| CVE | Title | Date | Score |
|---|---|---|---|
| CVE-2025-11159 | Hitachi Vantara Pentaho Data Integration & Analytics - Dependency on Vulnerable Third-Party Component | 13.05.2026 | 9.1 |
| CVE-2025-14033 | ilGhera Support System for WooCommerce <= 1.3.0 - Missing Authorization to Unauthenticated Sensitive Information Exposure | 13.05.2026 | 5.3 |
| CVE-2026-21015 | | 13.05.2026 | |
| CVE-2026-21016 | | 13.05.2026 | |
| CVE-2026-21018 | | 13.05.2026 | |
| CVE-2026-21019 | | 13.05.2026 | |
| CVE-2026-21020 | | 13.05.2026 | |
| CVE-2026-21021 | | 13.05.2026 | |
| CVE-2026-21022 | | 13.05.2026 | |
| CVE-2026-21024 | | 13.05.2026 | |
| CVE-2026-2725 | Improper Authorization in Gerrit allowing Code Review Bypass via "Submitted Together" | 13.05.2026 | |
| CVE-2026-32661 | | 13.05.2026 | |
| CVE-2026-44612 | | 13.05.2026 | |
| CVE-2026-6929 | JoomSport <= 5.7.7 - Unauthenticated SQL Injection via 'sortf' Parameter | 13.05.2026 | 7.5 |
| CVE-2026-6965 | Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter | 13.05.2026 | 5.3 |
| CVE-2025-14755 | Cost Calculator Builder <= 4.0.1 - Unauthenticated Price Manipulation and Insecure Direct Object Reference | 13.05.2026 | 5.3 |
| CVE-2025-9987 | Broadstreet <= 1.53.1 - Authenticated (Subscriber+) Information Disclosure | 13.05.2026 | 5.3 |
| CVE-2025-9988 | Broadstreet <= 1.53.1 - Missing Authorization to Authenticated (Subscriber+) Advertiser Creation | 13.05.2026 | 4.3 |
| CVE-2025-9989 | Broadstreet <= 1.53.1 - Authenticated (Admin+) Stored Cross-Site Scripting | 13.05.2026 | 4.4 |
| CVE-2026-6828 | Fluent Forms <= 6.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'permission_message' Shortcode Attribute | 13.05.2026 | 6.4 |
| CVE-2026-6962 | Cost of Goods: Product Cost & Profit Calculator for WooCommerce <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | 13.05.2026 | 6.4 |
| CVE-2026-7051 | Blog2Social: Social Media Auto Post & Scheduler <= 8.9.0 - Missing Authorization to Authenticated (Subscriber+) Delete Arbitrary B2S Post Records via 'postId' Parameter | 13.05.2026 | 5.4 |
| CVE-2026-7619 | Charitable <= 1.8.10.4 - Authenticated (Custom+) SQL Injection via 's' Search Parameter | 13.05.2026 | 6.5 |
| CVE-2026-7635 | coreActivity: Activity Logging for WordPress <= 3.0 - Unauthenticated PHP Object Injection via 'user_agent' Log Meta Field | 13.05.2026 | 8.1 |
| CVE-2024-36315 | | 13.05.2026 | |
| CVE-2025-61971 | | 13.05.2026 | |
| CVE-2025-61972 | | 13.05.2026 | |
| CVE-2025-62623 | | 13.05.2026 | |
| CVE-2025-62624 | | 13.05.2026 | |
| CVE-2025-62627 | | 13.05.2026 | |
| CVE-2026-6888 | SQL Injection Vulnerability | 13.05.2026 | 7.2 |
| CVE-2026-8202 | Post-authentication CPU utilization DoS via $trim/$ltrim/$rtrim operators | 13.05.2026 | |
| CVE-2026-8053 | FlatBSON Duplicate Field Index Drift | 13.05.2026 | |
| CVE-2026-8199 | Post-auth memory exhaustion via bitwise match expressions | 13.05.2026 | |
| CVE-2026-8200 | Schema validation log messages may not redact user data | 13.05.2026 | |
| CVE-2026-8201 | Use-After-Free in MongoDB FLE Query Analysis When Processing Positional Projections on Encrypted Fields | 13.05.2026 | |
| CVE-2026-8336 | Post-authentication use-after-free error in $_internalJsEmit and mapreduce commands | 13.05.2026 | |
| CVE-2026-42156 | Flowsint: Cypher query injection in node type on node creation | 12.05.2026 | |
| CVE-2026-42157 | Flowsint: Stored XSS on map node marker in map page | 12.05.2026 | |
| CVE-2026-42158 | Flowsint: Broken Access Control allows modification of investigation metadata from any user | 12.05.2026 | |
| CVE-2026-44245 | Kyverno: [policy-reporter-ui] XSS via Stored Property Values in PropertyCard Component | 12.05.2026 | 6.1 |
| CVE-2026-44347 | Warpgate: SSO CSRF -- State Token Not Validated on Return | 12.05.2026 | 5.8 |
| CVE-2026-44352 | Flowsint: Broken Access Control allows reading of sketch logs from any user | 12.05.2026 | |
| CVE-2025-15463 | Advanced Custom Fields: Extended <= 0.9.2.3 - Unauthenticated Arbitrary Shortcode Execution | 13.05.2026 | 6.5 |
| CVE-2026-1250 | Court Reservation – Manage Your Court Bookings Online <= 1.10.11 - Unauthenticated SQL Injection | 13.05.2026 | 7.5 |
| CVE-2026-41901 | Thymeleaf: Improper recognition of unauthorized syntax patterns in sandboxed Thymeleaf expressions | 12.05.2026 | 9 |
| CVE-2026-42288 | ChurchCRM: Incomplete fix for CVE-2026-39337: Unauthenticated RCE in Setup Wizard via unsanitized DB_PASSWORD | 12.05.2026 | 10 |
| CVE-2026-42289 | ChurchCRM: Cross-Site Request Forgery (CSRF) Leading to Admin Privilege Escalation | 12.05.2026 | 8.8 |
| CVE-2026-43680 | | 13.05.2026 | |
| CVE-2026-43685 | | 13.05.2026 | |
| CVE-2026-44341 | GoJobs: Insecure Direct Object Reference (IDOR) in Job Retrieval Endpoint | 12.05.2026 | 5.3 |
| CVE-2026-44547 | ChurchCRM: Incomplete fix for CVE-2026-40582: public API login still bypasses 2FA and account lockout in ChurchCRM 7.2.2 | 12.05.2026 | 9.6 |
| CVE-2026-44548 | ChurchCRM: CSRF via legacy GET-delete pages (FundRaiserDelete.php, PropertyTypeDelete.php, NoteDelete.php) | 12.05.2026 | 8.1 |
| CVE-2026-5371 | MonsterInsights <= 10.1.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure And Plugin Integration Reset | 13.05.2026 | 7.1 |
| CVE-2026-8108 | Fuji Electric Tellus Exposed Dangerous Method or Function | 13.05.2026 | 7.8 |
| CVE-2026-40863 | PhpSpreadsheet: CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader | 12.05.2026 | 7.5 |
| CVE-2026-40902 | PhpSpreadsheet: CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions | 12.05.2026 | 7.5 |
| CVE-2026-42544 | Granian: Unauthenticated DoS via WebSocket subprotocol header panic | 12.05.2026 | 7.5 |
| CVE-2026-42545 | Granian: DoS via WSGI response header panic | 12.05.2026 | 5.9 |
