
Live CVE Feed
Curated from global sources like ENISA EUVD and CVE Details
- CVE-2026-8242 - Industrial Application Software IAS Canias ERP Login RMI doAction response discrepancy
  CVE ID: CVE-2026-8242 | Published: May 10, 2026, 8:15 a.m. (34 minutes ago)
  Description: A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. The impacted element is the function doAction of the component Login RMI Interface. Performing a manipulation results in an observable response discrepancy. The attack can be carried out remotely. A high degree of complexity is needed for the attack, and exploitability is regarded as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
  Severity: 0.0 | NA. Visit the link for more details, such as CVSS details, affected products, timeline, and more.
- CVE-2026-8241 - Industrial Application Software IAS Canias ERP RMI iasGetServerInfoEvent improper authorization
  CVE ID: CVE-2026-8241 | Published: May 10, 2026, 7:45 a.m. (1 hour, 4 minutes ago)
  Description: A vulnerability has been found in Industrial Application Software IAS Canias ERP 8.03. The affected element is the function iasGetServerInfoEvent of the component RMI Interface. Such manipulation leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  Severity: 0.0 | NA. Visit the link for more details, such as CVSS details, affected products, timeline, and more.
- CVE-2026-8234 - EFM ipTIME A8004T WifiBasicSet formWifiBasicSet stack-based overflow
  CVE ID: CVE-2026-8234 | Published: May 10, 2026, 7:16 a.m. (1 hour, 33 minutes ago)
  Description: A security vulnerability has been detected in EFM ipTIME A8004T 14.18.2. This vulnerability affects the function formWifiBasicSet of the file /goform/WifiBasicSet. The manipulation of the argument security_5g leads to a stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  Severity: 9.0 | HIGH. Visit the link for more details, such as CVSS details, affected products, timeline, and more.
- CVE-2026-8235 - 8421bit MiniClaw System kernel.ts resolveSkillScriptPath os command injection
  CVE ID: CVE-2026-8235 | Published: May 10, 2026, 7:16 a.m. (1 hour, 33 minutes ago)
  Description: A vulnerability was detected in 8421bit MiniClaw 0.8.0/0.9.0. This issue affects the function resolveSkillScriptPath of the file src/kernel.ts of the component System Command Handler. The manipulation results in OS command injection. The exploit is now public and may be used. The patch is identified as 223c16a1088e138838dcbd18cd65a37c35ac5a84. It is best practice to apply a patch to resolve this issue.
  Severity: 5.5 | MEDIUM. Visit the link for more details, such as CVSS details, affected products, timeline, and more.
- CVE-2026-45186 - Apache libexpat XML Denial of Service
  CVE ID: CVE-2026-45186 | Published: May 10, 2026, 7:16 a.m. (1 hour, 33 minutes ago)
  Description: In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.
  Severity: 2.9 | LOW. Visit the link for more details, such as CVSS details, affected products, timeline, and more.
- CVE-2026-7263 - DoS attack via DOMNode::C14N()
  CVE ID: CVE-2026-7263 | Published: May 10, 2026, 6:16 a.m. (2 hours, 33 minutes ago)
  Description: In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, the DOMNode::C14N() method may process the XML data incorrectly, creating a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter an infinite loop, causing denial of service in the processing application.
  Severity: 6.3 | MEDIUM. Visit the link for more details, such as CVSS details, affected products, timeline, and more.
- CVE-2026-8231 - CodeAstro Online Catering Ordering System deleteorder.php sql injection
  CVE ID: CVE-2026-8231 | Published: May 10, 2026, 6:16 a.m. (2 hours, 33 minutes ago)
  Description: A vulnerability has been found in CodeAstro Online Catering Ordering System 1.0. This affects an unknown function of the file /deleteorder.php. The manipulation of the argument ID leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used.
  Severity: 6.5 | MEDIUM. Visit the link for more details, such as CVSS details, affected products, timeline, and more.
- CVE-2026-8232 - Dotouch XproUPF UPF Process libvlib.so vlib_worker_loop denial of service
  CVE ID: CVE-2026-8232 | Published: May 10, 2026, 6:16 a.m. (2 hours, 33 minutes ago)
  Description: A vulnerability was found in Dotouch XproUPF 2.0.0-release-088aa7c4. This impacts the function vlib_worker_loop in the library /usr/xpro/upf/tools/libs/libvlib.so of the component UPF Process. The manipulation results in denial of service. The vendor was contacted early about this disclosure.
