CVE Field Guide

Critical CVEs

| CVE | Title | Updated | Score |
| --- | --- | --- | --- |
| CVE-2026-9256 | NGINX ngx_http_rewrite_module vulnerability | 22.05.2026 | 9.2 |
| CVE-2026-8670 | Insecure session handling on metrics web server | 22.05.2026 | 9.6 |
| CVE-2026-9277 | shell-quote `quote()` does not validate object-token shapes, allowing command injection via line terminators in `.op` | 22.05.2026 | 9.2 |
| CVE-2026-9054 | Invalid IP packets cause a kernel panic | 22.05.2026 | 9.2 |
| CVE-2026-33000 | | 22.05.2026 | 9.1 |
| CVE-2026-34908 | | 22.05.2026 | 10 |
| CVE-2026-34909 | | 22.05.2026 | 10 |
| CVE-2026-34910 | | 22.05.2026 | 10 |
| CVE-2026-6960 | BookingPress Pro <= 5.6 - Unauthenticated Arbitrary File Upload via Signature Custom Field | 21.05.2026 | 9.8 |
| CVE-2026-8134 | Concrete CMS 9.5.0 and below is vulnerable to Authenticated RCE via Composer customTemplate Path Traversal leading to PHP File Inclusion | 22.05.2026 | 9.4 |
| CVE-2026-48241 | Open ISES Tickets < 3.44.2 Hardcoded MySQL Database Credentials in loader.php | 21.05.2026 | 9.2 |
| CVE-2026-48242 | Open ISES Tickets < 3.44.2 Hardcoded MySQL Database Credentials in import_mdb.php | 21.05.2026 | 9.2 |
| CVE-2026-39531 | WordPress WP Directory Kit plugin <= 1.5.0 - SQL Injection vulnerability | 21.05.2026 | 9.3 |
| CVE-2025-71210 | | 21.05.2026 | 9.8 |
| CVE-2025-71211 | | 21.05.2026 | 9.8 |
| CVE-2026-5118 | Divi Form Builder <= 5.1.2 - Unauthenticated Privilege Escalation via 'role' | 21.05.2026 | 9.8 |
| CVE-2026-5433 | Improper Sanitization in CNM Web Interface | 21.05.2026 | 9.1 |
| CVE-2026-44050 | Heap buffer overflow in CNID daemon comm_rcv() | 22.05.2026 | 9.9 |
| CVE-2026-6279 | Avada (Fusion) Builder <= 3.15.2 - Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler | 21.05.2026 | 9.8 |
| CVE-2026-48172 | | 22.05.2026 | 10 |
| CVE-2026-9152 | Unauthenticated SOAP Endpoint in Altium 365 SearchService Allows Cross-Tenant Data Exfiltration and Index Destruction | 21.05.2026 | 10 |
| CVE-2026-8631 | HP Linux Imaging and Printing Software – Potential Escalation of Privilege and Arbitrary Code Execution | 21.05.2026 | 9.3 |
| CVE-2026-39405 | Frappe has Path Transversal via SCORM | 21.05.2026 | 9.4 |
| CVE-2026-9139 | Taiko AG1000-01A Rev 7.3/8 Hard-coded Credentials via login.zhtml | 21.05.2026 | 9.3 |
| CVE-2026-9141 | Taiko AG1000-01A Rev 7.3/8 Authentication Bypass via Web Interface | 21.05.2026 | 9.3 |
| CVE-2026-23734 | XWiki Platform: Path traversal via resources parameter in ssx and jsx endpoints when using leading slash | 21.05.2026 | 9.3 |
| CVE-2026-33137 | XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName} | 21.05.2026 | 9.3 |
| CVE-2026-45444 | WordPress Gift Cards For WooCommerce Pro plugin <= 4.2.6 - Arbitrary File Upload vulnerability | 21.05.2026 | 10 |
| CVE-2026-9102 | Path Traversal in Altium Enterprise Server ComparisonService Allows Arbitrary File Write | 20.05.2026 | 9.4 |
| CVE-2026-9129 | Path Traversal in Altium Enterprise Server Viewer StorageController Allows Arbitrary File Read | 20.05.2026 | 9.4 |
| CVE-2026-20223 | Cisco Secure Workload Unauthorized API Access Vulnerability | 21.05.2026 | 10 |
| CVE-2026-8598 | Unauthenticated Export Service in ZKTeco CCTV Cameras | 20.05.2026 | 9.1 |
| CVE-2026-8467 | Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground | 22.05.2026 | 9.5 |
| CVE-2026-22314 | | 20.05.2026 | 9 |
| CVE-2026-33278 | Possible arbitrary code execution during DNSSEC validation | 20.05.2026 | 9.1 |
