Latest CVE Feed

Vulnerabilities published in the last 30 days.

Score
Vulnerability
Published
8.8 HIGH
CVE-2026-9208 — Tanium addressed an unauthorized code execution vulnerability in Connect.

Remote
May 27, 2026
7.8 HIGH
CVE-2026-45152 — uniget: Command Injection in tool.Check Leading to Arbitrary Code Execution

uniget is a universal installer and updater for (container) tools. Prior to 0.27.1, a command injection vulnerability exists in uniget due to unsafe execution of the check field from metadata files u…

Injection
May 27, 2026
9.8 CRITICAL
CVE-2026-45083 — Goobi viewer: Unauthenticated Solr Streaming Expression Proxy

The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. From 4.8.0 to before 26.04.1, the Goobi viewer REST endpoint POST /api/v1/index/stream accepted …

Remote | Injection
May 27, 2026
6.9 MEDIUM
CVE-2026-44720 — OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leadin…

OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to 2.0.4, a critical authentication vulnerability was identified in OpenLearnX that could allow unauthorized access…

Remote | Authentication
May 27, 2026
6.8 MEDIUM
CVE-2026-44247 — Volcano: Webhook server vulnerable to OOM due to unbounded HTTP request body size

Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluste…

Denial of Service
May 27, 2026
0.0 NA
CVE-2026-46538 — Microsoft UFO accepts cross-device TASK_END messages by session_id only, allowing peer ta…

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's constellation client tracks pending task responses by session_id onl…

Injection
May 27, 2026
0.0 NA
CVE-2026-46416 — Microsoft UFO shared WebSocket handler state causes cross-client response hijacking

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO creates one shared UFOWebSocketHandler instance and reuses it for mult…

Information Disclosure
May 27, 2026
0.0 NA
CVE-2026-46414 — Microsoft UFO WebSocket role spoofing allows authenticated peer task hijacking

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's WebSocket control plane trusts client-supplied identity and role fie…

Authorization
May 27, 2026
0.0 NA
CVE-2026-46402 — Microsoft UFO uses untrusted task_name in log paths, allowing authenticated path traversa…

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO uses the user-controlled task_name value directly when constructing se…

Path Traversal
May 27, 2026
0.0 NA
CVE-2026-46544 — Microsoft UFO reuses client-supplied WebSocket session IDs and replays stale task results…

Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO accepts client-supplied session_id values in WebSocket task messages a…

Authentication
May 27, 2026
9.4 CRITICAL
CVE-2026-9739 — Google Chrome SSE DNS Rebinding

Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase, we implemented `allowed-origins` and `allowed-hosts` flags to align with MCP security guidelines. Howev…

Remote | Misconfiguration
May 27, 2026
0.0 NA
CVE-2026-45322 — OS Command Injection in Microsoft UFO Shell Action Replay via Stored Session JSON

Microsoft UFO open-source framework for intelligent automation across devices and platforms. Microsoft UFO tagged releases up to and including v3.0.0 contain an OS command injection vulnerability in …

Injection
May 27, 2026
6.3 MEDIUM
CVE-2026-47270 — pam_usb: strtok() race condition in multi-threaded PAM hosts can corrupt deny_remote resu…

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb is a PAM module loaded into the host process (sudo, login, GDM, GNOME Shell). Display manage…

Race Condition
May 27, 2026
7.4 HIGH
CVE-2026-47269 — pam_usb: deny_remote feature incorrectly classifies IPv4-mapped IPv6 remote connections a…

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb's deny_remote feature checks utmpx ut_addr_v6 to detect whether an authentication request o…

Remote | Authentication
May 27, 2026
8.2 HIGH
CVE-2026-45137 — Anchor: Program<'info, System> is not properly validated

Anchor is a framework providing several convenient developer tools for writing Solana programs. From 1.0.0 to before 1.0.2, a logic error causes anchor programs to accept any program id when requiri…

Remote | Authorization
May 27, 2026
8.6 HIGH
CVE-2026-45136 — claude-code-cache-fix: Local code execution via Python triple-quote injection in tools/qu…

claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directl…

Injection
May 27, 2026
8.8 HIGH
CVE-2026-44713 — pam_usb: Command injection via $TMUX environment variable leads to RCE as root

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/tmux.c reads the user's $TMUX environment variable, splits it on commas, and interpolates the so…

Injection
May 27, 2026
8.2 HIGH
CVE-2026-44712 — pam_usb: Shell injection via device UUID and username in pamusb-conf and pamusb-agent

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, a crafted UUID such as $(id>/tmp/rce) in the config causes root RCE when pamusb-conf --reset-pads is…

Authentication
May 27, 2026
7.9 HIGH
CVE-2026-44711 — pam_usb: Symlink attacks on pad directory and pad files enable authentication bypass and …

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, symlink attacks on pad directory and pad files enable authentication bypass and root file corruption…

Authentication
May 27, 2026
4.6 MEDIUM
CVE-2026-44710 — pam_usb: NULL pointer dereference from UDisks device fields causes PAM crash and login de…

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/device.c passed the return values of udisks_drive_get_serial(), udisks_drive_get_vendor(), and u…

Memory Corruption
May 27, 2026
Showing 20 of 6604 Results