulnerability 26.05.2026 9.9
CVE-2026-40412 Azure Orbital Spatio Remote Code Execution Vulnerability 26.05.2026 10
CVE-2026-41090 Microsoft Copilot Tampering Vulnerability 27.05.2026 9.3
CVE-2026-41104 Microsoft Planetary Computer Pro Information Disclosure Vulnerability 26.05.2026 10
CVE-2026-42901 Microsoft Entra ID Elevation of Privilege Vulnerability 27.05.2026 10
CVE-2026-47280 Azure Resource Manager Elevation of Privilege Vulnerability 27.05.2026 10
CVE-2026-48700 24.05.2026 9.3
CVE-2026-32253 Sunshine: Authentication bypass via improper client certificate validation 26.05.2026 9.8
CVE-2026-33712 TypeBot: Unauthenticated SSRF via isolated-vm fetch in preview chat endpoint bypasses SSRF controls 22.05.2026 10

Latest Updates

CVE Title Updated Score
CVE-2026-10042 manga-image-translator RCE via Unsafe Pickle Deserialization in Share Model 29.05.2026 9.8
CVE-2026-10062 TRENDnet TEW-432BRP formSetRoute stack-based overflow 29.05.2026
CVE-2026-10063 TRENDnet TEW-432BRP formWPS stack-based overflow 29.05.2026
CVE-2026-39292 29.05.2026
CVE-2026-41150 Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS 29.05.2026
CVE-2026-41159 Mermaid: Improper sanitization of configuration leads to CSS injection 29.05.2026
CVE-2026-45609 mcp-security: Unvalidated URL Fetching (SSRF) 29.05.2026 7.2
CVE-2026-4290 WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators 29.05.2026 9.1
CVE-2026-10060 TRENDnet TEW-432BRP formSetRoute command injection 29.05.2026
CVE-2026-10061 TRENDnet TEW-432BRP formWPS command injection 29.05.2026
CVE-2026-10072 Interinfo|DreamMaker - Arbitrary File Upload 29.05.2026
CVE-2026-10073 Interinfo|DreamMaker - Arbitrary File Read 29.05.2026
CVE-2026-10074 Interinfo|DreamMaker - Arbitrary File Read 29.05.2026
CVE-2026-10075 Interinfo|DreamMaker - Path Traversal 29.05.2026
CVE-2026-40510 OpenSC < 0.27.0-rc1 Stack Buffer Overflow via piv_process_history() in card-piv.c 29.05.2026
CVE-2026-40528 OpenSC < 0.27.0 Buffer Overrun in do_key_value() via profile.c 29.05.2026
CVE-2026-44237 FreePBX: Authenticated Access can lead to Subsequent OAuth2 Authentication Bypass in API Module 29.05.2026
CVE-2026-44238 FreePBX: Authenticated SQL Injection via ORDER BY in CDR Reports 29.05.2026
CVE-2026-44239 FreePBX: Authenticated Local File Inclusion in Dashboard Module 29.05.2026
CVE-2026-44698 Home Assistant: Cross-origin iframe access token exfiltration via WebView JS bridge callback injection 29.05.2026 8.3
CVE-2026-45555 Roslyn CodeLens MCP Server: Untrusted Roslyn Analyzer Execution via get_diagnostics Leads to Arbitrary Code Execution 29.05.2026 7.8
CVE-2026-45578 WWBN AVideo Live: OS command injection in on_publish.php execAsync via unescaped m3u8 URL 29.05.2026 8.8
CVE-2026-45580 WWBN AVideo Live: stored XSS via unescaped stream key in modeYoutubeLive.php class attribute 29.05.2026 5.4
CVE-2026-45582 n8n-MCP: Workflow telemetry sanitizer could retain partial values from URL-shaped node parameters 29.05.2026 6.5
CVE-2026-45610 WWBN AVideo plugin/LoginControl/set.json.php: 2FA toggle endpoint has no CSRF protection, letting an attacker page silently disable a logged-in victim's 2FA 29.05.2026 5.7
CVE-2026-45615 mouse07410/asn1c: 1-byte Heap Out-of-Bounds Read in `INTEGER_decode_oer` via Malformed OER Payload 29.05.2026 8.2
