Recent
Published 2026-05-13 by jpcert
Hitachi Vantara Pentaho Data Integration & Analytics - Dependency on Vulnerable Third-Party Component
Published 2026-05-13 by HITVAN
Improper Authorization in Gerrit allowing Code Review Bypass via "Submitted Together"
Published 2026-05-13 by Google
Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter
Published 2026-05-13 by Wordfence
ilGhera Support System for WooCommerce <= 1.3.0 - Missing Authorization to Unauthenticated Sensitive Information Exposure
Published 2026-05-13 by Wordfence
JoomSport <= 5.7.7 - Unauthenticated SQL Injection via 'sortf' Parameter
Published 2026-05-13 by Wordfence
Published 2026-05-13 by jpcert
Published 2026-05-13 by SamsungMobile
Broadstreet <= 1.53.1 - Authenticated (Admin+) Stored Cross-Site Scripting
Published 2026-05-13 by Wordfence
Blog2Social: Social Media Auto Post & Scheduler <= 8.9.0 - Missing Authorization to Authenticated (Subscriber+) Delete Arbitrary B2S Post Records via 'postId' Parameter
Published 2026-05-13 by Wordfence
Fluent Forms <= 6.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'permission_message' Shortcode Attribute
Published 2026-05-13 by Wordfence
Broadstreet <= 1.53.1 - Authenticated (Subscriber+) Information Disclosure
Published 2026-05-13 by Wordfence
Cost of Goods: Product Cost & Profit Calculator for WooCommerce <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published 2026-05-13 by Wordfence
Charitable <= 1.8.10.4 - Authenticated (Custom+) SQL Injection via 's' Search Parameter
Published 2026-05-13 by Wordfence
coreActivity: Activity Logging for WordPress <= 3.0 - Unauthenticated PHP Object Injection via 'user_agent' Log Meta Field
Published 2026-05-13 by Wordfence
Broadstreet <= 1.53.1 - Missing Authorization to Authenticated (Subscriber+) Advertiser Creation
Published 2026-05-13 by Wordfence
Cost Calculator Builder <= 4.0.1 - Unauthenticated Price Manipulation and Insecure Direct Object Reference
Published 2026-05-13 by Wordfence
SQL Injection Vulnerability
Published 2026-05-13 by CSA
Published 2026-05-13 by AMD
Post-authentication CPU utilization DoS via $trim/$ltrim/$rtrim operators
Published 2026-05-13 by mongodb
Post-authentication use-after-free error in $_internalJsEmit and mapreduce commands
Published 2026-05-13 by mongodb
Use-After-Free in MongoDB FLE Query Analysis When Processing Positional Projections on Encrypted Fields
Published 2026-05-13 by mongodb
Schema validation log messages may not redact user data
Published 2026-05-13 by mongodb
Post-auth memory exhaustion via bitwise match expressions
Published 2026-05-13 by mongodb
FlatBSON Duplicate Field Index Drift
Published 2026-05-12 by mongodb
Flowsint: Broken Access Control allows modification of investigation metadata from any user
Published 2026-05-12 by GitHub_M
Flowsint: Cypher query injection in node type on node creation
Published 2026-05-12 by GitHub_M
Flowsint: Stored XSS on map node marker in map page
Published 2026-05-12 by GitHub_M
Flowsint: Broken Access Control allows reading of sketch logs from any user
Published 2026-05-12 by GitHub_M
Kyverno: [policy-reporter-ui] XSS via Stored Property Values in PropertyCard Component
Published 2026-05-12 by GitHub_M
Warpgate: SSO CSRF -- State Token Not Validated on Return
Published 2026-05-12 by GitHub_M
GoJobs: Insecure Direct Object Reference (IDOR) in Job Retrieval Endpoint
Published 2026-05-12 by GitHub_M
Thymeleaf: Improper recognition of unauthorized syntax patterns in sandboxed Thymeleaf expressions
Published 2026-05-12 by GitHub_M
ChurchCRM: CSRF via legacy GET-delete pages (FundRaiserDelete.php, PropertyTypeDelete.php, NoteDelete.php)
Published 2026-05-12 by GitHub_M
ChurchCRM: Incomplete fix for CVE-2026-40582: public API login still bypasses 2FA and account lockout in ChurchCRM 7.2.2
