| CVE-2025-11262 | Link Whisper Free <= 0.9.0 - Unauthenticated Stored Cross-Site Scripting | 29.05.2026 | 7.2 |
| CVE-2026-3655 | OTP Login With Phone Number, OTP Verification <= 1.8.60 - Unauthenticated Authentication Bypass via Firebase OTP Verification | 29.05.2026 | 9.8 |
| CVE-2026-49322 | Indian Scout Bobber 2025 Infotainment-to-WCM weak authentication allows recovery of user PIN from observed exchange | 29.05.2026 | 4.3 |
| CVE-2026-4776 | | 29.05.2026 | 7.1 |
| CVE-2026-9243 | The Plus Addons for Elementor <= 6.4.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'carousel_direction' Parameter | 29.05.2026 | 6.4 |
| CVE-2025-11993 | WooCommerce Infinite Scroll and Ajax Pagination <= 1.8 - Authenticated (Subscriber+) PHP Object Injection | 29.05.2026 | 8.8 |
| CVE-2025-14042 | Automotive Car Dealership Business WordPress Theme <= 13.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Portfolio Project Details | 29.05.2026 | 6.4 |
| CVE-2026-6275 | StatCounter <= 2.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via Author Nickname | 29.05.2026 | 6.4 |
| CVE-2026-6324 | Libsoup: libsoup: http request smuggling via unsigned to signed conversion error | 29.05.2026 | |
| CVE-2026-8732 | WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action | 29.05.2026 | 9.8 |
| CVE-2026-9493 | BankPro E-Service Technology\|Service Center - Insecure Direct Object Reference | 29.05.2026 | |
| CVE-2026-9714 | Simple Divi Shortcode <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute | 29.05.2026 | 6.4 |
| CVE-2026-2128 | Breeze Cache <= 2.5.2 - Unauthenticated Exposure of Sensitive Information to an Unauthorized Actor via Crafted Login Cookie | 29.05.2026 | 5.3 |
| CVE-2026-7430 | Post Snippets <= 4.0.19 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import | 29.05.2026 | 4.4 |
| CVE-2026-8995 | Poll Maker by AYS <= 6.3.7 - Authenticated (Subscriber+) Sensitive Information Exposure in 'ays_poll_get_user_information' AJAX Action | 29.05.2026 | 4.3 |
| CVE-2026-7480 | | 29.05.2026 | |
| CVE-2026-8070 | | 29.05.2026 | |
| CVE-2026-6891 | | 28.05.2026 | 5 |
| CVE-2026-6892 | | 29.05.2026 | 5 |
| CVE-2026-5343 | SAML SSO - Service Provider - Critical - Authentication bypass - SA-CONTRIB-2026-031 | 28.05.2026 | |
| CVE-2026-6816 | TFA Basic Plugins - Access Bypass | 28.05.2026 | |
| CVE-2026-10000 | | 28.05.2026 | |
| CVE-2026-10001 | | 28.05.2026 | |
| CVE-2026-10002 | | 28.05.2026 | |
| CVE-2026-10003 | | 28.05.2026 | |
| CVE-2026-10004 | | 28.05.2026 | |
| CVE-2026-10005 | | 28.05.2026 | |
| CVE-2026-10006 | | 28.05.2026 | |
| CVE-2026-10007 | | 28.05.2026 | |
| CVE-2026-10008 | | 28.05.2026 | |
| CVE-2026-10009 | | 28.05.2026 | |
| CVE-2026-10010 | | 28.05.2026 | |
| CVE-2026-10011 | | 28.05.2026 | |
| CVE-2026-10012 | | 28.05.2026 | |
| CVE-2026-10013 | | 28.05.2026 | |
| CVE-2026-10014 | | 28.05.2026 | |
| CVE-2026-10015 | | 28.05.2026 | |
| CVE-2026-10016 | | 28.05.2026 | |
| CVE-2026-10017 | | 28.05.2026 | |
