| CVE | Title | Date | Score |
|---|---|---|---|
| CVE-2026-2031 | Google Cloud Application Integration: Exposed internal APIs allow Information Disclosure and Remote Code Execution. | 15.05.2026 | 10 |
| CVE-2026-41552 | Path Traversal in PDF Export Module | 15.05.2026 | 9.2 |
| CVE-2026-41553 | Remote Code Execution in PDF Export Module | 15.05.2026 | 10 |
| CVE-2026-7182 | Path Traversal in Diagram | 15.05.2026 | 9.2 |
| CVE-2026-5229 | Receive Notifications After Form Submitting – Form Notify for Any Forms <= 1.1.10 - Unauthenticated Authentication Bypass via LINE OAuth Callback | 15.05.2026 | 9.8 |
| CVE-2026-8398 | | 15.05.2026 | 9.3 |
| CVE-2026-0481 | | 15.05.2026 | 9.2 |
| CVE-2026-44212 | PrestaShop: Stored XSS executable in customer service view | 15.05.2026 | 9.3 |
| CVE-2026-44666 | HRConvert2: Missing Sanitization enables Unauthenticated Remote Command Execution | 15.05.2026 | 9.3 |
| CVE-2026-8634 | Crabbox < v0.12.0 Environment Variable Information Disclosure | 15.05.2026 | 9.3 |
| CVE-2026-22599 | Strapi Vulnerable to SQL Injection in Content Type Builder | 14.05.2026 | 9.3 |
| CVE-2026-27886 | Strapi may leak sensitive data via relational filtering due to lack of query sanitization | 14.05.2026 | 9.2 |
| CVE-2026-41315 | mdserver-web: Missing Authorization and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 14.05.2026 | 9.3 |
| CVE-2026-44523 | Note Mark: JWT Secret Weakness allows Full Account Takeover via token forgery | 15.05.2026 | 10 |
| CVE-2026-44588 | SiYuan: URL-encoded title bypasses `escapeAriaLabel`, decoded by `decodeURIComponent` into a tooltip-XSS | 15.05.2026 | 9.4 |
| CVE-2026-44592 | Gradient: Unauthenticated worker on /proto → arbitrary NAR write / cache poisoning | 14.05.2026 | 9.4 |
| CVE-2026-44670 | SiYuan: Stored XSS via Attribute View name to Electron renderer RCE in SiYuan | 15.05.2026 | 9.4 |
| CVE-2026-45375 | SiYuan: Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution | 14.05.2026 | 9 |
| CVE-2026-41615 | Microsoft Authenticator Information Disclosure Vulnerability | 15.05.2026 | 9.6 |
| CVE-2026-44542 | FileBrowser Quantum: Unauthenticated Path Traversal in Public Share Delete Allows Arbitrary File Deletion | 15.05.2026 | 9.1 |
| CVE-2026-20182 | Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability | 15.05.2026 | 10 |
| CVE-2026-42555 | Valtimo: SpEL injection via StandardEvaluationContext allows Remote Code Execution by admin users | 14.05.2026 | 9.1 |
| CVE-2026-42281 | MagicMirror²: Unauthenticated SSRF via /cors endpoint | 14.05.2026 | 9.2 |
| CVE-2026-42589 | Gotenberg: Unauthenticated RCE via ExifTool Metadata Key Injection | 14.05.2026 | 9.8 |
| CVE-2026-42596 | Gotenberg: Unauthenticated SSRF via default deny-list bypass in downloadFrom and webhook | 14.05.2026 | 9.4 |
| CVE-2026-42457 | vCluster Platform: Stored XSS can lead to privilege escalation | 14.05.2026 | 9 |
| CVE-2026-44482 | soundcloud-rpc: Remote Code Execution via XSS in Track Title | 14.05.2026 | 9.6 |
| CVE-2026-44484 | Compromise of PyTorch Lightning PyPi Package Versions | 14.05.2026 | 9.3 |
| CVE-2025-11024 | SQLi in Akıllı Ticaret's E-Commerce Pack | 14.05.2026 | 9.8 |
| CVE-2026-2347 | IDOR in Akıllı Ticaret's E-Commerce Pack | 14.05.2026 | 9.8 |
| CVE-2026-6512 | InfusedWoo Pro <= 5.1.2 - Unauthenticated Missing Authorization to Arbitrary Post Deletion via Multiple Parameters | 14.05.2026 | 9.1 |
| CVE-2026-6271 | Career Section <= 1.7 - Unauthenticated Arbitrary File Upload | 14.05.2026 | 9.8 |
