Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-44054 — Predictable afpd session token

Netatalk 2.0.0 through 4.4.2 generates AFP session tokens derived from predictable process IDs, which allows a remote authenticated attacker to cause a denial of service by exploiting the reconnect m…

Remote | Authentication
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
7.4 HIGH
CVE-2026-44053 — Weak cryptography in DHCAST128 UAM

Netatalk 1.5.0 through 4.2.2 uses a broken cryptographic algorithm in the DHCAST128 UAM, which allows a remote attacker to obtain authentication credentials or impersonate a user via cryptanalytic at…

Remote | Cryptography
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
7.5 HIGH
CVE-2026-44052 — LDAP simple-bind password exposure in log output

Netatalk 2.1.0 through 4.4.2 inserts LDAP simple-bind passwords into log output in cleartext, which allows an attacker with access to the log files to obtain LDAP credentials.

Remote | Information Disclosure
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
8.1 HIGH
CVE-2026-44051 — Arbitrary file read via attacker-controlled symlink creation

An improper link resolution vulnerability in Netatalk 3.0.2 through 4.4.2 allows a remote authenticated attacker to read arbitrary files or overwrite arbitrary files via attacker-controlled symlink c…

Remote | Path Traversal
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
9.9 CRITICAL
CVE-2026-44050 — Heap buffer overflow in CNID daemon comm_rcv()

A heap-based buffer overflow in the CNID daemon comm_rcv() function in Netatalk 2.0.0 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code with escalated privileges or cause…

Remote | Memory Corruption
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
7.5 HIGH
CVE-2026-44049 — Out-of-bounds write in convert_charset() null termination

An out-of-bounds write due to improper null termination in convert_charset() in Netatalk 2.0.4 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code or cause a denial of serv…

Remote | Memory Corruption
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
8.8 HIGH
CVE-2026-44048 — Stack buffer overflow via UCS-2 type confusion in convert_charset()

A stack-based buffer overflow via UCS-2 type confusion in convert_charset() in Netatalk 2.0.4 through 4.4.2 allows a remote authenticated attacker to execute arbitrary code or cause a denial of servi…

Remote | Memory Corruption
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
8.8 HIGH
CVE-2026-44047 — SQL injection in MySQL CNID backend

An SQL injection vulnerability in the MySQL CNID backend in Netatalk 3.1.0 through 4.4.2 allows a remote authenticated attacker to obtain unauthorized access to data, modify data, or cause a denial o…

Remote | Injection
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
9.8 CRITICAL
CVE-2026-6279 — Avada (Fusion) Builder <= 3.15.2 - Unauthenticated Remote Code Execution via PHP Function…

The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the `w…

Remote | Injection
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
6.5 MEDIUM
CVE-2026-2734 — Authorization Bypass in SearchModelVersions in mlflow/mlflow

In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` GraphQL query lack proper per-model authorization checks when basic authenticati…

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
6.4 MEDIUM
CVE-2026-1543 — Avada (Fusion) Builder <= 3.15.2 - Authenticated (Subscriber+) Stored Cross-Site Scriptin…

The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitizatio…

Remote | Cross-Site Scripting
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
4.9 MEDIUM
CVE-2026-4811 — WPB Floating Menu or Categories – Sticky Floating Side Menu & Categories with Icons <= 1.…

The WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Icon CSS Class' category field in all version…

Remote | Cross-Site Scripting
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
10.0 CRITICAL
CVE-2026-9152 — Unauthenticated SOAP Endpoint in Altium 365 SearchService Allows Cross-Tenant Data Exfilt…

A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of …

Remote | Authentication
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
10.0 CRITICAL
CVE-2026-48172 — LiteSpeed cPanel Plugin Privilege Escalation

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild in May 2026. LiteSpeed WHM Plugin (the parent plugin) is unaffected. Detection i…

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
4.3 MEDIUM
CVE-2026-1881 — Broadstreet <= 1.52.2 - Authenticated (Subscriber+) Private Post Meta Disclosure via get_…

The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.52.2 via the get_sponsored_meta AJAX action due to missing validation on…

Remote | Authorization
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
6.5 MEDIUM
CVE-2026-9149 — Libsolv: heap buffer overflow in libsolv repo_add_solv via negative maxsize from crafted …

A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted `.solv` file containing negative size values in the `repo_add_solv` function. T…

Remote | Memory Corruption
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
8.7 HIGH
CVE-2026-40165 — authentik: SAML NameID XML Comment Injection Enables Authentication Bypass via Identifier…

authentik is an open-source identity provider. Versions 2025.12.4 and prior, and versions 2026.2.0-rc1 through 2026.2.2 were vulnerable to Authentication Bypass through SAML NameID XML Comment Inject…

Remote | Authentication
May 21, 2026 May 21, 2026
May 21, 2026
May 21, 2026
6.5 MEDIUM
CVE-2026-9150 — Libsolv: stack-based buffer overflow in libsolv's debian metadata parser when handling sh…

A flaw was found in libsolv. This stack-based buffer overflow vulnerability occurs in libsolv's Debian metadata parser when processing specially crafted Debian repository metadata. An attacker could …

Remote | Memory Corruption
May 20, 2026 May 21, 2026
May 20, 2026
May 21, 2026
4.6 MEDIUM
CVE-2026-47782 — Siber Systems, Inc. RoboForm Android Intent URL Injection Vulnerability

Android App "RoboForm Password Manager" provided by Siber Systems, Inc. handles Android intents without sufficient URL validation, user confirmation nor notification. If a URL to some malicious web p…

| Misconfiguration
May 20, 2026 May 20, 2026
May 20, 2026
May 20, 2026
9.1 CRITICAL
CVE-2026-47372 — Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts

Crypt::SaltedHash versions through 0.09 for Perl generate insecure random values for salts. These versions use the built-in rand function, which is predictable and unsuitable for cryptography.

Remote | Cryptography
May 20, 2026 May 21, 2026
May 20, 2026
May 21, 2026
Showing 20 of 6423 Results