| CVE-2026-42854 | arduino-esp32: Stack buffer overflow in WebServer multipart boundary parsing leads to remote crash potential RCE | 12.05.2026 | 9.8 |
| CVE-2026-42855 | arduino-esp32: Digest authentication URI mismatch bypass in WebServer allows cross-resource replay attack | 12.05.2026 | 7.5 |
| CVE-2026-44307 | Mako: Path traversal via backslash URI on Windows in TemplateLookup | 12.05.2026 | |
| CVE-2026-41195 | mosparo: Rule package source URL stored SSRF enables internal HTTP probing | 12.05.2026 | 5 |
| CVE-2026-42268 | ModSecurity: Unsigned integer underflow in @verifySSN / @verifyCPF / @verifySVNR operators | 12.05.2026 | |
| CVE-2026-42844 | Grav: Low-privileged API users can create super-admin accounts via blueprint-upload | 12.05.2026 | |
| CVE-2026-44241 | Micronaut Framework: Unbounded formattersCache in TimeConverterRegistrar Allows Memory Exhaustion via Accept-Language Header | 12.05.2026 | 7.5 |
| CVE-2026-44242 | Micronaut Framework: Unbounded bundleCache in ResourceBundleMessageSource Allows Memory Exhaustion via Accept-Language Header | 12.05.2026 | 3.7 |
| CVE-2026-44301 | Hugo: Node tool execution allows file system access outside the project directory | 12.05.2026 | |
| CVE-2026-44302 | Snappier: Infinite loop in SnappyStream decompression on malformed framed input | 12.05.2026 | 7.5 |
| CVE-2026-44304 | Lemur: LDAP Filter Injection enables post-authentication privilege escalation | 12.05.2026 | 8.1 |
| CVE-2026-44305 | Lemur: LDAP TLS certificate verification globally disabled enables credential interception | 12.05.2026 | 6.8 |
| CVE-2026-44306 | Statamic: Email enumeration via forgot password endpoint | 12.05.2026 | 5.3 |
| CVE-2026-45226 | Heym < 0.0.21 Authorization Bypass in Workflow Execution | 12.05.2026 | |
| CVE-2026-45227 | Heym < 0.0.21 Sandbox Escape via Python Introspection | 12.05.2026 | |
| CVE-2026-8449 | Linux ksmbd Remote Memory Corruption via ACL Inheritance | 12.05.2026 | 8.8 |
| CVE-2026-26289 | Subnet Solutions PowerSYSTEM Center Incorrect Authorization | 13.05.2026 | |
| CVE-2026-33570 | Subnet Solutions PowerSYSTEM Center Incorrect Authorization | 13.05.2026 | |
| CVE-2026-35555 | Subnet Solutions PowerSYSTEM Center Incorrect Authorization | 13.05.2026 | |
| CVE-2026-42196 | django-s3file: Relative path traversal | 12.05.2026 | |
| CVE-2026-43948 | wger: cross-tenant password reset and plaintext disclosure via gym=None bypass | 12.05.2026 | 9.9 |
| CVE-2026-44015 | Nginx UI: Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware Allows Access to Internal Services | 12.05.2026 | 8.5 |
| CVE-2026-44257 | efw4.X: RCE via zipslip | 12.05.2026 | |
| CVE-2026-44258 | efw4.X: Path Traversal via Unchecked dst Parameter leads to Remote Code Execution | 12.05.2026 | |
| CVE-2026-44259 | efw4.X: Stored XSS via previewServlet | 12.05.2026 | 4.6 |
| CVE-2026-44260 | efw4.X: readonly Flag Not Enforced Server-Side | 12.05.2026 | 8.1 |
| CVE-2026-44262 | Scramble: Remote code execution via evaluation of user-controlled input in validation rules | 12.05.2026 | 9.4 |
| CVE-2026-44296 | Deskflow: TLS multiplexer DoS on failed `SSL_accept` | 12.05.2026 | 7.5 |
| CVE-2026-44871 | Authenticated Command Injection Vulnerabilities in Command Line Interface (CLI) Service Accessed by PAPI Protocol of AOS-8 and AOS-10 Operating Systems | 12.05.2026 | 7.2 |
| CVE-2026-45225 | Heym < 0.0.21 Path Traversal File Upload via upload_file() | 12.05.2026 | |
| CVE-2025-65086 | Out-of-bounds write in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share | 12.05.2026 | |
| CVE-2025-65087 | Out-of-bounds read in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share | 12.05.2026 | |
| CVE-2025-65088 | Out-of-bounds read in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share | 12.05.2026 | |
| CVE-2026-35504 | Subnet Solutions PowerSYSTEM Center CRLF injection | 12.05.2026 | |
| CVE-2026-44010 | Craft CMS: Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure | 12.05.2026 | |
| CVE-2026-44011 | Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior | 12.05.2026 | |
| CVE-2026-44012 | Craft CMS: Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure | 12.05.2026 | |
| CVE-2026-44224 | Wiki.js: Privilege Escalation via Missing Group Validation in users.update | 12.05.2026 | |
| CVE-2026-44232 | dssrf: every IPv6 category bypasses is_url_safe | 12.05.2026 | |
| CVE-2026-44240 | basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering | 12.05.2026 | 7.5 |
| CVE-2026-44246 | nnU-Net: Agentic workflow injection in `.github/workflows/issue-triage.yml` of `MIC-DKFZ/nnUNet` | 12.05.2026 | 7.2 |
| CVE-2026-44403 | Wing FTP Server 8.1.2 Authenticated Remote Code Execution via Session Serialization | 12.05.2026 | 7.2 |
| CVE-2026-34645 | Adobe Commerce \| Incorrect Authorization (CWE-863) | 12.05.2026 | 7.5 |
| CVE-2026-34646 | Adobe Commerce \| Incorrect Authorization (CWE-863) | 12.05.2026 | 7.5 |
| CVE-2026-34647 | Adobe Commerce \| Server-Side Request Forgery (SSRF) (CWE-918) | 12.05.2026 | 7.4 |
| CVE-2026-34648 | Adobe Commerce \| Uncontrolled Resource Consumption (CWE-400) | 13.05.2026 | 7.5 |
| CVE-2026-34649 | Adobe Commerce \| Uncontrolled Resource Consumption (CWE-400) | 13.05.2026 | 7.5 |
| CVE-2026-34650 | Adobe Commerce \| Uncontrolled Resource Consumption (CWE-400) | 13.05.2026 | 7.5 |
| CVE-2026-34651 | Adobe Commerce \| Uncontrolled Resource Consumption (CWE-400) | 13.05.2026 | 7.5 |
| CVE-2026-34652 | Adobe Commerce \| Dependency on Vulnerable Third-Party Component (CWE-1395) | 13.05.2026 | 7.5 |
| CVE-2026-34653 | Adobe Commerce \| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | 12.05.2026 | 8.7 |