| CVE-2026-9059 | NextGEN Gallery - SQL Injection | 20.05.2026 | 9.3 |
| CVE-2026-9065 | Surecart - SQL Injection | 20.05.2026 | 9.3 |
| CVE-2026-24207 | | 20.05.2026 | 9.8 |
| CVE-2026-7637 | Boost <= 2.0.3 - Unauthenticated PHP Object Injection via STYXKEY-BOOST_USER_LOCATION Cookie | 20.05.2026 | 9.8 |
| CVE-2026-6555 | ProSolution WP Client <= 2.0.0 - Unauthenticated Arbitrary File Upload via 'files' | 20.05.2026 | 9.8 |
| CVE-2026-7284 | Easy Elements for Elementor <= 1.4.4 - Unauthenticated Privilege Escalation via easyel_handle_register | 20.05.2026 | 9.8 |
| CVE-2026-34234 | CtrlPanel: Unauthenticated RCE using installer script | 20.05.2026 | 10 |
| CVE-2026-33642 | Kitty has a Heap Buffer Over-Read/Write via Integer Overflow in compose_rectangles Bounds Check | 19.05.2026 | 9.9 |
| CVE-2026-47357 | | 19.05.2026 | 9.3 |
| CVE-2026-47358 | | 19.05.2026 | 9.3 |
| CVE-2026-2586 | | 20.05.2026 | 9.1 |
| CVE-2026-2587 | | 20.05.2026 | 9.6 |
| CVE-2026-44159 | Tyler Identity Local (TID-L) default administrative credentials | 19.05.2026 | 9.3 |
| CVE-2026-8711 | NGINX JavaScript vulnerability | 21.05.2026 | 9.2 |
| CVE-2026-42097 | Authentication Bypass in Sparx Pro Cloud Server | 19.05.2026 | 9.3 |
| CVE-2026-43633 | HestiaCP 1.9.0-1.9.4 Deserialization RCE via Web Terminal | 19.05.2026 | 9.5 |
| CVE-2026-4883 | Piotnet Forms <= 2.1.40 - Unauthenticated Arbitrary File Upload via Form File Upload | 19.05.2026 | 9.8 |
| CVE-2026-43493 | crypto: pcrypt - Fix handling of MAY_BACKLOG requests | 20.05.2026 | 9.8 |
| CVE-2026-2611 | Improper Origin Validation in mlflow/mlflow | 19.05.2026 | 9.6 |
| CVE-2026-46725 | Remote Code Execution in extension "Content Element Selector" (ceselector) | 19.05.2026 | 9.2 |
| CVE-2026-4885 | Piotnet Addons for Elementor Pro <= 7.1.70 - Unauthenticated Arbitrary File Upload via Form File Upload | 19.05.2026 | 9.8 |
| CVE-2026-27130 | Dokploy has Command Injection in its Service Operations | 19.05.2026 | 9.9 |
| CVE-2026-25244 | WebdriverIO has Command Injection in the BrowserStack Service | 19.05.2026 | 9.8 |
| CVE-2026-8838 | Remote Code Execution via eval() Injection in amazon-redshift-python-driver | 19.05.2026 | 9.3 |
| CVE-2026-8836 | lwIP snmpv3 USM snmp_msg.c snmp_parse_inbound_frame stack-based overflow | 18.05.2026 | 9.3 |
| CVE-2026-42822 | Azure Local Disconnected Operations (ALDO) Elevation of Privilege Vulnerability | 20.05.2026 | 10 |
| CVE-2026-45829 | | 19.05.2026 | 10 |
| CVE-2026-41947 | Dify v1.14.1 Authorization Bypass via Trace Configuration Endpoints | 18.05.2026 | 9.1 |
| CVE-2026-41948 | Dify v1.14.1 Path Traversal via Plugin Daemon Internal API Access | 18.05.2026 | 9.2 |
| CVE-2026-4320 | Authorization Bypass in ICMS Content Management by Creartia Internet Consulting | 18.05.2026 | 9.3 |
| CVE-2018-25320 | ACL Analytics 11.x - 13.0.0.579 Arbitrary Code Execution | 18.05.2026 | 9.3 |
| CVE-2018-25332 | GitBucket 4.23.1 Unauthenticated Remote Code Execution | 18.05.2026 | 9.3 |
| CVE-2018-25335 | WordPress Plugin Peugeot Music 1.0 Arbitrary File Upload | 18.05.2026 | 9.3 |
| CVE-2020-37228 | iDS6 DSSPro Digital Signage System 6.2 CAPTCHA Security Bypass | 18.05.2026 | 9.3 |
| CVE-2020-37239 | libbabl 0.1.62 Broken Double Free Detection Memory Safety | 18.05.2026 | 9.3 |
| CVE-2021-47952 | python jsonpickle 2.0.0 Remote Code Execution via py/repr | 18.05.2026 | 9.3 |
| CVE-2026-44551 | Open WebUI: LDAP Empty Password Authentication Bypass | 19.05.2026 | 9.1 |

Latest Updates

| CVE | Title | Updated | Score |