Published 2026-05-12 by GitHub_M
Fuji Electric Tellus Exposed Dangerous Method or Function
Published 2026-05-12 by icscert
ChurchCRM: Incomplete fix for CVE-2026-39337: Unauthenticated RCE in Setup Wizard via unsanitized DB_PASSWORD
Published 2026-05-12 by GitHub_M
Published 2026-05-12 by apple
Advanced Custom Fields: Extended <= 0.9.2.3 - Unauthenticated Arbitrary Shortcode Execution
Published 2026-05-12 by Wordfence
Court Reservation – Manage Your Court Bookings Online <= 1.10.11 - Unauthenticated SQL Injection
Published 2026-05-12 by Wordfence
MonsterInsights <= 10.1.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure And Plugin Integration Reset
Published 2026-05-12 by Wordfence
ChurchCRM: Cross-Site Request Forgery (CSRF) Leading to Admin Privilege Escalation
Published 2026-05-12 by GitHub_M
PhpSpreadsheet: CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader
Published 2026-05-12 by GitHub_M
PhpSpreadsheet: CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions
Published 2026-05-12 by GitHub_M
arduino-esp32: Stack buffer overflow in WebServer multipart boundary parsing leads to remote crash and potential RCE
Published 2026-05-12 by GitHub_M
arduino-esp32: Digest authentication URI mismatch bypass in WebServer allows cross-resource replay attack
Published 2026-05-12 by GitHub_M
Mako: Path traversal via backslash URI on Windows in TemplateLookup
Published 2026-05-12 by GitHub_M
Granian: DoS via WSGI response header panic
Published 2026-05-12 by GitHub_M
Granian: Unauthenticated DoS via WebSocket subprotocol header panic
Published 2026-05-12 by GitHub_M
Grav: Low-privileged API users can create super-admin accounts via blueprint-upload
Published 2026-05-12 by GitHub_M
ModSecurity: Unsigned integer underflow in @verifySSN / @verifyCPF / @verifySVNR operators
Published 2026-05-12 by GitHub_M
Hugo: Node tool execution allows file system access outside the project directory
Published 2026-05-12 by GitHub_M
Linux ksmbd Remote Memory Corruption via ACL Inheritance
Published 2026-05-12 by VulnCheck
Snappier: Infinite loop in SnappyStream decompression on malformed framed input
Published 2026-05-12 by GitHub_M
Statamic: Email enumeration via forgot password endpoint
Published 2026-05-12 by GitHub_M
Lemur: LDAP TLS certificate verification globally disabled enables credential interception
Published 2026-05-12 by GitHub_M
Lemur: LDAP Filter Injection enables post-authentication privilege escalation
Published 2026-05-12 by GitHub_M
mosparo: Rule package source URL stored SSRF enables internal HTTP probing
Published 2026-05-12 by GitHub_M
Micronaut Framework: Unbounded formattersCache in TimeConverterRegistrar Allows Memory Exhaustion via Accept-Language Header
Published 2026-05-12 by GitHub_M
Heym < 0.0.21 Sandbox Escape via Python Introspection
Published 2026-05-12 by VulnCheck
Micronaut Framework: Unbounded bundleCache in ResourceBundleMessageSource Allows Memory Exhaustion via Accept-Language Header
Published 2026-05-12 by GitHub_M
Heym < 0.0.21 Authorization Bypass in Workflow Execution
Published 2026-05-12 by VulnCheck
efw4.X: readonly Flag Not Enforced Server-Side
Published 2026-05-12 by GitHub_M
Heym < 0.0.21 Path Traversal File Upload via upload_file()
Published 2026-05-12 by VulnCheck
efw4.X: Stored XSS via previewServlet
Published 2026-05-12 by GitHub_M
efw4.X: RCE via zipslip
Published 2026-05-12 by GitHub_M
Authenticated Command Injection Vulnerabilities in Command Line Interface (CLI) Service Accessed by PAPI Protocol of AOS-8 and AOS-10 Operating Systems
Published 2026-05-12 by hpe
efw4.X: Path Traversal via Unchecked dst Parameter leads to Remote Code Execution
Published 2026-05-12 by GitHub_M
Subnet Solutions PowerSYSTEM Center Incorrect Authorization
Published 2026-05-12 by icscert