CVE-2026-45619 AVideo CVE-2026-43884 incomplete fix - `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post 29.05.2026 6.5
CVE-2026-45620 AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticated user enumeration 29.05.2026 5.3
CVE-2026-45707 n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete 29.05.2026 8.1
CVE-2026-45731 WWBN AVideo: Authenticated Arbitrary File Read in view/update.php 29.05.2026
CVE-2026-46337 WWBN AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image404Raw.php` 29.05.2026
CVE-2026-46376 FreePBX: Unauthenticated Use of Hard-Coded Credentials Vulnerability in FreePBX UCP Interface 29.05.2026
CVE-2026-46510 Prototype pollution in form-data-objectizer via bracket-notation form keys 29.05.2026 8.2
CVE-2026-47694 WWBN AVideo: Stored XSS via unescaped Gallery category description 29.05.2026 5.4
CVE-2026-47696 WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint 29.05.2026
CVE-2026-49316 Indian Scout Bobber 2025 WCM CAN bus-off attack silently bypasses anti-theft shutdown 29.05.2026 4.6
CVE-2026-49317 Indian Scout Bobber 2025 Infotainment Digital Round skips PIN entry when WCM is silent at boot 29.05.2026 2.4
CVE-2026-49318 Indian Scout Bobber 2025 Infotainment Digital Round skips PIN entry when WCM is silent at boot 29.05.2026 2.4
CVE-2026-49325 Indian Scout Bobber 2025 WCM voltage-based shutdown 29.05.2026 4.6
CVE-2026-10071 Interinfo|DreamMaker - Arbitrary File Upload 29.05.2026
CVE-2026-45043 RustFS: ImportIam Allows Creation of Backdoor Service Accounts Under Any Parent Including Root 29.05.2026
CVE-2026-45312 RAGFlow: Server-Side Template Injection in Prompt Generator leads to Remote Code Execution 29.05.2026 9.9
CVE-2026-45551 Group-Office: Authenticated Stored XSS in Administrator Context via Arbitrary Cross-User Setting Write 29.05.2026
CVE-2026-45611 29.05.2026
CVE-2026-48527 HaxCMS has a stored Cross-Site Scripting (XSS) bypass in saveNode endpoint 29.05.2026 8.7
CVE-2026-49323 Indian Scout Bobber 2025 WCM-to-ECM weak authentication 29.05.2026 4.3
CVE-2026-49324 Indian Scout Bobber 2025 WCM brute-force 29.05.2026 4.6
CVE-2026-8326 Remote Spark SparkView Path Traversal in RDP Drive Redirection leading to RCE 29.05.2026
CVE-2026-9508 Incorrect Permission Assignment for Critical Resource vulnerability in Suprema's BioStar 29.05.2026
CVE-2026-9509 Uncaught exception vulnerability in Suprema's BioStar 29.05.2026
CVE-2025-41265 29.05.2026
CVE-2025-41266 29.05.2026
CVE-2025-41267 29.05.2026
CVE-2025-41268 29.05.2026
CVE-2025-41269 29.05.2026
CVE-2025-41270 29.05.2026
CVE-2025-41271 29.05.2026
CVE-2025-41272 29.05.2026
CVE-2025-41273 29.05.2026
CVE-2025-41274 29.05.2026
CVE-2025-41275 29.05.2026
CVE-2025-41276 29.05.2026
CVE-2025-41277 29.05.2026
CVE-2025-41278 29.05.2026
CVE-2025-41279 29.05.2026
CVE-2025-41280 29.05.2026
CVE-2025-41281 29.05.2026
CVE-2026-9559 29.05.2026 9.9
CVE-2026-9808 29.05.2026 7.1
CVE-2026-9809 29.05.2026 7.6
CVE-2026-9811 29.05.2026 5.4
CVE-2025-12714 Rank Math SEO – AI SEO Tools to Dominate SEO Rankings <= 1.0.271 - Missing Authorization to Unauthenticated Homepage Settings Modification 29.05.2026 5.3
CVE-2026-10078 Quay/config-tool: quay/config-tool: gitlab oauth client_secret exposed in url querystring 29.05.2026
