CVE Field Guide

Critical CVEs

CVE	Title	Updated	Score
CVE-2026-45247	Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection	26.05.2026	9.3
CVE-2026-7374	Kubevirt: kubevirt virt-handler: privilege escalation and node compromise via symlink following vulnerability	26.05.2026	9.9
CVE-2026-9543	Totolink N300RH Web Management cstecgi.cgi setPasswordCfg os command injection	26.05.2026	9.3
CVE-2026-42773	WordPress eMagicOne Store Manager plugin <= 1.3.2 - SQL Injection vulnerability	26.05.2026	9.3
CVE-2026-42774	WordPress JetEngine plugin <= 3.8.8.1 - SQL Injection vulnerability	26.05.2026	9.3
CVE-2026-9477	Totolink A8000RU Web Management cstecgi.cgi setAccessDeviceCfg os command injection	26.05.2026	9.3
CVE-2026-9478	Totolink A8000RU Web Management cstecgi.cgi setParentalRules os command injection	25.05.2026	9.3
CVE-2026-9475	Totolink A8000RU Web Management cstecgi.cgi setIpQosRules os command injection	26.05.2026	9.3
CVE-2026-9476	Totolink A8000RU Web Management cstecgi.cgi setPasswordCfg os command injection	25.05.2026	9.3
CVE-2026-9058	Improper Certificate Verification in Szafir SDK	25.05.2026	9.3
CVE-2026-9457	Totolink A8000RU Web Management cstecgi.cgi UploadFirmwareFile os command injection	26.05.2026	9.3
CVE-2026-9458	Totolink A8000RU Web Management cstecgi.cgi setWanCfg os command injection	25.05.2026	9.3
CVE-2026-9454	Totolink A8000RU Web Management cstecgi.cgi setOpenVpnCertGenerationCfg os command injection	25.05.2026	9.3
CVE-2026-9455	Totolink A8000RU Web Management cstecgi.cgi UploadOpenVpnCert os command injection	26.05.2026	9.3
CVE-2026-9456	Totolink A8000RU Web Management cstecgi.cgi setOpenVpnCfg os command injection	26.05.2026	9.3
CVE-2026-9435	Totolink A8000RU Web Management cstecgi.cgi setQosCfg os command injection	25.05.2026	9.3
CVE-2026-9436	Totolink A8000RU Web Management cstecgi.cgi setL2tpServerCfg os command injection	25.05.2026	9.3
CVE-2026-2651	Missing Authorization Validation in mlflow/mlflow	26.05.2026	9
CVE-2026-9432	Totolink A8000RU Web Management cstecgi.cgi setWiFiAdvancedCfg os command injection	26.05.2026	9.3
CVE-2026-9433	Totolink A8000RU Web Management cstecgi.cgi setMacFilterRules os command injection	26.05.2026	9.3
CVE-2026-9434	Totolink A8000RU Web Management cstecgi.cgi setWiFiWpsCfg os command injection	25.05.2026	9.3
CVE-2026-9407	Totolink A8000RU Web Management cstecgi.cgi setFirewallType os command injection	26.05.2026	9.3
CVE-2026-9408	Totolink A8000RU Web Management cstecgi.cgi setStaticDhcpRules os command injection	26.05.2026	9.3
CVE-2026-9405	Totolink A8000RU Web Management cstecgi.cgi setGameSpeedCfg os command injection	24.05.2026	9.3
CVE-2026-9406	Totolink A8000RU Web Management cstecgi.cgi setRemoteCfg os command injection	24.05.2026	9.3
CVE-2026-9404	Totolink A8000RU Web Management cstecgi.cgi setDdnsCfg os command injection	24.05.2026	9.3
CVE-2026-9397	Besen BS20 EV Charging Station OTA Update Installation improper authorization	26.05.2026	9.2
CVE-2026-9388	Totolink A8000RU Web Management cstecgi.cgi setScheduleCfg os command injection	26.05.2026	9.3
