Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10692 · Critical: 727 · High: 3080 · Medium: 3407
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-42463 | UNKNOWN | — | SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. Prior to 1.8.0, SQLBot contains a Cross-Workspace IDOR (Insecure Direct Object Reference) … | May 13, 2026 |
| CVE-2026-40328 | UNKNOWN | — | Rejected reason: This CVE is a duplicate of another CVE. | May 13, 2026 |
| CVE-2026-40327 | UNKNOWN | — | Rejected reason: This CVE is a duplicate of another CVE. | May 13, 2026 |
| CVE-2026-32993 | HIGH | 8.3 | Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows an unauthenticated attacker to inject arbitrary HTTP headers into the response. | May 13, 2026 |
| CVE-2026-32992 | HIGH | 8.2 | SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials. | May 13, 2026 |
| CVE-2026-29205 | HIGH | 8.6 | Incorrect privilege management and insufficient path filtering allow reading arbitrary files on the server via the cpdavd attachment download endpoints. | May 13, 2026 |
| CVE-2026-8328 | UNKNOWN | — | The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual … | May 13, 2026 |
| CVE-2026-45714 | CRITICAL | 9.1 | CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, … | May 13, 2026 |
| CVE-2026-45708 | HIGH | 7.2 | CubeCart is an ecommerce software solution. Prior to 6.7.3, an admin with documents edit permission can save raw <?php … ?> into the Invoice Editor. … | May 13, 2026 |
| CVE-2026-45229 | HIGH | 8.8 | Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an … | May 13, 2026 |
| CVE-2026-45228 | MEDIUM | 5.4 | Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders push_config key names using Vue.js's v-html … | May 13, 2026 |
| CVE-2026-45055 | HIGH | 8.1 | CubeCart is an ecommerce software solution. Prior to 6.7.2, CubeCart 6.6.x – 6.7.1 builds CC_STORE_URL directly from the Host request header at bootstrap, with no … | May 13, 2026 |
| CVE-2026-45054 | MEDIUM | 4.9 | CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page (admin.php?_g=orders&node=transactions) builds a raw ORDER BY SQL fragment from the attacker-controlled … | May 13, 2026 |
| CVE-2026-45053 | CRITICAL | 9.1 | CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint (POST /api/v1/files) … | May 13, 2026 |
| CVE-2026-44418 | UNKNOWN | — | EcclesiaCRM is CRM Software for church management. In 8.0.0 and earlier, the ValidateInput() function's default case in EcclesiaCRM's query view passes user-supplied POST parameters directly … | May 13, 2026 |
| CVE-2026-44381 | UNKNOWN | — | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters … | May 13, 2026 |
| CVE-2026-44380 | UNKNOWN | — | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed … | May 13, 2026 |
| CVE-2026-44379 | UNKNOWN | — | MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid … | May 13, 2026 |
| CVE-2026-44377 | CRITICAL | 9.1 | CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates … | May 13, 2026 |
| CVE-2026-44376 | MEDIUM | 6.1 | CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic … | May 13, 2026 |
| CVE-2026-44373 | MEDIUM | 5.3 | Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending percent-encoded path traversal (..%2f) in … | May 13, 2026 |
| CVE-2026-44372 | UNKNOWN | — | Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect … | May 13, 2026 |
| CVE-2026-44368 | UNKNOWN | — | PyQuorum is a cryptographic library for secret sharing and key management. Prior to 0.2.1, the mul_mod function implements multiplication via a binary expansion loop whose … | May 13, 2026 |
| CVE-2026-42602 | HIGH | 8.1 | azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure … | May 13, 2026 |
| CVE-2026-42561 | HIGH | 7.5 | Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing … | May 13, 2026 |
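The CVE-2026-8328 row above describes a fix that was applied to one PASV code path in ftplib but not to ftpcp(). The following is an added example, not ftplib's code and not the 2026 patch: it models the decision the patched makepasv() makes (the port comes from the server's 227 reply, the host does not unless the caller opts in) and shows the same check applied to the server-to-server pattern that ftpcp() uses. The substitute host being the control connection's peer address is taken from CPython's fix for CVE-2021-4189; the 227 reply strings, the peer address and the `fake_sendcmd` callable are constructed for this example.

```python
import re

# Added example (not ftplib's code). Models the check that the patched
# makepasv() performs and that the page says ftpcp() skipped: never open the
# data connection to a host the server named in its 227 reply unless the
# caller explicitly trusts the server for that.
# Assumption (from CPython's CVE-2021-4189 fix): the substitute host is the
# control connection's peer address, i.e. the host we already connected to.

_PASV_RE = re.compile(r'(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)')


def parse227(resp):
    """Parse a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    if not resp.startswith('227'):
        raise ValueError('expected a 227 reply, got %r' % resp)
    m = _PASV_RE.search(resp)
    if m is None:
        raise ValueError('no host/port tuple in 227 reply: %r' % resp)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError('octet out of range in 227 reply: %r' % resp)
    host = '.'.join(str(n) for n in nums[:4])
    port = (nums[4] << 8) + nums[5]
    if port == 0:
        raise ValueError('port 0 in 227 reply: %r' % resp)
    return host, port


def pasv_data_target(resp, control_peer_host, trust_server_pasv_ipv4_address=False):
    """Decide where the data connection goes after a PASV reply.

    The port always comes from the reply. The host only does when the
    caller explicitly trusts the server; otherwise it is the control peer,
    so a reply naming an internal or third-party address is ignored.
    """
    host, port = parse227(resp)
    if not trust_server_pasv_ipv4_address:
        host = control_peer_host
    return host, port


def server_to_server_target_unpatched(source_sendcmd):
    """The unpatched ftpcp() pattern: parse the 227 reply and use the host verbatim."""
    return parse227(source_sendcmd('PASV'))


def server_to_server_target_hardened(source_sendcmd, source_peer_host):
    """Same pattern routed through the check the patched makepasv() applies."""
    return pasv_data_target(source_sendcmd('PASV'), source_peer_host)


# Constructed inputs for this example: we connected to 203.0.113.5, but its
# 227 reply names an internal address, 10.0.0.99 port 1025 (4*256 + 1).
CONTROL_PEER = '203.0.113.5'
MALICIOUS_227 = '227 Entering Passive Mode (10,0,0,99,4,1)'


def fake_sendcmd(cmd):
    """Stand-in for FTP.sendcmd on the source connection (constructed)."""
    assert cmd == 'PASV'
    return MALICIOUS_227


if __name__ == '__main__':
    print('unpatched:', server_to_server_target_unpatched(fake_sendcmd))
    print('hardened: ', server_to_server_target_hardened(fake_sendcmd, CONTROL_PEER))
```

The practical check when auditing a client: grep for every place a 227 reply is parsed, not just the one named in the original advisory, since each caller that reads the host out of the reply itself is a separate instance of the same bug.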
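The CVE-2026-44373 row above describes a proxy route rule bypassed by a percent-encoded traversal (`..%2f`). The following is an added example, not Nitro's code and not its fix: it contrasts a rule that matches on the raw request path with one that decides on the decoded, normalized path and also requires a segment boundary after the prefix. The prefix `/proxy`, the `canonical_path` and `matches_rule_*` helpers and the sample paths are constructed for this example.

```python
import posixpath
from urllib.parse import unquote

# Added example (not Nitro's code). A rule that checks the raw path still sees
# '/proxy/...' at the front of '/proxy/..%2fadmin/users', but once the path is
# decoded and '..' segments are collapsed it is really '/admin/users'.


def matches_rule_raw(raw_path, prefix):
    """Naive rule: textual prefix match on the path exactly as received."""
    return raw_path.startswith(prefix)


def canonical_path(raw_path, max_decode_rounds=2):
    """Percent-decode (a bounded number of rounds, to catch double encoding),
    fold backslashes to slashes, and collapse '.' and '..' segments.
    posixpath.normpath clamps traversal above '/' to '/'."""
    path = raw_path.split('?', 1)[0].split('#', 1)[0]
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace('\\', '/')
    if not path.startswith('/'):
        path = '/' + path
    norm = posixpath.normpath(path)
    if norm.startswith('//'):          # POSIX normpath keeps exactly two leading slashes
        norm = '/' + norm.lstrip('/')
    if path.endswith('/') and not norm.endswith('/') and norm != '/':
        norm += '/'
    return norm


def matches_rule_canonical(raw_path, prefix):
    """Hardened rule: decide on the canonical path and require that it is
    still under the prefix at a segment boundary (so '/proxyadmin' does not
    match the rule for '/proxy')."""
    norm = canonical_path(raw_path)
    base = prefix.rstrip('/')
    return norm == base or norm.startswith(base + '/')


# Constructed requests for this example, not taken from the advisory.
PROXY_PREFIX = '/proxy'
CASES = [
    '/proxy/files/report.pdf',      # legitimate
    '/proxy/..%2fadmin/users',      # the encoded-slash traversal from the row above
    '/proxy/%2e%2e/admin/users',    # encoded dots instead of the slash
    '/proxy/..%252fadmin/users',    # double-encoded slash
    '/proxy/sub/../files/x',        # traversal that stays inside the prefix
    '/proxyadmin/secret',           # prefix match without a segment boundary
]


def evaluate(cases=CASES, prefix=PROXY_PREFIX):
    """Map each raw path to (raw rule matched, canonical rule matched)."""
    return {p: (matches_rule_raw(p, prefix), matches_rule_canonical(p, prefix))
            for p in cases}


if __name__ == '__main__':
    for path, (raw, canon) in evaluate().items():
        print(f'{path:32} raw={raw!s:5} canonical={canon}')
```

The caveat a practitioner wants here: the proxy must normalize the way the upstream will, so the number of decode rounds and the treatment of backslashes should match the backend's behaviour, otherwise the two components disagree about which resource a request names and a different bypass appears.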
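The CVE-2026-32993 row above describes an HTTP header injection through an unsanitized query parameter. The following is an added example, not the affected product's code: it models an error endpoint that copies the `status` parameter into a response header, shows the extra headers an attacker obtains by embedding CR/LF, and pairs it with a validator that rejects such values. The header name `X-Error-Status`, the `render_*` and `parse_headers` helpers and the payload are assumptions constructed for this example; the advisory excerpt does not say which header the parameter reaches.

```python
from urllib.parse import unquote

# Added example (not the product's code). The response is built as a raw
# string here so the injected line breaks are visible; real frameworks hide
# this behind a header API, which is exactly where a CR/LF check belongs.


class HeaderInjection(ValueError):
    """Raised when a value could not be placed in a header line verbatim."""


def render_unsafe(status):
    """Vulnerable: the query value is interpolated into a header line as-is."""
    return (
        'HTTP/1.1 200 OK\r\n'
        f'X-Error-Status: {status}\r\n'
        'Content-Type: text/plain\r\n'
        'Content-Length: 0\r\n'
        '\r\n'
    )


def sanitize_header_value(value):
    """Reject, rather than strip, anything that could end the header line.

    Stripping CR/LF silently still leaves the attacker controlling the rest of
    the value; refusing the request is the conservative choice.
    """
    if any(ch in value for ch in '\r\n\x00'):
        raise HeaderInjection('control characters in header value')
    if not all(0x20 <= ord(ch) < 0x7f for ch in value):
        raise HeaderInjection('non-printable or non-ASCII byte in header value')
    return value


def render_safe(status):
    """Hardened: validate the value before it reaches the header line."""
    return render_unsafe(sanitize_header_value(status))


def parse_headers(raw_response):
    """Split a raw HTTP response into its (name, value) header pairs."""
    head = raw_response.split('\r\n\r\n', 1)[0]
    pairs = []
    for line in head.split('\r\n')[1:]:
        name, _, value = line.partition(':')
        pairs.append((name.strip(), value.strip()))
    return pairs


def header_names(raw_response):
    return [name for name, _ in parse_headers(raw_response)]


# Constructed payload as it would arrive in the query string: a harmless-looking
# status followed by an encoded CR LF and an attacker-chosen Set-Cookie line.
RAW_QUERY_VALUE = 'ok%0d%0aSet-Cookie:%20session=attacker%0d%0aX-Injected:%201'
PAYLOAD = unquote(RAW_QUERY_VALUE)


if __name__ == '__main__':
    print('unsafe headers:', header_names(render_unsafe(PAYLOAD)))
    try:
        render_safe(PAYLOAD)
    except HeaderInjection as exc:
        print('safe rejected:', exc)
```

When reviewing a similar endpoint, check both directions: whether the framework's own header API already refuses CR/LF (most current ones do), and whether any code path writes the status line or headers to the socket directly and so bypasses that check.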