CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 10692 | Critical: 727 | High: 3080 | Medium: 3407
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-42304 | HIGH | 7.5 | Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) … | May 13, 2026 |
| CVE-2026-39428 | MEDIUM | 4.8 | CubeCart is an ecommerce software solution. Prior to 6.6.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in CubeCart v6.x. An attacker with administrative privileges can … | May 13, 2026 |
| CVE-2026-39358 | HIGH | 7.2 | CubeCart is an ecommerce software solution. Prior to 6.6.0, Authenticated Time-Based Blind SQL Injection vulnerabilities were identified in the sorting parameters (sort[price], sort_activity, sort_admin, and … | May 13, 2026 |
| CVE-2026-21821 | HIGH | 8.3 | The HCL BigFix SCM Reporting site contains an outdated and unsupported version of the jQuery 1.x library. Since jQuery 1.x has reached end-of-life and no … | May 13, 2026 |
| CVE-2025-27853 | HIGH | 7.3 | The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed. The WDU web site only … | May 13, 2026 |
| CVE-2025-27852 | MEDIUM | 5.0 | The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a reflected cross site scripting (XSS) attack. This allows an … | May 13, 2026 |
| CVE-2025-27851 | CRITICAL | 9.3 | The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a cross-site origin WebSocket hijacking attack. Among other uses, the … | May 13, 2026 |
| CVE-2025-27850 | HIGH | 7.5 | The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack. If a malicious graphics package containing symlinks … | May 13, 2026 |
| CVE-2026-44364 | UNKNOWN | — | MISP modules are autonomous modules that can be used to extend MISP for new services. In 3.0.7 and earlier, a Cross-Site Request Forgery vulnerability in … | May 13, 2026 |
| CVE-2026-44363 | UNKNOWN | — | MISP modules are autonomous modules that can be used to extend MISP for new services. Prior to 3.0.7, an unsafe remote resource fetching vulnerability existed … | May 13, 2026 |
| CVE-2026-44351 | CRITICAL | 9.1 | fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to … | May 13, 2026 |
| CVE-2026-42552 | HIGH | 7.5 | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exception code, and stack trace … | May 13, 2026 |
| CVE-2026-42551 | HIGH | 7.5 | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter on any HTTP verb (including … | May 13, 2026 |
| CVE-2026-42550 | HIGH | 8.8 | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the keys … | May 13, 2026 |
| CVE-2026-42549 | MEDIUM | 4.4 | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir(..., recursive: true) on a path built from the user-supplied … | May 13, 2026 |
| CVE-2026-42548 | UNKNOWN | — | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp() concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating that … | May 13, 2026 |
| CVE-2026-33381 | MEDIUM | 5.9 | When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds … | May 13, 2026 |
| CVE-2026-33380 | MEDIUM | 6.3 | A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle … | May 13, 2026 |
| CVE-2026-33378 | MEDIUM | 6.5 | Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to … | May 13, 2026 |
| CVE-2026-33377 | HIGH | 7.1 | An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the … | May 13, 2026 |
| CVE-2026-33376 | HIGH | 7.4 | When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate … | May 13, 2026 |
| CVE-2026-28383 | MEDIUM | 6.5 | A request to the Grafana plugin resources endpoint can cause unbounded memory allocation by reading the entire request body into memory. An authenticated user can … | May 13, 2026 |
| CVE-2026-28380 | MEDIUM | 6.5 | Any Editor could delete any snapshot, even if they have no access to read or write them. | May 13, 2026 |
| CVE-2026-28379 | MEDIUM | 6.5 | A race condition in Grafana Live allows authenticated users with Viewer role to trigger a server crash by sending concurrent requests that cause a fatal … | May 13, 2026 |
| CVE-2026-28376 | MEDIUM | 6.5 | The Grafana Live push endpoint can be exploited to cause unbounded memory allocation by sending a large or streaming request body, potentially leading to out-of-memory … | May 13, 2026 |