  Severity: 5.1 | MEDIUM. Visit the link for more details, such as CVSS details, affected products, timeline, and more.
- CVE-2026-8233 - Dotouch XproUPF access control
  CVE ID: CVE-2026-8233 | Published: May 10, 2026, 6:16 a.m. (2 hours, 33 minutes ago)
  Description: A vulnerability was determined in Dotouch XproUPF 2.0.0-release-088aa7c4. Affected is an unknown function of the component UPF. This manipulation causes improper access controls. A high degree of complexity is needed for the attack, and exploitability is regarded as difficult. The vendor was contacted early about this disclosure.
  Severity: 4.6 | MEDIUM. Visit the link for more details, such as CVSS details, affected products, timeline, and more.
- CVE-2026-6104 - Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding
  CVE ID: CVE-2026-6104 | Published: May 10, 2026, 6:16 a.m. (2 hours, 33 minutes ago)
  Description: In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that a return value of 0 from strncasecmp() means the strings have the same length. This can lead to an out-of-bounds read of global memory, potentially causing a crash or information disclosure. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
  Severity: 6.3 | MEDIUM. Visit the link for more details, such as CVSS details, affected products, timeline, and more.
- New cPanel and WHM Flaws Enable Code Execution, DoS Attacks (May 10, 2026 at 5:25 am)
  cPanel has disclosed three critical security vulnerabilities tracked as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203 affecting its widely deployed cPanel & WHM web hosting control panel and WP S ... Read more. Published: May 10, 2026 (2 hours, 35 minutes ago). Vulnerabilities mentioned in this article: CVE-2026-29203, CVE-2026-29202, CVE-2026-29201, CVE-2026-41940.
- cPanel, WHM Release Fixes for Three New Vulnerabilities, Patch Now (May 9, 2026 at 7:16 am)
  Ravie Lakshmanan, May 09, 2026, Vulnerability / Web Hosting. cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could be exploited to achieve privilege ... Read more. Published: May 09, 2026 (1 day ago). Vulnerabilities mentioned in this article: CVE-2026-29203, CVE-2026-29202, CVE-2026-29201, CVE-2026-41940, CVE-2026-33626, CVE-2026-32202, CVE-2026-3854.
- Critical Microsoft 365 Copilot Vulnerabilities Expose Sensitive Information (May 9, 2026 at 2:34 am)
  Microsoft has disclosed and fully remediated three critical information disclosure vulnerabilities affecting Microsoft 365 Copilot and Copilot Chat in Microsoft Edge, all released on May 7, 2026, requ ... Read more. Published: May 09, 2026 (1 day, 5 hours ago). Vulnerabilities mentioned in this article: CVE-2026-33111, CVE-2026-26164, CVE-2026-26129.
- Exploited in the Wild: “Dirty Frag” Linux Vulnerability Grants Instant Root Access (May 9, 2026 at 1:45 am)
  The Linux ecosystem is facing a severe new security challenge that demands immediate attention from everyone, whether you are a junior system administrator managing a handful of servers or a CISO over ... Read more. Published: May 09, 2026 (1 day, 6 hours ago).
- Microsoft patches critical Copilot flaws that could enable data theft (May 8, 2026 at 1:54 pm)
  Microsoft has fixed multiple critical vulnerabilities in its Copilot chatbot through which attackers could have stolen information. "Information disclosure" security flaws are generally ... Read more. Published: May 08, 2026 (1 day, 18 hours ago). Vulnerabilities mentioned in this article: CVE-2026-33111, CVE-2026-26164, CVE-2026-26129.
- The Good, the Bad and the Ugly in Cybersecurity – Week 19 (May 8, 2026 at 1:00 pm)
  The Good | Courts Sentence Karakurt Ransomware Negotiator & Two DPRK IT Worker Scheme Facilitators. Federal authorities have successfully secured a nearly nine-year prison sentence for Deniss Zolotarjo ... Read more. Published: May 08, 2026 (1 day, 19 hours ago). Vulnerabilities mentioned in this article: CVE-2026-0300.