| CVE-2026-10018 | | 28.05.2026 | |
| CVE-2026-10019 | | 28.05.2026 | |
| CVE-2026-10020 | | 28.05.2026 | |
| CVE-2026-10021 | | 28.05.2026 | |
| CVE-2026-10022 | | 28.05.2026 | |
| CVE-2026-10028 | Glib-networking: infinite loop in glib-networking gnutls backend allows remote denial of service via circular certificate chain | 28.05.2026 | |
| CVE-2026-8809 | Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter | 28.05.2026 | 9.8 |
| CVE-2026-9872 | | 28.05.2026 | |
| CVE-2026-9873 | | 28.05.2026 | |
| CVE-2026-9874 | | 28.05.2026 | |
| CVE-2026-9875 | | 28.05.2026 | |
| CVE-2026-9876 | | 28.05.2026 | |
| CVE-2026-9877 | | 28.05.2026 | |
| CVE-2026-9878 | | 28.05.2026 | |
| CVE-2026-9879 | | 28.05.2026 | |
| CVE-2026-9880 | | 28.05.2026 | |
| CVE-2026-9881 | | 28.05.2026 | |
| CVE-2026-9882 | | 28.05.2026 | |
| CVE-2026-9883 | | 28.05.2026 | |
| CVE-2026-9884 | | 28.05.2026 | |
| CVE-2026-9885 | | 28.05.2026 | |
| CVE-2026-9886 | | 28.05.2026 | |
| CVE-2026-9887 | | 28.05.2026 | |
| CVE-2026-9888 | | 28.05.2026 | |
| CVE-2026-9889 | | 28.05.2026 | |
| CVE-2026-9890 | | 28.05.2026 | |
| CVE-2026-9891 | | 28.05.2026 | |
| CVE-2026-9892 | | 28.05.2026 | |
| CVE-2026-9893 | | 28.05.2026 | |
| CVE-2026-9894 | | 28.05.2026 | |
| CVE-2026-9895 | | 28.05.2026 | |
| CVE-2026-9896 | | 28.05.2026 | |
| CVE-2026-9897 | | 28.05.2026 | |
| CVE-2026-9898 | | 28.05.2026 | |
| CVE-2026-9899 | | 28.05.2026 | |
| CVE-2026-9900 | | 28.05.2026 | |
| CVE-2026-9901 | | 28.05.2026 | |
| CVE-2026-9902 | | 28.05.2026 | |
| CVE-2026-9903 | | 28.05.2026 | |
| CVE-2026-9904 | | 28.05.2026 | |
| CVE-2026-9905 | | 28.05.2026 | |
| CVE-2026-9906 | | 28.05.2026 | |
| CVE-2026-9907 | | 28.05.2026 | |
| CVE-2026-9908 | | 28.05.2026 | |
| CVE-2026-9909 | | 28.05.2026 | |
| CVE-2026-9910 | | 28.05.2026 | |
| CVE-2026-9911 | | 28.05.2026 | |
| CVE-2026-9912 | | 28.05.2026 | |
| CVE-2026-9913 | | 28.05.2026 | |
| CVE-2026-9914 | | 28.05.2026 | |
| CVE-2026-9915 | | 28.05.2026 | |
| CVE-2026-9916 | | 28.05.2026 | |
| CVE-2026-9917 | | 28.05.2026 | |
| CVE-2026-9918 | | 28.05.2026 | |
| CVE-2026-9919 | | 28.05.2026 | |
| CVE-2026-9920 | | 28.05.2026 | |
| CVE-2026-9921 | | 28.05.2026 | |
| CVE-2026-9922 | | 28.05.2026 | |
| CVE-2026-9923 | | 28.05.2026 | |
| CVE-2026-9924 | | 28.05.2026 | |
| CVE-2026-9925 | | 28.05.2026 | |
| CVE-2026-9926 | | 28.05.2026 | |
| CVE-2026-9927 | | 28.05.2026 | |
| CVE-2026-9928 | | 28.05.2026 | |
| CVE-2026-9929 | | 28.05.2026 | |
| CVE-2026-9930 | | 28.05.2026 | |
| CVE-2026-9931 | | 28.05.2026 | |
| CVE-2026-9932 | | 28.05.2026 | |
| CVE-2026-9933 | | 28.05.2026 | |
| CVE-2026-9934 | | 28.05.2026 | |
| CVE-2026-9935 | | 28.05.2026 | |
| CVE-2026-9936 | | 28.05.2026 | |
| CVE-2026-9937 | | 28.05.2026 | |
| CVE-2026-9938 | | 28.05.2026 | |
| CVE-2026-9939 | | 28.05.2026 | |
| CVE-2026-9940 | | 28.05.2026 | |
| CVE-2026-9941 | | 28.05.2026 | |
| CVE-2026-9942 | | 28.05.2026 | |
| CVE-2026-9943 | | 28.05.2026 | |