| --- | --- | --- | --- |
| CVE-2022-31231 | | 22.05.2026 | 5.9 |
| CVE-2022-34363 | | 22.05.2026 | 6.5 |
| CVE-2026-25680 | Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html | 22.05.2026 | |
| CVE-2026-25681 | Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html | 22.05.2026 | |
| CVE-2026-27136 | Invoking duplicate attributes can cause XSS in golang.org/x/net/html | 22.05.2026 | |
| CVE-2026-39821 | Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna | 22.05.2026 | |
| CVE-2026-42502 | Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html | 22.05.2026 | |
| CVE-2026-42506 | Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html | 22.05.2026 | |
| CVE-2026-5171 | | 22.05.2026 | |
| CVE-2026-7325 | | 22.05.2026 | |
| CVE-2026-8477 | | 22.05.2026 | |
| CVE-2026-9047 | | 22.05.2026 | |
| CVE-2026-9223 | | 22.05.2026 | |
| CVE-2026-9224 | | 22.05.2026 | |
| CVE-2026-9245 | | 22.05.2026 | |
| CVE-2026-9246 | | 22.05.2026 | |
| CVE-2026-9247 | | 22.05.2026 | |
| CVE-2026-9248 | | 22.05.2026 | |
| CVE-2026-9249 | | 22.05.2026 | |
| CVE-2026-9251 | | 22.05.2026 | |
| CVE-2021-21508 | | 22.05.2026 | 6.7 |
| CVE-2025-32751 | | 22.05.2026 | 5.5 |
| CVE-2025-45145 | | 22.05.2026 | |
| CVE-2025-46371 | | 22.05.2026 | 3.6 |
| CVE-2026-8340 | Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion | 22.05.2026 | |
| CVE-2026-8347 | Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in Express association Reorder dialog | 22.05.2026 | |
| CVE-2026-8353 | Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in atomik theme | 22.05.2026 | |
| CVE-2026-8992 | | 22.05.2026 | 8.8 |
| CVE-2026-9256 | NGINX ngx_http_rewrite_module vulnerability | 22.05.2026 | 8.1 |
| CVE-2025-26483 | | 22.05.2026 | 6.1 |
| CVE-2025-32745 | | 22.05.2026 | 4.2 |
| CVE-2025-32746 | | 22.05.2026 | 4 |
| CVE-2025-32747 | | 22.05.2026 | 5.3 |
| CVE-2025-32749 | | 22.05.2026 | 5.3 |
| CVE-2026-8670 | Insecure session handling on metrics web server | 22.05.2026 | 9.6 |
| CVE-2026-8671 | Log Files contain encrypted secrets | 22.05.2026 | 7.5 |
| CVE-2026-8672 | Default credentials for internal DB | 22.05.2026 | 5.1 |
| CVE-2026-8673 | Password re-initialization mechanism sends passwords in plain text | 22.05.2026 | 5.9 |
| CVE-2026-8997 | Heap Buffer Overflow in vifm | 22.05.2026 | |
| CVE-2026-9277 | shell-quote `quote()` does not validate object-token shapes, allowing command injection via line terminators in `.op` | 22.05.2026 | 8.1 |
| CVE-2026-44417 | Apache CXF: Incomplete fix for CVE-2025-48913 (Untrusted JMS configuration can lead to RCE) | 22.05.2026 | |
| CVE-2026-44618 | Apache CXF: XXE vulnerability in WS-Transfer functionality | 22.05.2026 | |
| CVE-2026-44930 | Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository | 22.05.2026 | |
| CVE-2026-3473 | Improper file ownership validation in the Boards API allows unauthorised file access | 22.05.2026 | 5.9 |
| CVE-2026-3636 | Sanitize team member data returned by API | 22.05.2026 | 4.3 |
| CVE-2026-4635 | Persistent notification timing attack causing server denial of service | 22.05.2026 | 6.5 |
| CVE-2026-4646 | Insufficient input validation in GitHub plugin API causes denial of service | 22.05.2026 | 4.3 |
| CVE-2026-5308 | Missing request body size limits on Zoom plugin HTTP endpoints | 22.05.2026 | 4.9 |
| CVE-2026-5740 | Unauthenticated WebSocket binary frame causes denial of service in Mattermost Server | 22.05.2026 | 7.5 |
| CVE-2026-5755 | Denial of service via crafted TIFF file upload | 22.05.2026 | 6.5 |