Subnet Solutions PowerSYSTEM Center Incorrect Authorization
Published 2026-05-12 by icscert
django-s3file: Relative path traversal
Published 2026-05-12 by GitHub_M
Scramble: Remote code execution via evaluation of user-controlled input in validation rules
Published 2026-05-12 by GitHub_M
Deskflow: TLS multiplexer DoS on failed `SSL_accept`
Published 2026-05-12 by GitHub_M
Nginx UI: Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware Allows Access to Internal Services
Published 2026-05-12 by GitHub_M
Subnet Solutions PowerSYSTEM Center Incorrect Authorization
Published 2026-05-12 by icscert
wger: cross-tenant password reset and plaintext disclosure via gym=None bypass
Published 2026-05-12 by GitHub_M
Wing FTP Server 8.1.2 Authenticated Remote Code Execution via Session Serialization
Published 2026-05-12 by VulnCheck
nnU-Net: Agentic workflow injection in `.github/workflows/issue-triage.yml` of `MIC-DKFZ/nnUNet`
Published 2026-05-12 by GitHub_M
basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
Published 2026-05-12 by GitHub_M
Wiki.js: Privilege Escalation via Missing Group Validation in users.update
Published 2026-05-12 by GitHub_M
dssrf: every IPv6 category bypasses is_url_safe
Published 2026-05-12 by GitHub_M
Out-of-bounds read in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share
Published 2026-05-12 by icscert
Out-of-bounds read in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share
Published 2026-05-12 by icscert
Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior
Published 2026-05-12 by GitHub_M
Out-of-bounds write in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share
Published 2026-05-12 by icscert
Subnet Solutions PowerSYSTEM Center CRLF injection
Published 2026-05-12 by icscert
Craft CMS: Missing Volume Permission Check in AssetsController::actionShowInFolder Allows Information Disclosure
Published 2026-05-12 by GitHub_M
Craft CMS: Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure
Published 2026-05-12 by GitHub_M
CAI Content Credentials | Integer Underflow (Wrap or Wraparound) (CWE-191)
Published 2026-05-12 by adobe
CAI Content Credentials | Integer Overflow or Wraparound (CWE-190)
Published 2026-05-12 by adobe
CAI Content Credentials | Improper Input Validation (CWE-20)
Published 2026-05-12 by adobe
CAI Content Credentials | Uncontrolled Resource Consumption (CWE-400)
Published 2026-05-12 by adobe
CAI Content Credentials | Improper Input Validation (CWE-20)
Published 2026-05-12 by adobe
CAI Content Credentials | Integer Overflow or Wraparound (CWE-190)
Published 2026-05-12 by adobe
CAI Content Credentials | Improper Input Validation (CWE-20)
Published 2026-05-12 by adobe
CAI Content Credentials | Uncontrolled Resource Consumption (CWE-400)
Published 2026-05-12 by adobe
CAI Content Credentials | Integer Underflow (Wrap or Wraparound) (CWE-191)
Published 2026-05-12 by adobe
CAI Content Credentials | Uncontrolled Resource Consumption (CWE-400)
Published 2026-05-12 by adobe
CAI Content Credentials | Improper Input Validation (CWE-20)
Published 2026-05-12 by adobe
CAI Content Credentials | Improper Input Validation (CWE-20)
Published 2026-05-12 by adobe
CAI Content Credentials | Improper Input Validation (CWE-20)
Published 2026-05-12 by adobe
CAI Content Credentials | Uncontrolled Resource Consumption (CWE-400)
Published 2026-05-12 by adobe
Pulpy: Incomplete filesystem sandbox in pulpy.fs bridge allows packaged web apps to read arbitrary user files
Published 2026-05-12 by GitHub_M
vLLM: extract_hidden_states speculative decoding crashes server on any request with penalty parameters
Published 2026-05-12 by GitHub_M
vLLM: Remote DoS via Special-Token Placeholders
Published 2026-05-12 by GitHub_M
ArcadeDB: Cross-database authorization bypass and unsecured newly-created databases
Published 2026-05-12 by GitHub_M