| CVE-2026-9944 | | 28.05.2026 | |
| CVE-2026-9945 | | 28.05.2026 | |
| CVE-2026-9946 | | 28.05.2026 | |
| CVE-2026-9947 | | 28.05.2026 | |
| CVE-2026-9948 | | 28.05.2026 | |
| CVE-2026-9949 | | 28.05.2026 | |
| CVE-2026-9950 | | 28.05.2026 | |
| CVE-2026-9951 | | 28.05.2026 | |
| CVE-2026-9952 | | 28.05.2026 | |
| CVE-2026-9953 | | 28.05.2026 | |
| CVE-2026-9954 | | 28.05.2026 | |
| CVE-2026-9955 | | 28.05.2026 | |
| CVE-2026-9956 | | 28.05.2026 | |
| CVE-2026-9957 | | 28.05.2026 | |
| CVE-2026-9958 | | 28.05.2026 | |
| CVE-2026-9959 | | 28.05.2026 | |
| CVE-2026-9960 | | 28.05.2026 | |
| CVE-2026-9961 | | 28.05.2026 | |
| CVE-2026-9962 | | 28.05.2026 | |
| CVE-2026-9963 | | 28.05.2026 | |
| CVE-2026-9964 | | 28.05.2026 | |
| CVE-2026-9965 | | 28.05.2026 | |
| CVE-2026-9966 | | 28.05.2026 | |
| CVE-2026-9967 | | 28.05.2026 | |
| CVE-2026-9968 | | 28.05.2026 | |
| CVE-2026-9969 | | 28.05.2026 | |
| CVE-2026-9970 | | 28.05.2026 | |
| CVE-2026-9971 | | 28.05.2026 | |
| CVE-2026-9972 | | 28.05.2026 | |
| CVE-2026-9973 | | 28.05.2026 | |
| CVE-2026-9974 | | 28.05.2026 | |
| CVE-2026-9975 | | 28.05.2026 | |
| CVE-2026-9976 | | 28.05.2026 | |
| CVE-2026-9977 | | 28.05.2026 | |
| CVE-2026-9978 | | 28.05.2026 | |
| CVE-2026-9979 | | 28.05.2026 | |
| CVE-2026-9980 | | 28.05.2026 | |
| CVE-2026-9981 | | 28.05.2026 | |
| CVE-2026-9982 | | 28.05.2026 | |
| CVE-2026-9983 | | 28.05.2026 | |
| CVE-2026-9984 | | 28.05.2026 | |
| CVE-2026-9985 | | 28.05.2026 | |
| CVE-2026-9986 | | 28.05.2026 | |
| CVE-2026-9987 | | 28.05.2026 | |
| CVE-2026-9988 | | 28.05.2026 | |
| CVE-2026-9989 | | 28.05.2026 | |
| CVE-2026-9990 | | 28.05.2026 | |
| CVE-2026-9991 | | 28.05.2026 | |
| CVE-2026-9992 | | 28.05.2026 | |
| CVE-2026-9993 | | 28.05.2026 | |
| CVE-2026-9994 | | 28.05.2026 | |
| CVE-2026-9995 | | 28.05.2026 | |
| CVE-2026-9996 | | 28.05.2026 | |
| CVE-2026-9997 | | 28.05.2026 | |
| CVE-2026-9998 | | 28.05.2026 | |
| CVE-2026-9999 | | 28.05.2026 | |
| CVE-2026-44973 | Billy: Path traversal vulnerabilities | 28.05.2026 | 8.1 |
| CVE-2026-45023 | AutoGP: Credit system bypassed via direct block execution in POST /api/blocks/{block_id}/execute | 28.05.2026 | 5.4 |
| CVE-2026-45364 | Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation | 28.05.2026 | 7.3 |
| CVE-2026-45410 | Time-based user enumeration in TREK authentication endpoint | 28.05.2026 | 5.3 |
| CVE-2026-49299 | | 28.05.2026 | |
| CVE-2026-10044 | ai-goofish-monitor Unauthenticated Arbitrary File Read via GET /api/prompts/ | 28.05.2026 | 7.5 |
| CVE-2026-39929 | Lakeside SysTrack Agent LsiAgent.exe Out-of-Bounds Read via UDP | 28.05.2026 | |
| CVE-2026-44848 | Portainer: Missing authorization on Docker plugin endpoints allows host RCE | 28.05.2026 | |
| CVE-2026-44849 | Portainer: Endpoint security bypass via Swarm service create/update | 28.05.2026 | |
| CVE-2026-44850 | Portainer: Bind-mount restriction bypass via HostConfig.Mounts | 28.05.2026 | 8.5 |
