Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10692 | Critical: 727 | High: 3080 | Medium: 3407

| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-8370 | UNKNOWN | — | Execution with unnecessary privileges vulnerability in Broadcom Automic Automation Agent Unix on Linux x64, Linux Power 64 BE, Linux Power 64 LE, zLinux (zSeries), AIX, … | May 19, 2026 |
| CVE-2026-8096 | MEDIUM | 6.5 | The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, … | May 19, 2026 |
| CVE-2026-8073 | HIGH | 7.5 | The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation … | May 19, 2026 |
| CVE-2026-41470 | MEDIUM | 5.9 | LIVE555 before 2026.04.22 contains an authorization bypass vulnerability in RTSP session command handling that allows attackers to replay valid Session tokens from unauthenticated connections. Attackers … | May 19, 2026 |
| CVE-2026-34154 | UNKNOWN | — | Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, a vulnerability in the discourse-subscriptions plugin allows users to gain … | May 19, 2026 |
| CVE-2026-33741 | MEDIUM | 6.8 | EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below allow authenticated users to upload SVG attachments through normal attachment-capable fields and … | May 19, 2026 |
| CVE-2026-33642 | CRITICAL | 9.9 | Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned … | May 19, 2026 |
| CVE-2026-33637 | NONE | — | Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override … | May 19, 2026 |
| CVE-2026-32738 | MEDIUM | 6.5 | libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 792-byte HEIF sequence file with samples_per_chunk=0 in … | May 19, 2026 |
| CVE-2026-8605 | UNKNOWN | — | In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin. | May 19, 2026 |
| CVE-2026-8604 | UNKNOWN | — | In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user … | May 19, 2026 |
| CVE-2026-8603 | UNKNOWN | — | In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system. | May 19, 2026 |
| CVE-2026-8602 | UNKNOWN | — | In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send HTTP GET requests to the SCADA … | May 19, 2026 |
| CVE-2026-6009 | UNKNOWN | — | Java Deserialisation Vulnerability in Jaspersoft Reports Library leads to Remote Code Execution (RCE), potentially allowing code execution on the affected system | May 19, 2026 |
| CVE-2026-47107 | HIGH | 8.1 | Windmill prior to 1.703.2 contains an incorrect default permissions vulnerability in nsjail sandbox configuration files where /etc is bind-mounted without read-write restrictions, allowing authenticated users … | May 19, 2026 |
| CVE-2026-33633 | HIGH | 7.5 | Kitty is a cross-platform GPU based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_data() that allows any process which can write … | May 19, 2026 |
| CVE-2026-32134 | MEDIUM | 5.9 | NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In versions 0.24.10 and below, when NanoMQ handles high-concurrency reconnect traffic using a reconnect-collision payload, … | May 19, 2026 |
| CVE-2025-61081 | HIGH | 7.5 | In BYD Atto3, an attacker can obtain an authentication key through a brute-force attack, which is permanently available. The authentication key enables flash to the … | May 19, 2026 |
| CVE-2026-5511 | UNKNOWN | — | In the web management interface of Archer AX72 (SG) v1, the network diagnostic feature improperly handles invalid user input, resulting in limited exposure of diagnostic … | May 19, 2026 |
| CVE-2026-47358 | HIGH | 7.5 | Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via external URL resolution in uploaded IaC templates when running in server mode. When … | May 19, 2026 |
| CVE-2026-47357 | HIGH | 7.5 | Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the remote_url parameter in the remote directory scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/remote/dir/scan) when running … | May 19, 2026 |
| CVE-2026-47356 | HIGH | 7.5 | Terrascan v1.18.3 and prior are vulnerable to Server-Side Request Forgery (SSRF) via the webhook_url parameter in the file scan endpoint (POST /v1/{iac}/{iacVersion}/{cloud}/local/file/scan) when running in … | May 19, 2026 |
| CVE-2026-36829 | CRITICAL | 9.8 | An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a … | May 19, 2026 |
| CVE-2026-36828 | HIGH | 8.8 | A command injection vulnerability exists in the /cgi-bin/tools/ajax_cmd endpoint of Panabit PAP-XM320 up to and including v7.7. The CGI component allows authenticated users to execute … | May 19, 2026 |
| CVE-2026-36827 | MEDIUM | 5.4 | A command injection vulnerability exists in Panabit PAP-XM320 up to and including V7.7. The web management interface invokes the backend helper /usr/sbin/pappiw and passes user-controlled … | May 19, 2026 |