| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42032 | Cri | 0.52 | 9.1 | 0.00 | May 13, 2026 | CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, a vulnerability in datastore_search_sql allowed attackers to bypass authorization in order to gain access to private resources and PostgreSQL system… | ||
| CVE-2026-42031 | Cri | 0.58 | 9.8 | 0.02 | May 13, 2026 | CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, a vulnerability in datastore_search_sql allowed attackers to inject SQL in order to gain access to private resources and PostgreSQL system information This… | ||
| CVE-2026-0257 | Cri | 0.76 | 9.1 | 0.87 | KEV | May 13, 2026 | Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection. Panorama and Cloud NGFW are not impacted by these issues. | |
| CVE-2026-45411 | Cri | 0.57 | 9.8 | 0.01 | May 13, 2026 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator. When the generator is closed using the return function, the value is awaited on and exceptions thrown in the then call… | ||
| CVE-2026-44009 | Cri | 0.57 | 9.8 | 0.01 | May 13, 2026 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2. | ||
| CVE-2026-44008 | Cri | 0.57 | 9.8 | 0.01 | May 13, 2026 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to… | ||
| CVE-2026-44007 | Cri | 0.52 | 9.1 | 0.01 | May 13, 2026 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') regardless of the outer VM's require configuration — including require: false. With access to vm2, the sandbox constructs… | ||
| CVE-2026-44006 | Cri | 0.65 | 10.0 | 0.01 | May 13, 2026 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0. | ||
| CVE-2026-44005 | Cri | 0.65 | 10.0 | 0.01 | May 13, 2026 | vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets… | ||
| CVE-2026-43999 | Cri | 0.64 | 9.9 | 0.01 | May 13, 2026 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard). The module builtin exposes Node's Module._load(), which loads any module by name directly in the host… | ||
| CVE-2026-43997 | Cri | 0.65 | 10.0 | 0.01 | May 13, 2026 | vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain… | ||
| CVE-2026-42557 | Cri | 0.55 | 9.6 | 0.00 | May 13, 2026 | jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker… | ||
| CVE-2026-41225 | — | Cri | 0.59 | 9.1 | 0.00 | May 13, 2026 | A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands. Note: Software versions which have reached End of Technical Support (EoTS) are not… | |
| CVE-2020-37168 | Cri | 0.64 | 9.8 | 0.00 | May 13, 2026 | Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Attackers can extract payment form data and signatures from POST requests to the… | ||
| CVE-2026-42062 | — | Cri | 0.64 | 9.8 | 0.02 | May 13, 2026 | ELECOM wireless LAN access point devices contain an OS command injection in processing of username parameter. If processing a crafted request, an arbitrary OS command may be executed. No authentication is required. | |
| CVE-2026-40621 | Cri | 0.64 | 9.8 | 0.00 | May 13, 2026 | ELECOM wireless LAN access point devices do not require authentication to access some specific URLs. The affected product may be operated without authentication. | ||
| CVE-2026-41050 | Cri | 0.57 | 9.9 | 0.00 | May 13, 2026 | Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their `GitRepo`. | ||
| CVE-2026-32661 | Cri | 0.64 | 9.8 | 0.00 | May 13, 2026 | Stack-based buffer overflow vulnerability exists in GUARDIANWALL MailSuite and GUARDIANWALL Mail Security Cloud (SaaS version). If a remote attacker sends a specially crafted request to the product's web service, arbitrary code may be executed when the product is configured to… | ||
| CVE-2025-11159 | Cri | 0.59 | 9.1 | 0.00 | May 13, 2026 | Hitachi Vantara Pentaho Data Integration & Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when a new connection is created by a data source administrator. | ||
| CVE-2026-44547 | Cri | 0.55 | 9.6 | 0.00 | May 12, 2026 | ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every… | ||
| CVE-2026-42288 | Cri | 0.65 | 10.0 | 0.01 | May 12, 2026 | ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DB_PASSWORD remains fully exploitable This vulnerability is… | ||
| CVE-2026-41901 | Cri | 0.59 | 9.0 | 0.00 | May 12, 2026 | Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially… | ||
| CVE-2026-44262 | Cri | 0.58 | 9.4 | 0.06 | May 12, 2026 | Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to… | ||
| CVE-2026-44258 | Cri | 0.60 | — | 0.00 | May 12, 2026 | efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the elfinder_checkRisk function validates target and targets for path traversal and home containment, but does not validate the dst (destination) parameter used by elfinder_paste. An attacker can copy or move files… | ||
| CVE-2026-44257 | Cri | 0.60 | — | 0.00 | May 12, 2026 | efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and… | ||
| CVE-2026-43948 | Cri | 0.64 | 9.9 | 0.00 | May 12, 2026 | wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope authorization check using Python object comparison (!=) that evaluates None != None as False, silently bypassing the… | ||
| CVE-2026-42854 | Cri | 0.57 | 9.8 | 0.01 | May 12, 2026 | arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an… | ||
