Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10238, Critical: 701, High: 2952, Medium: 3222
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2025-27853 | HIGH | 7.3 | The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed. The WDU web site only … | May 13, 2026 |
| CVE-2025-27852 | MEDIUM | 5.0 | The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a reflected cross site scripting (XSS) attack. This allows an … | May 13, 2026 |
| CVE-2025-27851 | CRITICAL | 9.3 | The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a cross-site origin WebSocket hijacking attack. Among other uses, the … | May 13, 2026 |
| CVE-2025-27850 | HIGH | 7.5 | The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack. If a malicious graphics package containing symlinks … | May 13, 2026 |
| CVE-2026-44364 | UNKNOWN | — | MISP modules are autonomous modules that can be used to extend MISP for new services. In 3.0.7 and earlier, a Cross-Site Request Forgery vulnerability in … | May 13, 2026 |
| CVE-2026-44363 | UNKNOWN | — | MISP modules are autonomous modules that can be used to extend MISP for new services. Prior to 3.0.7, an unsafe remote resource fetching vulnerability existed … | May 13, 2026 |
| CVE-2026-44351 | CRITICAL | 9.1 | fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to … | May 13, 2026 |
| CVE-2026-42552 | HIGH | 7.5 | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exception code, and stack trace … | May 13, 2026 |
| CVE-2026-42551 | HIGH | 7.5 | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter on any HTTP verb (including … | May 13, 2026 |
| CVE-2026-42550 | HIGH | 8.8 | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys … | May 13, 2026 |
| CVE-2026-42549 | MEDIUM | 4.4 | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir(..., recursive: true) on a path built from the user-supplied … | May 13, 2026 |
| CVE-2026-42548 | UNKNOWN | — | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp() concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that … | May 13, 2026 |
| CVE-2026-33381 | MEDIUM | 5.9 | When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds … | May 13, 2026 |
| CVE-2026-33380 | MEDIUM | 6.3 | A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle … | May 13, 2026 |
| CVE-2026-33378 | MEDIUM | 6.5 | Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to … | May 13, 2026 |
| CVE-2026-33377 | HIGH | 7.1 | An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the … | May 13, 2026 |
| CVE-2026-33376 | HIGH | 7.4 | When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate … | May 13, 2026 |
| CVE-2026-28383 | MEDIUM | 6.5 | A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can … | May 13, 2026 |
| CVE-2026-28380 | MEDIUM | 6.5 | Any Editor could delete any snapshot, even if they have no access to read or write them. | May 13, 2026 |
| CVE-2026-28379 | MEDIUM | 6.5 | A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal … | May 13, 2026 |
| CVE-2026-28376 | MEDIUM | 6.5 | The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory … | May 13, 2026 |
| CVE-2026-28374 | MEDIUM | 4.3 | Editors could delete any annotation, even those they do not have read access to. The editor user cannot create or read the annotations. | May 13, 2026 |
| CVE-2026-0243 | UNKNOWN | — | A denial of service (DoS) vulnerability in Palo Alto Networks Prisma SD-WAN ION devices enables an unauthenticated attacker in a network adjacent to a Prisma … | May 13, 2026 |
| CVE-2026-8496 | MEDIUM | 6.1 | A cross-site scripting (XSS) vulnerability exists in Alinto SOGo, version 5.12.7. A maliciously crafted ICS calendar invitation file allows arbitrary JavaScript execution within the authenticated … | May 13, 2026 |
| CVE-2026-8466 | UNKNOWN | — | Allocation of Resources Without Limits or Throttling vulnerability in ninenines cowboy allows denial of service via unbounded buffer accumulation in multipart header parsing. cowboy_req:read_part/3 in … | May 13, 2026 |