Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.2 CRITICAL
CVE-2026-9312 — Server-Side Request Forgery vulnerability in GitHub Enterprise Server allowed access to i…

A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to send crafted requests to internal services by exploiting insu…

Remote | Server-Side Request Forgery
May 27, 2026
0.0 NA
CVE-2026-9607 — itsourcecode Courier Management System parcel_list.php SQL injection

A vulnerability was found in itsourcecode Courier Management System 1.0. The affected element is an unknown function of the file /parcel_list.php. Performing a manipulation of the argument s results …

| Injection
May 27, 2026
7.0 HIGH
CVE-2026-8606 — Server-Side Request Forgery in GitHub Enterprise Server via Advisory Package URL Endpoint

A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the server to issue HTTP requests to internal services via the security…

Remote | Server-Side Request Forgery
May 26, 2026
0.0 NA
CVE-2026-9606 — itsourcecode Courier Management System manage_user.php SQL injection

A vulnerability has been found in itsourcecode Courier Management System 1.0. Impacted is an unknown function of the file /manage_user.php. Such manipulation of the argument ID leads to SQL injection…

| Injection
May 26, 2026
4.3 MEDIUM
CVE-2026-9604 — JeecgBoot AiragModelController access control

A vulnerability was detected in JeecgBoot up to 3.9.1. This vulnerability affects unknown code of the component AiragModelController. The manipulation of the argument list/queryById results in improp…

Remote | Authorization
May 26, 2026
0.0 NA
CVE-2026-8647 — Crypt::ScryptKDF versions through 0.010 for Perl use an insecure random number source when …

Crypt::ScryptKDF versions through 0.010 for Perl use an insecure random number source when no CSPRNG module is available. The random_bytes function fell back to using the built-in rand() function when…

| Cryptography
May 26, 2026
0.0 NA
CVE-2026-46740 — Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections

Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted…

| Injection
May 26, 2026
0.0 NA
CVE-2026-9605 — GNU libredwg Dwgbmp Utility bits.c bit_read_RC heap-based overflow

A flaw has been found in GNU libredwg up to 0.13.4.8160. This issue affects the function bit_read_RC of the file bits.c of the component Dwgbmp Utility. This manipulation causes heap-based buffer ove…

| Memory Corruption
May 26, 2026
6.5 MEDIUM
CVE-2026-9603 — SourceCodester eDoc Doctor Appointment System delete-session.php authorization

A security vulnerability has been detected in SourceCodester eDoc Doctor Appointment System 1.0. This affects an unknown part of the file /admin/delete-session.php. The manipulation of the argument I…

Remote | Authorization
May 26, 2026
7.5 HIGH
CVE-2026-9584 — code-projects Project Management System Login chk.php SQL injection

A security vulnerability has been detected in code-projects Project Management System 1.0. Affected is an unknown function of the file chk.php of the component Login. The manipulation leads to SQL in…

Remote | Injection
May 26, 2026
8.2 HIGH
CVE-2026-5260 — Gnutls: gnutls: information disclosure via heap overread in rsa key exchange

A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an RSA key exchange to a server using an RSA key backed by a PKCS#11 token, could trigger a sho…

Remote | Memory Corruption
May 26, 2026
6.5 MEDIUM
CVE-2026-48710 — Starlette has missing Host header validation that poisons request.url.path, bypassing pat…

Starlette is a lightweight ASGI framework/toolkit. Prior to version 1.0.1, the HTTP `Host` request header was not validated before being used to reconstruct `request.url`. Because the routing algorit…

Remote | Misconfiguration
May 26, 2026
8.1 HIGH
CVE-2026-45574 — epa4all-client: TLS Certificate Validation Disabled in Production

epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.2, an attacker on the network path between the ePA service and the Konnektor can present any TLS c…

| Misconfiguration
May 26, 2026
8.6 HIGH
CVE-2026-45298 — Dozzle: Pre-auth SSRF with response-body reflection via POST /api/notifications/test-webh…

Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, in a default dozzle deploy (the documented quickstart, no DOZZLE_AUTH_PROVIDER set), POST /api/notifications/test-webhook is re…

Remote | Server-Side Request Forgery
May 26, 2026
8.7 HIGH
CVE-2026-44985 — Dozzle: Cross-Site WebSocket Hijacking (CSWSH) on exec/attach endpoints bypasses authenti…

Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, the WebSocket upgrader for the /exec and /attach endpoints uses CheckOrigin: func(r *http.Request) bool { return true }, accepti…

Remote | Authentication
May 26, 2026
7.3 HIGH
CVE-2026-44983 — smallbitvec: Safe API Triggered Heap Buffer Overflow via Integer Overflow

smallbitvec is a growable bit-vector for Rust, optimized for size. From 1.0.1 to 2.6.0, an integer overflow in the internal capacity calculation of smallbitvec can lead to an undersized heap allocati…

| Memory Corruption
May 26, 2026
8.3 HIGH
CVE-2026-44966 — Velocity.js: Prototype Pollution in #set path assignment

Velocity.js is a JavaScript implementation of the Apache Velocity template engine. In 2.1.5 and earlier, a prototype pollution vulnerability was discovered in velocityjs. This issue occurs during the…

Remote | Injection
May 26, 2026
7.5 HIGH
CVE-2026-44905 — Vanetza: Remote Denial of Service via Uncaught OER Encoding Exception in Cryptographic Ve…

Vanetza is an open-source implementation of the ETSI C-ITS protocol suite. In 26.02 and earlier, a denial-of-service vulnerability was identified in the cryptographic verification pipeline of Vanetza…

Remote | Denial of Service
May 26, 2026
5.1 MEDIUM
CVE-2026-44903 — Prometheus: Stored XSS via crafted histogram bucket label values in the heatmap display o…

Prometheus is an open-source monitoring system and time series database. From 2.49.0 to before 3.5.3 and 3.11.3, in the Prometheus server's legacy web UI (enabled via the command-line flag --enable-f…

prometheus | Remote | Cross-Site Scripting
May 26, 2026
8.1 HIGH
CVE-2026-44900 — epa4all-client: VAU Signature bypass

epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.1, in SignedPublicKeysTrustValidatorImpl.isTrusted(), the ECDSA signature verification at line 45…

| Cryptography
May 26, 2026
Showing 20 of 6057 Results