| CVE-2026-25606 | SQL Injection in STER | 22.05.2026 | |
| CVE-2026-25607 | Weak password encoding in STER | 22.05.2026 | |
| CVE-2026-25608 | Lack of traffic encryption in STER | 22.05.2026 | |
| CVE-2026-7615 | Widget Context <= 1.3.3 - Cross-Site Request Forgery to Settings Update via 'wl' Parameter | 22.05.2026 | 4.3 |
| CVE-2026-7636 | Slider by Soliloquy <= 2.8.1 - Authenticated (Subscriber+) Information Disclosure via REST API Endpoint | 22.05.2026 | 4.3 |
| CVE-2026-7798 | FluentCRM <= 2.9.87 - Unauthenticated Blind Server-Side Request Forgery via 'SubscribeURL' Parameter | 22.05.2026 | 5.4 |
| CVE-2026-8381 | Broken Access Control in TeamViewer DEX Platform (On Premises) | 22.05.2026 | 5.4 |
| CVE-2026-8679 | AudioIgniter Music Player <= 2.0.2 - Unauthenticated Insecure Direct Object Reference to 'audioigniter_playlist_id' Parameter | 22.05.2026 | 7.5 |
| CVE-2026-8684 | MotoPress Hotel Booking <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary Booking Notes Modification via mphb_update_booking_notes AJAX Action | 22.05.2026 | 5.3 |
| CVE-2026-8692 | Vedrixa Forms <= 1.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Structure Modification via wefb_save_form_structure AJAX Action | 22.05.2026 | 4.3 |
| CVE-2026-9011 | Ditty <= 3.1.65 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via ditty_init AJAX Action | 22.05.2026 | 7.5 |
| CVE-2026-5072 | ptp: Potential Denial of Service via PTP Interval Shift | 22.05.2026 | |
| CVE-2026-2518 | FastX <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Installation and Activation | 22.05.2026 | 4.3 |
| CVE-2026-3481 | WP Blockade <= 0.9.14 - Reflected Cross-Site Scripting via 'shortcode' Parameter | 22.05.2026 | 6.1 |
| CVE-2026-44409 | Information disclosure vulnerability in ZTE MU5250 | 22.05.2026 | 5.7 |
| CVE-2026-4070 | Alfie <= 1.2.1 - Cross-Site Request Forgery to Feed Deletion via 'delete' Parameter | 22.05.2026 | 4.3 |
| CVE-2026-6864 | CBX 5 Star Rating & Review <= 1.0.7 - Reflected Cross-Site Scripting via 'page' Parameter | 22.05.2026 | 6.1 |
| CVE-2026-7249 | Location Weather <= 3.0.2 - Missing Authorization to Authenticated (Contributor+) Block Settings Modification and Cache Purging | 22.05.2026 | 4.3 |
| CVE-2026-7509 | KIA Subtitle <= 4.0.1 - [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] | 22.05.2026 | 6.4 |
| CVE-2026-9018 | Easy Elements for Elementor – Addons & Website Templates <= 1.4.5 - Unauthenticated Privilege Escalation via 'custom_meta' Parameter | 22.05.2026 | 8.8 |
| CVE-2026-9104 | Draft List <= 2.6.3 - Authenticated (Author+) Stored Cross-Site Scripting via Draft Post Title | 22.05.2026 | 6.4 |
| CVE-2026-39827 | Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh | 22.05.2026 | |
| CVE-2026-39828 | Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh | 22.05.2026 | |
| CVE-2026-39829 | Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh | 22.05.2026 | |
| CVE-2026-39830 | Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh | 22.05.2026 | |
| CVE-2026-39831 | Invoking bypass of FIDO/U2F security keys physical interaction in golang.org/x/crypto/ssh | 22.05.2026 | |
| CVE-2026-39832 | Invoking agent constraints dropped when forwarding keys in golang.org/x/crypto/ssh/agent | 22.05.2026 | |
| CVE-2026-39833 | Invoking key constraints not enforced in golang.org/x/crypto/ssh/agent | 22.05.2026 | |
| CVE-2026-39834 | Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh | 22.05.2026 | |
| CVE-2026-39835 | Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh | 22.05.2026 | |