CVE-2026-42965 Openshift/router: openshift/router: cloud metadata ssrf via fqdn-typed endpointslice bypasses destination validation 29.05.2026
CVE-2026-46579 Openshift/router: openshift/router: mtls client certificate spoofing via unstripped x-ssl-client headers on http frontend 29.05.2026
CVE-2026-49201 Acer Wave 7 router: Hardcoded Cryptographic Key 29.05.2026
CVE-2026-9557 29.05.2026 6.4
CVE-2026-9558 29.05.2026 9.9
CVE-2026-10039 Frontend Admin by DynamiApps <= 3.28.28 - Authenticated (Administrator+) SQL Injection via 'order' Parameter 29.05.2026 4.9
CVE-2026-10052 Quay/config-tool: quay/config-tool: ssrf via unfiltered ldap and smtp config validation endpoints 29.05.2026
CVE-2026-10056 CORS misconfiguration in Nx Witness VMS allows session token exfiltration via cross-origin request 29.05.2026 7.5
CVE-2026-10057 ITP Technology|ITS Intelligent SCADA System - Stored Cross-Site Scripting 29.05.2026
CVE-2026-10058 ITP Technology|ITS Intelligent SCADA System - Stored Cross-Site Scripting 29.05.2026
CVE-2026-49195 Predator Connect W6x: unauthenticated Debug Service 29.05.2026
CVE-2026-49196 Predator Connect W6x: Web Interface Command Injection 29.05.2026
CVE-2026-49197 Predator Connect W6x: Improper Authentication 29.05.2026
CVE-2026-49198 Predator Connect W6x: MQTT Broker Access Control 29.05.2026
CVE-2026-49199 Predator Connect W6x: RCE via MQTT 29.05.2026
CVE-2026-49200 Acer Wave 7 router: Broken Access Control 29.05.2026
CVE-2026-6075 Media Library Assistant <= 3.35 - Cross-Site Request Forgery via Bulk Action Form 29.05.2026 8.1
CVE-2026-9189 Contact Form 7 – PayPal & Stripe Add-on <= 2.4.9 - Unauthenticated Payment Bypass via Insufficient Verification of Data Authenticity via PayPal IPN Handler ('invoice'/'mc_gross' Verification) 29.05.2026 5.3
CVE-2025-11262 Link Whisper Free <= 0.9.0 - Unauthenticated Stored Cross-Site Scripting 29.05.2026 7.2
CVE-2026-3655 OTP Login With Phone Number, OTP Verification <= 1.8.60 - Unauthenticated Authentication Bypass via Firebase OTP Verification 29.05.2026 9.8
CVE-2026-49322 Indian Scout Bobber 2025 Infotainment-to-WCM weak authentication allows recovery of user PIN from observed exchange 29.05.2026 4.3
CVE-2026-4776 29.05.2026 7.1
CVE-2026-9243 The Plus Addons for Elementor <= 6.4.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'carousel_direction' Parameter 29.05.2026 6.4
CVE-2025-11993 WooCommerce Infinite Scroll and Ajax Pagination <= 1.8 - Authenticated (Subscriber+) PHP Object Injection 29.05.2026 8.8
CVE-2025-14042 Automotive Car Dealership Business WordPress Theme <= 13.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Portfolio Project Details 29.05.2026 6.4
CVE-2026-6275 StatCounter <= 2.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via Author Nickname 29.05.2026 6.4
CVE-2026-6324 Libsoup: libsoup: http request smuggling via unsigned to signed conversion error 29.05.2026
CVE-2026-8732 WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action 29.05.2026 9.8
CVE-2026-9493 BankPro E-Service Technology|Service Center - Insecure Direct Object Reference 29.05.2026
CVE-2026-9714 Simple Divi Shortcode <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute 29.05.2026 6.4
