CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Totals: 10192 CVEs, of which 692 Critical, 2939 High and 3205 Medium.
| CVE ID | Severity | CVSS score | Description (truncated) | Published |
|---|---|---|---|---|
| CVE-2025-62309 | LOW | 2.6 | HCL AION is affected by a vulnerability where auto-complete functionality is enabled for certain input fields. This may allow sensitive information to be stored in … | May 14, 2026 |
| CVE-2025-62308 | MEDIUM | 5.1 | HCL AION is affected by a vulnerability where sensitive backend infrastructure details may be exposed. Exposure of such information could reveal internal system architecture or … | May 14, 2026 |
| CVE-2025-62305 | MEDIUM | 5.1 | HCL AION is affected by a vulnerability where certain operations may trigger out-of-band interactions, potentially resulting in unintended disclosure of sensitive information. Such behaviour may … | May 14, 2026 |
| CVE-2026-44504 | UNKNOWN | — | Aegra is a drop-in replacement for LangSmith Deployments. Prior to 0.9.7, deployments with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. … | May 14, 2026 |
| CVE-2026-44503 | UNKNOWN | — | The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redirects to a different host … | May 14, 2026 |
| CVE-2026-44501 | MEDIUM | 4.3 | DataHub is an open-source metadata platform. Prior to 1.5.0.3, the DataHub frontend (datahub-frontend-react) deserializes attacker-controlled Java objects from the REDIRECT_URL HTTP cookie during the OIDC … | May 14, 2026 |
| CVE-2026-42597 | MEDIUM | 5.9 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the /forms/chromium/convert/url and /forms/chromium/screenshot/url routes accept url=file:///tmp/... from anonymous callers. The default Chromium … | May 14, 2026 |
| CVE-2026-42596 | CRITICAL | 9.4 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. … | May 14, 2026 |
| CVE-2026-42595 | HIGH | 8.6 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, Gotenberg's Chromium URL-to-PDF endpoint (/forms/chromium/convert/url) has no default protection against HTTP/HTTPS-based SSRF. The … | May 14, 2026 |
| CVE-2026-42594 | HIGH | 7.5 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the webhook middleware spawns a goroutine that holds a reference to the request's … | May 14, 2026 |
| CVE-2026-42593 | MEDIUM | 5.3 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, and chromium/convert/markdown accept stampSource=pdf + stampExpression=/path and watermarkSource=pdf … | May 14, 2026 |
| CVE-2026-42592 | MEDIUM | 5.3 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, FilterOutboundURL resolves the hostname, checks the resolved IPs against the private-address deny-list, and … | May 14, 2026 |
| CVE-2026-42591 | HIGH | 8.2 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the LibreOffice conversion endpoint (/forms/libreoffice/convert) passes uploaded documents directly to LibreOffice without inspecting … | May 14, 2026 |
| CVE-2026-42590 | HIGH | 8.2 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, the ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix … | May 14, 2026 |
| CVE-2026-42589 | CRITICAL | 9.8 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys … | May 14, 2026 |
| CVE-2026-42283 | HIGH | 7.7 | DevSpace is a client-only developer tool for cloud-native development with Kubernetes. Prior to 6.3.21, DevSpace's UI server WebSocket accepts connections from all origins by default, … | May 14, 2026 |
| CVE-2026-42281 | UNKNOWN | — | MagicMirror² is an open source modular smart mirror platform. Prior to 2.36.0, an unauthenticated Server-Side Request Forgery (SSRF) vulnerability in the /cors endpoint allows any … | May 14, 2026 |
| CVE-2026-42159 | UNKNOWN | — | Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Flowsint allows a user to create investigations, … | May 14, 2026 |
| CVE-2026-40893 | HIGH | 8.2 | Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg only checks if the tag is exactly FileName, so System:FileName slips right … | May 14, 2026 |
| CVE-2026-44484 | UNKNOWN | — | PyTorch Lightning is a deep learning framework to pretrain and finetune AI models. Versions 2.6.2 and 2.6.2 have introduced functionality consistent with a credential harvesting … | May 14, 2026 |
| CVE-2026-44482 | CRITICAL | 9.6 | soundcloud-rpc is a SoundCloud Client with Discord Rich Presence, Dark Mode, Last.fm and AdBlock support. Prior to 0.1.8, a track title containing an HTML payload … | May 14, 2026 |
| CVE-2026-44375 | HIGH | 7.5 | Nerdbank.MessagePack is a NativeAOT-compatible MessagePack serialization library. Prior to 1.1.62, Nerdbank.MessagePack contains an uncontrolled stack allocation vulnerability in DateTime decoding. A malicious MessagePack payload can … | May 14, 2026 |
| CVE-2026-44374 | MEDIUM | 4.3 | Backstage is an open framework for building developer portals. Prior to 0.6.11, the unprocessed entities read endpoints in @backstage/plugin-catalog-backend-module-unprocessed do not enforce permission authorization checks. … | May 14, 2026 |
| CVE-2026-44371 | UNKNOWN | — | Open OnDemand is an open-source high-performance computing portal. Prior to 4.0.11, 4.1.5, and 4.2.2, specially crafted filenames can execute JavaScript in the file browser. This … | May 14, 2026 |
| CVE-2026-44308 | UNKNOWN | — | Spring Cloud AWS simplifies using AWS managed services in Spring and Spring Boot applications. From 3.0.0 to 4.0.1, applications using Spring Cloud AWS SNS … | May 14, 2026 |
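Two entries above describe recurring bug classes rather than one-off mistakes, and each is easier to reason about with a small working model. The first is the redirect problem in the CVE-2026-44503 row: a client that forwards every request header to whatever host a 3xx `Location` names will hand its `Authorization` and `Cookie` values to a third party the moment a legitimate server redirects off-origin. The following is an added example and not Kiota's `RedirectHandler`: a minimal redirect-following client with a pluggable transport so it runs offline. The hostnames, token and cookie values are constructed, and the `strip_on_cross_origin` switch exists only to show the vulnerable and hardened behaviour side by side.

```python
"""Added illustration of credential handling across HTTP redirects.

Constructed example code, not Kiota's RedirectHandler: a minimal
redirect-following client with a pluggable transport so it runs offline.
It models the class CVE-2026-44503 describes, a client that replays
Authorization/Cookie headers to whatever host a 3xx Location points at.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Request headers that carry credentials or session state.  Browsers and
# mature HTTP clients drop these when a redirect leaves the original origin.
SENSITIVE_HEADERS = frozenset({"authorization", "proxy-authorization", "cookie"})
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


# A transport performs one request: (method, url, headers) -> Response.
Transport = Callable[[str, str, Dict[str, str]], Response]


def same_origin(a: str, b: str) -> bool:
    """Scheme, host and port must all match; an https->http downgrade on the
    same host also counts as leaving the origin."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme.lower(), (pa.hostname or "").lower(), pa.port) == \
           (pb.scheme.lower(), (pb.hostname or "").lower(), pb.port)


def fetch(method: str, url: str, headers: Dict[str, str], transport: Transport,
          strip_on_cross_origin: bool = True, max_redirects: int = 5) -> Response:
    """Follow up to max_redirects 3xx responses.

    With strip_on_cross_origin=False this reproduces the vulnerable pattern:
    every header, credentials included, is forwarded to the redirect target.
    """
    hdrs = dict(headers)
    for _ in range(max_redirects + 1):
        resp = transport(method, url, hdrs)
        location = resp.headers.get("Location")
        if resp.status not in REDIRECT_STATUSES or location is None:
            return resp
        target = urljoin(url, location)  # Location may be relative
        if strip_on_cross_origin and not same_origin(url, target):
            hdrs = {k: v for k, v in hdrs.items() if k.lower() not in SENSITIVE_HEADERS}
        if resp.status == 303 or (resp.status in (301, 302) and method == "POST"):
            method = "GET"  # RFC 7231 redirect semantics; 307/308 keep the method
        url = target
    raise RuntimeError("too many redirects")


def recording_transport(routes: Dict[str, Tuple[int, Optional[str]]]):
    """Fake network: `routes` maps a URL to (status, Location).  Unknown URLs
    answer 200.  Every request's (host, headers) is appended to `seen`."""
    seen: List[Tuple[str, Dict[str, str]]] = []

    def transport(method: str, url: str, headers: Dict[str, str]) -> Response:
        seen.append((urlsplit(url).hostname or "", dict(headers)))
        status, location = routes.get(url, (200, None))
        return Response(status, {"Location": location} if location else {}, b"ok")

    return transport, seen


def run_scenario(redirect_to: str, strip_on_cross_origin: bool = True):
    """GET https://api.example.com/secret with a bearer token and session cookie
    (constructed values); the server answers 302 to `redirect_to`.  Returns the
    (host, headers) pairs the transport observed, one per hop."""
    routes = {"https://api.example.com/secret": (302, redirect_to)}
    transport, seen = recording_transport(routes)
    fetch("GET", "https://api.example.com/secret",
          {"Authorization": "Bearer constructed-token",
           "Cookie": "session=constructed",
           "Accept": "application/json"},
          transport, strip_on_cross_origin=strip_on_cross_origin)
    return seen


if __name__ == "__main__":
    for target in ("https://evil.example.net/collect", "/v2/secret",
                   "http://api.example.com/secret"):
        hops = run_scenario(target)
        print(target, "->", [(host, sorted(hdrs)) for host, hdrs in hops])
```

The check is on origin, not on hostname alone: a same-host redirect from `https` to `http` also drops the credentials, since the token would otherwise travel in clear text. Non-sensitive headers such as `Accept` are kept, so the redirected request still behaves as the caller intended.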
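The second recurring class is the blocklist bypass in the CVE-2026-42590 and CVE-2026-40893 rows: the check compared the raw key against the literal `FileName`, but ExifTool accepts the same tag as `System:FileName`, with a family-number prefix, with a trailing `#`, or in any letter case. The following is an added example, not Gotenberg's code, showing a deny-list that normalizes the key before comparing. The deny-list contents are an assumption chosen for illustration (ExifTool pseudo tags that act on the file system), and the regular expression is a simplified reading of ExifTool's documented `-TAG` / `-GROUP:TAG` syntax rather than a complete parser; anything that does not fit that grammar is refused outright.

```python
"""Added illustration of a metadata-key blocklist that understands ExifTool's
tag syntax.  Constructed example, not Gotenberg's code.

ExifTool accepts the same tag under several spellings: `FileName`,
`filename`, `System:FileName`, `0System:FileName` (family-number prefix),
`FileName#` (write the raw value).  A blocklist that compares the raw key
string against "FileName" is bypassed by every variant but the first.
"""
import re
from typing import Dict, Optional, Tuple

# Assumed deny-list for the illustration: ExifTool pseudo tags that act on
# the file system rather than on the file's metadata.  Stored lower-case
# because ExifTool tag names are case-insensitive.
BLOCKED_TAGS = frozenset(t.lower() for t in ("FileName", "Directory", "HardLink", "SymLink"))

# Simplified grammar of a plain ExifTool tag spec (the part after the leading '-'):
#   [<family digits>]<Group>: ... <Tag>[#]
# Keys outside this grammar (leading '-', '=', '<', '*', whitespace) are
# rejected rather than forwarded to ExifTool.
TAG_SPEC = re.compile(
    r"(?:\d*[A-Za-z][A-Za-z0-9_-]*:)*"   # zero or more group prefixes, e.g. "System:", "0File:", "XMP-dc:"
    r"([A-Za-z][A-Za-z0-9_-]*)"           # the bare tag name (captured)
    r"#?"                                 # optional '#' = numerical/raw value
)


def bare_tag(key: str) -> Optional[str]:
    """Strip group prefixes and the '#' suffix; return the lower-cased tag
    name, or None if `key` is not a plain tag spec."""
    m = TAG_SPEC.fullmatch(key)
    return m.group(1).lower() if m else None


def is_allowed(key: str) -> bool:
    """Hardened check: normalize first, then compare against the deny-list."""
    tag = bare_tag(key)
    return tag is not None and tag not in BLOCKED_TAGS


def naive_is_allowed(key: str) -> bool:
    """The pattern the advisories describe: exact string comparison of the raw key."""
    return key not in {"FileName", "Directory", "HardLink", "SymLink"}


def filter_metadata(metadata: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a caller-supplied metadata object into keys safe to pass on and
    keys to refuse (mapped to their normalized tag, for logging)."""
    accepted: Dict[str, str] = {}
    rejected: Dict[str, str] = {}
    for key, value in metadata.items():
        if is_allowed(key):
            accepted[key] = value
        else:
            rejected[key] = bare_tag(key) or "<not a tag spec>"
    return accepted, rejected


if __name__ == "__main__":
    # Constructed request body: two legitimate keys, several bypass spellings,
    # and one key that is not a tag spec at all.
    sample = {
        "Title": "Quarterly report",
        "XMP-dc:Creator": "Alice",
        "System:FileName": "renamed.pdf",
        "0System:FileName": "renamed.pdf",
        "filename#": "renamed.pdf",
        "File:Directory": "/tmp",
        "Title=other": "x",
    }
    for k in sample:
        print(f"{k:18} naive={naive_is_allowed(k)!s:5} hardened={is_allowed(k)}")
```

The general lesson is the usual one for deny-lists in front of a tool with its own parser: compare against the form the downstream tool will actually interpret, not the bytes the caller typed, and treat anything you cannot parse as a refusal rather than a pass-through.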