sse-channel: SSE Injection via unsanitized event fields
Published 2026-05-12 by GitHub_M
Adobe Commerce | Improper Authorization (CWE-285)
Published 2026-05-12 by adobe
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
Published 2026-05-12 by adobe
Adobe Commerce | Uncontrolled Resource Consumption (CWE-400)
Published 2026-05-12 by adobe
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
Published 2026-05-12 by adobe
Adobe Commerce | Server-Side Request Forgery (SSRF) (CWE-918)
Published 2026-05-12 by adobe
Adobe Commerce | Improper Input Validation (CWE-20)
Published 2026-05-12 by adobe
Adobe Commerce | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Published 2026-05-12 by adobe
Adobe Commerce | Dependency on Vulnerable Third-Party Component (CWE-1395)
Published 2026-05-12 by adobe
Adobe Commerce | Incorrect Authorization (CWE-863)
Published 2026-05-12 by adobe
Adobe Commerce | Uncontrolled Resource Consumption (CWE-400)
Published 2026-05-12 by adobe
Adobe Commerce | Uncontrolled Resource Consumption (CWE-400)
Published 2026-05-12 by adobe
Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)
Published 2026-05-12 by adobe
Adobe Commerce | Dependency on Vulnerable Third-Party Component (CWE-1395)
Published 2026-05-12 by adobe
Adobe Commerce | Uncontrolled Resource Consumption (CWE-400)
Published 2026-05-12 by adobe
Adobe Commerce | Incorrect Authorization (CWE-863)
Published 2026-05-12 by adobe
ip-address: XSS in Address6 HTML-emitting methods
Published 2026-05-12 by GitHub_M
ciguard: SCA HTTP client reads response body without size cap
Published 2026-05-12 by GitHub_M
ciguard: Container image runs as root (no USER directive)
Published 2026-05-12 by GitHub_M
ciguard: discover_pipeline_files follows symlinks out of scan root
Published 2026-05-12 by GitHub_M
Relay Server WebSocket authentication bypass when token is omitted
Published 2026-05-12 by GitHub_M
After Effects | Stack-based Buffer Overflow (CWE-121)
Published 2026-05-12 by adobe
NanaZip: Heap out-of-bounds write in NanaZip UFS directory parser
Published 2026-05-12 by GitHub_M
NanaZip: Uncontrolled recursion in NanaZip UFS directory traversal causes stack exhaustion
Published 2026-05-12 by GitHub_M
NanaZip: Unbounded resource consumption in NanaZip littlefs parser via attacker-controlled BlockCount
Published 2026-05-12 by GitHub_M
NanaZip: Integer divide-by-zero in NanaZip UFS inode offset calculation
Published 2026-05-12 by GitHub_M
NanaZip: Null-pointer dereference in NanaZip UFS parser when root inode is a symlink
Published 2026-05-12 by GitHub_M
NanaZip: Uncontrolled recursion in NanaZip Electron ASAR parser causes stack exhaustion
Published 2026-05-12 by GitHub_M
Insufficient Session Invalidation on User Account Deactivation in AOS-8 Operating System
Published 2026-05-12 by hpe
NanaZip: Stack out-of-bounds read in NanaZip ZealFS bitmap parser
Published 2026-05-12 by GitHub_M
Authenticated Arbitrary File Download via AOS-10 Web-Based Management Interface
Published 2026-05-12 by hpe
Authenticated Arbitrary File Upload via Command Injection in AOS-8 and AOS-10 Web-Based Management Interface
Published 2026-05-12 by hpe
Authenticated Command Injection Vulnerabilities in Command Line Interface (CLI) Service Accessed by PAPI Protocol of AOS-8 and AOS-10 Operating Systems
Published 2026-05-12 by hpe
Authenticated Command Injection Vulnerabilities in the Web-Based Management Interface of AOS-8 and AOS-10
Published 2026-05-12 by hpe
Authenticated Command Injection Vulnerabilities in the Web-Based Management Interface of AOS-8 and AOS-10
Published 2026-05-12 by hpe
Authenticated Command Injection Vulnerabilities in the Web-Based Management Interface of AOS-8 and AOS-10
Published 2026-05-12 by hpe
Authenticated Command Injection Vulnerabilities in the Web-Based Management Interface of AOS-8 and AOS-10