| CVE-2026-42196 | Cri | 0.57 | — | 0.01 | May 12, 2026 | django-s3file is a lightweight file upload input for Django and Amazon S3. Prior to 7.0.2, S3FileMiddleware is vulnerable to relative path traversal attacks, where an attacker can use a modified request to escape pre-signed upload locations and have the Django application load… | ||
| CVE-2026-45185 | Cri | 0.64 | 9.8 | 0.01 | May 12, 2026 | Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection.… | ||
| CVE-2026-44225 | Cri | 0.60 | 9.3 | 0.00 | May 12, 2026 | Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged web application, giving it access to the host filesystem. A validateFsPath() function is supposed to sandbox this access,… | ||
| CVE-2026-44221 | — | Cri | 0.52 | 9.0 | 0.00 | May 12, 2026 | ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: (1) ServerSecurityUser.getDatabaseUser() returned a… | |
| CVE-2026-42889 | Cri | 0.52 | 9.1 | 0.00 | May 12, 2026 | Relay adds real-time collaboration to Obsidian. Relay Server versions 0.9.0 through 0.9.6 contain an authentication bypass in the multi-document WebSocket endpoints. When authentication is configured, WebSocket connections without a token query parameter were incorrectly treated… | ||
| CVE-2026-34660 | Cri | 0.60 | 9.3 | 0.00 | May 12, 2026 | Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web… | ||
| CVE-2026-34659 | Cri | 0.63 | 9.6 | 0.01 | May 12, 2026 | Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to execute arbitrary code.… | ||
| CVE-2026-44343 | Cri | 0.57 | 9.8 | 0.00 | May 12, 2026 | WGDashboard is a dashboard for WireGuard VPN. Prior to 4.3.2, there are critical vulnerabilities affecting WGDashboard that, if exploited, could allow unauthorized parties to access the host file system without authentication. This vulnerability is fixed in 4.3.2. | ||
| CVE-2026-44277 | Cri | 0.64 | 9.8 | 0.01 | May 12, 2026 | A improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticator 6.6.0 through 6.6.8, FortiAuthenticator 6.5.0 through 6.5.6 may allow attacker to execute unauthorized code or commands via crafted requests. | ||
| CVE-2026-44196 | Cri | 0.52 | 9.1 | 0.00 | May 12, 2026 | Pingvin Share X is a secure and easy self-hosted file sharing platform. From 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacker who has obtained a valid username and password to skip the second-factor authentication (TOTP) requirement entirely.… | ||
| CVE-2026-44183 | — | Cri | 0.64 | 9.8 | 0.00 | May 12, 2026 | Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the X-Forwarded-For header as the… | |
| CVE-2026-42898 | Cri | 0.64 | 9.9 | 0.01 | May 12, 2026 | Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network. | ||
| CVE-2026-42833 | Cri | 0.59 | 9.1 | 0.01 | May 12, 2026 | Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network. | ||
| CVE-2026-42823 | Cri | 0.64 | 9.9 | 0.01 | May 12, 2026 | Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network. | ||
| CVE-2026-42300 | Cri | 0.53 | — | 0.00 | May 12, 2026 | DevGuard provides vulnerability management for the full software supply chain. Prior to 1.2.2, the SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw string value as the authenticated userID when no Kratos session cookie is present. An… | ||
| CVE-2026-42048 | Cri | 0.55 | 9.6 | 0.04 | May 12, 2026 | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API (DELETE /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are concatenated directly… | ||
| CVE-2026-41103 | Cri | 0.59 | 9.1 | 0.05 | May 12, 2026 | Incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira & Confluence allows an unauthorized attacker to elevate privileges over a network. | ||
| CVE-2026-41096 | Cri | 0.64 | 9.8 | 0.02 | May 12, 2026 | Heap-based buffer overflow in Microsoft Windows DNS allows an unauthorized attacker to execute code over a network. | ||
| CVE-2026-41089 | Cri | 0.64 | 9.8 | 0.72 | May 12, 2026 | Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network. | ||
| CVE-2026-40402 | Cri | 0.60 | 9.3 | 0.00 | May 12, 2026 | Use after free in Windows Hyper-V allows an unauthorized attacker to elevate privileges locally. | ||
| CVE-2026-40379 | Cri | 0.60 | 9.3 | 0.01 | May 12, 2026 | Exposure of sensitive information to an unauthorized actor in Azure Entra ID allows an unauthorized attacker to perform spoofing over a network. | ||
| CVE-2026-33117 | Cri | 0.52 | 9.1 | 0.00 | May 12, 2026 | The Java Key Vault Keys library in the Azure SDK for Java contains an issue in the local cryptographic verification path where authentication tag comparison was implemented incorrectly. In affected applications that use the vulnerable local cryptography path, specially crafted… | ||
| CVE-2026-31242 | — | Cri | 0.59 | 9.1 | 0.00 | May 12, 2026 | The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a DROP TABLE… |
- risk 0.52cvss 9.1epss 0.00
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, a vulnerability in datastore_search_sql allowed attackers to bypass authorization in order to gain access to private resources and PostgreSQL system…
- risk 0.58cvss 9.8epss 0.02
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, a vulnerability in datastore_search_sql allowed attackers to inject SQL in order to gain access to private resources and PostgreSQL system information This…
- risk 0.76cvss 9.1epss 0.87
Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection. Panorama and Cloud NGFW are not impacted by these issues.