| CVE-2026-34654 | Adobe Commerce \| Dependency on Vulnerable Third-Party Component (CWE-1395) | 13.05.2026 | 5.3 |
| CVE-2026-34655 | Adobe Commerce \| Cross-site Scripting (Stored XSS) (CWE-79) | 12.05.2026 | 4.8 |
| CVE-2026-34656 | Adobe Commerce \| Improper Authorization (CWE-285) | 13.05.2026 | 4.3 |
| CVE-2026-34658 | Adobe Commerce \| Cross-site Scripting (Stored XSS) (CWE-79) | 13.05.2026 | 4.8 |
| CVE-2026-34665 | CAI Content Credentials \| Uncontrolled Resource Consumption (CWE-400) | 12.05.2026 | 7.5 |
| CVE-2026-34666 | CAI Content Credentials \| Improper Input Validation (CWE-20) | 12.05.2026 | 6.2 |
| CVE-2026-34667 | CAI Content Credentials \| Integer Underflow (Wrap or Wraparound) (CWE-191) | 12.05.2026 | 6.2 |
| CVE-2026-34668 | CAI Content Credentials \| Improper Input Validation (CWE-20) | 12.05.2026 | 6.2 |
| CVE-2026-34669 | CAI Content Credentials \| Improper Input Validation (CWE-20) | 12.05.2026 | 6.2 |
| CVE-2026-34670 | CAI Content Credentials \| Improper Input Validation (CWE-20) | 12.05.2026 | 6.2 |
| CVE-2026-34671 | CAI Content Credentials \| Integer Overflow or Wraparound (CWE-190) | 12.05.2026 | 6.2 |
| CVE-2026-34672 | CAI Content Credentials \| Integer Underflow (Wrap or Wraparound) (CWE-191) | 12.05.2026 | 6.2 |
| CVE-2026-34673 | CAI Content Credentials \| Uncontrolled Resource Consumption (CWE-400) | 12.05.2026 | 6.2 |
| CVE-2026-34677 | CAI Content Credentials \| Uncontrolled Resource Consumption (CWE-400) | 12.05.2026 | 6.2 |
| CVE-2026-34678 | CAI Content Credentials \| Uncontrolled Resource Consumption (CWE-400) | 12.05.2026 | 6.2 |
| CVE-2026-34679 | CAI Content Credentials \| Improper Input Validation (CWE-20) | 12.05.2026 | 6.2 |
| CVE-2026-34680 | CAI Content Credentials \| Integer Overflow or Wraparound (CWE-190) | 12.05.2026 | 6.2 |
| CVE-2026-34685 | Adobe Commerce \| Improper Input Validation (CWE-20) | 13.05.2026 | 3.4 |
| CVE-2026-34686 | Adobe Commerce \| Cross-site Scripting (Stored XSS) (CWE-79) | 12.05.2026 | 8.7 |
| CVE-2026-34688 | CAI Content Credentials \| Improper Input Validation (CWE-20) | 12.05.2026 | 6.2 |
| CVE-2026-34690 | After Effects \| Stack-based Buffer Overflow (CWE-121) | 12.05.2026 | 7.8 |
| CVE-2026-42338 | ip-address: XSS in Address6 HTML-emitting methods | 12.05.2026 | |
| CVE-2026-42889 | Relay Server WebSocket authentication bypass when token is omitted | 12.05.2026 | 9.1 |
| CVE-2026-44217 | sse-channel: SSE Injection via unsanitized event fields | 12.05.2026 | |
| CVE-2026-44218 | ciguard: Container image runs as root (no USER directive) | 12.05.2026 | 3 |
| CVE-2026-44219 | ciguard: SCA HTTP client reads response body without size cap | 12.05.2026 | 3.7 |
| CVE-2026-44220 | ciguard: discover_pipeline_files follows symlinks out of scan root | 12.05.2026 | 3.2 |
| CVE-2026-44221 | ArcadeDB: Cross-database authorization bypass and unsecured newly-created databases | 12.05.2026 | 9 |
| CVE-2026-44222 | vLLM: Remote DoS via Special-Token Placeholders | 12.05.2026 | 6.5 |
| CVE-2026-44223 | vLLM: extract_hidden_states speculative decoding crashes server on any request with penalty parameters | 12.05.2026 | 6.5 |
| CVE-2026-44225 | Pulpy: Incomplete filesystem sandbox in pulpy.fs bridge allows packaged web apps to read arbitrary user files | 12.05.2026 | 9.3 |
| CVE-2026-45185 | | 13.05.2026 | 9.8 |
| CVE-2026-23824 | Unauthenticated Denial-of-Service via Crafted Messages in a Network Protocol Handling Component | 12.05.2026 | 7.5 |
| CVE-2026-23825 | Unauthenticated Denial-of-Service via Crafted Messages in a Network Protocol Handling Component | 12.05.2026 | 7.5 |
| CVE-2026-23826 | Unauthenticated Denial of Service in AOS-8 Network Management Service | 12.05.2026 | 7.5 |
| CVE-2026-23827 | Unauthenticated Remote Code Execution via Heap Buffer Overflow in Network Management Service | 12.05.2026 | 7.5 |
| CVE-2026-42191 | OpenTelemetry.Exporter.OpenTelemetryProtocol: Disk retry default temp path enables local blob injection for OTLP Exporter | 12.05.2026 | 6.5 |
| CVE-2026-42355 | NanaZip: Uncontrolled recursion in NanaZip Electron ASAR parser causes stack exhaustion | 12.05.2026 | 3.3 |
| CVE-2026-42442 | NanaZip: Null-pointer dereference in NanaZip UFS parser when root inode is a symlink | 12.05.2026 | 3.3 |
| CVE-2026-42443 | NanaZip: Integer divide-by-zero in NanaZip UFS inode offset calculation | 12.05.2026 | 3.3 |
| CVE-2026-42444 | NanaZip: Unbounded resource consumption in NanaZip littlefs parser via attacker-controlled BlockCount | 12.05.2026 | 3.3 |
| CVE-2026-42445 | NanaZip: Uncontrolled recursion in NanaZip UFS directory traversal causes stack exhaustion | 12.05.2026 | 3.3 |
| CVE-2026-42446 | NanaZip: Stack out-of-bounds read in NanaZip ZealFS bitmap parser | 12.05.2026 | 4.4 |
| CVE-2026-44215 | NanaZip: Heap out-of-bounds write in NanaZip UFS directory parser | 12.05.2026 | 4.4 |
| CVE-2026-44852 | Authenticated Remote Code Execution via Arbitrary File Overwrite in the AOS-8 and AOS-10 Web-Based Management Interface | 12.05.2026 | 7.2 |
| CVE-2026-44853 | Authenticated Remote Code Execution via Arbitrary File Write in AOS-8 and AOS-10 Web-Based Management Interface | 12.05.2026 | 7.2 |
| CVE-2026-44854 | Authenticated Remote Code Execution via Arbitrary File Write in AOS-8 and AOS-10 Web-Based Management Interface | 12.05.2026 | 7.2 |
| CVE-2026-44855 | Authenticated Stack-Based Buffer Overflow in PAPI Services | 12.05.2026 | 7.2 |
| CVE-2026-44856 | Authenticated Stack-Based Buffer Overflow in PAPI Services | 12.05.2026 | 7.2 |
| CVE-2026-44857 | Authenticated Stack-Based Buffer Overflow in PAPI Services | 12.05.2026 | 7.2 |
| CVE-2026-44858 | Authenticated Stack-Based Buffer Overflow in PAPI Services | 12.05.2026 | 7.2 |
