| CVE-2026-41947 |
Dify v1.14.1 Authorization Bypass via Trace Configuration Endpoints |
18.05.2026 |
9.1 |
| CVE-2026-41948 |
Dify v1.14.1 Path Traversal via Plugin Daemon Internal API Access |
18.05.2026 |
9.2 |
| CVE-2026-4320 |
Authorization Bypass in ICMS Content Management by Creartia Internet Consulting |
18.05.2026 |
9.3 |
| CVE-2018-25320 |
ACL Analytics 11.x - 13.0.0.579 Arbitrary Code Execution |
17.05.2026 |
9.3 |
| CVE-2018-25332 |
GitBucket 4.23.1 Unauthenticated Remote Code Execution |
17.05.2026 |
9.3 |
| CVE-2018-25335 |
WordPress Plugin Peugeot Music 1.0 Arbitrary File Upload |
18.05.2026 |
9.3 |
| CVE-2020-37228 |
iDS6 DSSPro Digital Signage System 6.2 CAPTCHA Security Bypass |
16.05.2026 |
9.3 |
| CVE-2020-37239 |
libbabl 0.1.62 Broken Double Free Detection Memory Safety |
16.05.2026 |
9.3 |
| CVE-2021-47952 |
python jsonpickle 2.0.0 Remote Code Execution via py/repr |
16.05.2026 |
9.3 |
| CVE-2026-44551 |
Open WebUI: LDAP Empty Password Authentication Bypass |
18.05.2026 |
9.1 |
| CVE-2021-47965 |
WordPress Plugin WP Super Edit 2.5.4 Unrestricted File Upload |
15.05.2026 |
9.3 |
| CVE-2026-45010 |
phpMyFAQ - Unauthenticated Two-Factor Authentication Brute-Force via /admin/check Endpoint |
15.05.2026 |
9.1 |
| CVE-2026-46364 |
phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha |
15.05.2026 |
9.8 |
| CVE-2026-42155 |
Magento LTS: Weak API Session ID — Predictable MD5 of Time-Derived Inputs |
15.05.2026 |
9.3 |
| CVE-2026-44717 |
MCP Calculate Server: Prompt Injection to RCE |
15.05.2026 |
9.8 |
| CVE-2026-45035 |
Tabby: RCE via `tabby://run` URL Scheme |
15.05.2026 |
9.4 |
| CVE-2026-41258 |
OpenMRS: Stored Velocity SSTI to RCE via ConceptReferenceRange |
15.05.2026 |
9.1 |
| CVE-2026-44699 |
LibJWT: Algorithm confusion allows JWT forgery with RSA JWK as empty-key HMAC |
15.05.2026 |
9.1 |
| CVE-2026-2031 |
Google Cloud Application Integration: Exposed internal APIs allow Information Disclosure and Remote Code Execution. |
15.05.2026 |
10 |
| CVE-2026-41552 |
Path Traversal in PDF Export Module |
15.05.2026 |
9.2 |
| CVE-2026-41553 |
Remote Code Execution in PDF Export Module |
15.05.2026 |
10 |
| CVE-2026-7182 |
Path Traversal in Diagram |
15.05.2026 |
9.2 |
| CVE-2026-5229 |
Receive Notifications After Form Submitting – Form Notify for Any Forms <= 1.1.10 - Unauthenticated Authentication Bypass via LINE OAuth Callback |
15.05.2026 |
9.8 |
| CVE-2026-8398 |
|
16.05.2026 |
9.3 |
| CVE-2026-0481 |
|
15.05.2026 |
9.2 |
| CVE-2026-44212 |
PrestaShop: Stored XSS executable in customer service view |
15.05.2026 |
9.3 |
| CVE-2026-44666 |
HRConvert2: Missing Sanitization enables Unauthenticated Remote Command Execution |
15.05.2026 |
9.3 |
| CVE-2026-8634 |
Crabbox < v0.12.0 Environment Variable Information Disclosure |
15.05.2026 |
9.3 |
| CVE-2026-22599 |
Strapi Vulnerable to SQL Injection in Content Type Builder |
14.05.2026 |
9.3 |
| CVE-2026-27886 |
Strapi may leak sensitive data via relational filtering due to lack of query sanitization |
14.05.2026 |
9.2 |
| CVE-2026-41315 |