CVE-2026-2128 Breeze Cache <= 2.5.2 - Unauthenticated Exposure of Sensitive Information to an Unauthorized Actor via Crafted Login Cookie 29.05.2026 5.3
CVE-2026-7430 Post Snippets <= 4.0.19 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import 29.05.2026 4.4
CVE-2026-8995 Poll Maker by AYS <= 6.3.7 - Authenticated (Subscriber+) Sensitive Information Exposure in 'ays_poll_get_user_information' AJAX Action 29.05.2026 4.3
CVE-2026-7480 29.05.2026
CVE-2026-8070 29.05.2026
CVE-2026-6891 28.05.2026 5
CVE-2026-6892 29.05.2026 5
CVE-2026-5343 SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031 28.05.2026
CVE-2026-6816 TFA Basic Plugins - Access Bypass 28.05.2026
CVE-2026-10000 29.05.2026
CVE-2026-10001 29.05.2026
CVE-2026-10002 28.05.2026
CVE-2026-10003 29.05.2026
CVE-2026-10004 28.05.2026
CVE-2026-10005 29.05.2026
CVE-2026-10006 29.05.2026
CVE-2026-10007 29.05.2026
CVE-2026-10008 28.05.2026
CVE-2026-10009 29.05.2026
CVE-2026-10010 28.05.2026
CVE-2026-10011 28.05.2026
CVE-2026-10012 29.05.2026
CVE-2026-10013 29.05.2026
CVE-2026-10014 29.05.2026
CVE-2026-10015 29.05.2026
CVE-2026-10016 29.05.2026
CVE-2026-10017 28.05.2026
CVE-2026-10018 28.05.2026
CVE-2026-10019 28.05.2026
CVE-2026-10020 28.05.2026
CVE-2026-10021 29.05.2026
CVE-2026-10022 29.05.2026
CVE-2026-10028 Glib-networking: infinite loop in glib-networking gnutls backend allows remote denial of service via circular certificate chain 29.05.2026
CVE-2026-8809 Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter 29.05.2026 9.8
CVE-2026-9872 28.05.2026
CVE-2026-9873 29.05.2026
CVE-2026-9874 28.05.2026
CVE-2026-9875 28.05.2026
CVE-2026-9876 28.05.2026
CVE-2026-9877 28.05.2026
CVE-2026-9878 29.05.2026
CVE-2026-9879 29.05.2026
CVE-2026-9880 28.05.2026
CVE-2026-9881 28.05.2026
CVE-2026-9882 28.05.2026
CVE-2026-9883 29.05.2026
CVE-2026-9884 29.05.2026
CVE-2026-9885 28.05.2026
CVE-2026-9886 28.05.2026
CVE-2026-9887 28.05.2026
CVE-2026-9888 28.05.2026
CVE-2026-9889 28.05.2026
CVE-2026-9890 28.05.2026
CVE-2026-9891 28.05.2026
CVE-2026-9892 28.05.2026
CVE-2026-9893 28.05.2026
CVE-2026-9894 28.05.2026
CVE-2026-9895 28.05.2026
CVE-2026-9896 29.05.2026
CVE-2026-9897 29.05.2026
CVE-2026-9898 28.05.2026
CVE-2026-9899 28.05.2026
CVE-2026-9900 28.05.2026
CVE-2026-9901 29.05.2026
CVE-2026-9902 28.05.2026
CVE-2026-9903 28.05.2026
CVE-2026-9904 28.05.2026
CVE-2026-9905 28.05.2026
CVE-2026-9906 28.05.2026
CVE-2026-9907 28.05.2026
CVE-2026-9908 28.05.2026
CVE-2026-9909 29.05.2026
CVE-2026-9910 29.05.2026
CVE-2026-9911 28.05.2026
CVE-2026-9912 28.05.2026
CVE-2026-9913 28.05.2026
CVE-2026-9914 28.05.2026
CVE-2026-9915 28.05.2026
CVE-2026-9916 28.05.2026
CVE-2026-9917 28.05.2026
CVE-2026-9918 28.05.2026
CVE-2026-9919 28.05.2026
CVE-2026-9920 28.05.2026
CVE-2026-9921 28.05.2026
CVE-2026-9922 29.05.2026
CVE-2026-9923 28.05.2026
CVE-2026-9924 28.05.2026
CVE-2026-9925 28.05.2026
CVE-2026-9926 28.05.2026
CVE-2026-9927 29.05.2026
CVE-2026-9928 29.05.2026
CVE-2026-9929 28.05.2026
CVE-2026-9930 28.05.2026
CVE-2026-9931 28.05.2026
CVE-2026-9932 28.05.2026
CVE-2026-9933 28.05.2026
CVE-2026-9934 29.05.2026
CVE-2026-9935 28.05.2026
CVE-2026-9936 29.05.2026
CVE-2026-9937 29.05.2026
CVE-2026-9938 29.05.2026
CVE-2026-9939 29.05.2026
CVE-2026-9940 28.05.2026
CVE-2026-9941 29.05.2026
CVE-2026-9942 28.05.2026
CVE-2026-9943 28.05.2026
CVE-2026-9944 28.05.2026