- risk 0.57cvss 9.8epss 0.01
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.3, it is possible to catch a host exception using the yield* expression inside an async generator. When the generator is closed using the return function, the value is awaited on and exceptions thrown in the then call…
- risk 0.57cvss 9.8epss 0.01
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, This vulnerability is fixed in 3.11.2.
- risk 0.57cvss 9.8epss 0.01
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.2, the new method neutralizeArraySpeciesBatch works with objects from the other side but can call into this side via getter on the array prototype exposing objects of the wrong side into the sandbox. This can be used to…
- risk 0.52cvss 9.1epss 0.01
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require('vm2') regardless of the outer VM's require configuration — including require: false. With access to vm2, the sandbox constructs…
- risk 0.65cvss 10.0epss 0.01
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, It is possible to reach BaseHandler.getPrototypeOf, which can be used to get arbitrary prototypes. This vulnerability is fixed in 3.11.0.
- risk 0.65cvss 10.0epss 0.01
vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying host objects with otherReflectSet() and otherReflectDefineProperty(), which lets…
- risk 0.64cvss 9.9epss 0.01
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed (including via the '*' wildcard). The module builtin exposes Node's Module._load(), which loads any module by name directly in the host…
- risk 0.65cvss 10.0epss 0.01
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, it is possible to obtain the host Object. There are various ways to use the host Object, to escape the sandbox, one example would be using HostObject.getOwnPropertySymbols to obtain…
- risk 0.55cvss 9.6epss 0.00
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to 4.5.7, JupyterLab's HTML sanitizer allowlists data-commandlinker-command and data-commandlinker-args on button elements, while CommandLinker…
- risk 0.59cvss 9.1epss 0.00
A vulnerability exists in iControl REST where a highly privileged, authenticated attacker with at least the Manager role can create configuration objects that allow running arbitrary commands. Note: Software versions which have reached End of Technical Support (EoTS) are not…
- risk 0.64cvss 9.8epss 0.00
Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Attackers can extract payment form data and signatures from POST requests to the…
- risk 0.64cvss 9.8epss 0.02
ELECOM wireless LAN access point devices contain an OS command injection in processing of username parameter. If processing a crafted request, an arbitrary OS command may be executed. No authentication is required.
- risk 0.64cvss 9.8epss 0.00
ELECOM wireless LAN access point devices do not require authentication to access some specific URLs. The affected product may be operated without authentication.
- risk 0.57cvss 9.9epss 0.00
Fleet's Helm deployer did not fully apply ServiceAccount impersonation in two code paths, allowing a tenant with git push access to a Fleet-monitored repository to read secrets from any namespace on every downstream cluster targeted by their `GitRepo`.
- risk 0.64cvss 9.8epss 0.00
Stack-based buffer overflow vulnerability exists in GUARDIANWALL MailSuite and GUARDIANWALL Mail Security Cloud (SaaS version). If a remote attacker sends a specially crafted request to the product's web service, arbitrary code may be executed when the product is configured to…
- risk 0.59cvss 9.1epss 0.00
Hitachi Vantara Pentaho Data Integration & Analytics of all versions contain a JDBC driver for H2 databases which is vulnerable to external script execution when a new connection is created by a data source administrator.