mdserver-web: Missing Authorization and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
16.05.2026 |
9.3 |
| CVE-2026-44523 |
Note Mark: JWT Secret Weakness allows Full Account Takeover via token forgery |
15.05.2026 |
10 |
| CVE-2026-44588 |
SiYuan: URL-encoded title bypasses `escapeAriaLabel`, decoded by `decodeURIComponent` into a tooltip-XSS |
15.05.2026 |
9.4 |
| CVE-2026-44592 |
Gradient: Unauthenticated worker on /proto → arbitrary NAR write / cache poisoning |
16.05.2026 |
9.4 |
| CVE-2026-44670 |
SiYuan: Stored XSS via Attribute View name to Electron renderer RCE in SiYuan |
15.05.2026 |
9.4 |
| CVE-2026-45375 |
SiYuan: Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution |
16.05.2026 |
9 |
| CVE-2026-41615 |
Microsoft Authenticator Information Disclosure Vulnerability |
15.05.2026 |
9.6 |
| CVE-2026-44542 |
FileBrowser Quantum: Unauthenticated Path Traversal in Public Share Delete Allows Arbitrary File Deletion |
15.05.2026 |
9.1 |
| CVE-2026-20182 |
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability |
15.05.2026 |
10 |
| CVE-2026-42555 |
Valtimo: SpEL injection via StandardEvaluationContext allows Remote Code Execution by admin users |
14.05.2026 |
9.1 |
| CVE-2026-42281 |
MagicMirror²: Unauthenticated SSRF via /cors endpoint |
14.05.2026 |
9.2 |
| CVE-2026-42589 |
Gotenberg: Unauthenticated RCE via ExifTool Metadata Key Injection |
14.05.2026 |
9.8 |
| CVE-2026-42596 |
Gotenberg: Unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook |
15.05.2026 |
9.4 |
| CVE-2026-42457 |
vCluster Platform: Stored XSS can lead to privilege escalation |
14.05.2026 |
9 |
| CVE-2026-44482 |
soundcloud-rpc: Remote Code Execution via XSS in Track Title |
14.05.2026 |
9.6 |
| CVE-2026-44484 |
Compromise of PyTorch Lightning PyPi Package Versions |
15.05.2026 |
9.3 |
| CVE-2025-11024 |
SQLi in Akıllı Ticaret's E-Commerce Pack |
14.05.2026 |
9.8 |
| CVE-2026-2347 |
IDOR in Akıllı Ticaret's E-Commerce Pack |
14.05.2026 |
9.8 |
| CVE-2026-6512 |
InfusedWoo Pro <= 5.1.2 - Unauthenticated Missing Authorization to Arbitrary Post Deletion via Multiple Parameters |
14.05.2026 |
9.1 |
| CVE-2026-6271 |
Career Section <= 1.7 - Unauthenticated Arbitrary File Upload |
14.05.2026 |
9.8 |
| CVE-2026-6510 |
InfusedWoo Pro <= 5.1.2 - Unauthenticated Missing Authorization to Privilege Escalation via 'iwar_save_recipe' |
14.05.2026 |
9.8 |
| CVE-2026-8181 |
Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover |
14.05.2026 |
9.8 |
| CVE-2026-44193 |
OPNsense: RCE via XMLRPC endpoint using `opnsense.restore_config_section` method |
16.05.2026 |
9.1 |
| CVE-2026-44194 |
OPNsense: RCE on user managment |
16.05.2026 |
9.1 |
| CVE-2026-45158 |
OPNsense: Command Injection via Attacker-Controlled DHCP Config |
14.05.2026 |
9.1 |
| CVE-2026-44442 |
ERPNext: Unauthorised Document modification due to missing validation |
14.05.2026 |
9.9 |
| CVE-2026-44377 |
CubeCart: Server-Side Template Injection (SSTI) in Smarty Templates leading to RCE |
14.05.2026 |
9.1 |
| CVE-2026-44381 |