| CVE-2026-42508 | Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts | 22.05.2026 | |
| CVE-2026-46595 | Invoking VerifiedPublicKeyCallback permissions skip enforcement in golang.org/x/crypto/ssh | 22.05.2026 | |
| CVE-2026-46597 | Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh | 22.05.2026 | |
| CVE-2026-46598 | Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent | 22.05.2026 | |
| CVE-2026-4834 | WP ERP Pro <= 1.5.1 - Unauthenticated SQL Injection via 'search_key' Parameter | 22.05.2026 | 7.5 |
| CVE-2026-9053 | | 22.05.2026 | |
| CVE-2026-9054 | Invalid IP packets cause a kernel panic | 22.05.2026 | |
| CVE-2026-33000 | | 22.05.2026 | 9.1 |
| CVE-2026-34908 | | 22.05.2026 | 10 |
| CVE-2026-34909 | | 22.05.2026 | 10 |
| CVE-2026-34910 | | 22.05.2026 | 10 |
| CVE-2026-34911 | | 22.05.2026 | 7.7 |
| CVE-2026-9264 | Cross-Site Scripting in SketchUp Dynamic Components | 22.05.2026 | |
| CVE-2026-5297 | | 21.05.2026 | |
| CVE-2026-4093 | Stored XSS in Drupal 7 Term Reference Tree module (token display templates and term labels) | 22.05.2026 | |
| CVE-2026-4929 | Simple Hierarchical Select (Drupal 7) XSS in term-derived output | 22.05.2026 | |
| CVE-2026-7890 | Concrete CMS 9.5.0 is vulnerable to SSRF via RSS Displayer Block | 22.05.2026 | |
| CVE-2026-8139 | Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName | 22.05.2026 | |
| CVE-2026-8409 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/delete | 22.05.2026 | |
| CVE-2026-22678 | Webmin < 2.641 Stored XSS via System and Server Status | 22.05.2026 | |
| CVE-2026-5091 | Catalyst::Plugin::Authentication versions through 0.10024 for Perl is susceptible to timing attacks | 22.05.2026 | |
| CVE-2026-6960 | BookingPress Pro <= 5.6 - Unauthenticated Arbitrary File Upload via Signature Custom Field | 21.05.2026 | 9.8 |
| CVE-2026-7879 | Concrete CMS 9.5.0 and below is vulnerable to File Download Authorization Bypass in submit_password() | 22.05.2026 | |
| CVE-2026-7881 | Concrete CMS 9.5.0 and below is vulnerable to IDOR in the Express Entry Detail block | 22.05.2026 | |
| CVE-2026-7882 | Concrete CMS 9.5.0 and below is vulnerable to CSRF via the DeleteFile controller | 22.05.2026 | |
| CVE-2026-7886 | Concrete CMS 9.5.0 and below is vulnerable to IDOR in AddMessage/UpdateMessage via attachments[] parameter | 22.05.2026 | |
| CVE-2026-7887 | For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status | 22.05.2026 | |
| CVE-2026-8236 | Concrete CMS 9.5.0 and below is vulnerable to IDOR combined with a missing authentication gate for endpoint /ccm/system/dialogs/file/usage/{fID} | 22.05.2026 | |
| CVE-2026-8237 | Concrete CMS 9.5.0 and below is vulnerable to IDOR in the `/ccm/frontend/conversations/message_detail` endpoint | 22.05.2026 | |
| CVE-2026-8238 | Concrete CMS 9.5.0 and below is vulnerable to IDOR in '/ccm/frontend/conversations/message_page' allowing unauthenticated read of any conversation message | 22.05.2026 | |
| CVE-2026-8239 | Concrete CMS 9.5.0 and below is vulnerable to IDOR in '/ccm/frontend/conversations/get_rating' | 22.05.2026 | |
| CVE-2026-8240 | Concrete CMS 9.5.0 and below is vulnerable to unauthenticated page metadata disclosure in Backend\SummaryTemplate | 22.05.2026 | |
| CVE-2026-8245 | Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection | 22.05.2026 | |
| CVE-2026-8327 | Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass | 22.05.2026 | |
| CVE-2026-8337 | Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys when sites are running concurrent public surveys and private surveys | 22.05.2026 | |
