Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.1 HIGH
CVE-2026-46446 — SOGo PostgreSQL/MariaDB SQL Injection

SOGo before 5.12.7, when PostgreSQL or MariaDB is used, and cleartext passwords are stored, allows SQL injection. This is related to c_password = '%@' in changePasswordForLogin.

Remote | Injection
May 14, 2026 May 14, 2026
May 14, 2026
May 14, 2026
7.1 HIGH
CVE-2026-46445 — SOGo PostgreSQL SQL Injection Vulnerability

SOGo before 5.12.7, when PostgreSQL is used, allows SQL injection.

Remote | Injection
May 14, 2026 May 14, 2026
May 14, 2026
May 14, 2026
0.0 NA
CVE-2026-5486 — Unlimited Elements For Elementor <= 2.0.7 - Authenticated (Contributor+) SQL Injection vi…

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to SQL Injection via the 'data[filter_search]' parameter in the get_cat_addons AJAX action in versions up to and including 2.0.…

| Injection
May 14, 2026 May 14, 2026
May 14, 2026
May 14, 2026
7.5 HIGH
CVE-2026-46419 — Yubico Webauthn-Server Core Java Webauthn Impersonation Vulnerability

Yubico webauthn-server-core (aka java-webauthn-server) 2.8.0 before 2.8.2 incorrectly checks a function's return value in the second factor flow, leading to impersonation.

Remote | Authentication
May 14, 2026 May 14, 2026
May 14, 2026
May 14, 2026
4.3 MEDIUM
CVE-2026-44919 — OpenStack Ironic Infinite Loop File Protocol Checksum Vulnerability

In OpenStack Ironic through 35.x before a3f6d73, during image handling, an infinite loop in checksum calculations can occur via the file:///dev/zero URL.

Remote | Denial of Service
May 14, 2026 May 14, 2026
May 14, 2026
May 14, 2026
6.3 MEDIUM
CVE-2026-41281 — KDDI CORPORATION Android App "あんしんフィルター for au" Cleartext Transmission of Sensitive Infor…

Android App "あんしんフィルター for au" provided by KDDI CORPORATION contains Cleartext Transmission of Sensitive Information (CWE-319) vulnerability. A man-in-the-middle attacker may access and modify commun…

| Information Disclosure
May 14, 2026 May 14, 2026
May 14, 2026
May 14, 2026
0.0 NA
CVE-2026-8500 — Web::Passwd versions through 0.03 for Perl is vulnerable to RCE

Web::Passwd versions through 0.03 for Perl is vulnerable to RCE. Web::Passwd is a small CGI application for managing htpasswd files using the htpasswd command. The user parameter is not validated o…

| Injection
May 13, 2026 May 14, 2026
May 13, 2026
May 14, 2026
7.1 HIGH
CVE-2026-32991 — Apache Team Privilege Escalation Vulnerability

Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account.

Remote | Authorization
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.1 HIGH
CVE-2026-29206 — Apache sqloptimizer SQL Injection Vulnerability

Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled.

Remote | Injection
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
9.1 CRITICAL
CVE-2026-45158 — OPNsense: Command Injection via Attacker-Controlled DHCP Config

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interface, which is processed by a shell scrip…

Remote | Injection
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
7.5 HIGH
CVE-2026-44478 — hoppscotch: Unauthenticated Onboarding Config Disclosure via Empty Recovery Token

hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingComplete…

Remote | Information Disclosure
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
7.8 HIGH
CVE-2026-44471 — gitoxide: Symlink prefix-reuse allows worktree escape during checkout

gitoxide is an implementation of git written in Rust. Prior to 0.21.1, a malicious tree can be constructed that will, when checked out with gitoxide, permit writing an attacker-controlled symlink int…

| Path Traversal
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
5.9 MEDIUM
CVE-2026-44448 — ERPNext: Unauthorised Document modification due to missing validation

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.102.0 and 16.11.0, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyo…

Remote | Authorization
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.8 HIGH
CVE-2026-44447 — ERPNext: Possibility of SQL Injection due to missing validation

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious…

Remote | Injection
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.8 HIGH
CVE-2026-44446 — ERPNext: Possibility of SQL Injection due to missing validation

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.14.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would all…

Remote | Injection
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
5.3 MEDIUM
CVE-2026-44445 — ERPNext: XML External Entity (XEE) Reference Vulnerability in the EDI Module

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML external entity (XXE) reference vulnerability in the EDI Module enab…

Remote | XML External Entity
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
9.9 CRITICAL
CVE-2026-44442 — ERPNext: Unauthorised Document modification due to missing validation

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.1, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyond their permi…

Remote | Authorization
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
5.0 MEDIUM
CVE-2026-44441 — ERPNext: Possible SSRF by any authenticated user

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a crafted request to an endpoint, which would lead to the server making…

Remote | Server-Side Request Forgery
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
6.5 MEDIUM
CVE-2026-44440 — ERPNext: Path Traversal Leading to Sensitive File Exposure

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.101.1 and 16.10.0, an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability on …

Remote | Path Traversal
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
6.6 MEDIUM
CVE-2026-44439 — LookyLoo - PlaywrightCapture permits access to local files and internal network resources…

PlaywrightCapture is a simple replacement for splash using playwright. Prior to 1.39.6, PlaywrightCapture did not sufficiently restrict navigations and resource requests initiated by rendered pages. …

Remote | Server-Side Request Forgery
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
Showing 20 of 6383 Results