CVE-2026-9945 29.05.2026
CVE-2026-9946 29.05.2026
CVE-2026-9947 29.05.2026
CVE-2026-9948 28.05.2026
CVE-2026-9949 29.05.2026
CVE-2026-9950 28.05.2026
CVE-2026-9951 29.05.2026
CVE-2026-9952 29.05.2026
CVE-2026-9953 28.05.2026
CVE-2026-9954 28.05.2026
CVE-2026-9955 28.05.2026
CVE-2026-9956 29.05.2026
CVE-2026-9957 29.05.2026
CVE-2026-9958 28.05.2026
CVE-2026-9959 28.05.2026
CVE-2026-9960 29.05.2026
CVE-2026-9961 28.05.2026
CVE-2026-9962 29.05.2026
CVE-2026-9963 29.05.2026
CVE-2026-9964 28.05.2026
CVE-2026-9965 28.05.2026
CVE-2026-9966 28.05.2026
CVE-2026-9967 28.05.2026
CVE-2026-9968 29.05.2026
CVE-2026-9969 29.05.2026
CVE-2026-9970 29.05.2026
CVE-2026-9971 28.05.2026
CVE-2026-9972 28.05.2026
CVE-2026-9973 29.05.2026
CVE-2026-9974 28.05.2026
CVE-2026-9975 28.05.2026
CVE-2026-9976 29.05.2026
CVE-2026-9977 28.05.2026
CVE-2026-9978 29.05.2026
CVE-2026-9979 28.05.2026
CVE-2026-9980 28.05.2026
CVE-2026-9981 28.05.2026
CVE-2026-9982 28.05.2026
CVE-2026-9983 29.05.2026
CVE-2026-9984 29.05.2026
CVE-2026-9985 28.05.2026
CVE-2026-9986 28.05.2026
CVE-2026-9987 29.05.2026
CVE-2026-9988 28.05.2026
CVE-2026-9989 28.05.2026
CVE-2026-9990 28.05.2026
CVE-2026-9991 28.05.2026
CVE-2026-9992 29.05.2026
CVE-2026-9993 29.05.2026
CVE-2026-9994 29.05.2026
CVE-2026-9995 29.05.2026
CVE-2026-9996 28.05.2026
CVE-2026-9997 29.05.2026
CVE-2026-9998 28.05.2026
CVE-2026-9999 28.05.2026
CVE-2026-44973 Billy: Path traversal vulnerabilities 28.05.2026 8.1
CVE-2026-45023 AutoGP: Credit system bypassed via direct block execution in POST /api/blocks/{block_id}/execute 29.05.2026 5.4
CVE-2026-45364 Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation 28.05.2026 7.3
CVE-2026-45410 Time-based user enumeration in TREK authentication endpoint 28.05.2026 5.3
CVE-2026-49299 29.05.2026
CVE-2026-10044 ai-goofish-monitor Unauthenticated Arbitrary File Read via GET /api/prompts/ 29.05.2026 7.5
CVE-2026-39929 Lakeside SysTrack Agent LsiAgent.exe Out-of-Bounds Read via UDP 28.05.2026
CVE-2026-44848 Portainer: Missing authorization on Docker plugin endpoints allows host RCE 28.05.2026
CVE-2026-44849 Portainer: Endpoint security bypass via Swarm service create/update 29.05.2026
CVE-2026-44850 Portainer: Bind-mount restriction bypass via HostConfig.Mounts 28.05.2026 8.5
CVE-2026-44881 Portainer: Arbitrary File Read via Git Symlink Injection in Stack Auto-Update 28.05.2026
CVE-2026-44882 Portainer: Kubernetes middleware continues after token validation failure, bypassing endpoint authorization 28.05.2026 8.1
CVE-2026-44883 Portainer: JWT accepted in URL query leaks tokens to logs and referers 28.05.2026
CVE-2026-44884 Portainer: Missing authorization on custom template file endpoint exposes template content 29.05.2026
CVE-2026-44885 Portainer: Path traversal in backup archive extraction allows arbitrary file write 28.05.2026 5.5
CVE-2026-45342 LinkAce: IDOR in Update Policies Allows Any Authenticated User to Overwrite Other Users' Links, Lists, Tags, and Notes 28.05.2026
CVE-2026-45343 LinkAce - Stored XSS via Unsanitized SSO User's Name Rendered in Admin Audit Log Allows Session Hijacking 28.05.2026
CVE-2026-45344 LinkAce: Setup database password newline injection enables pre-auth RCE on uninitialized instances 28.05.2026 8.1