- Critical Sandboxie Escape Flaws Grant Total SYSTEM Takeover (May 8, 2026 at 12:42 pm)
  For years, security professionals and everyday tech users alike have relied on Sandboxie as a bulletproof glass enclosure, a secure operating environment where untrusted applications can be detonated w ... Read more. Published: May 08, 2026 (1 day, 19 hours ago).
- New PCPJack Worm Targets Docker, Kubernetes, Redis, and MongoDB for Credential Theft (May 8, 2026 at 10:31 am)
  A sophisticated new malware framework called PCPJack has been found actively targeting cloud environments across the internet, hunting for exposed services and stripping away credentials at scale. The ... Read more. Published: May 08, 2026 (1 day, 21 hours ago). Vulnerabilities mentioned in this article: CVE-2026-1357, CVE-2025-55182, CVE-2025-9501, CVE-2025-48703, CVE-2025-29927.
- NCSC anticipates large-scale exploitation of new Ivanti flaws (May 8, 2026 at 9:53 am)
  The National Cyber Security Centre (NCSC) anticipates large-scale exploitation of new Ivanti vulnerabilities. The US cyber agency CISA has directed government agencies to ... Read more. Published: May 08, 2026 (1 day, 22 hours ago). Vulnerabilities mentioned in this article: CVE-2026-6973.
- Dirty Frag Linux Vulnerability Exposes Major Distributions to Root Access Attacks (May 8, 2026 at 8:26 am)
  A newly disclosed local privilege escalation (LPE) vulnerability known as Dirty Frag is raising serious concerns across the Linux ecosystem after researchers revealed that the flaw can grant root acce ... Read more. Published: May 08, 2026 (1 day, 23 hours ago). Vulnerabilities mentioned in this article: CVE-2026-0300, CVE-2026-31431, CVE-2022-27666.
- Mozilla Patches 423 Firefox 0-Day Vulnerabilities with Claude Mythos and Other AI Models (May 8, 2026 at 8:08 am)
  Mozilla has fixed a total of 423 Firefox security bugs in April 2026 alone, a figure nearly 20 times higher than its monthly average of about 21 bugs throughout 2025, driven by an innovative agenti ... Read more. Published: May 08, 2026 (1 day, 23 hours ago). Vulnerabilities mentioned in this article: CVE-2026-6758, CVE-2026-6757, CVE-2026-6746.
- Critical Spring Vulnerabilities Expose Arbitrary Files and GCP Secrets (May 8, 2026 at 7:35 am)
  Spring Cloud Config provides crucial server-side and client-side support for externalized configuration in distributed systems. Recently, the Spring development team disclosed four security vulnerabil ... Read more. Published: May 08, 2026 (2 days ago). Vulnerabilities mentioned in this article: CVE-2026-41004, CVE-2026-41002, CVE-2026-40982, CVE-2026-40981, CVE-2026-27174.
- Is Your React App Vulnerable to the CVE-2026-23870 DoS Attack? (May 8, 2026 at 7:30 am)
  A high-severity Denial of Service (DoS) vulnerability has been uncovered in React Server Components, prompting an urgent call for developers to audit and update their dependencies. Tracked as CVE-2026 ... Read more. Published: May 08, 2026 (2 days ago).
- Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions (May 8, 2026 at 5:12 am)
  Details have emerged about a new, unpatched local privilege escalation (LPE) vulnerability impacting the Linux kernel. Dubbed Dirty Frag, it has been described as a successor to Copy Fail (CVE-2026-31 ... Read more. Published: May 08, 2026 (2 days, 2 hours ago). Vulnerabilities mentioned in this article: CVE-2026-31431, CVE-2026-33626, CVE-2026-32202, CVE-2026-3854, CVE-2022-27666.
- Dirty Frag Linux Vulnerability Lets Attackers Gain Root Privileges – PoC Released (May 8, 2026 at 4:06 am)
  Dirty Frag is a newly disclosed, CVE-pending Linux kernel local privilege escalation (LPE) vulnerability that chains two separate page-cache write flaws, the xfrm-ESP Page-Cache Write and the RxRPC Pa ... Read more. Published: May 08, 2026 (2 days, 3 hours ago). Vulnerabilities mentioned in this article: CVE-2026-31431.