| CVE-2026-44859 | Authenticated Stack-Based Buffer Overflow in PAPI Services | 12.05.2026 | 7.2 |
| CVE-2026-44860 | Authenticated Remote Code Execution via SQL Injection in AOS-8 and AOS-10 Operating Systems | 12.05.2026 | 7.2 |
| CVE-2026-44861 | Authenticated Remote Code Execution via SQL Injection in AOS-8 and AOS-10 Operating Systems | 12.05.2026 | 7.2 |
| CVE-2026-44862 | Authenticated Remote Code Execution via SQL Injection in AOS-8 and AOS-10 Operating Systems | 12.05.2026 | 7.2 |
| CVE-2026-44863 | Authenticated Remote Code Execution via SQL Injection in AOS-8 and AOS-10 Operating Systems | 12.05.2026 | 7.2 |
| CVE-2026-44864 | Authenticated Remote Code Execution via SQL Injection in AOS-8 and AOS-10 Operating Systems | 12.05.2026 | 7.2 |
| CVE-2026-44865 | Authenticated Command Injection Vulnerabilities in the Web-Based Management Interface of AOS-8 and AOS-10 | 12.05.2026 | 7.2 |
| CVE-2026-44866 | Authenticated Command Injection Vulnerabilities in the Web-Based Management Interface of AOS-8 and AOS-10 | 12.05.2026 | 7.2 |
| CVE-2026-44867 | Authenticated Command Injection Vulnerabilities in the Web-Based Management Interface of AOS-8 and AOS-10 | 12.05.2026 | 7.2 |
| CVE-2026-44868 | Authenticated Command Injection Vulnerabilities in the Web-Based Management Interface of AOS-8 and AOS-10 | 12.05.2026 | 7.2 |
| CVE-2026-44869 | Authenticated Command Injection Vulnerabilities in the Web-Based Management Interface of AOS-8 and AOS-10 | 12.05.2026 | 7.2 |
| CVE-2026-44870 | Authenticated Command Injection Vulnerabilities in Command Line Interface (CLI) Service Accessed by PAPI Protocol of AOS-8 and AOS-10 Operating Systems | 12.05.2026 | 7.2 |
| CVE-2026-44872 | Authenticated Arbitrary File Upload via Command Injection in AOS-8 AND AOS-10 Web-Based Management Interface | 12.05.2026 | 7.2 |
| CVE-2026-44873 | Insufficient Session Invalidation on User Account Deactivation in AOS-8 Operating System | 12.05.2026 | 5.4 |
| CVE-2026-44874 | Authenticated Arbitrary File Download via AOS-10 Web-Based Management Interface | 12.05.2026 | 4.9 |
| CVE-2026-6959 | Nomad vulnerable to arbitrary file read/write on client host through symlink attack | 12.05.2026 | 6 |
| CVE-2026-7474 | Nomad vulnerable to path traversal in dynamic host volume which may lead to code execution | 13.05.2026 | 8.8 |
| CVE-2026-8052 | Nomad's exec2 task driver vulnerable to arbitrary file read/write on client host through symlink attack | 12.05.2026 | 6 |
| CVE-2026-23819 | Error in SSID Processing allows Stored XSS in Web Management Interface | 12.05.2026 | 8.8 |
| CVE-2026-23820 | Inconsistent input filtering allows Authenticated Command Injection in AOS-8 Instant and AOS-10 CLI | 13.05.2026 | 7.2 |
| CVE-2026-23821 | Inconsistent input filtering allows Authenticated Command Injection in AOS-10 CLI | 13.05.2026 | 7.2 |
| CVE-2026-23822 | Unauthenticated XML External Entity Injection in AOS-8 Instant allows Denial of Service | 12.05.2026 | 5.3 |
| CVE-2026-23823 | Authenticated Command Injection leads to RCE in AOS-10 CLI Command | 13.05.2026 | 7.2 |
| CVE-2026-34659 | Adobe Connect \| Deserialization of Untrusted Data (CWE-502) | 13.05.2026 | 9.6 |
| CVE-2026-34660 | Adobe Connect \| Incorrect Authorization (CWE-863) | 13.05.2026 | 9.3 |
| CVE-2026-34664 | Substance3D - Designer \| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) | 12.05.2026 | 6.3 |
| CVE-2026-34681 | Substance3D - Designer \| Out-of-bounds Write (CWE-787) | 13.05.2026 | 7.8 |
| CVE-2026-34682 | Substance3D - Designer \| Out-of-bounds Write (CWE-787) | 13.05.2026 | 7.8 |
| CVE-2026-34683 | Substance3D - Designer \| Out-of-bounds Write (CWE-787) | 13.05.2026 | 5.5 |
| CVE-2026-34684 | Substance3D - Designer \| Out-of-bounds Write (CWE-787) | 13.05.2026 | 5.5 |
| CVE-2026-8429 | SPIP < 4.4.14 Remote Code Execution via Private Space | 12.05.2026 | 8.8 |
| CVE-2026-8430 | SPIP < 4.4.14 Remote Code Execution via nginx | 12.05.2026 | 8.1 |
| CVE-2026-8431 | Ops Manager RCE via webhook body | 12.05.2026 | |
| CVE-2025-43524 | | 12.05.2026 | |
| CVE-2025-46311 | | 12.05.2026 | |
| CVE-2026-20714 | | 13.05.2026 | |
| CVE-2026-20767 | | 13.05.2026 | |
| CVE-2026-29204 | | 12.05.2026 | 9.1 |
| CVE-2026-31243 | | 12.05.2026 | |
| CVE-2026-31244 | | 12.05.2026 | |
| CVE-2026-31245 | | 12.05.2026 | |
| CVE-2026-34661 | Illustrator \| Out-of-bounds Write (CWE-787) | 13.05.2026 | 7.8 |
| CVE-2026-34662 | Illustrator \| NULL Pointer Dereference (CWE-476) | 12.05.2026 | 5.5 |
| CVE-2026-34663 | Illustrator \| Out-of-bounds Read (CWE-125) | 12.05.2026 | 5.5 |
| CVE-2026-34675 | Substance3D - Painter \| Out-of-bounds Write (CWE-787) | 13.05.2026 | 7.8 |
| CVE-2026-34676 | Substance3D - Painter \| Out-of-bounds Write (CWE-787) | 13.05.2026 | 7.8 |
| CVE-2026-34687 | Illustrator \| Heap-based Buffer Overflow (CWE-122) | 13.05.2026 | 7.8 |
| CVE-2026-42048 | Langflow: Path Traversal in Langflow Knowledge Bases API | 12.05.2026 | 9.6 |
| CVE-2026-42175 | requests-hardened: Server-Side Request Forgery (SSRF) in requests-hardened RFC 6598 | 12.05.2026 | 6.5 |
| CVE-2026-42300 | DevGuard: Unauthenticated identity assertion via `X-Admin-Token` header | 12.05.2026 | |
| CVE-2026-42303 | Fides: Privacy Request Identity Verification Bypass Vulnerability via Duplicate Detection | 12.05.2026 | |
| CVE-2026-42348 | OpAMP client reads unbounded HTTP response bodies | 12.05.2026 | 5.9 |
| CVE-2026-42541 | Kubewarden: RBAC Reconnaissance via unchecked can_i host capability call | 12.05.2026 | 4.3 |
| CVE-2026-43892 | AntSword: Incomplete noxss() sanitization leads to 1-click RCE via jquery.terminal format code injection | 12.05.2026 | 8.8 |
| CVE-2026-43929 | ssrfcheck: Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs | 12.05.2026 | 8.2 |