CVE-2026-9386	Totolink A8000RU Web Management cstecgi.cgi setLanguageCfg os command injection	26.05.2026	9.3
CVE-2026-9387	Totolink A8000RU Web Management cstecgi.cgi setUpgradeFW os command injection	24.05.2026	9.3
CVE-2026-9384	Totolink A8000RU Web Management cstecgi.cgi setDiagnosisCfg os command injection	24.05.2026	9.3
CVE-2026-9385	Totolink A8000RU Web Management cstecgi.cgi setTracerouteCfg os command injection	24.05.2026	9.3
CVE-2018-25350	userSpice 4.3.24 Username Enumeration via existingUsernameCheck.php	26.05.2026	9.3
CVE-2018-25357	Dolibarr ERP CRM 7.0.3 Remote Code Execution via install/step1.php	26.05.2026	9.3
CVE-2026-23652	Microsoft Power Pages Remote Code Execution Vulnerability	26.05.2026	10
CVE-2026-33843	Microsoft Azure Active Directory B2C Elevation of Privilege Vulnerability	26.05.2026	9.1
CVE-2026-40411	Azure Virtual Network Gateway Remote Code Execution Vulnerability	26.05.2026	9.9
CVE-2026-40412	Azure Orbital Spatio Remote Code Execution Vulnerability	26.05.2026	10
CVE-2026-41090	Microsoft Copilot Tampering Vulnerability	26.05.2026	9.3
CVE-2026-41104	Microsoft Planetary Computer Pro Information Disclosure Vulnerability	26.05.2026	10
CVE-2026-42901	Microsoft Entra ID Elevation of Privilege Vulnerability	23.05.2026	10
CVE-2026-47280	Azure Resource Manager Elevation of Privilege Vulnerability	26.05.2026	10
CVE-2026-48700		24.05.2026	9.3
CVE-2026-32253	Sunshine: Authentication bypass via improper client certificate validation	26.05.2026	9.8
CVE-2026-33712	TypeBot: Unauthenticated SSRF via isolated-vm fetch in preview chat endpoint bypasses SSRF controls	22.05.2026	10
CVE-2026-9256	NGINX ngx_http_rewrite_module vulnerability	23.05.2026	9.2
CVE-2026-8670	Insecure session handling on metrics web server	22.05.2026	9.6
CVE-2026-9277	shell-quote `quote()` does not validate object-token shapes, allowing command injection via line terminators in `.op`	23.05.2026	9.2
CVE-2026-9054	Invalid IP packets cause a kernel panic	22.05.2026	9.2
CVE-2026-33000		23.05.2026	9.1
CVE-2026-34908		23.05.2026	10
CVE-2026-34909		22.05.2026	10
CVE-2026-34910		23.05.2026	10
CVE-2026-6960	BookingPress Pro <= 5.6 - Unauthenticated Arbitrary File Upload via Signature Custom Field	22.05.2026	9.8
CVE-2026-8134	Concrete CMS 9.5.0 and below is vulnerable to Authenticated RCE via Composer customTemplate Path Traversal leading to PHP File Inclusion	22.05.2026	9.4
CVE-2026-48241	Open ISES Tickets < 3.44.2 Hardcoded MySQL Database Credentials in loader.php	21.05.2026	9.2
CVE-2026-48242	Open ISES Tickets < 3.44.2 Hardcoded MySQL Database Credentials in import_mdb.php	23.05.2026	9.2
CVE-2026-39531	WordPress WP Directory Kit plugin <= 1.5.0 - SQL Injection vulnerability	21.05.2026	9.3
CVE-2025-71210		21.05.2026	9.8
CVE-2025-71211		21.05.2026	9.8
CVE-2026-5118	Divi Form Builder <= 5.1.2 - Unauthenticated Privilege Escalation via 'role'	21.05.2026	9.8
CVE-2026-5433	Improper Sanitization in CNM Web Interface	21.05.2026	9.1
CVE-2026-44050	Heap buffer overflow in CNID daemon comm_rcv()	22.05.2026	9.9
CVE-2026-6279	Avada (Fusion) Builder <= 3.15.2 - Unauthenticated Remote Code Execution via PHP Function Injection via 'render_logics' Shortcode Attribute via Widget AJAX Handler	21.05.2026	9.8