- Multiple Critical Vulnerabilities Patched in Next.js and React Server Components (May 8, 2026 at 3:01 am)
  Vercel has released an extensive set of security advisories for Next.js, addressing more than a dozen vulnerabilities, including denial-of-service, middleware bypass, server-side request forgery, and ... Read more. Published: May 08, 2026 (2 days, 4 hours ago).
- Critical 9.9 CVSS Rancher Fleet Flaw Grants Full Cluster-Admin Access (May 8, 2026 at 1:29 am)
  The SUSE Rancher Security team has issued a high-priority advisory regarding a pair of vulnerabilities in Fleet, the GitOps engine designed to manage Kubernetes clusters at massive scale. Tracked as C ... Read more. Published: May 08, 2026 (2 days, 6 hours ago).
- Zabbix Flaws Allow Monitored Hosts to Hijack Admin Dashboards (May 8, 2026 at 1:10 am)
  Zabbix, the ubiquitous open-source monitoring solution used by enterprises to track the health of vast IT infrastructures, has released a series of security patches to address three significant vulner ... Read more. Published: May 08, 2026 (2 days, 6 hours ago).
- Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access (May 7, 2026 at 5:55 pm)
  Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been exploited in limited attacks in the wild. The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), ... Read more. Published: May 07, 2026 (2 days, 14 hours ago). Vulnerabilities mentioned in this article: CVE-2026-7821, CVE-2026-6973, CVE-2026-5788, CVE-2026-5787, CVE-2026-5786, CVE-2026-33626, CVE-2026-32202, CVE-2026-3854, CVE-2026-1340, CVE-2026-1281.
- PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems (May 7, 2026 at 5:45 pm)
  Cybersecurity researchers have disclosed details of a new credential theft framework dubbed PCPJack that targets exposed cloud infrastructure and ousts any artifacts linked to TeamPCP from the environ ... Read more. Published: May 07, 2026 (2 days, 14 hours ago). Vulnerabilities mentioned in this article: CVE-2026-33626, CVE-2026-32202, CVE-2026-3854, CVE-2026-1357, CVE-2025-55182, CVE-2025-9501, CVE-2025-48703, CVE-2025-29927.
- New Ivanti EPMM 0-Day Vulnerability Actively Exploited in Attacks (May 7, 2026 at 4:29 pm)
  Ivanti has issued a critical security advisory for its Endpoint Manager Mobile (EPMM) product, disclosing multiple actively exploited vulnerabilities, including CVE-2026-6973, and urging all on-premis ... Read more. Published: May 07, 2026 (2 days, 15 hours ago). Vulnerabilities mentioned in this article: CVE-2026-6973, CVE-2025-4428, CVE-2025-4427, CVE-2023-35082, CVE-2023-35078.
- CISA Warns of Palo Alto PAN-OS Vulnerability Exploited to Gain Root Access (May 7, 2026 at 3:59 pm)
  CISA has issued an urgent warning regarding a critical vulnerability in Palo Alto Networks PAN-OS. Tracked as CVE-2026-0300, this severe security flaw was recently added to CISA’s Known Exploited Vuln ... Read more. Published: May 07, 2026 (2 days, 16 hours ago). Vulnerabilities mentioned in this article: CVE-2026-0300.
- New Cisco Network Vulnerability Lets Remote Attacker Cause DoS Attack (May 7, 2026 at 3:44 pm)
  Cisco has issued a critical security advisory regarding a high-severity vulnerability impacting its Crosswork Network Controller (CNC) and Network Services Orchestrator (NSO). Tracked formally as CVE- ... Read more. Published: May 07, 2026 (2 days, 16 hours ago). Vulnerabilities mentioned in this article: CVE-2026-20188, CVE-2026-27174.
- Ivanti reports active exploitation of vulnerability in Endpoint Manager Mobile (May 7, 2026 at 3:36 pm)
  Attackers are actively exploiting a vulnerability in Ivanti Endpoint Manager Mobile (EPMM), Ivanti warned today. Security updates are available to fix the problem, but ... Read more. Published: May 07, 2026 (2 days, 16 hours ago). Vulnerabilities mentioned in this article: CVE-2026-6973, CVE-2026-1340, CVE-2026-1281.