| CVE-2026-6510 | InfusedWoo Pro <= 5.1.2 - Unauthenticated Missing Authorization to Privilege Escalation via 'iwar_save_recipe' | 14.05.2026 | 9.8 |
| CVE-2026-8181 | Burst Statistics 3.4.0 - 3.4.1.1 - Authentication Bypass to Admin Account Takeover | 14.05.2026 | 9.8 |
| CVE-2026-44193 | OPNsense: RCE via XMLRPC endpoint using `opnsense.restore_config_section` method | 14.05.2026 | 9.1 |
| CVE-2026-44194 | OPNsense: RCE on user management | 14.05.2026 | 9.1 |
| CVE-2026-45158 | OPNsense: Command Injection via Attacker-Controlled DHCP Config | 14.05.2026 | 9.1 |
| CVE-2026-44442 | ERPNext: Unauthorised Document modification due to missing validation | 14.05.2026 | 9.9 |
| CVE-2026-44377 | CubeCart: Server-Side Template Injection (SSTI) in Smarty Templates leading to RCE | 14.05.2026 | 9.1 |
| CVE-2026-44381 | MISP: SQL injection via unvalidated ordering parameters in event and shadow attribute listings | 14.05.2026 | 9.3 |
| CVE-2026-45053 | CubeCart: Authenticated Arbitrary File Upload to RCE in REST Files API | 13.05.2026 | 9.1 |
| CVE-2026-45714 | CubeCart: Server-Side Template Injection (SSTI) in Smarty Templates leading to RCE | 14.05.2026 | 9.1 |
| CVE-2026-44351 | fast-jwt: Empty HMAC secret accepted via async key resolver - JWT auth bypass | 14.05.2026 | 9.1 |
| CVE-2026-44364 | misp-modules website - Missing CSRF protection in the website home blueprint | 14.05.2026 | 9.3 |
| CVE-2026-43997 | vm2: Sandbox Escape | 14.05.2026 | 10 |
| CVE-2026-43999 | vm2: NodeVM builtin allowlist bypass via `module` builtin's `Module._load` allows sandbox escape | 15.05.2026 | 9.9 |
| CVE-2026-44005 | vm2: Sandbox escape | 15.05.2026 | 10 |
| CVE-2026-44006 | vm2: Sandbox Escape | 15.05.2026 | 10 |
| CVE-2026-44007 | vm2: nesting: true bypasses require: false, allowing sandbox escape to arbitrary OS command execution | 15.05.2026 | 9.1 |
| CVE-2026-44008 | vm2: Sandbox breakout via `neutralizeArraySpeciesBatch` | 15.05.2026 | 9.8 |
| CVE-2026-44009 | vm2: Sandbox Breakout Through Null Proto Exception | 15.05.2026 | 9.8 |
| CVE-2026-45411 | vm2: Sandbox Breakout Using Async Generator | 15.05.2026 | 9.8 |
| CVE-2020-37168 | Ecommerce Systempay 1.0 Production Key Brute Force | 14.05.2026 | 9.3 |
| CVE-2026-42945 | NGINX ngx_http_rewrite_module vulnerability | 14.05.2026 | 9.2 |
| CVE-2026-40621 | | 13.05.2026 | 9.3 |
| CVE-2026-42062 | | 13.05.2026 | 9.3 |
| CVE-2026-41050 | Helm impersonation bypass of `RESTClientGetter` retains `cluster-admin` during template rendering | 14.05.2026 | 9.9 |
| CVE-2025-11159 | Hitachi Vantara Pentaho Data Integration & Analytics - Dependency on Vulnerable Third-Party Component | 13.05.2026 | 9.1 |
| CVE-2026-32661 | | 13.05.2026 | 9.3 |
| CVE-2026-41901 | Thymeleaf: Improper recognition of unauthorized syntax patterns in sandboxed Thymeleaf expressions | 13.05.2026 | 9 |
| CVE-2026-42288 | ChurchCRM: Incomplete fix for CVE-2026-39337: Unauthenticated RCE in Setup Wizard via unsanitized DB_PASSWORD | 12.05.2026 | 10 |
| CVE-2026-44547 | ChurchCRM: Incomplete fix for CVE-2026-40582: public API login still bypasses 2FA and account lockout in ChurchCRM 7.2.2 | 13.05.2026 | 9.6 |
| CVE-2026-42854 | arduino-esp32: Stack buffer overflow in WebServer multipart boundary parsing leads to remote crash potential RCE | 13.05.2026 | 9.8 |
| CVE-2026-42196 | django-s3file: Relative path traversal | 13.05.2026 | 9.9 |
| CVE-2026-43948 | wger: cross-tenant password reset and plaintext disclosure via gym=None bypass | 13.05.2026 | 9.9 |
