Latest CVE Feed

Vulnerabilities published in the last 30 days.

Score | Vulnerability | Published
4.3 MEDIUM
CVE-2026-4607 — ProfileGrid <= 5.9.8.4 - Missing Authorization to Authenticated (Subscriber+) Group Setti…

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.8.4. This is due to the plugin not properl…

Remote | Authorization
May 13, 2026
8.7 HIGH
CVE-2026-39806 — HTTP/1 chunked decoder infinite loop on requests with trailer fields in bandit

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in mtrudel bandit allows unauthenticated remote denial of service via worker process exhaustion. 'Elixir.Bandit.HTTP1.Socket':do_…

Remote | Denial of Service
May 13, 2026
8.7 HIGH
CVE-2026-39803 — HTTP/1 chunked body reader ignores length cap in bandit

Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion. The chunked clause of 'Elixir.Bandit.HTTP1…

Remote | Denial of Service
May 13, 2026
0.0 NA
CVE-2026-37430 — Qihang WMS Arbitrary Code Execution Vulnerability

An arbitrary file upload vulnerability in the ShopOrderImportController.java component of qihang-wms commit 75c15a allows attackers to execute arbitrary code via uploading a crafted file.

| Misconfiguration
May 13, 2026
0.0 NA
CVE-2026-37429 — Qihang WMS SQL Injection

qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysUserMapper.xml file. This vulnerability allows attackers to access sensitive dat…

| Injection
May 13, 2026
0.0 NA
CVE-2026-37428 — Qihang WMS SQL Injection Vulnerability

qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysDeptMapper.xml file. This vulnerability allows attackers to access sensitive dat…

| Injection
May 13, 2026
8.6 HIGH
CVE-2026-6282 — Lenovo Personal Cloud Storage Path Traversal Vulnerability

A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user to move or access files belonging to ot…

Remote | Path Traversal
May 13, 2026
8.8 HIGH
CVE-2026-6281 — Lenovo Personal Cloud Storage Command Injection Vulnerability

A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network to execute arbitrary commands on the device.

Remote | Authentication
May 13, 2026
6.3 MEDIUM
CVE-2026-42926 — NGINX ngx_http_proxy_v2_module vulnerability

When NGINX Open Source is configured to proxy HTTP/2 traffic by setting proxy_http_version to 2, and also uses proxy_set_body, an attacker may be able to inject frame headers and payload bytes to the…

Remote | Injection
May 13, 2026
6.9 MEDIUM
CVE-2026-40460 — NGINX ngx_quic_module vulnerability

When NGINX Plus or NGINX Open Source are configured to use the HTTP/3 QUIC module, an attacker may be able to spoof their source IP address allowing for bypass of authorization or bypass of rate limi…

Remote | Misconfiguration
May 13, 2026
8.3 HIGH
CVE-2026-42946 — NGINX ngx_http_scgi_module and ngx_http_uwsgi_module vulnerability

A vulnerability exists in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that may result in excessive memory allocation or an over-read of data. When scgi_pass or uwsgi_pass is configured…

Remote | Memory Corruption
May 13, 2026
6.3 MEDIUM
CVE-2026-42934 — NGINX ngx_http_charset_module vulnerability

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_charset_module module. When charset, source_charset, and charset_map and proxy_pass with disabled buffering ("off") directives ar…

Remote
May 13, 2026
9.2 CRITICAL
CVE-2026-42945 — NGINX ngx_http_rewrite_module vulnerability

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an…

Remote | Memory Corruption
May 13, 2026
6.3 MEDIUM
CVE-2026-40701 — NGINX ngx_http_ssl_module vulnerability

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssl_module module when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on" or…

Remote | Memory Corruption
May 13, 2026
8.7 HIGH
CVE-2026-40423 — BIG-IP SIP profile vulnerability

When a SIP profile is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which have reached End of Technica…

Remote | Denial of Service
May 13, 2026
8.7 HIGH
CVE-2026-42930 — Appliance mode iControl REST vulnerability

When running in Appliance mode, an authenticated attacker assigned the 'Administrator' role may be able to bypass Appliance mode restrictions on a BIG-IP system.  Note: Software versions which have …

Remote | Authorization
May 13, 2026
6.9 MEDIUM
CVE-2026-24464 — Appliance mode iControl REST vulnerability

When running in Appliance mode, a directory traversal vulnerability exists in an undisclosed iControl REST endpoint that may allow an authenticated attacker with administrator role privileges to cros…

Remote | Path Traversal
May 13, 2026
8.7 HIGH
CVE-2026-39458 — BIG-IP DNS Cache vulnerability

When a BIG-IP DNS profile enabled with DNS cache is configured on a virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate.  Note: Software versions which…

Remote | Denial of Service
May 13, 2026
7.1 HIGH
CVE-2026-41959 — iControl and tmsh REST vulnerability

Incorrect permission assignment vulnerabilities exist in BIG-IP and BIG-IQ TMOS Shell (tmsh) network diagnostics commands and in BIG-IP iControl REST. These vulnerabilities may allow an authenticated…

Remote | Authorization
May 13, 2026
8.7 HIGH
CVE-2026-42406 — BIG-IP and BIG-IQ privilege escalation vulnerability

A vulnerability exists in BIG-IP and BIG-IQ systems where a highly privileged, authenticated attacker with at least the Certificate Manager role can modify configuration objects that allow running ar…

Remote | Authorization
May 13, 2026
Showing 20 of 6338 Results