MISP: SQL injection via unvalidated ordering parameters in event and shadow attribute listings |
14.05.2026 |
9.3 |
| CVE-2026-45053 |
CubeCart: Authenticated Arbitrary File Upload to RCE in REST Files API |
15.05.2026 |
9.1 |
| CVE-2026-45714 |
CubeCart: Server-Side Template Injection (SSTI) in Smarty Templates leading to RCE |
14.05.2026 |
9.1 |
| CVE-2026-44351 |
fast-jwt: Empty HMAC secret accepted via async key resolver - JWT auth bypass |
14.05.2026 |
9.1 |
| CVE-2026-44364 |
misp-modules website - Missing CSRF protection in the website home blueprint |
14.05.2026 |
9.3 |
| CVE-2026-43997 |
vm2: Sandbox Escape |
14.05.2026 |
10 |
| CVE-2026-43999 |
vm2: NodeVM builtin allowlist bypass via `module` builtin's `Module._load` allows sandbox escape |
15.05.2026 |
9.9 |
| CVE-2026-44005 |
vm2: Sandbox escape |
15.05.2026 |
10 |
| CVE-2026-44006 |
vm2: Sandbox Escape |
15.05.2026 |
10 |
| CVE-2026-44007 |
vm2: nesting: true bypasses require: false, allowing sandbox escape to arbitrary OS command execution |
15.05.2026 |
9.1 |
| CVE-2026-44008 |
vm2: Snabox breakout via `neutralizeArraySpeciesBatch` |
15.05.2026 |
9.8 |
| CVE-2026-44009 |
vm2: Sandbox Breakout Through Null Proto Exception |
15.05.2026 |
9.8 |
| CVE-2026-45411 |
vm2: Sandbox Breakout Using Async Generator |
15.05.2026 |
9.8 |
| CVE-2020-37168 |
Ecommerce Systempay 1.0 Production Key Brute Force |
14.05.2026 |
9.3 |
| CVE-2026-42945 |
NGINX ngx_http_rewrite_module vulnerability |
14.05.2026 |
9.2 |
| CVE-2026-40621 |
|
13.05.2026 |
9.3 |
| CVE-2026-42062 |
|
13.05.2026 |
9.3 |
| CVE-2026-41050 |
Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering |
14.05.2026 |
9.9 |
| CVE-2025-11159 |
Hitachi Vantara Pentaho Data Integration & Analytics - Dependency on Vulnerable Third-Party Component |
13.05.2026 |
9.1 |
| CVE-2026-32661 |
|
13.05.2026 |
9.3 |
| CVE-2026-41901 |
Thymeleaf: Improper recognition of unauthorized syntax patterns in sandboxed Thymeleaf expressions |
13.05.2026 |
9 |
| CVE-2026-42288 |
ChurchCRM: Incomplete fix for CVE-2026-39337: Unauthenticated RCE in Setup Wizard via unsanitized DB_PASSWORD |
18.05.2026 |
10 |
| CVE-2026-44547 |
ChurchCRM: Incomplete fix for CVE-2026-40582: public API login still bypasses 2FA and account lockout in ChurchCRM 7.2.2 |
13.05.2026 |
9.6 |
| CVE-2026-42854 |
arduino-esp32: Stack buffer overflow in WebServer multipart boundary parsing leads to remote crash potential RCE |
13.05.2026 |
9.8 |
| CVE-2026-42196 |
django-s3file: Relative path traversal |
13.05.2026 |
9.9 |
| CVE-2026-43948 |
wger: cross-tenant password reset and plaintext disclosure via gym=None bypass |
13.05.2026 |
9.9 |
| CVE-2026-44257 |
efw4.X: RCE via zipslip |
18.05.2026 |
9.3 |
| CVE-2026-44258 |
efw4.X: Path Traversal via Unchecked dst Parameter leads to Remote Code Execution |
14.05.2026 |
9.3 |
| CVE-2026-44262 |
Scramble: Remote code execution via evaluation of user-controlled input in validation rules |
13.05.2026 |
9.4 |
| CVE-2026-42889 |
Relay Server WebSocket authentication bypass when token is omitted |
13.05.2026 |
9.1 |
| CVE-2026-44221 |