Severity: High
- CVE-2026-8234 - EFM ipTIME A8004T WifiBasicSet formWifiBasicSet stack-based overflow
  CVE ID: CVE-2026-8234 | Published: May 10, 2026, 7:16 a.m. (1 hour, 33 minutes ago)
  Description: A security vulnerability has been detected in EFM ipTIME A8004T 14.18.2. This vulnerability affects the function formWifiBasicSet of the file /goform/WifiBasicSet. The manipulation of the argument security_5g leads to a stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  Severity: 9.0 | HIGH. Visit the link for more details, such as CVSS details, affected products, timeline, and more.
- CVE-2026-6722 - Use-After-Free in SOAP using Apache map
  CVE ID: CVE-2026-6722 | Published: May 10, 2026, 5:16 a.m. (3 hours, 33 minutes ago)
  Description: In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference counts. When an apache:Map node contains duplicate keys, processing the second entry overwrites the first in the temporary result map, freeing the original PHP object while its stale pointer remains in the map. A subsequent href reference to the freed node can copy the dangling pointer into the result. As PHP string allocations can reclaim the freed memory region, an attacker with control over the SOAP request body can exploit this use-after-free to achieve remote code execution.
  Severity: 9.5 | CRITICAL. Visit the link for more details, such as CVSS details, affected products, timeline, and more.
- CVE-2026-42605 - AzuraCast: Path Traversal in `currentDirectory` Parameter Enables Remote Code Execution via Media Upload
  CVE ID: CVE-2026-42605 | Published: May 9, 2026, 8:16 p.m. (12 hours, 33 minutes ago)
  Description: AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) is not sanitized for path traversal sequences. When combined with a local filesystem storage backend (the default), an authenticated user with media management permissions can write arbitrary files outside the station's media storage directory, achieving remote code execution by writing a PHP webshell to the web root. This issue has been patched in version 0.23.6.
  Severity: 8.8 | HIGH. Visit the link for more details, such as CVSS details, affected products, timeline, and more.
- CVE-2026-42606 - AzuraCast: Password Reset Poisoning via Untrusted X-Forwarded-Host Header Leads to Account Takeover and 2FA Bypass
  CVE ID: CVE-2026-42606 | Published: May 9, 2026, 8:16 p.m. (12 hours, 33 minutes ago)
  Description: AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker's server. The attacker then uses the token on the real instance to reset the victim's password and destroy their 2FA configuration, achieving full account takeover. This issue has been patched in version 0.23.6.
  Severity: 8.1 | HIGH. Visit the link for more details, such as CVSS details, affected products, timeline, and more.
- CVE-2026-42569 - phpvms: /importer authorization bypass causing full database wipe
  CVE ID: CVE-2026-42569 | Published: May 9, 2026, 8:16 p.m. (12 hours, 33 minutes ago)
  Description: phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6.
  Severity: 9.4 | CRITICAL. Visit the link for more details, such as CVSS details, affected products, timeline, and more.
- CVE-2026-42571 - Privilege Escalation Attack affecting Pelican Web UI
  CVE ID: CVE-2026-42571 | Published: May 9, 2026, 8:16 p.m. (12 hours, 33 minutes ago)
  Description: Pelican is a platform for creating data federations. From versions 7.21.0 to before 7.21.5, 7.22.0 to before 7.22.3, 7.23.0 to before 7.23.3, and 7.24.0 to before 7.24.2, there is a privilege escalation vulnerability affecting Pelican's Web User Interface (WebUI). This attack allows any user authenticated to the WebUI via OAuth to gain admin privileges under certain configurations. This issue has been patched in versions 7.21.5, 7.22.3, 7.23.3, and 7.24.2.
  Severity: 9.0 | CRITICAL. Visit the link for more details, such as CVSS details, affected products, timeline, and more.
- CVE-2026-42601 - ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView
  CVE ID: CVE-2026-42601 | Published: May 9, 2026, 8:16 p.m. (12 hours, 33 minutes ago)
  Description: ArchiveBox is an open source self-hosted web archiving system. In versions 0.8.6rc0 and prior, the /add/ endpoint (AddView in core/views.py) accepts a config JSON field that gets merged into the crawl config without validation. This config is exported as environment variables when archive plugins run, allowing injection of arbitrary tool arguments to achieve RCE. At time of publication, there are no publicly available patches.