| CVE-2026-44183 | Cleanuparr: X-Forwarded-For leftmost parsing allows remote unauthenticated admin takeover when reverse-proxy mode is enabled | 12.05.2026 | 9.8 |
| CVE-2026-44184 | Cleanuparr: Reflective CORS combined with trusted-network auth allows cross-origin admin API reads | 12.05.2026 | 8 |
| CVE-2026-44196 | Pingvin Share X: TOTP Authentication Bypass via Password-only Login | 12.05.2026 | 9.1 |
| CVE-2026-44204 | Shelf: SQL Injection via sortBy Parameter | 12.05.2026 | 6.5 |
| CVE-2026-5146 | | 12.05.2026 | |
| CVE-2025-53680 | | 13.05.2026 | 6.1 |
| CVE-2025-53681 | | 13.05.2026 | 6.3 |
| CVE-2025-53844 | | 13.05.2026 | 8.3 |
| CVE-2025-53870 | | 13.05.2026 | 6.5 |
| CVE-2025-67604 | | 12.05.2026 | 5.2 |
| CVE-2026-21530 | Windows Rich Text Edit Elevation of Privilege Vulnerability | 13.05.2026 | 6.7 |
| CVE-2026-25088 | | 12.05.2026 | 5.1 |
| CVE-2026-25690 | | 12.05.2026 | 4 |
| CVE-2026-26083 | | 13.05.2026 | 9.1 |
| CVE-2026-31229 | | 12.05.2026 | |
| CVE-2026-31230 | | 12.05.2026 | |
| CVE-2026-31231 | | 12.05.2026 | |
| CVE-2026-31232 | | 12.05.2026 | |
| CVE-2026-31233 | | 12.05.2026 | |
| CVE-2026-31234 | | 12.05.2026 | |
| CVE-2026-31235 | | 12.05.2026 | |
| CVE-2026-31236 | | 12.05.2026 | |
| CVE-2026-31237 | | 12.05.2026 | |
| CVE-2026-31238 | | 12.05.2026 | |
| CVE-2026-31239 | | 12.05.2026 | |
| CVE-2026-31240 | | 12.05.2026 | |
| CVE-2026-31241 | | 12.05.2026 | |
| CVE-2026-31242 | | 12.05.2026 | |
| CVE-2026-32161 | Windows Native WiFi Miniport Driver Remote Code Execution Vulnerability | 13.05.2026 | 7.5 |
| CVE-2026-32170 | Windows Rich Text Edit Elevation of Privilege Vulnerability | 13.05.2026 | 6.7 |
| CVE-2026-32175 | .NET Core Tampering Vulnerability | 12.05.2026 | 4.3 |
| CVE-2026-32177 | .NET Elevation of Privilege Vulnerability | 13.05.2026 | 7.3 |
| CVE-2026-32185 | Microsoft Teams Spoofing Vulnerability | 13.05.2026 | 5.5 |
| CVE-2026-32204 | Azure Monitor Agent Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-32209 | Windows Filtering Platform (WFP) Security Feature Bypass Vulnerability | 12.05.2026 | 4.4 |
| CVE-2026-33110 | Microsoft SharePoint Server Remote Code Execution Vulnerability | 13.05.2026 | 8.8 |
| CVE-2026-33112 | Microsoft SharePoint Server Remote Code Execution Vulnerability | 13.05.2026 | 8.8 |
| CVE-2026-33117 | Azure SDK for Java Security Feature Bypass Vulnerability | 13.05.2026 | 9.1 |
| CVE-2026-33821 | Microsoft Dynamics 365 Customer Insights Elevation of Privilege Vulnerability | 13.05.2026 | 7.7 |
| CVE-2026-33833 | Azure Machine Learning Notebook Spoofing Vulnerability | 12.05.2026 | 8.2 |
| CVE-2026-33834 | Windows Event Logging Service Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-33835 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-33837 | Windows TCP/IP Local Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-33838 | Windows Message Queuing (MSMQ) Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-33839 | Win32k Elevation of Privilege Vulnerability | 13.05.2026 | 7 |
| CVE-2026-33840 | Win32k Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-33841 | Windows Kernel Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-34329 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | 13.05.2026 | 8.8 |
| CVE-2026-34330 | Win32k Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-34331 | Win32k Elevation of Privilege Vulnerability | 13.05.2026 | 7 |
| CVE-2026-34332 | Windows Kernel-Mode Driver Remote Code Execution Vulnerability | 13.05.2026 | 8 |
| CVE-2026-34333 | Windows Win32k Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-34334 | Windows TCP/IP Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-34336 | Windows DWM Core Library Information Disclosure Vulnerability | 12.05.2026 | 7.8 |
| CVE-2026-34337 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-34338 | Windows Telephony Service Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-34339 | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | 12.05.2026 | 5.5 |
| CVE-2026-34340 | Windows Projected File System Elevation of Privilege Vulnerability | 13.05.2026 | 7 |
| CVE-2026-34341 | Windows Link-Layer Discovery Protocol (LLDP) Elevation of Privilege Vulnerability | 13.05.2026 | 7 |
| CVE-2026-34342 | Windows Print Spooler Elevation of Privilege Vulnerability | 13.05.2026 | 7 |
| CVE-2026-34343 | Windows Application Identity (AppID) Subsystem Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-34344 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-34345 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | 13.05.2026 | 7 |
| CVE-2026-34347 | Windows Win32k Elevation of Privilege Vulnerability | 13.05.2026 | 7 |
| CVE-2026-34350 | Windows Storport Miniport Driver Denial of Service Vulnerability | 12.05.2026 | 6.5 |
| CVE-2026-34351 | Windows TCP/IP Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-34636 | Premiere Pro \| Out-of-bounds Write (CWE-787) | 13.05.2026 | 7.8 |
| CVE-2026-34637 | Premiere Pro \| Out-of-bounds Write (CWE-787) | 13.05.2026 | 7.8 |
| CVE-2026-34638 | Premiere Pro \| Use After Free (CWE-416) | 13.05.2026 | 7.8 |
| CVE-2026-34639 | Media Encoder \| Out-of-bounds Write (CWE-787) | 13.05.2026 | 7.8 |
| CVE-2026-34640 | Media Encoder \| Integer Overflow or Wraparound (CWE-190) | 13.05.2026 | 7.8 |
| CVE-2026-34642 | After Effects \| Heap-based Buffer Overflow (CWE-122) | 13.05.2026 | 7.8 |
| CVE-2026-34643 | After Effects \| Out-of-bounds Write (CWE-787) | 13.05.2026 | 7.8 |
| CVE-2026-34644 | After Effects \| Integer Overflow or Wraparound (CWE-190) | 13.05.2026 | 7.8 |
| CVE-2026-35415 | Windows Storage Spaces Controller Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-35416 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | 13.05.2026 | 7 |