| CVE-2026-44881 | Portainer: Arbitrary File Read via Git Symlink Injection in Stack Auto-Update | 28.05.2026 | |
| CVE-2026-44882 | Portainer: Kubernetes middleware continues after token validation failure, bypassing endpoint authorization | 28.05.2026 | 8.1 |
| CVE-2026-44883 | Portainer: JWT accepted in URL query leaks tokens to logs and referers | 28.05.2026 | |
| CVE-2026-44884 | Portainer: Missing authorization on custom template file endpoint exposes template content | 28.05.2026 | |
| CVE-2026-44885 | Portainer: Path traversal in backup archive extraction allows arbitrary file write | 28.05.2026 | 5.5 |
| CVE-2026-45342 | LinkAce: IDOR in Update Policies Allows Any Authenticated User to Overwrite Other Users' Links, Lists, Tags, and Notes | 28.05.2026 | |
| CVE-2026-45343 | LinkAce - Stored XSS via Unsanitized SSO User's Name Rendered in Admin Audit Log Allows Session Hijacking | 28.05.2026 | |
| CVE-2026-45344 | LinkAce: Setup database password newline injection enables pre-auth RCE on uninitialized instances | 28.05.2026 | 8.1 |
| CVE-2026-45366 | typescript-utcp: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol | 28.05.2026 | 4.7 |
| CVE-2026-45403 | AnythingLLM: filesystem-copy-file follows nested symlinks and copies files from outside the allowed directory | 28.05.2026 | 2 |
| CVE-2026-47713 | AnythingLLM: Legacy mobile device tokens bypass multi-user workspace scoping after mode migration | 28.05.2026 | 2 |
| CVE-2026-48116 | AnythingLLM: RCE via ripgrep --pre argument injection in filesystem-search-files agent skill | 28.05.2026 | 7.5 |
| CVE-2026-34311 | | 29.05.2026 | 9.8 |
| CVE-2026-35266 | | 28.05.2026 | 7.9 |
| CVE-2026-35277 | | 28.05.2026 | 8.1 |
| CVE-2026-41897 | MantisBT: Reflected XSS in Rendering Dynamic Custom Textarea Field | 28.05.2026 | |
| CVE-2026-42070 | MantisBT: Authorization Bypass in Bugnote Editing via Issue Update API | 28.05.2026 | |
| CVE-2026-42071 | MantisBT: Private Bugnote Attachment Content Leak via REST API | 28.05.2026 | |
| CVE-2026-42398 | Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access | 28.05.2026 | 7.7 |
| CVE-2026-42399 | Uncontrolled Resource Consumption in Kibana Leading to Denial of Service | 28.05.2026 | 6.5 |
| CVE-2026-42400 | Uncontrolled Resource Consumption in Kibana Leading to Denial of Service | 28.05.2026 | 6.5 |
| CVE-2026-44655 | MantisBT: Stored XSS on Move Attachments Admin Page | 28.05.2026 | |
| CVE-2026-44657 | MantisBT: Stored XSS in File Download | 28.05.2026 | |
| CVE-2026-45288 | Marten has an SQL injection vulnerability in its full-text search regConfig parameter | 28.05.2026 | 9.8 |
| CVE-2026-46775 | | 28.05.2026 | 9.9 |
| CVE-2026-46817 | | 28.05.2026 | 9.8 |
| CVE-2026-46818 | | 28.05.2026 | 7.4 |
| CVE-2026-46819 | | 28.05.2026 | 9.1 |
| CVE-2026-46820 | | 28.05.2026 | 8.5 |
| CVE-2026-46821 | | 28.05.2026 | 7.7 |
| CVE-2026-46822 | | 28.05.2026 | 9.9 |
| CVE-2026-46823 | | 28.05.2026 | 7.7 |
| CVE-2026-46824 | | 28.05.2026 | 9.9 |
