Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
5.0 MEDIUM
CVE-2026-41195 — mosparo: Rule package source URL stored SSRF enables internal HTTP probing

mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project member with the editor role to store an attacker…

Remote | Server-Side Request Forgery
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.5 HIGH
CVE-2026-40902 — PhpSpreadsheet: CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the XLSX reader's ColumnAndRowAttributes::readRowAttributes() method…

Remote | Denial of Service
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.5 HIGH
CVE-2026-40863 — PhpSpreadsheet: CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\Xml) does not validate the ss:I…

Remote | Denial of Service
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.0 HIGH
CVE-2026-35555 — Subnet Solutions PowerSYSTEM Center Incorrect Authorization

PowerSYSTEM Center feature for device project groups allows an authenticated user with limited permissions to perform an unauthorized deletion of project groups.

| Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.9 MEDIUM
CVE-2026-33570 — Subnet Solutions PowerSYSTEM Center Incorrect Authorization

PowerSYSTEM Center REST API endpoint for devices allows a low privilege authenticated user to access information normally limited by operational permissions.

| Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.4 HIGH
CVE-2026-26289 — Subnet Solutions PowerSYSTEM Center Incorrect Authorization

PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions …

| Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.6 HIGH
CVE-2026-44403 — Wing FTP Server 8.1.2 Authenticated Remote Code Execution via Session Serialization

Wing FTP Server 8.1.2 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code throug…

Remote | Authentication
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.2 HIGH
CVE-2026-44246 — nnU-Net: Agentic workflow injection in `.github/workflows/issue-triage.yml` of `MIC-DKFZ/…

nnU-Net is a semantic segmentation framework that automatically adapts its pipeline to a dataset. Prior to 2.4.1, the nnU-Net Issue Triage workflow in .github/workflows/issue-triage.yml is vulnerable…

Remote | Injection
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.5 HIGH
CVE-2026-44240 — basic-ftp allows a malicious FTP server to cause client-side denial of service via unboun…

basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP s…

Remote | Denial of Service
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.7 HIGH
CVE-2026-44232 — dssrf: every IPv6 category bypasses is_url_safe

DSSRF is a Node.js library that provides a wide range of utilities and advanced SSRF defense checks. Prior to 1.3.0, every IPv6 category bypasses is_url_safe. This vulnerability is fixed in 1.3.0.

Remote | Server-Side Request Forgery
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.6 HIGH
CVE-2026-44224 — Wiki.js: Privilege Escalation via Missing Group Validation in users.update

Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation o…

Remote | Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.1 HIGH
CVE-2026-44012 — Craft CMS: Missing Volume Permission Check in AssetsController::actionShowInFolder Allows…

Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (…

Remote | Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.6 HIGH
CVE-2026-44011 — Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior

Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user …

Remote | Injection
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.1 HIGH
CVE-2026-44010 — Craft CMS: Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Discl…

Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filteri…

Remote | Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
5.5 MEDIUM
CVE-2026-35504 — Subnet Solutions PowerSYSTEM Center CRLF injection

PowerSYSTEM Center email notification service is affected by a CRLF injection vulnerability when using SMTPS communication.

| Injection
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.4 HIGH
CVE-2025-65088 — Out-of-bounds read in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share

An Out-of-Bounds Read vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to disclose information o…

| Memory Corruption
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.4 HIGH
CVE-2025-65087 — Out-of-bounds read in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share

An Out-of-Bounds Read vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to disclose information o…

| Memory Corruption
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.4 HIGH
CVE-2025-65086 — Out-of-bounds write in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share

An Out-of-Bounds Write vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.216 and prior that could allow an attacker to execute arbitrary cod…

| Memory Corruption
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.0 MEDIUM
CVE-2026-8052 — Nomad's exec2 task driver vulnerable to arbitrary file read/write on client host through …

HashiCorp Nomad’s exec2 task driver prior to 0.1.2 is vulnerable to arbitrary file read and write on the client host as the Nomad process user through a symlink attack. This vulnerability (CVE-2026-8…

| Path Traversal
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.8 HIGH
CVE-2026-7474 — Nomad vulnerable to path traversal in dynamic host volume which may lead to code execution

HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.…

Remote | Path Traversal
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
Showing 20 of 6287 Results