| CVE-2026-35417 | Windows Win32k Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-35418 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-35419 | Windows DWM Core Library Information Disclosure Vulnerability | 12.05.2026 | 5.5 |
| CVE-2026-35420 | Windows Kernel Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-35421 | Windows GDI Remote Code Execution Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-35422 | Windows TCP/IP Driver Security Feature Bypass Vulnerability | 12.05.2026 | 6.5 |
| CVE-2026-35423 | Windows 11 Telnet Client Information Disclosure Vulnerability | 12.05.2026 | 5.4 |
| CVE-2026-35424 | Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability | 12.05.2026 | 7.5 |
| CVE-2026-35429 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | 12.05.2026 | 4.3 |
| CVE-2026-35433 | .NET Elevation of Privilege Vulnerability | 13.05.2026 | 7.3 |
| CVE-2026-35436 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability | 13.05.2026 | 8.8 |
| CVE-2026-35438 | Windows Admin Center Elevation of Privilege Vulnerability | 13.05.2026 | 8.3 |
| CVE-2026-35439 | Microsoft SharePoint Server Remote Code Execution Vulnerability | 13.05.2026 | 8.8 |
| CVE-2026-35440 | Microsoft Word Information Disclosure Vulnerability | 12.05.2026 | 5.5 |
| CVE-2026-40357 | Microsoft SharePoint Server Remote Code Execution Vulnerability | 13.05.2026 | 8.8 |
| CVE-2026-40358 | Microsoft Office Remote Code Execution Vulnerability | 13.05.2026 | 8.4 |
| CVE-2026-40359 | Microsoft Excel Remote Code Execution Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-40360 | Microsoft Excel Information Disclosure Vulnerability | 12.05.2026 | 7.8 |
| CVE-2026-40361 | Microsoft Word Remote Code Execution Vulnerability | 13.05.2026 | 8.4 |
| CVE-2026-40362 | Microsoft Excel Remote Code Execution Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-40363 | Microsoft Office Remote Code Execution Vulnerability | 13.05.2026 | 8.4 |
| CVE-2026-40364 | Microsoft Word Remote Code Execution Vulnerability | 13.05.2026 | 8.4 |
| CVE-2026-40365 | Microsoft SharePoint Server Remote Code Execution Vulnerability | 13.05.2026 | 8.8 |
| CVE-2026-40366 | Microsoft Word Remote Code Execution Vulnerability | 13.05.2026 | 8.4 |
| CVE-2026-40367 | Microsoft Word Remote Code Execution Vulnerability | 13.05.2026 | 8.4 |
| CVE-2026-40368 | Microsoft SharePoint Server Remote Code Execution Vulnerability | 13.05.2026 | 8 |
| CVE-2026-40369 | Windows Kernel Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-40370 | SQL Server Remote Code Execution Vulnerability | 13.05.2026 | 8.8 |
| CVE-2026-40374 | Microsoft Power Automate Desktop Information Disclosure Vulnerability | 12.05.2026 | 6.5 |
| CVE-2026-40377 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-40379 | Microsoft Enterprise Security Token Service (ESTS) Spoofing Vulnerability | 12.05.2026 | 9.3 |
| CVE-2026-40380 | Windows Volume Manager Extension Driver Remote Code Execution Vulnerability | 12.05.2026 | 6.2 |
| CVE-2026-40381 | Azure Connected Machine Agent Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-40382 | Windows Telephony Service Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-40397 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-40398 | Windows Remote Desktop Services Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-40399 | Windows TCP/IP Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-40401 | Windows TCP/IP Denial of Service Vulnerability | 12.05.2026 | 7.1 |
| CVE-2026-40402 | Windows Hyper-V Elevation of Privilege Vulnerability | 13.05.2026 | 9.3 |
| CVE-2026-40403 | Windows Graphics Component Remote Code Execution Vulnerability | 13.05.2026 | 8.8 |
| CVE-2026-40405 | Windows TCP/IP Denial of Service Vulnerability | 12.05.2026 | 7.5 |
| CVE-2026-40406 | Windows TCP/IP Information Disclosure Vulnerability | 12.05.2026 | 7.5 |
| CVE-2026-40407 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-40408 | Windows WAN ARP Driver Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-40410 | Windows SMB Client Elevation of Privilege Vulnerability | 13.05.2026 | 7 |
| CVE-2026-40413 | Windows TCP/IP Denial of Service Vulnerability | 12.05.2026 | 7.4 |
| CVE-2026-40414 |
Windows TCP/IP Denial of Service Vulnerability |
12.05.2026 |
7.4 |
| CVE-2026-40415 |
Windows TCP/IP Remote Code Execution Vulnerability |
13.05.2026 |
8.1 |
| CVE-2026-40416 |
Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability |
12.05.2026 |
4.3 |
| CVE-2026-40417 |
Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability |
13.05.2026 |
7.8 |
| CVE-2026-40418 |
Microsoft Office Click-To-Run Elevation of Privilege Vulnerability |
13.05.2026 |
7.8 |
| CVE-2026-40419 |
Microsoft Office Click-To-Run Elevation of Privilege Vulnerability |
13.05.2026 |
7.8 |
| CVE-2026-40420 |
Microsoft Office Click-To-Run Elevation of Privilege Vulnerability |
13.05.2026 |
8.8 |
| CVE-2026-40421 |
Microsoft Word Information Disclosure Vulnerability |
12.05.2026 |
4.3 |
| CVE-2026-41086 |
Windows Admin Center in Azure Portal Elevation of Privilege Vulnerability |
13.05.2026 |
8.8 |
| CVE-2026-41088 |
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
13.05.2026 |
7.8 |
| CVE-2026-41089 |
Windows Netlogon Remote Code Execution Vulnerability |
13.05.2026 |
9.8 |
| CVE-2026-41094 |
Microsoft Data Formulator Remote Code Execution Vulnerability |
13.05.2026 |
8.8 |
| CVE-2026-41095 |
Data Deduplication Elevation of Privilege Vulnerability |
13.05.2026 |
7.8 |
| CVE-2026-41096 |
Windows DNS Client Remote Code Execution Vulnerability |
13.05.2026 |
9.8 |
| CVE-2026-41097 |
Secure Boot Security Feature Bypass Vulnerability |
13.05.2026 |
6.7 |
| CVE-2026-41100 |
Microsoft 365 Copilot for Android Spoofing Vulnerability |