| CVE-2026-46826 | | 28.05.2026 | 8.8 |
| CVE-2026-46827 | | 28.05.2026 | 8.8 |
| CVE-2026-46828 | | 28.05.2026 | 8.1 |
| CVE-2026-46829 | | 28.05.2026 | 7.5 |
| CVE-2026-46830 | | 28.05.2026 | 5.3 |
| CVE-2026-46833 | | 29.05.2026 | 9 |
| CVE-2026-46834 | | 28.05.2026 | 7.5 |
| CVE-2026-46835 | | 28.05.2026 | 7.5 |
| CVE-2026-46837 | | 28.05.2026 | 8.8 |
| CVE-2026-46839 | | 28.05.2026 | 9.9 |
| CVE-2026-46840 | | 28.05.2026 | 10 |
| CVE-2026-46841 | | 28.05.2026 | 5.3 |
| CVE-2026-46842 | | 28.05.2026 | 5.3 |
| CVE-2026-46843 | | 28.05.2026 | 5.3 |
| CVE-2026-49093 | Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access | 28.05.2026 | 6.3 |
| CVE-2026-49094 | Uncontrolled Resource Consumption in Kibana Leading to Denial of Service | 28.05.2026 | 6.5 |
| CVE-2026-49095 | Improper Input Validation in Kibana Fleet Leading to Privilege Escalation | 28.05.2026 | 7.2 |
| CVE-2026-9645 | ScadaBR Authenticated Remote Code Execution | 28.05.2026 | 9.9 |
| CVE-2026-9646 | ScadaBR Unauthenticated Reflected Cross-Site Scripting | 28.05.2026 | 6.1 |
| CVE-2026-32847 | DeepCode 1.2.0 Path Traversal via SPA Catch-All Route in main.py | 28.05.2026 | |
| CVE-2026-33462 | Path Traversal in Kibana Leading to Unauthorized Deletion of User Accounts | 28.05.2026 | 4.6 |
| CVE-2026-33463 | Operation on a Resource after Expiration or Termination in Kibana Leading to Unauthorized File Access | 28.05.2026 | 5.3 |
| CVE-2026-33464 | Uncontrolled Resource Consumption in Kibana Leading to Denial of Service | 28.05.2026 | 6.5 |
| CVE-2026-33590 | Insecure default permissions in Portainer CE | 28.05.2026 | |
| CVE-2026-42401 | Improper Neutralization of Input During Web Page Generation in Kibana Leading to Stored HTML Injection | 28.05.2026 | 4.1 |
| CVE-2026-49127 | Music Player Daemon < 0.24.11 Stack Buffer Overflow via pcm_unpack_24be | 28.05.2026 | |
| CVE-2026-49128 | Music Player Daemon < 0.24.11 Path Traversal via LocalStorage URI Handling | 28.05.2026 | |
| CVE-2026-49129 | Music Player Daemon < 0.24.11 SSRF via CurlInputPlugin | 28.05.2026 | |
| CVE-2026-49130 | Music Player Daemon < 0.24.11 CRLF Injection via XspfPlaylistPlugin.cxx | 28.05.2026 | |
| CVE-2026-9037 | Download of code without integrity check in XCharge C6 | 28.05.2026 | |
| CVE-2026-9038 | Stack-based buffer overflow in XCharge C6 | 28.05.2026 | |
| CVE-2026-9039 | Initialization of a resource with an insecure default in XCharge C6 | 28.05.2026 | |
| CVE-2026-30760 | | 28.05.2026 | |
| CVE-2026-30761 | | 28.05.2026 | |
| CVE-2026-42998 | | 28.05.2026 | 6 |
| CVE-2026-42999 | | 28.05.2026 | 6 |
| CVE-2026-43000 | | 28.05.2026 | 6 |
| CVE-2026-43979 | Local Deep Research: HTML Injection via Unescaped User Input in PDF Export (`pdf_service.py:_markdown_to_html`) | 28.05.2026 | 5 |
| CVE-2026-44394 | | 28.05.2026 | 6 |
| CVE-2026-45039 | RustFS: Internode RPC HMAC secret falls back to public default credential, enabling peer impersonation | 28.05.2026 | 9.8 |