- risk 0.55cvss 9.6epss 0.00
ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every…
- risk 0.65cvss 10.0epss 0.01
ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DB_PASSWORD remains fully exploitable This vulnerability is…
- risk 0.59cvss 9.0epss 0.00
Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially…
- risk 0.58cvss 9.4epss 0.06
Scramble generates API documentation for Laravel project. From 0.13.2 to before 0.13.22, when documentation endpoints are publicly accessible and validation rules reference user-controlled input, request supplied data may be evaluated during documentation generation, leading to…
- risk 0.60cvss —epss 0.00
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the elfinder_checkRisk function validates target and targets for path traversal and home containment, but does not validate the dst (destination) parameter used by elfinder_paste. An attacker can copy or move files…
- risk 0.60cvss —epss 0.00
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry name such as ../../../pwned.jsp escapes the intended extraction directory and…
- risk 0.64cvss 9.9epss 0.00
wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope authorization check using Python object comparison (!=) that evaluates None != None as False, silently bypassing the…
- risk 0.57cvss 9.8epss 0.01
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a Variable Length Array (VLA) on the stack whose size is derived from an…
- risk 0.57cvss —epss 0.01
django-s3file is a lightweight file upload input for Django and Amazon S3. Prior to 7.0.2, S3FileMiddleware is vulnerable to relative path traversal attacks, where an attacker can use a modified request to escape pre-signed upload locations and have the Django application load…
- risk 0.64cvss 9.8epss 0.01
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection.…
- risk 0.60cvss 9.3epss 0.00
Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged web application, giving it access to the host filesystem. A validateFsPath() function is supposed to sandbox this access,…
- risk 0.52cvss 9.0epss 0.00
ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate schema on any other database on the same server. Two distinct defects contributed: (1) ServerSecurityUser.getDatabaseUser() returned a…
- risk 0.52cvss 9.1epss 0.00
Relay adds real-time collaboration to Obsidian. Relay Server versions 0.9.0 through 0.9.6 contain an authentication bypass in the multi-document WebSocket endpoints. When authentication is configured, WebSocket connections without a token query parameter were incorrectly treated…
- risk 0.60cvss 9.3epss 0.00
Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web…
- risk 0.63cvss 9.6epss 0.01
Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to execute arbitrary code.…
- risk 0.57cvss 9.8epss 0.00
WGDashboard is a dashboard for WireGuard VPN. Prior to 4.3.2, there are critical vulnerabilities affecting WGDashboard that, if exploited, could allow unauthorized parties to access the host file system without authentication. This vulnerability is fixed in 4.3.2.
- risk 0.64cvss 9.8epss 0.01
A improper access control vulnerability in Fortinet FortiAuthenticator 8.0.2, FortiAuthenticator 8.0.0, FortiAuthenticator 6.6.0 through 6.6.8, FortiAuthenticator 6.5.0 through 6.5.6 may allow attacker to execute unauthorized code or commands via crafted requests.
- risk 0.52cvss 9.1epss 0.00
Pingvin Share X is a secure and easy self-hosted file sharing platform. From 1.14.1 to 1.16.2, a critical authentication bypass vulnerability allows an attacker who has obtained a valid username and password to skip the second-factor authentication (TOTP) requirement entirely.…
- risk 0.64cvss 9.8epss 0.00
Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the X-Forwarded-For header as the…
- risk 0.64cvss 9.9epss 0.01
Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
- risk 0.59cvss 9.1epss 0.01
Improper control of generation of code ('code injection') in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over a network.
- risk 0.64cvss 9.9epss 0.01
Improper access control in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.
- risk 0.53cvss —epss 0.00
DevGuard provides vulnerability management for the full software supply chain. Prior to 1.2.2, the SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw string value as the authenticated userID when no Kratos session cookie is present. An…
- risk 0.55cvss 9.6epss 0.04
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API (DELETE /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are concatenated directly…
- risk 0.59cvss 9.1epss 0.05
Incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira & Confluence allows an unauthorized attacker to elevate privileges over a network.
- risk 0.64cvss 9.8epss 0.02
Heap-based buffer overflow in Microsoft Windows DNS allows an unauthorized attacker to execute code over a network.
- risk 0.64cvss 9.8epss 0.72
Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network.
- risk 0.60cvss 9.3epss 0.00
Use after free in Windows Hyper-V allows an unauthorized attacker to elevate privileges locally.
- risk 0.60cvss 9.3epss 0.01
Exposure of sensitive information to an unauthorized actor in Azure Entra ID allows an unauthorized attacker to perform spoofing over a network.
- risk 0.52cvss 9.1epss 0.00
The Java Key Vault Keys library in the Azure SDK for Java contains an issue in the local cryptographic verification path where authentication tag comparison was implemented incorrectly. In affected applications that use the vulnerable local cryptography path, specially crafted…
- risk 0.59cvss 9.1epss 0.00
The mem0 v1.0.0 server lacks authentication and authorization controls for its memory reset functionality accessible via the DELETE /memories endpoint. An unauthenticated attacker can send a DELETE request that triggers a reset operation, leading to the execution of a DROP TABLE…