Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.5 HIGH
CVE-2026-44714 — bitcoinj: ScriptExecution P2PKH/P2WPKH Verification Bypass

The bitcoinj library is a Java implementation of the Bitcoin protocol. Prior to 0.17.1, ScriptExecution.correctlySpends() contains two fast-path verification bugs for standard P2PKH and native P2WPKH…

Remote | Cryptography
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
9.1 CRITICAL
CVE-2026-44699 — LibJWT: Algorithm confusion allows JWT forgery with RSA JWK as empty-key HMAC

LibJWT is a C JSON Web Token Library. From 3.0.0 to 3.3.2, libjwt accepts an RSA JWK that does not contain an alg parameter as the verification key for an HS256/HS384/HS512 token. In the OpenSSL back…

Remote | Authentication
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
7.1 HIGH
CVE-2026-44641 — Microsoft APM: plugin.json component paths escape plugin root and copy arbitrary host fil…

Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.jso…

| Path Traversal
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
5.4 MEDIUM
CVE-2026-44310 — gitsign --verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code calle…

Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. From 0.4.0 to before 0.15.0, CertVerifier.Verify() in pkg/git/verifier.go unconditionally dereference…

gitsign | Remote | Authentication
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
5.3 MEDIUM
CVE-2026-44309 — gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion …

Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's …

gitsign | Remote | Misconfiguration
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
5.3 MEDIUM
CVE-2026-42458 — Magento LTS: Reflected XSS - Import -> Data Flow (profiles)

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Pr…

magento | Remote | Cross-Site Scripting
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
6.1 MEDIUM
CVE-2026-42207 — Magento LTS: Open Redirect via Unvalidated `uenc` Parameter in `stockAction()` - magento-…

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Pr…

magento | Remote | Information Disclosure
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
9.3 CRITICAL
CVE-2026-42155 — Magento LTS: Weak API Session ID — Predictable MD5 of Time-Derived Inputs

Magento Long Term Support (LTS) is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Pr…

magento | Remote | Cryptography
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
9.1 CRITICAL
CVE-2026-41258 — OpenMRS: Stored Velocity SSTI to RCE via ConceptReferenceRange

OpenMRS is an open source electronic medical record system platform. From 2.7.0 to before 2.7.9 and 2.8.6, the ConceptReferenceRangeUtility.evaluateCriteria() method in OpenMRS Core evaluates databas…

Remote | Injection
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
6.9 MEDIUM
CVE-2026-41181 — Traefik: Errors middleware forwards Authorization and Cookie headers to separate error pa…

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors (custom error pages) middleware. Whe…

traefik | Remote | Information Disclosure
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
5.4 MEDIUM
CVE-2026-23695 — Cockpit CMS 2.14.0 Stored XSS via Set Field Display Template

Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is proce…

Remote | Cross-Site Scripting
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
8.4 HIGH
CVE-2026-46508 — Turborepo: VSCode Extension command injection

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14000, the Turborepo LSP VS Code extension could execute shell commands derived from workspace-contr…

| Injection
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
3.5 LOW
CVE-2026-45803 — gh: GitHub Actions log output in `gh run view` allows terminal escape sequence injection

`gh` is GitHub’s official command line tool. From 1.6.0 to before 2.92.0, a security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users vie…

Remote | Information Disclosure
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
5.1 MEDIUM
CVE-2026-45773 — Turborepo: Login callback CSRF/session fixation

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the l…

Remote | Cross-Site Request Forgery
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
0.0 NONE
CVE-2026-45772 — Turborepo: Unexpected local code execution during Yarn Berry detection

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted reposi…

Remote | Supply Chain
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
8.1 HIGH
CVE-2026-35194 — Apache Flink: Remote code execution via SQL injection in code generation

Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x allows authenticated users with query submission privileges to execute arbitrary code on TaskManagers…

Remote | Injection
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
10.0 CRITICAL
CVE-2026-2031 — Google Cloud Application Integration: Exposed internal APIs allow Information Disclosure …

An Improper Access Control vulnerability in several internal API endpoints for Google Cloud Application Integration prior to 2026-01-23 allows a remote, unauthenticated attacker to disclose sensitive…

Remote | Authorization
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
6.5 MEDIUM
CVE-2026-8669 — Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted …

Imager versions through 1.030 for Perl allow a heap out of bounds (OOB) write on crafted multi-frame GIF files. Imager::File::GIF's i_readgif_multi_low allocates a single per-row buffer GifRow sized…

Remote | Memory Corruption
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
3.6 LOW
CVE-2026-46483 — Vim: Command injection in tar#Vimuntar via missing shellescape {special} flag

Vim is an open source, command line text editor. Prior to 9.2.0479, a command injection vulnerability exists in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives on Unix-lik…

| Injection
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
4.4 MEDIUM
CVE-2026-45736 — ws: Uninitialized memory disclosure

ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the…

Remote | Memory Corruption
May 15, 2026 May 15, 2026
May 15, 2026
May 15, 2026
Showing 20 of 6322 Results