CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10307 | Critical: 705 | High: 2965 | Medium: 3260
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-43680 | HIGH | 7.2 | A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule … | May 12, 2026 |
| CVE-2026-42289 | HIGH | 8.8 | ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF … | May 12, 2026 |
| CVE-2026-42288 | CRITICAL | 10.0 | ChurchCRM is an open-source church management system. Prior to 7.3.2, the fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup … | May 12, 2026 |
| CVE-2026-42158 | UNKNOWN | — | Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, an adversary with knowledge of an investigation … | May 12, 2026 |
| CVE-2026-42157 | UNKNOWN | — | Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a map … | May 12, 2026 |
| CVE-2026-42156 | UNKNOWN | — | Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a node … | May 12, 2026 |
| CVE-2026-41901 | CRITICAL | 9.0 | Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms … | May 12, 2026 |
| CVE-2026-1250 | HIGH | 7.5 | The Court Reservation – Manage Your Court Bookings Online plugin for WordPress is vulnerable to generic SQL Injection via the ‘id’ parameter in all versions … | May 12, 2026 |
| CVE-2025-15463 | MEDIUM | 6.5 | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is … | May 12, 2026 |
| CVE-2026-8449 | UNKNOWN | — | Rejected reason: This CVE ID has been rejected or withdrawn. | May 12, 2026 |
| CVE-2026-45227 | HIGH | 8.8 | Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor that allows authenticated workflow authors to bypass sandbox restrictions by using … | May 12, 2026 |
| CVE-2026-45226 | HIGH | 7.1 | Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without … | May 12, 2026 |
| CVE-2026-45225 | HIGH | 7.6 | Heym before 0.0.21 contains a path traversal vulnerability in the file upload endpoint that allows authenticated users to write attacker-controlled files to arbitrary locations by … | May 12, 2026 |
| CVE-2026-44871 | HIGH | 7.2 | Command injection vulnerabilities exist in the command line interface (CLI) service accessed by the PAPI protocol of AOS-8 and AOS-10 Operating Systems. Successful exploitation of … | May 12, 2026 |
| CVE-2026-44307 | UNKNOWN | — | Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. \..\..\ secret.txt) bypasses the directory traversal … | May 12, 2026 |
| CVE-2026-44306 | MEDIUM | 5.3 | Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether … | May 12, 2026 |
| CVE-2026-44305 | MEDIUM | 6.8 | Lemur manages TLS certificate creation. Prior to 1.9.0, when LDAP TLS is enabled (LDAP_USE_TLS = True), Lemur's LDAP authentication module unconditionally disables TLS certificate verification … | May 12, 2026 |
| CVE-2026-44304 | HIGH | 8.1 | Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitized user input via Python string interpolation. … | May 12, 2026 |
| CVE-2026-44302 | HIGH | 7.5 | Snappier is a high performance C# implementation of the Snappy compression algorithm. Prior to 1.3.1, Snappier.SnappyStream enters an uncatchable infinite loop when decompressing a malformed … | May 12, 2026 |
| CVE-2026-44301 | UNKNOWN | — | Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo … | May 12, 2026 |
| CVE-2026-44296 | HIGH | 7.5 | Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a remote, unauthenticated denial of service (DoS) vulnerability affects Deskflow servers running with TLS … | May 12, 2026 |
| CVE-2026-44262 | CRITICAL | 9.4 | Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request … | May 12, 2026 |
| CVE-2026-44260 | HIGH | 8.1 | efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the readonly flag set on the <efw:elFinder> JSP tag is intended to prevent file modifications. … | May 12, 2026 |
| CVE-2026-44259 | MEDIUM | 4.6 | efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the previewServlet serves files with their detected MIME type based on file extension, without any … | May 12, 2026 |
| CVE-2026-44258 | UNKNOWN | — | efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the elfinder_checkRisk function validates target and targets for path traversal and home containment, but does … | May 12, 2026 |