12.05.2026 |
4.4 |
| CVE-2026-41101 |
Microsoft Word for Android Spoofing Vulnerability |
13.05.2026 |
7.1 |
| CVE-2026-41102 |
Microsoft PowerPoint for Android Spoofing Vulnerability |
13.05.2026 |
7.1 |
| CVE-2026-41103 |
Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability |
13.05.2026 |
9.1 |
| CVE-2026-41107 |
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability |
12.05.2026 |
7.4 |
| CVE-2026-41109 |
GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability |
13.05.2026 |
8.8 |
| CVE-2026-41513 |
Horilla: Open Redirect via Unvalidated `next` Parameter in Notification Endpoints |
12.05.2026 |
|
| CVE-2026-41610 |
Visual Studio Code Security Feature Bypass Vulnerability |
12.05.2026 |
6.3 |
| CVE-2026-41611 |
Visual Studio Code Remote Code Execution Vulnerability |
13.05.2026 |
7.8 |
| CVE-2026-41612 |
Visual Studio Code Information Disclosure Vulnerability |
12.05.2026 |
5.5 |
| CVE-2026-41613 |
Visual Studio Code Elevation of Privilege Vulnerability |
13.05.2026 |
8.8 |
| CVE-2026-41614 |
M365 Copilot for Desktop Spoofing Vulnerability |
12.05.2026 |
6.2 |
| CVE-2026-41895 |
changedetection.io: XXE vulnerability in the changedetection.io project |
12.05.2026 |
|
| CVE-2026-42045 | LobeHub: Cross-Site Scripting (XSS) escalate to Remote Code Execution (RCE) | 12.05.2026 | 6.2 |
| CVE-2026-42141 | Xibo: Authenticated Server-Side Request Forgery (SSRF) in Library Upload via URL functionality | 12.05.2026 | 7.7 |
| CVE-2026-42177 | linux-entra-sso: PRT SSO cookie can leak to attacker-controlled hosts when broad host permissions are granted | 12.05.2026 | 5.3 |
| CVE-2026-42823 | Azure Logic Apps Elevation of Privilege Vulnerability | 13.05.2026 | 9.9 |
| CVE-2026-42825 | Windows Telephony Service Elevation of Privilege Vulnerability | 13.05.2026 | 7 |
| CVE-2026-42830 | Azure Monitor Agent Metrics Extension Elevation of Privilege Vulnerability | 13.05.2026 | 6.5 |
| CVE-2026-42831 | Microsoft Office Remote Code Execution Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-42832 | Microsoft Office Spoofing Vulnerability | 12.05.2026 | 7.7 |
| CVE-2026-42833 | Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability | 12.05.2026 | 9.1 |
| CVE-2026-42838 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | 12.05.2026 | 5.4 |
| CVE-2026-42891 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability | 12.05.2026 | 6.5 |
| CVE-2026-42893 | Microsoft Outlook for iOS Tampering Vulnerability | 12.05.2026 | 7.4 |
| CVE-2026-42896 | Windows DWM Core Library Elevation of Privilege Vulnerability | 13.05.2026 | 7.8 |
| CVE-2026-42898 | Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability | 13.05.2026 | 9.9 |
| CVE-2026-42899 | ASP.NET Core Denial of Service Vulnerability | 12.05.2026 | 7.5 |
| CVE-2026-43891 | changedetection.io: Arbitrary Local File Read via crafted backup restore | 12.05.2026 | 7.5 |
| CVE-2026-44166 | Pocketbase: Account pre-hijacking via OAuth2 unverified->verified autolinking upgrade | 12.05.2026 | |
| CVE-2026-44167 | phpseclib: CVE-2024-27355 mitigation bypass — OID amplification DoS in ASN1::decodeOID() | 12.05.2026 | 7.5 |
| CVE-2026-44277 | | 12.05.2026 | 9.1 |
| CVE-2026-44278 | | 12.05.2026 | 2.1 |
| CVE-2026-44279 | | 12.05.2026 | 5 |
| CVE-2026-44343 | WGDashboard: Critical Vulnerability in 4.3.2 | 12.05.2026 | |
| CVE-2025-27723 | | 12.05.2026 | |
| CVE-2025-35969 | | 12.05.2026 | |
| CVE-2025-35979 | | 12.05.2026 | |
| CVE-2025-35990 | | 13.05.2026 | |
| CVE-2025-35991 | | 12.05.2026 | |
| CVE-2025-36510 | | 12.05.2026 | |
| CVE-2025-36515 | | 12.05.2026 | |
| CVE-2025-65719 | | 12.05.2026 | |
| CVE-2026-20717 | | 12.05.2026 | |
| CVE-2026-20718 | | 13.05.2026 | |
| CVE-2026-20738 | | 13.05.2026 | |
| CVE-2026-20751 | | 12.05.2026 | |
| CVE-2026-20753 | | 13.05.2026 | |
| CVE-2026-20754 | | 12.05.2026 | |
| CVE-2026-20771 | | 12.05.2026 | |
| CVE-2026-20772 | | 13.05.2026 | |
| CVE-2026-20782 | | 12.05.2026 | |
| CVE-2026-20793 | | 12.05.2026 | |
| CVE-2026-20794 | | 13.05.2026 | |
| CVE-2026-20879 | | 12.05.2026 | |
| CVE-2026-20881 | | 12.05.2026 | |
| CVE-2026-20887 | | 12.05.2026 | |
| CVE-2026-20905 | | 12.05.2026 | |
| CVE-2026-20914 | | 12.05.2026 | |
| CVE-2026-25431 | WordPress Hustle plugin <= 7.8.10.1 - Broken Access Control vulnerability | 13.05.2026 | 5.3 |
| CVE-2026-40300 | Zulip: Message edit history visible in "moves only" policy through /api/v1/messages/{id}/history | 12.05.2026 | |
| CVE-2026-43989 | JunoClaw: upload_wasm accepted arbitrary filesystem paths without validation | 12.05.2026 | 8.5 |
| CVE-2026-43990 | JunoClaw: plugin-shell shell-metacharacter injection via shell wrapper | 12.05.2026 | 8.4 |
| CVE-2026-43991 | JunoClaw: plugin-shell shell-injection bypass via substring blocklist | 12.05.2026 | 8.4 |
| CVE-2026-43992 | JunoClaw: MCP write tools exposed raw BIP-39 mnemonic as a tool-call parameter | 12.05.2026 | 9.8 |
| CVE-2026-43993 | JunoClaw: SSRF in WAVS computeDataVerify allows cloud-metadata and internal-service access | 12.05.2026 | 8.2 |
| CVE-2026-5089 | YAML::Syck versions before 1.38 for Perl has an out-of-bounds read | 12.05.2026 | |
| CVE-2026-8278 | | 12.05.2026 | |
| CVE-2026-8407 | | 12.05.2026 | |
| CVE-2023-27753 | | 12.05.2026 | |
| CVE-2023-30059 | | 12.05.2026 | |
| CVE-2026-30805 | Insecure Default Initialization in API Authentication leads to Authentication Bypass | 12.05.2026 | |
| CVE-2026-30807 | Cross-Site Request Forgery on Extension Pages | 12.05.2026 | |
| CVE-2026-30808 | Session Fixation in Authentication leads to Session Hijacking | 12.05.2026 | |
| CVE-2026-30810 | Server-Side Request Forgery in API Checker leads to Privilege Escalation | 12.05.2026 | |
