Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.1 HIGH
CVE-2026-42553 — Cinny: Access token disclosure via invalidated emoji pack avatar URL in service worker

Cinny is a Matrix client. Prior to 4.10.3, A remote authenticated attacker who shares a room with a victim and has permissions to create room emotes (for example in a DM) can cause the victim's clien…

cinny | Remote | Information Disclosure
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
6.2 MEDIUM
CVE-2026-42328 — go-ipld-prime: DAG-CBOR and DAG-JSON decoders unbounded recursion depth

go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, a batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on …

go-ipld-prime | Denial of Service
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
0.0 NA
CVE-2026-38808 — "uzy-ssm-mall SQL Injection"

SQL Injection vulnerability in uzy-ssm-mall v1.1.0 allows a remote attacker to obtain sensitive information via the ProductMapper.xml and /OrderUtil.java components

| Injection
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
0.0 NA
CVE-2026-38807 — Apache kvf-admin Privilege Escalation Vulnerability

Insecure Permissions vulnerability in kvf-admin v1.0.0 allows a remote attacker to escalate privileges via the UserController.java component

| Authorization
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
0.0 NA
CVE-2025-69600 — Raynet rvia Command Injection Vulnerability

Command injection in Raynet rvia 12.6.4392.49-amd64.deb allows adversaries to execute commands via getconfig, and upload through the URL argument, and oracle through the -o flag The Supplier's perspe…

| Injection
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
0.0 NA
CVE-2025-67903 — Northern.tech Mender Client Cryptographic Signature Verification Bypass

Northern.tech Mender Client 5 before 5.0.4 allows a Cryptographic signature verification bypass.

| Cryptography
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
4.3 MEDIUM
CVE-2026-49054 — WordPress The Post Grid plugin <= 7.9.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Mamunur Rashid The Post Grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Post Grid: from n/a through 7.9.2.

Remote | Authorization
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
9.8 CRITICAL
CVE-2026-48027 — Compromised Nx Console version 18.95.0

Nx Console is the user interface for Nx & Lerna. On 19 May 2026, a malicious version of Nx Console, 18.95.0, was published at 12:30 PM UTC and removed soon after at 12:48 PM UTC, leaving it available…

nx_console | Remote | Supply Chain
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
5.4 MEDIUM
CVE-2026-45335 — WeGIA: Middleware whitelist bypass → open redirect via InternoControle.nextPage

WeGIA is a web manager for charitable institutions. Prior to 3.7.3, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically th…

wegia | Remote | Misconfiguration
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
5.9 MEDIUM
CVE-2026-45027 — WeGIA: Use of Weak Password Hashing Algorithm (SHA-256, no salt) in html/login.php

WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, when a user logs in, html/login.php hashes the submitted password using PHP's hash() function with the SHA-256 algorith…

wegia | Remote | Cryptography
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
8.2 HIGH
CVE-2026-44483 — RVF: Prototype pollution in @rvf/set-get reachable via @rvf/core preprocessFormData (HTTP…

RVF (formerly Remix Validated Form) provides easy form validation and state management for React. From 6.0.0 to before 6.0.4 and 7.0.2, setPath in @rvf/set-get (used by @rvf/core to flatten incoming …

Remote | Injection
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
6.1 MEDIUM
CVE-2026-44475 — Ella Core: UE Security Capability bypass on NGAP PathSwitchRequest

Ella Core is a 5G core designed for private networks. Prior to 1.10.0, Ella Core does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored va…

ella_core | Authentication
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
3.7 LOW
CVE-2026-44474 — Ella Core: Handover failures during concurrent Security Mode Command

Ella Core is a 5G core designed for private networks. Prior to 1.10.0, Ella Core didn't enforce security rules on concurrent running of security procedures defined in TS 33.501 §6.9.5.1 — it could se…

ella_core | Race Condition
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
7.1 HIGH
CVE-2026-44473 — Ella Core: UE Downlink Redirection via Forged PDUSessionResourceSetupResponse

Ella Core is a 5G core designed for private networks. Prior to 1.10.0, a radio with a valid NG Setup can send a forged PDUSessionResourceSetupResponse carrying any UE's AMF-UE-NGAP-ID. Ella Core does…

ella_core | Authentication
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
6.5 MEDIUM
CVE-2026-44353 — Streamlink: Arbitrary local file read via file:// URI in HLS and DASH

Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries an…

Remote | Path Traversal
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
10.0 CRITICAL
CVE-2026-44330 — free5GC: NEF nnef-pfdmanagement API is unauthenticated; forged bearer tokens can read PFD…

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-pfdmanagement route group without inbound OAuth2/bearer-token authorization. A network a…

free5gc | Remote | Authentication
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
10.0 CRITICAL
CVE-2026-44329 — free5GC: SMF UPI management interface lacks auth middleware; unauthenticated topology rea…

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without OAuth2/bearer-token authorization middleware. A network at…

free5gc | Remote | Authorization
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
8.2 HIGH
CVE-2026-44328 — free5GC: SMF UPI DELETE /upi/v1/upNodesLinks/{ref} panics on AN-node deletion via nil UPF…

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. On top of that, the DELETE /upi…

free5gc | Remote | Denial of Service
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
10.0 CRITICAL
CVE-2026-44327 — free5GC: NEF nnef-oam route group is unauthenticated; no-token requests reach the OAM han…

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the nnef-oam route group without inbound OAuth2/bearer-token authorization. A network attacker wh…

free5gc | Remote | Authorization
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
9.4 CRITICAL
CVE-2026-44326 — free5GC: NEF 3gpp-traffic-influence API is unauthenticated; missing or forged bearer toke…

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the 3gpp-traffic-influence API without inbound OAuth2/bearer-token authorization. A network attac…

free5gc | Remote | Authentication
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
Showing 20 of 6571 Results