Published 2026-05-12 by hpe
OpenTelemetry.Exporter.OpenTelemetryProtocol: Disk retry default temp path enables local blob injection for OTLP Exporter
Published 2026-05-12 by GitHub_M
Authenticated Command Injection Vulnerabilities in the Web-Based Management Interface of AOS-8 and AOS-10
Published 2026-05-12 by hpe
Authenticated Remote Code Execution via SQL Injection in AOS-8 and AOS-10 Operating Systems
Published 2026-05-12 by hpe
Nomad vulnerable to path traversal in dynamic host volume which may lead to code execution
Published 2026-05-12 by HashiCorp
Authenticated Remote Code Execution via SQL Injection in AOS-8 and AOS-10 Operating Systems
Published 2026-05-12 by hpe
Nomad's exec2 task driver vulnerable to arbitrary file read/write on client host through symlink attack
Published 2026-05-12 by HashiCorp
Authenticated Remote Code Execution via SQL Injection in AOS-8 and AOS-10 Operating Systems
Published 2026-05-12 by hpe
Authenticated Remote Code Execution via SQL Injection in AOS-8 and AOS-10 Operating Systems
Published 2026-05-12 by hpe
Authenticated Remote Code Execution via SQL Injection in AOS-8 and AOS-10 Operating Systems
Published 2026-05-12 by hpe
Authenticated Stack-Based Buffer Overflow in PAPI Services
Published 2026-05-12 by hpe
Authenticated Stack-Based Buffer Overflow in PAPI Services
Published 2026-05-12 by hpe
Authenticated Stack-Based Buffer Overflow in PAPI Services
Published 2026-05-12 by hpe
Authenticated Stack-Based Buffer Overflow in PAPI Services
Published 2026-05-12 by hpe
Authenticated Stack-Based Buffer Overflow in PAPI Services
Published 2026-05-12 by hpe
Nomad vulnerable to arbitrary file read/write on client host through symlink attack
Published 2026-05-12 by HashiCorp
Authenticated Remote Code Execution via Arbitrary File Write in AOS-8 and AOS-10 Web-Based Management Interface
Published 2026-05-12 by hpe
Authenticated Remote Code Execution via Arbitrary File Write in AOS-8 and AOS-10 Web-Based Management Interface
Published 2026-05-12 by hpe
Authenticated Remote Code Execution via Arbitrary File Overwrite in the AOS-8 and AOS-10 Web-Based Management Interface
Published 2026-05-12 by hpe
Unauthenticated Remote Code Execution via Heap Buffer Overflow in Network Management Service
Published 2026-05-12 by hpe
Unauthenticated Denial of Service in AOS-8 Network Management Service
Published 2026-05-12 by hpe
Unauthenticated Denial-of-Service via Crafted Messages in a Network Protocol Handling Component
Published 2026-05-12 by hpe
Unauthenticated Denial-of-Service via Crafted Messages in a Network Protocol Handling Component
Published 2026-05-12 by hpe
SPIP < 4.4.14 Remote Code Execution via nginx
Published 2026-05-12 by VulnCheck
Authenticated Command Injection leads to RCE in AOS-10 CLI Command
Published 2026-05-12 by hpe
Ops Manager RCE via webhook body
Published 2026-05-12 by mongodb
Unauthenticated XML External Entity Injection in AOS-8 Instant allows Denial of Service
Published 2026-05-12 by hpe
Inconsistent input filtering allows Authenticated Command Injection in AOS-10 CLI
Published 2026-05-12 by hpe
Adobe Connect | Deserialization of Untrusted Data (CWE-502)
Published 2026-05-12 by adobe
Adobe Connect | Incorrect Authorization (CWE-863)
Published 2026-05-12 by adobe
Inconsistent input filtering allows Authenticated Command Injection in AOS-8 Instant and AOS-10 CLI
Published 2026-05-12 by hpe
SPIP < 4.4.14 Remote Code Execution via Private Space
Published 2026-05-12 by VulnCheck
Error in SSID Processing allows Stored XSS in Web Management Interface
Published 2026-05-12 by hpe
Substance3D - Designer | Out-of-bounds Write (CWE-787)
Published 2026-05-12 by adobe
Substance3D - Designer | Out-of-bounds Write (CWE-787)
Published 2026-05-12 by adobe