CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Summary: 10692 total CVEs (727 Critical, 3080 High, 3407 Medium).
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-6354 | UNKNOWN | — | Rejected reason: Voluntarily withdrawn | May 19, 2026 |
| CVE-2026-47323 | UNKNOWN | — | Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in … | May 19, 2026 |
| CVE-2026-43633 | CRITICAL | 10.0 | HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that … | May 19, 2026 |
| CVE-2026-42100 | UNKNOWN | — | Improper Handling of Syntactically Invalid Structure in Sparx Pro Cloud Server allows Denial of Service (DoS) attack to be executed by sending a specially crafted … | May 19, 2026 |
| CVE-2026-42099 | UNKNOWN | — | Sparx Pro Cloud Server is vulnerable to a Race Condition in the /data_api/dl_internal_artifact.php endpoint. The application downloads the properties of the object pointed by guid … | May 19, 2026 |
| CVE-2026-42098 | UNKNOWN | — | Sparx Enterprise Architect software has a security feature that limits user's actions to those specified in the role. An authenticated attacker can modify the Enterprise … | May 19, 2026 |
| CVE-2026-42097 | UNKNOWN | — | Sparx Pro Cloud Server requires authentication based on requested URL. An attacker can omit the "model" query parameter and send the model name only in … | May 19, 2026 |
| CVE-2026-42096 | UNKNOWN | — | Sparx Pro Cloud Server is vulnerable to Broken Access Control within communication with the database. Due to lack of permission checks, any low privileged user … | May 19, 2026 |
| CVE-2026-23558 | HIGH | 7.8 | The adjustments made for XSA-379 as well as those subsequently becoming XSA-387 still left a race window, when a HVM or PVH guest does a … | May 19, 2026 |
| CVE-2026-23557 | MEDIUM | 6.5 | Any guest can cause xenstored to crash by issuing a XS_RESET_WATCHES command within a transaction due to an assert() triggering. In case xenstored was built … | May 19, 2026 |
| CVE-2025-40904 | MEDIUM | 6.5 | A Stored HTML Injection vulnerability was discovered in the Smart Polling functionality due to improper validation of an input parameter. An authenticated user with limited … | May 19, 2026 |
| CVE-2025-40903 | MEDIUM | 5.9 | A Stored HTML Injection vulnerability was discovered in the Schedule Restore Archive functionality due to improper validation of an input parameter. An authenticated user with … | May 19, 2026 |
| CVE-2025-40902 | MEDIUM | 5.9 | A Stored HTML Injection vulnerability was discovered in the Users functionality due to improper validation of an input parameter. An authenticated user with administrative privileges … | May 19, 2026 |
| CVE-2025-40901 | MEDIUM | 5.9 | A Stored HTML Injection vulnerability was discovered in the Credentials Manager functionality due to improper validation of an input parameter. An authenticated user with administrative … | May 19, 2026 |
| CVE-2025-40900 | MEDIUM | 4.6 | An Angular template injection vulnerability was discovered in the Reports functionality due to improper validation of an input parameter. An authenticated user with report privileges … | May 19, 2026 |
| CVE-2025-14575 | UNKNOWN | — | An Uncontrolled Search Path Element vulnerability in the OpenSSL TLS backend of Qt Network (qtbase) in Qt Qt Framework (Unix) allows a local attacker to … | May 19, 2026 |
| CVE-2026-8912 | HIGH | 7.5 | The Contest Gallery plugin for WordPress is vulnerable to SQL Injection via the 'form_input' parameter in versions up to, and including, 28.1.6. This is due … | May 19, 2026 |
| CVE-2026-4883 | CRITICAL | 9.8 | The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'piotnetforms_ajax_form_builder' function in all versions … | May 19, 2026 |
| CVE-2026-7860 | UNKNOWN | — | A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build … | May 19, 2026 |
| CVE-2026-7571 | HIGH | 7.1 | A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable … | May 19, 2026 |
| CVE-2026-7507 | HIGH | 7.5 | A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a … | May 19, 2026 |
| CVE-2026-7504 | HIGH | 8.1 | A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users … | May 19, 2026 |
| CVE-2026-7307 | HIGH | 7.5 | A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. … | May 19, 2026 |
| CVE-2026-4630 | MEDIUM | 6.8 | A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. … | May 19, 2026 |
| CVE-2026-45442 | MEDIUM | 4.3 | Missing Authorization vulnerability in Brainstorm Force Presto Player allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Presto Player: from n/a through 4.1.3. | May 19, 2026 |