Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
10066 Total | 679 Critical | 2903 High | 3164 Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-8851 | HIGH | 8.1 | SOGo 5.12.7 contains a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database … | May 18, 2026 |
| CVE-2026-8838 | CRITICAL | 9.8 | Unsafe use of Python's eval() on server-received data in the vector_in() function in amazon-redshift-python-driver before 2.1.14 allows a rogue server or man-in-the-middle actor to execute … | May 18, 2026 |
| CVE-2026-4137 | HIGH | 7.0 | In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_create_model_downloading_tmp_dir()` function in `mlflow/pyfunc/__init__.py` creates … | May 18, 2026 |
| CVE-2026-27130 | CRITICAL | 9.9 | Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. 3 chained issues … | May 18, 2026 |
| CVE-2026-26978 | UNKNOWN | — | FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially … | May 18, 2026 |
| CVE-2026-25244 | CRITICAL | 9.8 | WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection … | May 18, 2026 |
| CVE-2026-22810 | HIGH | 8.2 | Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions prior to 3.5.7 contain a path traversal vulnerability … | May 18, 2026 |
| CVE-2026-47092 | HIGH | 7.8 | Claude HUD through 0.0.12, patched in commit 234d9aa, contains a command injection vulnerability that allows local attackers to execute arbitrary commands by manipulating the COMSPEC … | May 18, 2026 |
| CVE-2026-47091 | LOW | 3.3 | Claude HUD through 0.0.12, patched in commit 234d9aa, contains a path traversal vulnerability that allows attackers to read arbitrary files by supplying an unvalidated transcript_path … | May 18, 2026 |
| CVE-2026-47090 | MEDIUM | 4.6 | Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl values without stripping control characters … | May 18, 2026 |
| CVE-2026-45246 | MEDIUM | 5.5 | Summarize prior to 0.15.1 contains an insecure file permission vulnerability in the refresh-free configuration rewrite path that allows local users to read sensitive credentials by … | May 18, 2026 |
| CVE-2026-45245 | HIGH | 7.4 | Summarize prior to 0.15.1 contains a vulnerability in the hover summary feature that allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links, causing … | May 18, 2026 |
| CVE-2026-45244 | MEDIUM | 5.4 | Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions without per-call user approval when the extension automation … | May 18, 2026 |
| CVE-2026-21789 | MEDIUM | 4.6 | HCL Connections contains a broken access control vulnerability that may allow unauthorized user to update data in certain scenarios. | May 18, 2026 |
| CVE-2025-65954 | MEDIUM | 4.7 | SimpleSAMLphp-casserver is a CAS 1.0 and 2.0 compliant CAS server in the form of a SimpleSAMLphp module. In versions below 6.3.1 and 7.0.0, the logout … | May 18, 2026 |
| CVE-2026-8836 | CRITICAL | 9.8 | A vulnerability was found in lwIP up to 2.2.1. Affected is the function snmp_parse_inbound_frame of the file src/apps/snmp/snmp_msg.c of the component snmpv3 USM Handler. Performing … | May 18, 2026 |
| CVE-2026-45243 | MEDIUM | 6.1 | Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation … | May 18, 2026 |
| CVE-2026-45242 | HIGH | 7.1 | Summarize prior to 0.15.1 contains a path traversal vulnerability in the /v1/summarize daemon endpoint that allows authenticated callers to write files to arbitrary directories by … | May 18, 2026 |
| CVE-2026-45231 | MEDIUM | 6.1 | DumbAssets through 1.0.11 contains a stored cross-site scripting vulnerability in asset fields including name, description, modelNumber, serialNumber, and tags that are stored without server-side sanitization … | May 18, 2026 |
| CVE-2026-45495 | HIGH | 8.8 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | May 18, 2026 |
| CVE-2026-45494 | MEDIUM | 5.4 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | May 18, 2026 |
| CVE-2026-45492 | MEDIUM | 5.4 | Improper input validation in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network. | May 18, 2026 |
| CVE-2026-45230 | CRITICAL | 9.1 | DumbAssets through 1.0.11 contains a path traversal vulnerability in the POST /api/delete-file endpoint and filesToDelete array parameters that allows unauthenticated attackers to delete arbitrary files … | May 18, 2026 |
| CVE-2026-42822 | CRITICAL | 10.0 | Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges over a network. | May 18, 2026 |
| CVE-2026-32849 | MEDIUM | 5.5 | NetBSD prior to commit ec8451e contains a signed integer overflow vulnerability in the cryptodev_op() function in sys/opencrypto/cryptodev.c where the local variable iov_len is declared as … | May 18, 2026 |