ArcadeDB: Cross-database authorization bypass and unsecured newly-created databases |
13.05.2026 |
9 |
| CVE-2026-44225 |
Pulpy: Incomplete filesystem sandbox in pulpy.fs bridge allows packaged web apps to read arbitrary user files |
14.05.2026 |
9.3 |
| CVE-2026-45185 |
|
14.05.2026 |
9.8 |
| CVE-2026-34659 |
Adobe Connect | Deserialization of Untrusted Data (CWE-502) |
13.05.2026 |
9.6 |
| CVE-2026-34660 |
Adobe Connect | Incorrect Authorization (CWE-863) |
13.05.2026 |
9.3 |
| CVE-2026-8430 |
SPIP < 4.4.14 Remote Code Execution via nginx |
14.05.2026 |
9.2 |
| CVE-2026-8431 |
Ops Manager RCE via webhook body |
12.05.2026 |
9.4 |
| CVE-2026-29204 |
|
12.05.2026 |
9.1 |
| CVE-2026-42048 |
Langflow: Path Traversal in Langflow Knowledge Bases API |
13.05.2026 |
9.6 |
| CVE-2026-42300 |
DevGuard: Unauthenticated identity assertion via `X-Admin-Token` header |
13.05.2026 |
9.3 |
| CVE-2026-44183 |
Cleanuparr: X-Forwarded-For leftmost parsing allows remote unauthenticated admin takeover when reverse-proxy mode is enabled |
13.05.2026 |
9.8 |
| CVE-2026-44196 |
Pingvin Share X: TOTP Authentication Bypass via Password-only Login |
14.05.2026 |
9.1 |
| CVE-2026-26083 |
|
13.05.2026 |
9.1 |
| CVE-2026-33117 |
Azure SDK for Java Security Feature Bypass Vulnerability |
15.05.2026 |
9.1 |
| CVE-2026-40379 |
Azure Entra ID Spoofing Vulnerability |
15.05.2026 |
9.3 |
| CVE-2026-40402 |
Windows Hyper-V Elevation of Privilege Vulnerability |
15.05.2026 |
9.3 |
| CVE-2026-41089 |
Windows Netlogon Remote Code Execution Vulnerability |
15.05.2026 |
9.8 |
| CVE-2026-41096 |
Windows DNS Client Remote Code Execution Vulnerability |
15.05.2026 |
9.8 |
| CVE-2026-41103 |
Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability |
15.05.2026 |
9.1 |
| CVE-2026-42823 |
Azure Logic Apps Elevation of Privilege Vulnerability |
15.05.2026 |
9.9 |
| CVE-2026-42833 |
Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability |
15.05.2026 |
9.1 |
| CVE-2026-42898 |
Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability |
15.05.2026 |
9.9 |
| CVE-2026-44277 |
|
13.05.2026 |
9.1 |
| CVE-2026-44343 |
WGDashboard: Critical Vulnerability in 4.3.2 |
12.05.2026 |
9.3 |
| CVE-2026-20794 |
|
13.05.2026 |
9.3 |
| CVE-2026-43992 |
JunoClaw: MCP write tools exposed raw BIP-39 mnemonic as a tool-call parameter |
13.05.2026 |
9.8 |
| CVE-2026-30805 |
Insecure Default Initialization in API Authentication leads to Authentication Bypass |
12.05.2026 |
9.1 |
| CVE-2026-8043 |
|
12.05.2026 |
9.6 |
| CVE-2026-45091 |
sealed-env: TOTP secret embedded in unseal token payload (enterprise mode) |
12.05.2026 |
9.1 |
| CVE-2025-6577 |
SQLi in Akilli Commerce's E-Commerce Website |
12.05.2026 |
9.8 |
| CVE-2026-8072 |
Insecure generation of SAT access credentials in Ingecon EMS Board |
12.05.2026 |
9.2 |
| CVE-2026-25786 |
|
12.05.2026 |
9.3 |
| CVE-2026-25787 |
|
12.05.2026 |
9.3 |
| CVE-2026-41551 |
|
12.05.2026 |
9.3 |
| CVE-2026-7428 |
Insecure default administrative credentials in AlloyDB for PostgreSQL |
12.05.2026 |
9.2 |
| CVE-2026-41872 |
|
12.05.2026 |
9.1 |