CVE-2026-45366 typescript-utcp: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol 29.05.2026 4.7
CVE-2026-45403 AnythingLLM: filesystem-copy-file follows nested symlinks and copies files from outside the allowed directory 28.05.2026 2
CVE-2026-47713 AnythingLLM: Legacy mobile device tokens bypass multi-user workspace scoping after mode migration 28.05.2026 2
CVE-2026-48116 AnythingLLM: RCE via ripgrep --pre argument injection in filesystem-search-files agent skill 28.05.2026 7.5
CVE-2026-34311 29.05.2026 9.8
CVE-2026-35266 28.05.2026 7.9
CVE-2026-35277 28.05.2026 8.1
CVE-2026-41897 MantisBT: Reflected XSS in Rendering Dynamic Custom Textarea Field 28.05.2026
CVE-2026-42070 MantisBT: Authorization Bypass in Bugnote Editing via Issue Update API 28.05.2026
CVE-2026-42071 MantisBT: Private Bugnote Attachment Content Leak via REST API 29.05.2026
CVE-2026-42398 Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access 28.05.2026 7.7
CVE-2026-42399 Uncontrolled Resource Consumption in Kibana Leading to Denial of Service 28.05.2026 6.5
CVE-2026-42400 Uncontrolled Resource Consumption in Kibana Leading to Denial of Service 28.05.2026 6.5
CVE-2026-44655 MantisBT: Stored XSS on Move Attachments Admin Page 28.05.2026
CVE-2026-44657 MantisBT: Stored XSS in File Download 28.05.2026
CVE-2026-45288 Marten has an SQL injection vulnerability in its full-text search regConfig parameter 28.05.2026 9.8
CVE-2026-46775 28.05.2026 9.9
CVE-2026-46817 28.05.2026 9.8
CVE-2026-46818 28.05.2026 7.4
CVE-2026-46819 28.05.2026 9.1
CVE-2026-46820 28.05.2026 8.5
CVE-2026-46821 28.05.2026 7.7
CVE-2026-46822 28.05.2026 9.9
CVE-2026-46823 28.05.2026 7.7
CVE-2026-46824 28.05.2026 9.9
CVE-2026-46826 28.05.2026 8.8
CVE-2026-46827 28.05.2026 8.8
CVE-2026-46828 28.05.2026 8.1
CVE-2026-46829 28.05.2026 7.5
CVE-2026-46830 28.05.2026 5.3
CVE-2026-46833 29.05.2026 9
CVE-2026-46834 28.05.2026 7.5
CVE-2026-46835 28.05.2026 7.5
CVE-2026-46837 28.05.2026 8.8
CVE-2026-46839 28.05.2026 9.9
CVE-2026-46840 28.05.2026 10
CVE-2026-46841 28.05.2026 5.3
CVE-2026-46842 28.05.2026 5.3
CVE-2026-46843 28.05.2026 5.3
CVE-2026-49093 Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access 28.05.2026 6.3
CVE-2026-49094 Uncontrolled Resource Consumption in Kibana Leading to Denial of Service 28.05.2026 6.5
CVE-2026-49095 Improper Input Validation in Kibana Fleet Leading to Privilege Escalation 28.05.2026 7.2
CVE-2026-9645 ScadaBR Authenticated Remote Code Execution 28.05.2026 9.9
CVE-2026-9646 ScadaBR Unauthenticated Reflected Cross-Site Scripting 28.05.2026 6.1
CVE-2026-32847 DeepCode 1.2.0 Path Traversal via SPA Catch-All Route in main.py 28.05.2026
CVE-2026-33462 Path Traversal in Kibana Leading to Unauthorized Deletion of User Accounts 28.05.2026 4.6
CVE-2026-33463 Operation on a Resource after Expiration or Termination in Kibana Leading to Unauthorized File Access 28.05.2026 5.3
CVE-2026-33464 Uncontrolled Resource Consumption in Kibana Leading to Denial of Service 28.05.2026 6.5
CVE-2026-33590 Insecure default permissions in Portainer CE 28.05.2026
CVE-2026-42401 Improper Neutralization of Input During Web Page Generation in Kibana Leading to Stored HTML Injection 28.05.2026 4.1
CVE-2026-49127 Music Player Daemon < 0.24.11 Stack Buffer Overflow via pcm_unpack_24be 28.05.2026