| CVE-2026-45040 | RustFS: Sensitive Information Leakage (SessionToken and SecretAccessKey) in RustFS Logs [Debug Mode] | 28.05.2026 | |
| CVE-2026-45041 | RustFS: Hard-coded RSA private key in license verifier permits arbitrary license forgery | 28.05.2026 | |
| CVE-2026-45042 | RustFS: UploadPartCopy Does Not Enforce Destination Bucket Policy on Copy Source | 28.05.2026 | |
| CVE-2026-45044 | RustFS: Authentication bypass in /profile/cpu and /profile/memory allows unauthenticated access to profiling handlers | 28.05.2026 | |
| CVE-2026-45332 | Automad Broken Access Control: unauthenticated exposure of administrator bcrypt password hashes and TOTP secrets via public API endpoint | 28.05.2026 | 7.5 |
| CVE-2026-46509 | deepobj: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | 28.05.2026 | 8.2 |
| CVE-2026-46526 | Local Deep Research: SSRF bypass in `safe_get` | 28.05.2026 | 5 |
| CVE-2026-46685 | RustFS: Reflective CORS with credentials on S3 listener; unauthenticated license metadata endpoint on console | 28.05.2026 | |
| CVE-2026-47136 | RustFS: Unauthenticated RustFS console license endpoint exposes license metadata | 28.05.2026 | |
| CVE-2026-47326 | Memory leak in Ubuntu Linux AppArmor large notification response allocation | 28.05.2026 | 5.5 |
| CVE-2026-47327 | NULL pointer dereference in Ubuntu Linux AppArmor notification handling | 28.05.2026 | 3.3 |
| CVE-2026-47328 | Invalid pointer deallocation in Ubuntu Linux AppArmor notification handling | 28.05.2026 | 6.1 |
| CVE-2026-47329 | Incorrect validation of field size in Ubuntu Linux AppArmor notification responses | 28.05.2026 | 3.3 |
| CVE-2026-47330 | Use of uninitialized value in Ubuntu Linux AppArmor notification handling | 28.05.2026 | 3.3 |
| CVE-2026-47331 | Use-after-free in Ubuntu Linux AppArmor notification handling | 29.05.2026 | 7.8 |
| CVE-2026-47332 | Out-of-bounds read in Ubuntu Linux AppArmor notification handling | 28.05.2026 | 5.5 |
| CVE-2026-47333 | Out-of-bounds read in Ubuntu Linux AppArmor notification handling | 29.05.2026 | 7.8 |
| CVE-2026-47334 | Deadlock or kernel panic in Ubuntu Linux AppArmor notification handling | 28.05.2026 | 5.5 |
| CVE-2026-47335 | NULL pointer dereference in Ubuntu Linux AppArmor notification handling | 28.05.2026 | 5.5 |
| CVE-2026-47336 | Use of uninitialized value in Ubuntu Linux AppArmor IPv4/IPv6 socket mediation rules | 28.05.2026 | 3.3 |
| CVE-2026-47337 | NULL pointer dereference in Ubuntu Linux AppArmor IPv4/IPv6 socket mediation | 28.05.2026 | 3.3 |
| CVE-2026-4944 | Hardcoded trust_remote_code=True in vllm-project/vllm Bypasses User Security Control | 28.05.2026 | |
| CVE-2026-34126 | Bluetooth Communication Uses Unencrypted Transmission During Initial Setup on TP-Link's Tapo L535E, P300 and D100C | 28.05.2026 | |
| CVE-2026-43898 | SandboxJS: Sandbox escape via Function.caller leakage of internal call op | 28.05.2026 | 10 |
| CVE-2026-44794 | Nautobot: REST API permits creation of GenericForeignKey references to objects that the user should not be able to reference | 28.05.2026 | 5.4 |