CVE-2026-48172		24.05.2026	10
CVE-2026-9152	Unauthenticated SOAP Endpoint in Altium 365 SearchService Allows Cross-Tenant Data Exfiltration and Index Destruction	21.05.2026	10
CVE-2026-8631	HP Linux Imaging and Printing Software – Potential Escalation of Privilege and Arbitrary Code Execution	21.05.2026	9.3
CVE-2026-39405	Frappe has Path Transversal via SCORM	21.05.2026	9.4
CVE-2026-9139	Taiko AG1000-01A Rev 7.3/8 Hard-coded Credentials via login.zhtml	21.05.2026	9.3
CVE-2026-9141	Taiko AG1000-01A Rev 7.3/8 Authentication Bypass via Web Interface	21.05.2026	9.3
CVE-2026-23734	XWiki Platform: Path traversal via resources parameter in ssx and jsx endpoints when using leading slash	21.05.2026	9.3
CVE-2026-33137	XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}	21.05.2026	9.3
CVE-2026-45444	WordPress Gift Cards For WooCommerce Pro plugin <= 4.2.6 - Arbitrary File Upload vulnerability	26.05.2026	10
CVE-2026-9082	Drupal core - Highly critical - SQL injection - SA-CORE-2026-004	23.05.2026	9.8
CVE-2026-9102	Path Traversal in Altium Enterprise Server ComparisonService Allows Arbitrary File Write	20.05.2026	9.4
CVE-2026-9129	Path Traversal in Altium Enterprise Server Viewer StorageController Allows Arbitrary File Read	20.05.2026	9.4
CVE-2026-20223	Cisco Secure Workload Unauthorized API Access Vulnerability	21.05.2026	10
CVE-2026-8598	Unauthenticated Export Service in ZKTeco CCTV Cameras	20.05.2026	9.1
CVE-2026-8467	Unauthenticated remote code execution via HEEx template injection in phoenix_storybook playground	22.05.2026	9.5
CVE-2026-22314		20.05.2026	9
CVE-2026-33278	Possible arbitrary code execution during DNSSEC validation	20.05.2026	9.1
CVE-2026-9059	NextGEN Gallery - SQL Injection	20.05.2026	9.3
CVE-2026-9065	Surecart - SQL Injection	20.05.2026	9.3
CVE-2026-24207		20.05.2026	9.8
CVE-2026-7637	Boost <= 2.0.3 - Unauthenticated PHP Object Injection via STYXKEY-BOOST_USER_LOCATION Cookie	20.05.2026	9.8
CVE-2026-6555	ProSolution WP Client <= 2.0.0 - Unauthenticated Arbitrary File Upload via 'files'	20.05.2026	9.8
CVE-2026-7284	Easy Elements for Elementor <= 1.4.4 - Unauthenticated Privilege Escalation via easyel_handle_register	20.05.2026	9.8
CVE-2026-34234	CtrlPanel: Unauthenticated RCE using installer script	20.05.2026	10
CVE-2026-33642	Kitty has a Heap Buffer Over-Read/Write via Integer Overflow in compose_rectangles Bounds Check	19.05.2026	9.9

Latest Updates

CVE	Title	Updated	Score
CVE-2026-25112		26.05.2026	7.8
CVE-2026-38587		26.05.2026
CVE-2026-40564	Apache Flink Kubernetes Operator: Server-Side Request Forgery and local file access in Kubernetes Operator	26.05.2026
CVE-2026-43934	e107: Broken Access Control in e107 comment edit allows cross-user comment modification	26.05.2026	6.5
CVE-2026-43935	e107: Host Header Injection in e107 password reset enables phishing	26.05.2026	8.1
CVE-2026-43936	e107: Server-Side Request Forgery (SSRF) in the remote file fetcher	26.05.2026	4.3
CVE-2026-46620	e107: CSRF in comment.php moderation endpoints via token-optional validation in session_handler::check()	26.05.2026	6.5
