Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.4 HIGH
CVE-2026-40213 — OpenStack Cyborg Default Policy Authorization Bypass

OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless…

Remote | Authorization
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
8.6 HIGH
CVE-2026-35435 — Azure AI Foundry Elevation of Privilege Vulnerability

Improper access control in Azure AI Foundry M365 published agents allows an unauthorized attacker to elevate privileges over a network.

May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
9.6 CRITICAL
CVE-2026-35428 — Azure Cloud Shell Spoofing Vulnerability

Improper neutralization of special elements used in a command ('command injection') in Azure Cloud Shell allows an unauthorized attacker to perform spoofing over a network.

May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
8.2 HIGH
CVE-2026-34327 — Microsoft Partner Center Spoofing Vulnerability

Externally controlled reference to a resource in another sphere in Microsoft Partner Center allows an unauthorized attacker to perform spoofing over a network.

May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
9.0 CRITICAL
CVE-2026-33844 — Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability

Improper input validation in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.

May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
9.6 CRITICAL
CVE-2026-33823 — Microsoft Team Events Portal Information Disclosure Vulnerability

Improper authorization in Microsoft Teams allows an authorized attacker to disclose information over a network.

May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
7.5 HIGH
CVE-2026-33111 — Copilot Chat (Microsoft Edge) Information Disclosure Vulnerability

Improper neutralization of special elements used in a command ('command injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network.

May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
9.9 CRITICAL
CVE-2026-33109 — Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability

Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.

May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
8.8 HIGH
CVE-2026-32207 — Azure Machine Learning Notebook Spoofing Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network.

May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
7.5 HIGH
CVE-2026-26164 — M365 Copilot Information Disclosure Vulnerability

Improper neutralization of special elements in output used by a downstream component ('injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.

May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
7.5 HIGH
CVE-2026-26129 — M365 Copilot Information Disclosure Vulnerability

Improper neutralization of special elements in M365 Copilot allows an unauthorized attacker to disclose information over a network.

May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
7.5 HIGH
CVE-2026-8098 — code-projects Feedback System checklogin.php sql injection

A security vulnerability has been detected in code-projects Feedback System 1.0. Impacted is an unknown function of the file /admin/checklogin.php. Such manipulation of the argument email leads to sq…

Remote | Injection
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
6.5 MEDIUM
CVE-2026-8097 — CodeAstro Online Classroom askquery.php sql injection

A security flaw has been discovered in CodeAstro Online Classroom 1.0. This vulnerability affects unknown code of the file /askquery.php. The manipulation of the argument squeryx results in sql injec…

Remote | Injection
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
8.5 HIGH
CVE-2026-42449 — n8n-MCP: IPv4-mapped IPv6 addresses bypass SSRF protection in validateUrlSync(), enabling…

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. In versions 2.47.4 through 2.47.13, the SDK embedder path (N8NDocumentationMCPServer…

n8n-mcp | Remote | Server-Side Request Forgery
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
8.6 HIGH
CVE-2026-42047 — Inngest TypeScript SDK exposes environment variables via serve() handler on unhandled HTT…

Inngest is a platform for running event-driven and scheduled background functions with queueing, retries, and step orchestration. Versions 3.22.0 through 3.53.1 contain a vulnerability that allows un…

Remote | Information Disclosure
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
4.7 MEDIUM
CVE-2026-41692 — i18nextify is vulnerable to DOM XSS via javascript:/data: URL schemes in translated href/…

i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 4.0.8 substitute {{key}} interpolation tokens inside src and…

Remote | Cross-Site Scripting
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
6.5 MEDIUM
CVE-2026-41691 — i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns

Copilot said: i18nextify is a JavaScript library that adds i18nextify is a JavaScript library that adds website internationalization via a script tag, without source code changes. Versions prior to 3…

Remote | Path Traversal
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
0.0 NA
CVE-2026-8142 — CVE-2026-8142

VINCE versions 3.0.38 and earlier do not properly verify the From address authenticity due to encoding confusion and use the from address for automated actions such as Ticket creation or Ticket updat…

| Authentication
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
3.3 LOW
CVE-2026-8088 — OSGeo gdal GDapi.c GDfieldinfo out-of-bounds

A weakness has been identified in OSGeo gdal up to 3.13.0dev-4. The affected element is the function GDfieldinfo of the file frmts/hdf4/hdf-eos/GDapi.c. Executing a manipulation can lead to out-of-bo…

| Memory Corruption
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
5.3 MEDIUM
CVE-2026-8087 — OSGeo gdal GDapi.c GDnentries heap-based overflow

A security flaw has been discovered in OSGeo gdal up to 3.13.0dev-4. Impacted is the function GDnentries of the file frmts/hdf4/hdf-eos/GDapi.c. Performing a manipulation of the argument DataFieldNam…

| Memory Corruption
May 07, 2026 May 07, 2026
May 07, 2026
May 07, 2026
Showing 20 of 5879 Results