| CVE-2026-44796 | Nautobot: Object bulk rename UI actions vulnerable to denial of service by crafted regular expression (REDoS) | 28.05.2026 | 6.5 |
| CVE-2026-44797 | Nautobot: Webhook definitions could be used for server-side request forgery (SSRF) | 28.05.2026 | 8.5 |
| CVE-2026-44798 | Nautobot: GitRepository.current_head field should not be writable through REST API | 28.05.2026 | 7.1 |
| CVE-2026-45021 | Kuma: Default kuma-cp leaks admin token cross-origin via CORS wildcard + LocalhostIsAdmin | 28.05.2026 | |
| CVE-2026-45058 | electerm: Import unsafe bookmark data could lead to unsafe operation when click local type bookmark | 28.05.2026 | |
| CVE-2026-45296 | OpenReplay: Cross-tenant information disclosure in app_apikey projectKey routes via missing tenant binding | 28.05.2026 | 7.7 |
| CVE-2026-45297 | Cross-tenant IDOR on feature-flag and assist-stats routes via {project_id} case mismatch | 28.05.2026 | |
| CVE-2026-45306 | pyLoad: Incomplete Fix for CVE-2026-33509 -storage_folder Bypass via Session Directory | 28.05.2026 | 6.5 |
| CVE-2026-45307 | Speakr: Open redirect in is_safe_url via parser mismatch on next parameter | 28.05.2026 | 6.1 |
| CVE-2026-45310 | CodeWhale: SSRF via HTTP Redirect Bypass in fetch_url Tool | 28.05.2026 | 7.4 |
| CVE-2026-45311 | CodeWhale: run_tests Tool Enables RCE via Malicious Repository Without Approval | 28.05.2026 | 9.6 |
| CVE-2026-45323 | MeshCore Card: XSS vulnerability through meshcore node name | 28.05.2026 | 9.6 |
| CVE-2026-45348 | pyLoad: Stored XSS in Downloads view via unsanitized link URL in packages.js template literal | 28.05.2026 | 8.7 |
| CVE-2026-45353 | electerm: Local code through electerm's single-instance socket | 28.05.2026 | |
| CVE-2026-45373 | CodeWhale: SSRF IPV6 bypass | 28.05.2026 | 7.4 |
| CVE-2026-45374 | CodeWhale: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files | 28.05.2026 | 9.6 |
| CVE-2026-45787 | electerm's encrypt method not safe enough | 28.05.2026 | |
| CVE-2026-46561 | pyLoad: SSRF via HTTP Redirect Bypass in parse_urls API | 28.05.2026 | 5 |
| CVE-2026-24444 | SDMC NE6037 Hardcoded Password via mgmt.php/npcmd.php | 28.05.2026 | |
| CVE-2026-38702 | | 28.05.2026 | |
| CVE-2026-38703 | | 28.05.2026 | |
| CVE-2026-38704 | | 28.05.2026 | |
| CVE-2026-38707 | | 28.05.2026 | |
| CVE-2026-41141 | EspoCRM: IDOR in EmailTemplate Prepare Endpoint Leaks Entity Data via Email Address Lookup | 28.05.2026 | 6.5 |
| CVE-2026-41160 | EspoCRM: Broken Access Control / IDOR in Note Pinning API allows unauthorized modification of notes | 28.05.2026 | 4.3 |
| CVE-2026-41184 | ServiceAccount token disclosure via install-cni container logs | 28.05.2026 | |
| CVE-2026-41185 | ServiceAccount token disclosure via Azure IPAM CNI plugin logs | 28.05.2026 | |
| CVE-2026-44461 | Zed: Remote Command Injection via Unquoted Environment Variable Keys (SSH / WSL Remote) | 29.05.2026 | 8.6 |