CVE-2026-48683		26.05.2026
CVE-2026-48684		26.05.2026
CVE-2026-48685		26.05.2026
CVE-2026-48686		26.05.2026
CVE-2026-48687		26.05.2026
CVE-2026-48688		26.05.2026
CVE-2026-48692		26.05.2026
CVE-2026-40033	FreeRDP - Heap-buffer-overflow in gdi_CacheToSurface via rectangle validation bypass	26.05.2026
CVE-2026-40034	gitoxide - Command Injection via Partial .gitmodules Override in gix-submodule	26.05.2026
CVE-2026-41401	libyang - Heap Use-After-Free Write in XML Metadata Parsing	26.05.2026
CVE-2026-41917	OpenKM 6.3.12 Local File Inclusion via Admin Scripting	26.05.2026
CVE-2026-42347		26.05.2026
CVE-2026-42425	OpenKM 6.3.12 Unrestricted SQL Execution via DatabaseQuery	26.05.2026
CVE-2026-42785	OpenKM 6.3.12 Remote Code Execution via Administrative Scripting	26.05.2026
CVE-2026-43919		26.05.2026
CVE-2026-45082	Karakeep has a SSRF Protection Bypass via Redirect Handling	26.05.2026	7.6
CVE-2026-45247	Mirasvit Cache Warmer for Magento < 1.11.12 PHP Object Injection	26.05.2026
CVE-2026-46368	luci-app-https-dns-proxy Authenticated Command Injection via setInitAction	26.05.2026
CVE-2026-4480	Samba: samba: remote code execution in printing subsystem via unescaped job description	26.05.2026
CVE-2026-9550	Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform upfile path traversal	26.05.2026
CVE-2026-9551	Das Parking Management System 停车场管理系统 API Endpoint ExportParkingRecords xp_cmdshell sql injection	26.05.2026
CVE-2026-9552	Das Parking Management System 停车场管理系统 Search API Endpoint sql injection	26.05.2026
CVE-2025-11482	Allocation of Resources Without Limits or Throttling in the OPC-UA Server	26.05.2026	7.5
CVE-2026-48131	VPND IKE Fragment Reassembly - Heap Out-of-Bounds Write via Sequence Number Zero	26.05.2026	8.1
CVE-2026-48132	VPN service may restart unexpectedly when processing IKE traffic over NAT-T 4500/UDP	26.05.2026	8.1
CVE-2026-48133	Identity Awareness Captive Portal - Unauthenticated Local File Inclusion	26.05.2026	7.5
CVE-2026-48134	SQL injection issue in UserCheck Portal when DLP Software Blade is active	26.05.2026	5.6
CVE-2026-48135	HTTP service can incorrectly process malformed HTTP requests	26.05.2026	5.3
CVE-2026-48136	Authenticated Administrator Role-Based Access Control Bypass in Compliance	26.05.2026	4.1
CVE-2026-7310		26.05.2026
CVE-2026-7374	Kubevirt: kubevirt virt-handler: privilege escalation and node compromise via symlink following vulnerability	26.05.2026
CVE-2026-8174	Cross-site Request Forgery	26.05.2026	5.7
CVE-2026-8479		26.05.2026
CVE-2026-9540	vllm-project vllm OpenAI-compatible Serving Path denial of service	26.05.2026
CVE-2026-9541	Squirrel Cnut File sqobject.cpp ReadObject heap-based overflow	26.05.2026
CVE-2026-9542	CodeAstro Leave Management System add_staff.php sql injection	26.05.2026
CVE-2026-9543	Totolink N300RH Web Management cstecgi.cgi setPasswordCfg os command injection	26.05.2026
CVE-2026-9544	Shenzhen Sixun Software Sixun Shanghui Group Business Management System PayConfig sql injection	26.05.2026
CVE-2026-44410	Function Abusement Vulnerability in ZTE ZXUniPOS NDS-LTE	26.05.2026	3.8