CVE-2026-49128 Music Player Daemon < 0.24.11 Path Traversal via LocalStorage URI Handling 29.05.2026
CVE-2026-49129 Music Player Daemon < 0.24.11 SSRF via CurlInputPlugin 29.05.2026
CVE-2026-49130 Music Player Daemon < 0.24.11 CRLF Injection via XspfPlaylistPlugin.cxx 28.05.2026
CVE-2026-9037 Download of code without integrity check in XCharge C6 28.05.2026
CVE-2026-9038 Stack-based buffer overflow in XCharge C6 28.05.2026
CVE-2026-9039 Initialization of a resource with an insecure default in XCharge C6 28.05.2026
CVE-2026-30760 28.05.2026
CVE-2026-30761 28.05.2026
CVE-2026-42998 28.05.2026 6
CVE-2026-42999 28.05.2026 6
CVE-2026-43000 28.05.2026 6
CVE-2026-43979 Local Deep Research: HTML Injection via Unescaped User Input in PDF Export (`pdf_service.py:_markdown_to_html`) 28.05.2026 5
CVE-2026-44394 28.05.2026 6
CVE-2026-45039 RustFS: Internode RPC HMAC secret falls back to public default credential, enabling peer impersonation 28.05.2026 9.8
CVE-2026-45040 RustFS: Sensitive Information Leakage (SessionToken and SecretAccessKey) in RustFS Logs [Debug Mode] 28.05.2026
CVE-2026-45041 RustFS: Hard-coded RSA private key in license verifier permits arbitrary license forgery 29.05.2026
CVE-2026-45042 RustFS: UploadPartCopy Does Not Enforce Destination Bucket Policy on Copy Source 28.05.2026
CVE-2026-45044 RustFS: Authentication bypass in /profile/cpu and /profile/memory allows unauthenticated access to profiling handlers 28.05.2026
CVE-2026-45332 Automad Broken Access Control: unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint 28.05.2026 7.5
CVE-2026-46509 deepobj: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') 28.05.2026 8.2
CVE-2026-46526 Local Deep Research: SSRF bypass in `safe_get` 29.05.2026 5
CVE-2026-46685 RustFS: Reflective CORS with credentials on S3 listener; unauthenticated license metadata endpoint on console 28.05.2026
CVE-2026-47136 RustFS: Unauthenticated RustFS console license endpoint exposes license metadata 28.05.2026
CVE-2026-47326 Memory leak in Ubuntu Linux AppArmor large notification response allocation 28.05.2026 5.5
CVE-2026-47327 NULL pointer dereference in Ubuntu Linux AppArmor notification handling 28.05.2026 3.3
CVE-2026-47328 Invalid pointer deallocation in Ubuntu Linux AppArmor notification handling 28.05.2026 6.1
CVE-2026-47329 Incorrect validation of field size in Ubuntu Linux AppArmor notification responses 28.05.2026 3.3
CVE-2026-47330 Use of uninitialized value in Ubuntu Linux AppArmor notification handling 28.05.2026 3.3
CVE-2026-47331 Use-after-free in Ubuntu Linux AppArmor notification handling 29.05.2026 7.8
CVE-2026-47332 Out-of-bounds read in Ubuntu Linux AppArmor notification handling 28.05.2026 5.5
CVE-2026-47333 Out-of-bounds read in Ubuntu Linux AppArmor notification handling 29.05.2026 7.8
CVE-2026-47334 Deadlock or kernel panic in Ubuntu Linux AppArmor notification handling 28.05.2026 5.5
CVE-2026-47335 NULL pointer dereference in Ubuntu Linux AppArmor notification handling 28.05.2026 5.5
CVE-2026-47336 Use of uninitialized value in Ubuntu Linux AppArmor IPv4/IPv6 socket mediation rules 28.05.2026 3.3
CVE-2026-47337 NULL pointer dereference in Ubuntu Linux AppArmor IPv4/IPv6 socket mediation 28.05.2026 3.3