| CVE-2026-44462 | Zed: Allowlist Bypass via Bash Variable Expansion Chain in Terminal Tool Permissions | 29.05.2026 | 6.4 |
| CVE-2026-44463 | Zed: Allowlist Bypass via Environment Variable Injection in Terminal Tool Permissions | 29.05.2026 | 8.6 |
| CVE-2026-44465 | Zed: Zed IDE Arbitrary Code Execution via untrusted repository with poisoned .git/config | 29.05.2026 | 8.6 |
| CVE-2026-44466 | Zed: Allowlist Bypass via Bash Arithmetic Expansion in Terminal Tool Permissions | 29.05.2026 | 8.6 |
| CVE-2026-44477 | CloudNativePG: Metrics exporter allows privilege escalation to PostgreSQL superuser and OS RCE | 28.05.2026 | |
| CVE-2026-44543 | Local Path Provisioner: HelperPod Template Injection | 28.05.2026 | 8.7 |
| CVE-2026-45076 | Synapse pagination denial of service | 28.05.2026 | |
| CVE-2026-45078 | Synapse CPU starvation (Denial of Service) | 28.05.2026 | |
| CVE-2026-45261 | GitButler: Link injection via forge integration enables arbitrary script execution | 28.05.2026 | |
| CVE-2026-45292 | opentelemetry-java: Unbounded Memory Allocation in W3C Baggage Propagation | 28.05.2026 | 5.3 |
| CVE-2026-47673 | Hono: JWT middleware accepts any Authorization scheme, not only Bearer | 28.05.2026 | 4.8 |
| CVE-2026-47674 | Hono: IP Restriction bypasses static deny rules for non-canonical IPv6 | 28.05.2026 | 5.3 |
| CVE-2026-47675 | Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection | 28.05.2026 | 4.3 |
| CVE-2026-47676 | Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths | 28.05.2026 | 5.3 |
| CVE-2026-6720 | Calicoctl leaks cluster credentials to stderr when verbose logging is enabled | 28.05.2026 | |
| CVE-2026-8697 | Improper Authentication Rate Limiting on TP-Link's Archer C64 | 29.05.2026 | |
| CVE-2026-9090 | CVE-2026-9090 | 28.05.2026 | |
| CVE-2026-9091 | CVE-2026-9091 | 28.05.2026 | |
| CVE-2026-9092 | CVE-2026-9092 | 28.05.2026 | |
| CVE-2026-9093 | CVE-2026-9093 | 28.05.2026 | |
| CVE-2026-9094 | CVE-2026-9094 | 28.05.2026 | |
| CVE-2026-9095 | CVE-2026-9095 | 28.05.2026 | |
| CVE-2026-9096 | CVE-2026-9096 | 28.05.2026 | |
| CVE-2026-9097 | CVE-2026-9097 | 28.05.2026 | |
| CVE-2026-9098 | CVE-2026-9098 | 28.05.2026 | |
| CVE-2026-47759 | TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes | 28.05.2026 | 8.7 |
| CVE-2026-47760 | TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs | 28.05.2026 | 8.7 |
| CVE-2026-47761 | TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection | 28.05.2026 | 8.7 |
| CVE-2026-47762 | TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments | 28.05.2026 | 8.7 |
| CVE-2026-48523 | PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys | 28.05.2026 | 5.4 |
| CVE-2026-48524 | PyJWT: PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS) | 28.05.2026 | 3.7 |
| CVE-2026-48525 | PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS | 28.05.2026 | 5.3 |
| CVE-2026-48526 | PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed | 29.05.2026 | 7.4 |