CVE-2026-24590	WordPress Paid Videochat Turnkey Site plugin <= 7.3.23 - Broken Access Control vulnerability	26.05.2026	5.3
CVE-2026-24638	WordPress RepairBuddy plugin <= 4.1121 - Broken Access Control vulnerability	26.05.2026	4.3
CVE-2026-25104		26.05.2026	7.8
CVE-2026-25713		26.05.2026	7.8
CVE-2026-27427	WordPress Geo Mashup plugin <= 1.13.18 - Cross Site Scripting (XSS) vulnerability	26.05.2026	6.5
CVE-2026-39642	WordPress Nyla theme <= 1.7 - Arbitrary Shortcode Execution vulnerability	26.05.2026	5.3
CVE-2026-39661	WordPress SW Core plugin <= 1.7.18 - Local File Inclusion vulnerability	26.05.2026	7.5
CVE-2026-39655	WordPress Mayosis Core plugin <= 5.4.7 - Broken Access Control vulnerability	26.05.2026	5.3
CVE-2026-44468	Incorrect Default Permissions in CODESYS Development System	26.05.2026
CVE-2026-44469	Incorrect Default Permissions in CODESYS Development System	26.05.2026
CVE-2026-8046	Incorrect Authorization in CODESYS Control	26.05.2026
CVE-2026-8047	Out-of-bounds Write in CODESYS Control	26.05.2026
CVE-2026-3314	Missing Password Masking in Hitachi Infrastructure Analytics Advisor, Hitachi Ops Center Analyzer and Hitachi Ops Center Analyzer viewpoint	26.05.2026	4.6
CVE-2026-9495		26.05.2026	7.3
CVE-2026-9496		26.05.2026	7.5
CVE-2026-9532	Totolink CA750-PoE Setting cstecgi.cgi setUploadUserData os command injection	26.05.2026
CVE-2026-9533	Totolink CA750-PoE Setting cstecgi.cgi recvUpgradeNewFw os command injection	26.05.2026
CVE-2026-9534	Totolink CA750-PoE Setting cstecgi.cgi setWiFiWpsConfig os command injection	26.05.2026
CVE-2026-9526	itsourcecode Electronic Judging System edit_team.php sql injection	26.05.2026
CVE-2026-9527	itsourcecode Electronic Judging System judges.php cross site scripting	26.05.2026
CVE-2026-9528	itsourcecode Electronic Judging System delete_judge.php sql injection	26.05.2026
CVE-2026-9529	GNU LibreDWG Dwggrep Utility dwggrep.c match_BLOCK_HEADER null pointer dereference	26.05.2026
CVE-2026-9530	GNU LibreDWG Dwgbmp Utility decode.c read_2004_compressed_section out-of-bounds	26.05.2026
CVE-2026-9531	Totolink CA750-PoE Setting cstecgi.cgi setUpgradeUboot os command injection	26.05.2026
CVE-2026-9523	Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform getCalcmeterDetailDayListTree sql injection	26.05.2026
CVE-2026-9524	xianrendzw EasyReport REST Endpoint execute sql injection	26.05.2026
CVE-2026-9525	itsourcecode Electronic Judging System edit_judge.php sql injection	26.05.2026
CVE-2026-4795		26.05.2026	6.5
CVE-2026-9520	blitz-js blitz Sign-in LoginForm.tsx cross site scripting	26.05.2026
CVE-2026-9521	fraillt bitsery std_smart_ptr.h loadFromSharedState improper validation of specified type of input	26.05.2026
CVE-2025-71310		26.05.2026
CVE-2026-42496	Archive::Tar versions before 3.08 for Perl extract symlinks with attacker controlled targets outside the extraction directory	26.05.2026
CVE-2026-42497	Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory	26.05.2026
CVE-2026-9518	hemant6488 CodeIgniter-StudentManagementSystem Students Controller view_students.php addStudent cross site scripting	26.05.2026