| CVE-2026-8410 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/logs/bulk/delete | 22.05.2026 | |
| CVE-2026-8411 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/delete | 22.05.2026 | |
| CVE-2026-8412 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/cache | 22.05.2026 | |
| CVE-2026-8413 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/page/bulk/design | 22.05.2026 | |
| CVE-2026-8414 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/event/duplicate | 22.05.2026 | |
| CVE-2026-8415 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/dialog/express/association/reorder | 22.05.2026 | |
| CVE-2026-8416 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id) | 22.05.2026 | |
| CVE-2026-8427 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id) | 22.05.2026 | |
| CVE-2026-8432 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star() | 22.05.2026 | |
| CVE-2026-8433 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescan() | 22.05.2026 | |
| CVE-2026-8434 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file rescanMultiple() | 22.05.2026 | |
| CVE-2026-8435 | Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion() | 22.05.2026 | |
| CVE-2026-47101 | LiteLLM < 1.83.14 Privilege Escalation via API Key Generation | 21.05.2026 | |
| CVE-2026-47102 | LiteLLM < 1.83.10 Privilege Escalation via User Update | 22.05.2026 | |
| CVE-2026-6826 | Concrete 9.5.0 and below has file usage disclosure via missing permission check in Usage controller | 22.05.2026 | |
| CVE-2026-8140 | Concrete CMS 9.5.0 and below is vulnerable to CSRF on download() in the package install controller | 22.05.2026 | |
| CVE-2026-8197 | Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via OAuth integration name | 22.05.2026 | |
| CVE-2026-8203 | Concrete CMS 9.5.0 and below has Stored XSS on the height parameter | 22.05.2026 | |
| CVE-2026-8204 | Concrete CMS 9.5.0 and below is vulnerable to Authorization Bypass in the Calendar Event Frontend Dialog | 22.05.2026 | |
| CVE-2026-8205 | Concrete CMS 9.5.0 and below is vulnerable to authorization bypass in Calendar Block since action_get_events does not check canView on the calendar | 22.05.2026 | |
| CVE-2026-8350 | Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group | 22.05.2026 | |
| CVE-2026-8421 | Concrete CMS 9.5.0 and below is vulnerable to CSRF on install_package() with conditional token bypass leading to RCE | 22.05.2026 | |
| CVE-2026-8426 | Concrete CMS 9.5.0 and below is vulnerable to CSRF on prepare_remote_upgrade() leading to one-request RCE via package overwrite | 22.05.2026 | |
| CVE-2026-8428 | CSRF token is not validated in the core CMS update controller for Concrete CMS 9.5.0 and below | 22.05.2026 | |
| CVE-2026-8134 | Concrete CMS 9.5.0 and below is vulnerable to Authenticated RCE via Composer customTemplate Path Traversal leading to PHP File Inclusion | 22.05.2026 | |
| CVE-2026-8135 | Concrete CMS 9.5.0 and below is vulnerable to RCE due to insecure deserialization occurring in the ExpressEntryList block controller | 22.05.2026 | |
| CVE-2026-8352 | | 21.05.2026 | |
| CVE-2026-8417 | Concrete CMS 9.5.0 and below is vulnerable to CSRF in do_update() in the package update controller | 22.05.2026 | |
| CVE-2026-47114 | IINA < 1.4.3 Command Execution via iina://open URL Scheme | 22.05.2026 | |
| CVE-2026-4843 | GSheet For Woo Importer <= 2.3.1 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Reset | 22.05.2026 | 4.3 |