Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
6.8 MEDIUM
CVE-2026-33741 — EspoCRM: Stored XSS via SVG attachment loading same-origin JavaScript

EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below allow authenticated users to upload SVG attachments through normal attachment-capable fields and later…

espocrm | Remote | Cross-Site Scripting
May 19, 2026 May 20, 2026
May 19, 2026
May 20, 2026
9.9 CRITICAL
CVE-2026-33642 — Kitty has a Heap Buffer Over-Read/Write via Integer Overflow in compose_rectangles Bounds…

Kitty is a cross-platform GPU based terminal. In versions 0.46.2 and below, the handle_compose_command() function in kitty/graphics.c performs bounds validation on composition offsets using unsigned …

kitty | Remote | Memory Corruption
May 19, 2026 May 22, 2026
May 19, 2026
May 22, 2026
6.5 MEDIUM
CVE-2026-33637 — Faraday: Protocol-relative URI objects still bypass host scoping (possible incomplete fix…

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Versions 2.0.0 through 2.14.1 still allow protocol-relative host override when the request tar…

faraday | Remote | Server-Side Request Forgery
May 19, 2026 May 21, 2026
May 19, 2026
May 21, 2026
6.5 MEDIUM
CVE-2026-32738 — libheif has a Heap OOB Read/SEGV Crash via Zero samples_per_chunk

libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 792-byte HEIF sequence file with samples_per_chunk=0 in the stsc box causes an unsigned integer und…

libheif | Remote | Denial of Service
May 19, 2026 May 20, 2026
May 19, 2026
May 20, 2026
9.8 CRITICAL
CVE-2026-8605 — Use of Hard-coded Credentials in ScadaBR

In ScadaBR version 1.2.0, a Use of Hard-Coded Credentials vulnerability could allow an attacker to access the SCADA system as admin.

scadabr | Remote | Authentication
May 19, 2026 May 21, 2026
May 19, 2026
May 21, 2026
8.8 HIGH
CVE-2026-8604 — Cross-Site request forgery (CSRF) in ScadaBR

In ScadaBR version 1.2.0, a CSRF vulnerability could allow an attacker to trigger any authenticated action through a victim's session by luring any logged-in user to a malicious webpage.

scadabr | Remote | Cross-Site Request Forgery
May 19, 2026 May 21, 2026
May 19, 2026
May 21, 2026
9.8 CRITICAL
CVE-2026-8603 — Improper neutralization of special elements used in an OS command ('OS command injection'…

In ScadaBR version 1.2.0, an OS Command Injection vulnerability could allow an attacker to execute commands as root on the SCADA system.

scadabr | Remote | Injection
May 19, 2026 May 21, 2026
May 19, 2026
May 21, 2026
9.1 CRITICAL
CVE-2026-8602 — Missing authentication for critical function in ScadaBR

In ScadaBR version 1.2.0, a Missing Authentication for Critical Function vulnerability could allow an unauthenticated attacker to send a HTTP GET requests to the SCADA system and inject arbitrary sen…

scadabr | Remote | Authentication
May 19, 2026 May 21, 2026
May 19, 2026
May 21, 2026
8.7 HIGH
CVE-2026-6009 — Jaspersoft Library Deserialisation Vulnerability

Java Deserialisation Vulnerability in Jaspersoft Reports Library leads to Remote Code Execution (RCE), potentially allowing code execution on the affected system

Remote | Injection
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
9.6 CRITICAL
CVE-2026-47107 — Windmill < 1.703.2 Incorrect Default Permissions in nsjail Configuration

Windmill prior to 1.703.2 contains an incorrect default permissions vulnerability in nsjail sandbox configuration files where /etc is bind-mounted without read-write restrictions, allowing authentica…

windmill | Remote | Misconfiguration
May 19, 2026 May 20, 2026
May 19, 2026
May 20, 2026
8.8 HIGH
CVE-2026-33633 — Kitty has a Heap Buffer Overflow in its Graphics Protocol Handler

Kitty is a cross-platform GPU based terminal. Versions 0.46.2 and below contain a heap buffer overflow in load_image_data() that allows any process which can write to the terminal's stdin to crash ki…

kitty | Remote | Memory Corruption
May 19, 2026 May 22, 2026
May 19, 2026
May 22, 2026
5.9 MEDIUM
CVE-2026-32134 — NanoMQ: NULL Pointer Dereference Crash in tcptran_pipe_peer During Session Restore

NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In versions 0.24.10 and below, when NanoMQ handles high-concurrency reconnect traffic using a reconnect-collision payload, the br…

nanomq | Remote | Denial of Service
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
Showing 20 of 7592 Results