| CVE-2026-44257 | efw4.X: RCE via zipslip | 12.05.2026 | 9.3 |
| CVE-2026-44258 | efw4.X: Path Traversal via Unchecked dst Parameter leads to Remote Code Execution | 14.05.2026 | 9.3 |
| CVE-2026-44262 | Scramble: Remote code execution via evaluation of user-controlled input in validation rules | 13.05.2026 | 9.4 |
| CVE-2026-42889 | Relay Server WebSocket authentication bypass when token is omitted | 13.05.2026 | 9.1 |
| CVE-2026-44221 | ArcadeDB: Cross-database authorization bypass and unsecured newly-created databases | 13.05.2026 | 9 |
| CVE-2026-44225 | Pulpy: Incomplete filesystem sandbox in pulpy.fs bridge allows packaged web apps to read arbitrary user files | 14.05.2026 | 9.3 |
| CVE-2026-45185 | | 14.05.2026 | 9.8 |
| CVE-2026-34659 | Adobe Connect \| Deserialization of Untrusted Data (CWE-502) | 13.05.2026 | 9.6 |
| CVE-2026-34660 | Adobe Connect \| Incorrect Authorization (CWE-863) | 13.05.2026 | 9.3 |
| CVE-2026-8430 | SPIP < 4.4.14 Remote Code Execution via nginx | 14.05.2026 | 9.2 |
| CVE-2026-8431 | Ops Manager RCE via webhook body | 12.05.2026 | 9.4 |
| CVE-2026-29204 | | 12.05.2026 | 9.1 |
| CVE-2026-42048 | Langflow: Path Traversal in Langflow Knowledge Bases API | 13.05.2026 | 9.6 |
| CVE-2026-42300 | DevGuard: Unauthenticated identity assertion via `X-Admin-Token` header | 13.05.2026 | 9.3 |
| CVE-2026-44183 | Cleanuparr: X-Forwarded-For leftmost parsing allows remote unauthenticated admin takeover when reverse-proxy mode is enabled | 13.05.2026 | 9.8 |
| CVE-2026-44196 | Pingvin Share X: TOTP Authentication Bypass via Password-only Login | 14.05.2026 | 9.1 |
| CVE-2026-26083 | | 13.05.2026 | 9.1 |
| CVE-2026-33117 | Azure SDK for Java Security Feature Bypass Vulnerability | 14.05.2026 | 9.1 |
| CVE-2026-40379 | Microsoft Enterprise Security Token Service (ESTS) Spoofing Vulnerability | 14.05.2026 | 9.3 |
| CVE-2026-40402 | Windows Hyper-V Elevation of Privilege Vulnerability | 14.05.2026 | 9.3 |
| CVE-2026-41089 | Windows Netlogon Remote Code Execution Vulnerability | 14.05.2026 | 9.8 |
| CVE-2026-41096 | Windows DNS Client Remote Code Execution Vulnerability | 14.05.2026 | 9.8 |
| CVE-2026-41103 | Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability | 14.05.2026 | 9.1 |
| CVE-2026-42823 | Azure Logic Apps Elevation of Privilege Vulnerability | 14.05.2026 | 9.9 |
| CVE-2026-42833 | Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability | 14.05.2026 | 9.1 |
| CVE-2026-42898 | Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability | 14.05.2026 | 9.9 |
| CVE-2026-44277 | | 13.05.2026 | 9.1 |
| CVE-2026-44343 | WGDashboard: Critical Vulnerability in 4.3.2 | 12.05.2026 | 9.3 |
| CVE-2026-20794 | | 13.05.2026 | 9.3 |
| CVE-2026-43992 | JunoClaw: MCP write tools exposed raw BIP-39 mnemonic as a tool-call parameter | 13.05.2026 | 9.8 |
| CVE-2026-30805 | Insecure Default Initialization in API Authentication leads to Authentication Bypass | 12.05.2026 | 9.1 |
| CVE-2026-8043 | | 12.05.2026 | 9.6 |
| CVE-2026-45091 | sealed-env: TOTP secret embedded in unseal token payload (enterprise mode) | 12.05.2026 | 9.1 |
| CVE-2025-6577 | SQLi in Akilli Commerce's E-Commerce Website | 12.05.2026 | 9.8 |
| CVE-2026-8072 | Insecure generation of SAT access credentials in Ingecon EMS Board | 12.05.2026 | 9.2 |
| CVE-2026-25786 | | 12.05.2026 | 9.3 |
| CVE-2026-25787 | | 12.05.2026 | 9.3 |
| CVE-2026-41551 | | 12.05.2026 | 9.3 |
| CVE-2026-7428 | Insecure default administrative credentials in AlloyDB for PostgreSQL | 12.05.2026 | 9.2 |
