CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
10338 total CVEs: 705 critical, 2973 high, 3268 medium.
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-44547 | CRITICAL | 9.6 | ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, the fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently … | May 12, 2026 |
| CVE-2026-44352 | UNKNOWN | — | Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Broken Access Control allows reading of sketch … | May 12, 2026 |
| CVE-2026-44347 | MEDIUM | 5.8 | Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. Prior to 0.23.3, the SSO flow does not validate the state parameter, … | May 12, 2026 |
| CVE-2026-44341 | MEDIUM | 5.3 | GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details … | May 12, 2026 |
| CVE-2026-44245 | MEDIUM | 6.1 | Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 2.5.2, Vue 3's v-html directive is the framework-documented mechanism for injecting … | May 12, 2026 |
| CVE-2026-43685 | HIGH | 7.2 | A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to inject arbitrary operating system commands through unsanitized input … | May 12, 2026 |
| CVE-2026-43680 | HIGH | 7.2 | A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule … | May 12, 2026 |
| CVE-2026-42289 | HIGH | 8.8 | ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF … | May 12, 2026 |
| CVE-2026-42288 | CRITICAL | 10.0 | ChurchCRM is an open-source church management system. Prior to 7.3.2, the fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup … | May 12, 2026 |
| CVE-2026-42158 | UNKNOWN | — | Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, an adversary with knowledge of an investigation … | May 12, 2026 |
| CVE-2026-42157 | UNKNOWN | — | Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a map … | May 12, 2026 |
| CVE-2026-42156 | UNKNOWN | — | Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a node … | May 12, 2026 |
| CVE-2026-41901 | CRITICAL | 9.0 | Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms … | May 12, 2026 |
| CVE-2026-1250 | HIGH | 7.5 | The Court Reservation – Manage Your Court Bookings Online plugin for WordPress is vulnerable to generic SQL Injection via the ‘id’ parameter in all versions … | May 12, 2026 |
| CVE-2025-15463 | MEDIUM | 6.5 | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is … | May 12, 2026 |
| CVE-2026-8449 | UNKNOWN | — | Rejected reason: This CVE ID has been rejected or withdrawn. | May 12, 2026 |
| CVE-2026-45227 | HIGH | 8.8 | Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor that allows authenticated workflow authors to bypass sandbox restrictions by using … | May 12, 2026 |
| CVE-2026-45226 | HIGH | 7.1 | Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without … | May 12, 2026 |
| CVE-2026-45225 | HIGH | 7.6 | Heym before 0.0.21 contains a path traversal vulnerability in the file upload endpoint that allows authenticated users to write attacker-controlled files to arbitrary locations by … | May 12, 2026 |
| CVE-2026-44871 | HIGH | 7.2 | Command injection vulnerabilities exist in the command line interface (CLI) service accessed by the PAPI protocol of AOS-8 and AOS-10 Operating Systems. Successful exploitation of … | May 12, 2026 |
| CVE-2026-44307 | UNKNOWN | — | Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. \..\..\ secret.txt) bypasses the directory traversal … | May 12, 2026 |
| CVE-2026-44306 | MEDIUM | 5.3 | Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.21 and 6.15.0, responses from the forgot password forms hinted at whether … | May 12, 2026 |
| CVE-2026-44305 | MEDIUM | 6.8 | Lemur manages TLS certificate creation. Prior to 1.9.0, when LDAP TLS is enabled (LDAP_USE_TLS = True), Lemur's LDAP authentication module unconditionally disables TLS certificate verification … | May 12, 2026 |
| CVE-2026-44304 | HIGH | 8.1 | Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitized user input via Python string interpolation. … | May 12, 2026 |
| CVE-2026-44302 | HIGH | 7.5 | Snappier is a high performance C# implementation of the Snappy compression algorithm. Prior to 1.3.1, Snappier.SnappyStream enters an uncatchable infinite loop when decompressing a malformed … | May 12, 2026 |