  Severity: 9.3 | CRITICAL. Visit the link for more details, such as CVSS details, affected products, timeline, and more.
- CVE-2026-42562 - Plainpad: Privilege Escalation via Writable Admin Field in Profile Update (Access Control)
  CVE ID: CVE-2026-42562 | Published: May 9, 2026, 8:16 p.m. (12 hours, 33 minutes ago)
  Description: Plainpad is a self-hosted note taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/{id}. The endpoint directly persists the admin attribute from user input, and the escalated account can immediately access admin-only routes. This issue has been patched in version 1.1.1.
  Severity: 8.3 | HIGH. Visit the link for more details, such as CVSS details, affected products, timeline, and more.
- CVE-2026-41893 - Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force)
  CVE ID: CVE-2026-41893 | Published: May 9, 2026, 8:16 p.m. (12 hours, 33 minutes ago)
  Description: Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTP_RATE_LIMITS). The WebSocket login path, which sends {login: {username, password}} messages over an established WebSocket connection, calls app.securityStrategy.login() directly without any rate limiting. An attacker can bypass HTTP rate limiting entirely by opening a WebSocket connection and attempting unlimited password guesses at the speed bcrypt allows (~20 attempts/sec with 10 salt rounds). This issue has been patched in version 2.25.0.
  Severity: 8.7 | HIGH. Visit the link for more details, such as CVSS details, affected products, timeline, and more.
- CVE-2026-42311 - Pillow: OOB Write with Invalid PSD Tile Extents (Integer Overflow)
  CVE ID: CVE-2026-42311 | Published: May 9, 2026, 6:16 a.m. (1 day, 2 hours ago)
  Description: Pillow is a Python imaging library. From version 10.3.0 to before version 12.2.0, processing a malicious PSD file could lead to memory corruption, potentially resulting in a crash or arbitrary code execution. This issue has been patched in version 12.2.0.
  Severity: 8.6 | HIGH. Visit the link for more details, such as CVSS details, affected products, timeline, and more.
News
- NIST Weighs In on the Mystery of the Gravitational Constant
A NIST researcher has unveiled the results of a 10-year quest to measure the constant.
- Any Color You Like: NIST Scientists Create ‘Any Wavelength’ Lasers in Tiny Circuits for Light
NIST scientists and collaborators have pioneered a way to make integrated circuits for light by depositing complex patterns of specialized materials onto silicon wafers.
- NIST Researchers Develop Photonic Chip Packaging That Can Withstand Extreme Environments
The advance could allow these technologies to operate in deep-space probes, inside nuclear reactors, in ultrahigh vacuum systems, and at temperatures both near absolute zero and in scorchingly hot industrial settings.
- NIST Helps Fingerprint Examiners With New Data and Software Release
The new tools are an annotated collection of 10,000 fingerprints and a software program that can sort fingerprints according to their quality.
- NIST Submits Annual Report to Congress Summarizing FY 2025 Progress on National Construction Safety Team Investigations
The report includes an overview of work completed on the Champlain Towers South investigation.
- 2 Health Care Organizations Will Receive 2025 Baldrige National Quality Awards
The award highlights organizations that focus on resilience.
- NIST Releases New Forensic Genetic Reference Material to Help Crime Laboratories Analyze Challenging Cases
The reference material is the first to include mixtures of high-quality and degraded DNA from different individuals.
- Announcing the "AI Agent Standards Initiative" for Interoperable and Secure Innovation
The Initiative will ensure that the next generation of AI is widely adopted with confidence, can function securely on behalf of its users, and can interoperate smoothly across the digital ecosystem.
- NIST Allocates Over $3 Million to Small Businesses Advancing AI, Biotechnology, Semiconductors, Quantum and More
NIST is allocating funding to eight small businesses in seven states under the Small Business Innovation Research (SBIR) program.
- Space: The Final Frontier for Standards
Seven NIST reference materials, including house dust and freeze-dried human liver tissue, have been flown to the International Space Station.