CVE-2026-9519	stonith404 pingvin-share Sign-in Auto-Redirect signIn.tsx getServerSideProps cross site scripting	26.05.2026
CVE-2026-9538	Archive::Tar versions before 3.10 for Perl allow memory exhaustion via attacker controlled entry size field in tar header	26.05.2026
CVE-2026-8376	Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds	26.05.2026
CVE-2026-9517	hemant6488 CodeIgniter-StudentManagementSystem Student Management addStudentView access control	26.05.2026
CVE-2026-9515	Totolink CA750-PoE Setting cstecgi.cgi setUnloadUserData os command injection	26.05.2026
CVE-2026-32389	WordPress NanoCare theme < 1.2.2 - Broken Access Control vulnerability	26.05.2026	5.4
CVE-2026-42763	WordPress SePay Gateway plugin <= 1.1.20 - Sensitive Data Exposure vulnerability	26.05.2026	6.5
CVE-2026-42773	WordPress eMagicOne Store Manager plugin <= 1.3.2 - SQL Injection vulnerability	26.05.2026	9.3
CVE-2026-42774	WordPress JetEngine plugin <= 3.8.8.1 - SQL Injection vulnerability	26.05.2026	9.3
CVE-2026-42776	WordPress Sunshine Photo Cart plugin <= 3.6.7 - Broken Access Control vulnerability	26.05.2026	6.3
CVE-2026-9514	Totolink CA750-PoE Setting cstecgi.cgi setNetworkDiag os command injection	26.05.2026
CVE-2026-24937	WordPress Broadcast Live Video plugin < 7.1.3 - Remote Code Execution (RCE) vulnerability	26.05.2026	7.2
CVE-2026-39436	WordPress CformsII plugin <= 15.1.3 - Cross Site Request Forgery (CSRF) vulnerability	26.05.2026	7.1
CVE-2026-45209	WordPress MyCryptoCheckout plugin <= 2.161 - Broken Access Control vulnerability	26.05.2026	7.5
CVE-2026-45216	WordPress Smart Manager plugin <= 8.85.0 - Privilege Escalation vulnerability	26.05.2026	8.8
CVE-2026-45217	WordPress Stripe Payment Gateway for WooCommerce plugin <= 5.0.7 - Broken Authentication vulnerability	26.05.2026	6.5
CVE-2026-45435	WordPress WP Activity Log plugin <= 5.6.3 - Cross Site Scripting (XSS) vulnerability	26.05.2026	6.5
CVE-2026-45438	WordPress Smart Coupons for WooCommerce plugin < 2.3.0 - Broken Access Control vulnerability	26.05.2026	7.5
CVE-2026-48837	WordPress Unlimited Elements For Elementor plugin <= 2.0.8 - SQL Injection vulnerability	26.05.2026	8.5
CVE-2026-9512	Totolink CA750-PoE Setting cstecgi.cgi setPasswordCfg os command injection	26.05.2026
CVE-2026-9513	Totolink CA750-PoE Setting cstecgi.cgi NTPSyncWithHost os command injection	25.05.2026
CVE-2026-24527	WordPress Autoship Cloud for WooCommerce Subscription Products plugin <= 2.14.0 - Broken Access Control vulnerability	26.05.2026	4.3
CVE-2026-24554	WordPress WPSubscription plugin <= 1.9.1 - Cross Site Request Forgery (CSRF) vulnerability	26.05.2026	4.3
CVE-2026-27346	WordPress B2BKing plugin < 5.2.10 - Broken Access Control vulnerability	26.05.2026	4.9
CVE-2026-27357	WordPress WP Search Analytics plugin < 1.5.0 - Broken Access Control vulnerability	26.05.2026	5.3
CVE-2026-27398	WordPress RSVP and Event Management plugin <= 2.7.16 - Broken Access Control vulnerability	26.05.2026	5.3
CVE-2026-9511	Totolink CA750-PoE Setting cstecgi.cgi setWebWlanIdx os command injection	25.05.2026
CVE-2025-62745	WordPress Team Showcase plugin <= 1.22.28 - Cross Site Scripting (XSS) vulnerability	26.05.2026	6.5