| CVE-2026-31214 | | 12.05.2026 | |
| CVE-2026-31215 | | 12.05.2026 | |
| CVE-2026-31216 | | 12.05.2026 | |
| CVE-2026-31217 | | 12.05.2026 | |
| CVE-2026-31218 | | 12.05.2026 | |
| CVE-2026-31219 | | 12.05.2026 | |
| CVE-2026-31220 | | 12.05.2026 | |
| CVE-2026-31221 | | 12.05.2026 | |
| CVE-2026-31222 | | 12.05.2026 | |
| CVE-2026-31223 | | 12.05.2026 | |
| CVE-2026-31224 | | 12.05.2026 | |
| CVE-2026-31225 | | 12.05.2026 | |
| CVE-2026-31226 | | 12.05.2026 | |
| CVE-2026-31228 | | 12.05.2026 | |
| CVE-2026-34187 | SQL Injection in Graph Container Parameter | 12.05.2026 | |
| CVE-2026-41284 | Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling | 12.05.2026 | |
| CVE-2026-41293 | Apache Tomcat: HTTP/2 request headers not validated | 12.05.2026 | |
| CVE-2026-42498 | Apache Tomcat: WebSocket authentication header exposure | 12.05.2026 | |
| CVE-2026-43512 | Apache Tomcat: Digest authenticator will authenticate any unknown user | 12.05.2026 | |
| CVE-2026-43513 | Apache Tomcat: LockOutRealm treats user names as case-sensitive | 12.05.2026 | |
| CVE-2026-43514 | Apache Tomcat: AJP secret compared in non-constant time | 12.05.2026 | |
| CVE-2026-43515 | Apache Tomcat: Security constraints not correctly applied | 12.05.2026 | |
| CVE-2025-70842 | | 12.05.2026 | |
| CVE-2026-32687 | SQL injection via channel name in Postgrex.Notifications.listen/3 and unlisten/3 | 13.05.2026 | |
| CVE-2026-42260 | Open-WebSearch: SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname` | 12.05.2026 | 8.2 |
| CVE-2026-43937 | YAF.NET: Pre-Handler Authorization Bypass on Admin Pages Enabling Blind SQL Execution via `/Admin/RunSql` | 12.05.2026 | 8.8 |
| CVE-2026-43938 | YAF.NET: Unauthenticated Stored Second-Order XSS in Admin Event Log via Reflected `User-Agent` Header | 12.05.2026 | 8.1 |
| CVE-2026-43939 | YAF.NET: Stored XSS in Forum Thread Posts/Replies Allowing Arbitrary JavaScript Execution for All Thread Viewers | 12.05.2026 | 7.3 |
| CVE-2026-43983 | Pocket ID: OIDC refresh token flow bypasses authorization revocation, account disabling, and group restrictions | 12.05.2026 | |
| CVE-2026-5061 | Consul-template vulnerable to sandbox path bypass in file helper via a symlink attack | 12.05.2026 | 4.7 |
| CVE-2026-6866 | Initialization of a Resource with an Insecure Default vulnerability on EcoStruxure™ Panel Server | 12.05.2026 | |
| CVE-2026-7431 | | 12.05.2026 | 4.4 |
| CVE-2026-7432 | | 13.05.2026 | 7.8 |
| CVE-2026-8043 | | 12.05.2026 | 9.6 |
| CVE-2026-8051 | | 13.05.2026 | 7.2 |
| CVE-2026-8109 | | 12.05.2026 | 6.5 |
| CVE-2026-8110 | | 13.05.2026 | 7.8 |
| CVE-2026-8111 | | 13.05.2026 | 8.8 |
| CVE-2026-8368 | LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects | 12.05.2026 | |
| CVE-2026-8401 | Sandbox escape in the Profile Backup component | 12.05.2026 | |
| CVE-2026-27851 | | 12.05.2026 | 7.4 |
| CVE-2026-33603 | | 12.05.2026 | 6.8 |
| CVE-2026-35071 | | 12.05.2026 | 8.2 |
| CVE-2026-40016 | | 12.05.2026 | 5.3 |
| CVE-2026-40020 | | 12.05.2026 | 3.1 |
| CVE-2026-40638 | | 12.05.2026 | 6.7 |
| CVE-2026-42006 | | 12.05.2026 | 4.3 |
| CVE-2026-43916 | pam_authnft: Heap buffer overflow in NETLINK_SOCK_DIAG reply walker | 12.05.2026 | |
| CVE-2026-43930 | Parse Server: MFA SMS one-time password accepted twice under concurrent login | 12.05.2026 | |
| CVE-2026-45091 | sealed-env: TOTP secret embedded in unseal token payload (enterprise mode) | 12.05.2026 | 9.1 |
| CVE-2025-12659 | Heap-based buffer overflow in Siemens Simcenter Femap | 12.05.2026 | |
| CVE-2026-6865 | Improper Limitation of a Pathname to a Restricted Directory Vulnerability on Multiple Products | 12.05.2026 | |
| CVE-2026-8388 | Incorrect boundary conditions in the JavaScript Engine: JIT component | 12.05.2026 | |
| CVE-2026-8389 | JIT miscompilation in the JavaScript Engine: JIT component | 12.05.2026 | |
| CVE-2026-8390 | Use-after-free in the JavaScript: WebAssembly component | 12.05.2026 | |
| CVE-2026-8391 | Other issue in the JavaScript Engine component | 12.05.2026 | |
| CVE-2026-4827 | Insufficient Entropy vulnerability on Multiple Products | 12.05.2026 | |
| CVE-2026-2465 | Improper Authorization in E-Kalite's Turboard FOR-S | 12.05.2026 | 8.8 |
| CVE-2026-32684 | | 12.05.2026 | 2.9 |
| CVE-2026-41712 | ChatMemory DEFAULT_CONVERSATION_ID causes unintended cross-user data leakage | 12.05.2026 | 7.5 |
| CVE-2026-41713 | Prompt Injection via Memory Poisoning in PromptChatMemoryAdvisor | 12.05.2026 | 8.2 |
| CVE-2026-42741 | WordPress Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend plugin <= 3.3.2 - SQL Injection vulnerability | 12.05.2026 | 8.5 |
| CVE-2026-42742 | WordPress Views for WPForms plugin <= 3.4.6 - SQL Injection vulnerability | 12.05.2026 | 8.5 |
| CVE-2026-45210 | WordPress Broadstreet Ads plugin <= 1.52.2 - Broken Access Control vulnerability | 12.05.2026 | 5.4 |
| CVE-2026-45211 | WordPress APIExperts Square for WooCommerce plugin <= 4.7.1 - SQL Injection vulnerability | 13.05.2026 | 8.5 |
| CVE-2026-45212 | WordPress Asset CleanUp: Page Speed Booster plugin <= 1.4.0.3 - Broken Access Control vulnerability | 12.05.2026 | 5.3 |
| CVE-2026-45213 | WordPress BEAR plugin <= 1.1.7.1 - SQL Injection vulnerability | 12.05.2026 | 7.6 |
| CVE-2026-45214 | WordPress Xpro Elementor Addons plugin <= 1.5.1 - SQL Injection vulnerability | 12.05.2026 | 8.5 |
| CVE-2026-45215 | WordPress WP EasyPay plugin <= 4.3.0 - Sensitive Data Exposure vulnerability | 12.05.2026 | 5.3 |
| CVE-2026-45218 | WordPress WP Travel plugin <= 11.4.0 - SQL Injection vulnerability | 12.05.2026 | 7.7 |
| CVE-2026-6001 | IDOR in Abis Technology's BAPSİS | 12.05.2026 | 8.8 |
| CVE-2026-8072 | Insecure generation of SAT access credentials in Ingecon EMS Board | 12.05.2026 | |