Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
0.0 NA
CVE-2026-41586 — ObjectInputStream.readObject() without ObjectInputFilter in fabric-sdk-java allows Java d…

Hyperledger Fabric is an enterprise-grade permissioned distributed ledger framework for developing solutions and applications. From versions 1.0.0 to 2.2.26, Channel.java implements readObject() and …

Injection
Published: May 07, 2026
0.0 NA
CVE-2026-41143 — YesWiki vulnerable to authenticated SQL Injection via id_fiche in EntryManager::formatDat…

YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data['id_fiche'…

Injection
Published: May 07, 2026
0.0 NA
CVE-2026-41139 — Unsafe array index getter in mathjs

Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has…

Injection
Published: May 07, 2026
0.0 NA
CVE-2026-7252 — WP-Optimize <= 4.5.2 - Authenticated (Author+) Arbitrary File Deletion via 'original-file…

The WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validat…

Path Traversal
Published: May 07, 2026
0.0 NA
CVE-2026-6692 — Slider Revolution 7.0.0 - 7.0.10 - Authenticated (Subscriber+) Arbitrary File Upload via …

The Slider Revolution plugin for WordPress is vulnerable to Arbitrary File Upload in versions 7.0.0 to 7.0.10 via the '_get_media_url' and '_check_file_path' functions. This is due to insufficient fil…

Misconfiguration
Published: May 07, 2026
0.0 NA
CVE-2026-4348 — BetterDocs Pro <= 3.7.0 - Unauthenticated SQL Injection via Encyclopedia 'limit' Parameter

The BetterDocs Pro plugin for WordPress is vulnerable to SQL Injection via the `get_current_letter_docs` and `docs_sort_by_letter` AJAX actions in all versions up to, and including, 3.7.0. This is du…

Injection
Published: May 07, 2026
0.0 NA
CVE-2026-41413 — Istio Vulnerable to SSRF via RequestAuthentication jwksUri

Istio is an open platform to connect, manage, and secure microservices. Prior to versions 1.28.6 and 1.29.2, when a RequestAuthentication resource is created with a jwksUri pointing to an internal se…

Server-Side Request Forgery
Published: May 07, 2026
6.5 MEDIUM
CVE-2026-6214 — Forminator Forms <= 1.53.0 - Missing Authorization to Authenticated (Subscriber+) Schedul…

The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.53.0. This is due to the listen_for_saving_export_schedule() function in library/cla…

Remote | Authorization
Published: May 07, 2026
3.7 LOW
CVE-2026-44603 — Tor Out-of-Bounds Read Vulnerability

Tor before 0.4.9.7 has an out-of-bounds read by one byte via a malformed BEGIN cell, aka TROVE-2026-007.

Remote | Memory Corruption
Published: May 07, 2026
3.7 LOW
CVE-2026-44602 — Tor DNS NULL Pointer Dereference

Tor before 0.4.9.7 has a NULL pointer dereference when a CERT cell is received out of order, aka TROVE-2026-006.

Remote | Memory Corruption
Published: May 07, 2026
3.7 LOW
CVE-2026-44601 — Tor Circuit Double Close Crash Vulnerability

Tor before 0.4.9.7, when circuit queue memory pressure exists, can experience a client crash because of a double close of a circuit, aka TROVE-2026-009.

Remote | Denial of Service
Published: May 07, 2026
6.3 MEDIUM
CVE-2026-42217 — OpenEXR: Shift exponent overflow in `readVariableLengthInteger()` (`ImfIDManifest.cpp`)

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3…

Remote | Memory Corruption
Published: May 07, 2026
8.8 HIGH
CVE-2026-42216 — OpenEXR: Out-of-bounds read in `IDManifest::init()` during prefix expansion

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From versions 3.0.0 to before 3.2.9, 3.3.0 to before 3…

Remote | Memory Corruption
Published: May 07, 2026
6.8 MEDIUM
CVE-2026-42194 — Incomplete fix for CVE-2026-32812: SSRF in admidio

Admidio is an open-source user management solution. Prior to version 5.0.9, the incomplete SSRF fix in Admidio's fetch_metadata.php validates the resolved IP address but passes the original hostname-…

Remote | Server-Side Request Forgery
Published: May 07, 2026
5.3 MEDIUM
CVE-2026-41891 — CI4MS: Deactivated User Session Bypass (active=0)

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.26.0 to before version 0.31.8.0, the auth …

Remote | Authorization
Published: May 07, 2026
6.9 MEDIUM
CVE-2026-41890 — CI4MS: Arbitrary Database Table Drop via Theme deleteProcess

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. From version 0.31.1.0 to before version 0.31.8.0, the del…

Remote | Authorization
Published: May 07, 2026
8.7 HIGH
CVE-2026-41675 — xmldom: XML node injection through unvalidated processing instruction serialization

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior,…

Remote | XML External Entity
Published: May 07, 2026
8.7 HIGH
CVE-2026-41674 — xmldom: XML injection through unvalidated DocumentType serialization

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior,…

Remote | XML External Entity
Published: May 07, 2026
8.7 HIGH
CVE-2026-41673 — xmldom: Denial of service via uncontrolled recursion in XML serialization

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior,…

Remote | Denial of Service
Published: May 07, 2026
8.7 HIGH
CVE-2026-41672 — xmldom: XML node injection through unvalidated comment serialization

xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In @xmldom/xmldom prior to versions 0.9.10 and 0.8.13 and xmldom version 0.6.0 and prior,…

Remote | XML External Entity
Published: May 07, 2026
Showing 20 of 5965 Results