CVE-2026-24582	WordPress FlexTable plugin <= 3.24.0 - Broken Access Control vulnerability	26.05.2026	4.3
CVE-2026-24586	WordPress Newses theme <= 2.0.0.77 - Broken Access Control vulnerability	26.05.2026	5.4
CVE-2026-24592	WordPress Auto Affiliate Links plugin <= 6.8.8.3 - Broken Access Control vulnerability	26.05.2026	5.3
CVE-2026-9504	GNU LibreDWG Dwggrep Utility dwggrep.c bit_convert_TU out-of-bounds	26.05.2026
CVE-2026-24545	WordPress QR Redirector plugin <= 2.0.3 - Broken Access Control vulnerability	26.05.2026	4.3
CVE-2026-24574	WordPress Export WP Page to Static HTML/CSS plugin <= 6.0.0 - Cross Site Request Forgery (CSRF) vulnerability	26.05.2026	6.5
CVE-2026-24597	WordPress Organization chart plugin <= 1.7.5 - Cross Site Request Forgery (CSRF) vulnerability	26.05.2026	4.3
CVE-2026-9502	GNU LibreDWG Dwgread Utility decode.c decompress_R2004_section heap-based overflow	26.05.2026
CVE-2026-9503	GNU LibreDWG DWG File decode.c dwg_next_entity null pointer dereference	26.05.2026
CVE-2026-43827	Apache Shiro: Session fixation: new session is not created after login by default	26.05.2026
CVE-2026-43828	Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default	26.05.2026
CVE-2026-44598	Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials)	26.05.2026
CVE-2026-48589	Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow	26.05.2026
CVE-2026-48850		26.05.2026	3.7
CVE-2026-48851		26.05.2026	3.1
CVE-2026-48852		26.05.2026	3.7
CVE-2026-9500	GNU LibreDWG Dwgread Utility decode.c read_2004_compressed_section heap-based overflow	26.05.2026
CVE-2026-9501	GNU LibreDWG Dwgread Utility decode.c decompress_R2004_section assertion	25.05.2026
CVE-2026-48849		26.05.2026	4.4
CVE-2026-9497	changmingxie tcc-transaction Fastjson AutoType REST API Fastjson.parseObject deserialization	26.05.2026
CVE-2026-9498	Dromara lamp-cloud Message Template GroovyClassLoader.parseClass special elements used in a template engine	25.05.2026
CVE-2026-24546	WordPress GamiPress plugin <= 7.6.3 - Broken Access Control vulnerability	26.05.2026	5.3
CVE-2026-48842		26.05.2026	8.1
CVE-2026-48843		26.05.2026	7.2
CVE-2026-48844		26.05.2026	7.5
CVE-2026-48845		26.05.2026	6.5
CVE-2026-48846		26.05.2026	6.5
CVE-2026-48847		26.05.2026	3.7
CVE-2026-48848		26.05.2026	7.2
CVE-2026-9484	SourceCodester Student Grades Management System classroom.php removeStudentFromClassroom improper authorization	25.05.2026
CVE-2026-9485	SourceCodester Student Grades Management System students.php cross site scripting	26.05.2026
CVE-2026-9486	SourceCodester Student Grades Management System cross-site request forgery	26.05.2026
CVE-2026-9482	Edimax EW-7438RPn formSDHCP stack-based overflow	25.05.2026
CVE-2026-9483	SourceCodester Student Grades Management System grades.php improper authorization	26.05.2026
CVE-2026-9480	Edimax EW-7438RPn formrefresh stack-based overflow	26.05.2026
CVE-2026-9481	Edimax EW-7438RPn formStats stack-based overflow	26.05.2026
CVE-2026-9478	Totolink A8000RU Web Management cstecgi.cgi setParentalRules os command injection	25.05.2026
CVE-2026-9479	Edimax EW-7438RPn formLogout stack-based overflow	26.05.2026