Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.5 HIGH
CVE-2025-56352 — TinyMQTT Broker Protocol Violation Leaving File Descriptors Open

In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), the broker mishandles protocol violations during CONNECT packet parsing. When receiving a CONNECT packet with a zero-length C…

Remote | Denial of Service
May 18, 2026
8.2 HIGH
CVE-2026-41949 — Dify v1.14.1 Authorization Bypass via File Preview Endpoint

Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document acr…

Remote | Authorization
May 18, 2026
9.2 CRITICAL
CVE-2026-41948 — Dify v1.14.1 Path Traversal via Plugin Daemon Internal API Access

Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficie…

Remote | Path Traversal
May 18, 2026
9.1 CRITICAL
CVE-2026-41947 — Dify v1.14.1 Authorization Bypass via Trace Configuration Endpoints

Dify version 1.14.1 and prior contain an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant own…

Remote | Authorization
May 18, 2026
7.5 HIGH
CVE-2026-39079 — PrestaShop UPS Shipping Information Disclosure

An issue in prestashop upsshipping all versions through at least 2.4.0 allows a remote attacker to obtain sensitive information via the /modules/upsshipping/logs/, and /modules/upsshipping/lib/UPSBas…

Remote | Information Disclosure
May 18, 2026
0.0 NA
CVE-2026-26462 — Adobe Offline Hospital Management System Remote Code Execution Vulnerability

Offline Hospital Management System 5.3.0 allows remote code execution due to an improper Electron renderer configuration. The application enables Node.js integration while disabling context isolation…

| Misconfiguration
May 18, 2026
7.5 HIGH
CVE-2026-42009 — Gnutls: gnutls: denial of service via dtls packet reordering vulnerability

A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS pa…

Remote | Denial of Service
May 18, 2026
6.3 MEDIUM
CVE-2026-8803 — opensourcepos Open Source Point of Sale Employee Login Employee.php login weak hash

A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation cau…

Remote | Authentication
May 18, 2026
9.8 CRITICAL
CVE-2026-7304 — CVE-2026-7304

SGLang's multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will…

Remote | Authentication
May 18, 2026
9.1 CRITICAL
CVE-2026-7302 — CVE-2026-7302

SGLang's multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by …

Remote | Path Traversal
May 18, 2026
9.8 CRITICAL
CVE-2026-7301 — CVE-2026-7301

SGLang's multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the intern…

Remote | Information Disclosure
May 18, 2026
7.1 HIGH
CVE-2026-0983 — Denial of service vulnerability in M-Files Server

Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process to crash.

Remote | Denial of Service
May 18, 2026
5.3 MEDIUM
CVE-2026-8802 — opensourcepos Open Source Point of Sale Items.php getPicThumb path traversal

A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argumen…

Remote | Path Traversal
May 18, 2026
9.3 CRITICAL
CVE-2026-4320 — Authorization Bypass in ICMS Content Management by Creartia Internet Consulting

Authorization Bypass vulnerability in Creartia's ICMS software could allow an attacker to gain unauthorized access to protected features by manipulating the HTTP redirect headers of the login process…

Remote | Authorization
May 18, 2026
6.8 MEDIUM
CVE-2026-41119 — Dell Live Optics Certificate Validation Vulnerability

Dell Live Optics Windows and Personal Edition collectors contain an improper certificate validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability leadi…

Remote | Misconfiguration
May 18, 2026
8.8 HIGH
CVE-2026-7498 — Stored XSS in Basamak Informatics' DernekWeb

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Basamak Information Technology Consulting and Organization Trade Ltd. Co. DernekWeb allows Stored…

Remote | Cross-Site Scripting
May 18, 2026
7.7 HIGH
CVE-2026-6902 — Code Injection in Perforce P4 (Helix Core)

A vulnerability in Command-Line Client in P4 Server prior to the 2025.2 Patch 2, identified as CVE-2026-6902, has been fixed in P4 Server to address potential security risks.

Remote | Injection
May 18, 2026
7.6 HIGH
CVE-2026-6347 — Mattermost Calls plugin exposes TURN server credentials in plaintext in support packets

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a su…

mattermost_server | Remote | Information Disclosure
May 18, 2026
8.7 HIGH
CVE-2026-6346 — Sensitive credentials exposed in plaintext in Mattermost support packets

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermo…

mattermost_server | Remote | Information Disclosure
May 18, 2026
6.5 MEDIUM
CVE-2026-6345 — Prevent password disclosure and force reset during Slack import

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to prevent disclosure of created user password which allows a malicious attacker to impersonate a user via the use of som…

mattermost_server | Remote | Information Disclosure
May 18, 2026
Showing 20 of 6245 Results