CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Totals: 10338 vulnerabilities (705 Critical, 2973 High, 3268 Medium).
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-44301 | UNKNOWN | — | Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo … | May 12, 2026 |
| CVE-2026-44296 | HIGH | 7.5 | Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a remote, unauthenticated denial of service (DoS) vulnerability affects Deskflow servers running with TLS … | May 12, 2026 |
| CVE-2026-44262 | CRITICAL | 9.4 | Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request … | May 12, 2026 |
| CVE-2026-44260 | HIGH | 8.1 | efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the readonly flag set on the <efw:elFinder> JSP tag is intended to prevent file modifications. … | May 12, 2026 |
| CVE-2026-44259 | MEDIUM | 4.6 | efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the previewServlet serves files with their detected MIME type based on file extension, without any … | May 12, 2026 |
| CVE-2026-44258 | UNKNOWN | — | efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the elfinder_checkRisk function validates target and targets for path traversal and home containment, but does … | May 12, 2026 |
| CVE-2026-44257 | UNKNOWN | — | efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An … | May 12, 2026 |
| CVE-2026-44242 | LOW | 3.7 | Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Prior to 4.10.22, the bundleCache is keyed by … | May 12, 2026 |
| CVE-2026-44241 | HIGH | 7.5 | Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. From 4.3.0 to before 4.10.22, TimeConverterRegistrar caches DateTimeFormatter … | May 12, 2026 |
| CVE-2026-44015 | HIGH | 8.5 | Nginx UI is a web user interface for the Nginx web server. In 2.3.4 and earlier, an authenticated user can perform Server-Side Request Forgery (SSRF) … | May 12, 2026 |
| CVE-2026-43948 | CRITICAL | 9.9 | wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope authorization check using … | May 12, 2026 |
| CVE-2026-42855 | HIGH | 7.5 | arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer Digest authentication implementation in arduino-esp32 … | May 12, 2026 |
| CVE-2026-42854 | CRITICAL | 9.8 | arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 … | May 12, 2026 |
| CVE-2026-42844 | UNKNOWN | — | Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file … | May 12, 2026 |
| CVE-2026-42545 | MEDIUM | 5.9 | Granian is a Rust HTTP server for Python applications. From 0.2.0 to 2.7.4, Granian aborts a worker process if a WSGI application returns an invalid … | May 12, 2026 |
| CVE-2026-42544 | HIGH | 7.5 | Granian is a Rust HTTP server for Python applications. From 1.2.0 to 2.7.4, Granian aborts a worker process when an unauthenticated client sends a WebSocket … | May 12, 2026 |
| CVE-2026-42268 | UNKNOWN | — | ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an … | May 12, 2026 |
| CVE-2026-42196 | UNKNOWN | — | django-s3file is a lightweight file upload input for Django and Amazon S3. Prior to 7.0.2, S3FileMiddleware is vulnerable to relative path traversal attacks, where an … | May 12, 2026 |
| CVE-2026-41195 | MEDIUM | 5.0 | mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project … | May 12, 2026 |
| CVE-2026-40902 | HIGH | 7.5 | PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the XLSX reader's ColumnAndRowAttributes::readRowAttributes() method … | May 12, 2026 |
| CVE-2026-40863 | HIGH | 7.5 | PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\Xml) … | May 12, 2026 |
| CVE-2026-35555 | MEDIUM | 6.3 | PowerSYSTEM Center feature for device project groups allows an authenticated user with limited permissions to perform an unauthorized deletion of project groups. | May 12, 2026 |
| CVE-2026-33570 | MEDIUM | 5.7 | PowerSYSTEM Center REST API endpoint for devices allows a low privilege authenticated user to access information normally limited by operational permissions. | May 12, 2026 |
| CVE-2026-26289 | HIGH | 8.2 | PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions … | May 12, 2026 |
| CVE-2026-44403 | HIGH | 7.2 | Wing FTP Server before 8.1.3 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua … | May 12, 2026 |