CVE-2026-4944 Hardcoded trust_remote_code=True in vllm-project/vllm Bypasses User Security Control 28.05.2026
CVE-2026-34126 Bluetooth Communication Uses Unencrypted Transmission During Initial Setup on TP-Link's Tapo L535E, P300 and D100C 28.05.2026
CVE-2026-43898 SandboxJS: Sandbox escape via Function.caller leakage of internal call op 28.05.2026 10
CVE-2026-44794 Nautobot: REST API permits creation of GenericForeignKey references to objects that the user should not be able to reference 28.05.2026 5.4
CVE-2026-44796 Nautobot: Object bulk rename UI actions vulnerable to denial of service by crafted regular expression (REDoS) 28.05.2026 6.5
CVE-2026-44797 Nautobot: Webhook definitions could be used for server-side request forgery (SSRF) 28.05.2026 8.5
CVE-2026-44798 Nautobot: GitRepository.current_head field should not be writable through REST API 28.05.2026 7.1
CVE-2026-45021 Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin 28.05.2026
CVE-2026-45058 electerm: Import unsafe bookmark data could lead to unsafe operation when click local type bookmark 28.05.2026
CVE-2026-45296 OpenReplay: Cross-tenant information disclosure in app_apikey projectKey routes via missing tenant binding 28.05.2026 7.7
CVE-2026-45297 Cross-tenant IDOR on feature-flag and assist-stats routes via {project_id} case mismatch 28.05.2026
CVE-2026-45306 pyLoad: Incomplete Fix for CVE-2026-33509 -storage_folder Bypass via Session Directory 28.05.2026 6.5
CVE-2026-45307 Speakr: Open redirect in is_safe_url via parser mismatch on next parameter 28.05.2026 6.1
CVE-2026-45310 CodeWhale: SSRF via HTTP Redirect Bypass in fetch_url Tool 28.05.2026 7.4
CVE-2026-45311 CodeWhale: run_tests Tool Enables RCE via Malicious Repository Without Approval 28.05.2026 9.6
CVE-2026-45323 MeshCore Card: XSS vulnerability through meshcore node name 28.05.2026 9.6
CVE-2026-45348 pyLoad: Stored XSS in Downloads view via unsanitized link URL in packages.js template literal 28.05.2026 8.7
CVE-2026-45353 electerm: Local code through electerm's single-instance socket 28.05.2026
CVE-2026-45373 CodeWhale: SSRF IPV6 bypass 28.05.2026 7.4
CVE-2026-45374 CodeWhale: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files 28.05.2026 9.6
CVE-2026-45787 electerm's encrypt method not safe enough 28.05.2026
CVE-2026-46561 pyLoad: SSRF via HTTP Redirect Bypass in parse_urls API 28.05.2026 5
CVE-2026-38702 28.05.2026
CVE-2026-38703 28.05.2026
CVE-2026-38704 28.05.2026
CVE-2026-41141 EspoCRM: IDOR in EmailTemplate Prepare Endpoint Leaks Entity Data via Email Address Lookup 28.05.2026 6.5
CVE-2026-41160 EspoCRM: Broken Access Control / IDOR in Note Pinning API allows unauthorized modification of notes 28.05.2026 4.3
CVE-2026-44543 Local Path Provisioner: HelperPod Template Injection 28.05.2026 8.7
CVE-2026-45261 GitButler: Link injection via forge integration enables arbitrary script execution 28.05.2026
CVE-2026-45292 opentelemetry-java: Unbounded Memory Allocation in W3C Baggage Propagation 28.05.2026 5.3
CVE-2026-9091 CVE-2026-9091 28.05.2026
CVE-2026-9092 CVE-2026-9092 28.05.2026
CVE-2026-9093 CVE-2026-9093 28.05.2026
CVE-2026-9094 CVE-2026-9094 28.05.2026
CVE-2026-9095 CVE-2026-9095 28.05.2026
CVE-2026-9096 CVE-2026-9096 28.05.2026
CVE-2026-9097 CVE-2026-9097 28.05.2026
CVE-2026-9098 CVE-2026-9098 28.05.2026