Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10066 | Critical: 679 | High: 2903 | Medium: 3164
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-32848 | MEDIUM | 4.7 | NetBSD prior to commit ec8451e contains a race condition vulnerability in cryptodev_op() within the opencrypto subsystem that allows local attackers to trigger a double-free condition … | May 18, 2026 |
| CVE-2026-29965 | MEDIUM | 6.1 | HSC MailInspector 5.3.3-7 is vulnerable to Cross Site Scripting (XSS) in the /police/WarningUrlPage.php endpoint due to improper neutralization of user-supplied input that uses alternate or … | May 18, 2026 |
| CVE-2026-29964 | MEDIUM | 6.1 | HSC MailInspector v5.3.3-7 contains a Cross-Site Scripting (XSS) vulnerability in the /tap/tap.php endpoint due to improper neutralization of user-controlled input using alternate or obfuscated JavaScript … | May 18, 2026 |
| CVE-2026-29963 | UNKNOWN | — | HSC MailInspector 5.3.3-7 has a Path Traversal vulnerability due to improper validation of user-supplied input in the /tap/dw.php endpoint. The text parameter is used to … | May 18, 2026 |
| CVE-2026-29962 | UNKNOWN | — | HSC MailInspector v5.3.3-7 contains a Local File Inclusion (LFI) vulnerability caused by improper control of user-supplied file paths. The endpoint /vendor/phpunit/phpunit.php processes user-controlled parameters that … | May 18, 2026 |
| CVE-2023-24215 | UNKNOWN | — | Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G firmware v1.1.16 allows unauthenticated attackers to obtain administrator credentials via a crafted POST request. | May 18, 2026 |
| CVE-2026-8843 | MEDIUM | 6.5 | Creating a "2dsphere_bucket" index on a non-timeseries bucket collection will succeed, but any subsequent attempt to insert a document which triggers updating that index will … | May 18, 2026 |
| CVE-2026-45829 | UNKNOWN | — | A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the … | May 18, 2026 |
| CVE-2026-41085 | HIGH | 8.8 | Thermo Fisher Scientific Torrent Suite Dx through 5.14.2 has a privilege escalation vulnerability that may allow an authenticated user with limited access privileges to gain … | May 18, 2026 |
| CVE-2026-38719 | MEDIUM | 6.2 | OpENer v2.3-558-g1e99582 contains an out-of-bounds read vulnerability in the Common Packet Format (CPF) parser, specifically in CreateCommonPacketFormatStructure() in source/src/enet_encap/cpf.c. A crafted ENIP/CPF message can supply … | May 18, 2026 |
| CVE-2026-36438 | MEDIUM | 5.3 | An issue in Intelbras VIP-1230-D-G4 Version V2.800.00IB00C.0.T allows a remote attacker to obtain sensitive information via password reset functionality under /OutsideCmd | May 18, 2026 |
| CVE-2026-20685 | MEDIUM | 6.5 | An attacker in a privileged network position may be able to leak sensitive information. A path handling issue was addressed with improved validation. This issue … | May 18, 2026 |
| CVE-2025-57282 | HIGH | 8.8 | ngrok v4.3.3 and 5.0.0-beta.2 are vulnerable to Command Injection. | May 18, 2026 |
| CVE-2025-56352 | HIGH | 7.5 | In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), the broker mishandles protocol violations during CONNECT packet parsing. When receiving a CONNECT packet with a zero-length Client ID while … | May 18, 2026 |
| CVE-2026-41949 | MEDIUM | 5.9 | Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 … | May 18, 2026 |
| CVE-2026-41948 | HIGH | 7.7 | Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API … | May 18, 2026 |
| CVE-2026-41947 | HIGH | 7.4 | Dify version 1.14.1 and prior contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless … | May 18, 2026 |
| CVE-2026-39079 | HIGH | 7.5 | An issue in prestashop upsshipping all versions through at least 2.4.0 allows a remote attacker to obtain sensitive information via the /modules/upsshipping/logs/ and /modules/upsshipping/lib/UPSBaseApi.php components | May 18, 2026 |
| CVE-2026-26462 | UNKNOWN | — | Offline Hospital Management System 5.3.0 allows remote code execution due to an improper Electron renderer configuration. The application enables Node.js integration while disabling context isolation, … | May 18, 2026 |
| CVE-2026-42009 | HIGH | 7.5 | A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator … | May 18, 2026 |
| CVE-2026-8803 | LOW | 3.7 | A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of … | May 18, 2026 |
| CVE-2026-7304 | CRITICAL | 9.8 | SGLang's multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be … | May 18, 2026 |
| CVE-2026-7302 | CRITICAL | 9.1 | SGLang's multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write … | May 18, 2026 |
| CVE-2026-7301 | CRITICAL | 9.8 | SGLang's multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when … | May 18, 2026 |
| CVE-2026-0983 | UNKNOWN | — | Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process … | May 18, 2026 |