| CVE-2026-41872 | | 12.05.2026 | 9.1 |
| CVE-2026-34260 | SQL injection vulnerability in SAP S/4HANA (SAP Enterprise Search for ABAP) | 12.05.2026 | 9.6 |
| CVE-2026-34263 | Missing authentication check in SAP Commerce cloud configuration | 15.05.2026 | 9.6 |
| CVE-2026-45321 | Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys | 12.05.2026 | 9.6 |
| CVE-2026-43899 | DeepChat: Incomplete Fix for CVE-2025-55733 leads to Remote Code Execution via Markdown Links bypassing `isValidExternalUrl` | 12.05.2026 | 9.6 |
| CVE-2026-43900 | DeepChat: Persistent DOM XSS via HTML Entity Encoding in `<antArtifact>` SVG Rendering (Bypass of `svgSanitizer.ts`) | 12.05.2026 | 9.3 |
| CVE-2026-42882 | oxyno-zeta/s3-proxy: Security Issues in Resource Path Matching | 13.05.2026 | 9.4 |
| CVE-2026-42869 | SOCFortress CoPilot: Hardcoded JWT secret allows unauthenticated full admin compromise and lateral movement into all integrated SOC tools | 12.05.2026 | 10 |
| CVE-2026-42864 | FireFighter: Unauthenticated SSRF in Raid jira_bot endpoint allows IAM credential theft | 11.05.2026 | 9.9 |
| CVE-2026-42607 | Grav: Remote Code Execution (RCE) via Malicious Plugin ZIP Upload in Direct Install Feature | 12.05.2026 | 9.1 |
| CVE-2026-42613 | Grav: Privilege Escalation via Missing Server-Side Validation of groups/access | 12.05.2026 | 9.4 |
| CVE-2026-44643 | Angular Expressions - Remote Code Execution using filters | 11.05.2026 | 9.3 |
| CVE-2026-7813 | pgAdmin 4: Cross-user data access and shared-server privilege escalation in server mode | 11.05.2026 | 9.4 |
| CVE-2026-40636 | | 12.05.2026 | 9.8 |
| CVE-2021-47923 | OpenCart 3.0.3.8 Session Fixation via OCSESSID Cookie | 11.05.2026 | 9.3 |
| CVE-2021-47932 | WordPress TheCartPress 1.5.3.6 Privilege Escalation Unauthenticated | 11.05.2026 | 9.3 |
| CVE-2021-47933 | WordPress MStore API 2.0.6 Arbitrary File Upload | 11.05.2026 | 9.3 |
| CVE-2021-47936 | OpenCATS 0.9.4 Remote Code Execution via Resume Upload | 11.05.2026 | 9.3 |
| CVE-2021-47940 | WordPress Download From Files 1.48 Arbitrary File Upload | 11.05.2026 | 9.3 |
| CVE-2026-6722 | Use-After-Free in SOAP using Apache map | 12.05.2026 | 9.5 |
| CVE-2026-42569 | phpvms: /importer authorization bypass causing full database wipe | 12.05.2026 | 9.4 |
| CVE-2026-42571 | Privilege Escalation Attack affecting Pelican Web UI | 12.05.2026 | 9 |
| CVE-2026-42601 | ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView | 11.05.2026 | 9.3 |
| CVE-2026-42560 | auth: Patreon provider assigns the same local user ID to every authenticated Patreon account, enabling cross-user impersonation | 11.05.2026 | 9.1 |
| CVE-2026-44313 | LinkWarden: Server-Side Request Forgery (SSRF) in Link Creation via fetchTitleAndHeaders Function | 11.05.2026 | 9.1 |
| CVE-2026-42354 | Sentry: Improper authentication on SAML SSO process allows user identity linking | 11.05.2026 | 9.1 |
| CVE-2026-42454 | Termix: OS Command Injection in Docker Container Management Endpoints | 14.05.2026 | 9.9 |
| CVE-2026-42298 | Postiz: Arbitrary Code Execution and Token Exfiltration in pr-docker-build.yml via untrusted Dockerfile.dev | 11.05.2026 | 10 |
| CVE-2026-42302 | FastGPT: Unauthenticated Remote Code Execution (RCE) via code-server Misconfiguration in agent-sandbox | 12.05.2026 | 9.8 |
| CVE-2026-42287 | Emlog: SQL Injection Vulnerability in log_model.php within addLog() and updateLog() Functions | 11.05.2026 | 10 |
| CVE-2026-42193 | Plunk: SNS webhook forgery | 11.05.2026 | 9.1 |