Latest CVE Vulnerabilities

9.3 CRITICAL

CVE-2026-41090 — Microsoft Copilot Tampering Vulnerability

None

May 22, 2026 May 22, 2026

May 22, 2026

6.5 MEDIUM

CVE-2026-42827 — M365 Copilot Information Disclosure Vulnerability

None

May 22, 2026 May 22, 2026

May 22, 2026

10.0 CRITICAL

CVE-2026-47280 — Azure Resource Manager Elevation of Privilege Vulnerability

None

May 22, 2026 May 22, 2026

May 22, 2026

9.9 CRITICAL

CVE-2026-40411 — Azure Virtual Network Gateway Remote Code Execution Vulnerability

None

May 22, 2026 May 22, 2026

May 22, 2026

8.8 HIGH

CVE-2026-35430 — Azure Privileged Identity Management (PIM) Elevation of Privilege Vulnerability

None

May 22, 2026 May 22, 2026

May 22, 2026

10.0 CRITICAL

CVE-2026-23652 — Microsoft Power Pages Remote Code Execution Vulnerability

None

May 22, 2026 May 22, 2026

May 22, 2026

10.0 CRITICAL

CVE-2026-40412 — Azure Orbital Spatio Remote Code Execution Vulnerability

None

May 22, 2026 May 22, 2026

May 22, 2026

8.7 HIGH

CVE-2026-41147 — NukeViet CMS: Stored Cross-Site Scripting (XSS) via insufficient server-side input saniti…

NukeViet CMS is a multi Content Management System. Versions 4.5.07 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability caused by insufficient server-side input sanitization in the Req…

Remote | Cross-Site Scripting

May 22, 2026 May 22, 2026

May 22, 2026

8.1 HIGH

CVE-2026-41076 — RT: LDAP authentication bypass via empty password

RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior in addition to 6.0.0 through 6.0.2 contain an authentication bypass vulnerability in RT installations…

Remote | Authentication

May 22, 2026 May 22, 2026

May 22, 2026

8.8 HIGH

CVE-2026-41075 — RT: SQL injection via entry_aggregator parameter in JSON search

RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft i…

Remote | Injection

May 22, 2026 May 22, 2026

May 22, 2026

7.1 HIGH

CVE-2026-41074 — RT has broken CSRF protection for authenticated users

RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability. An attacker who can induce a logged-in…

Remote | Cross-Site Request Forgery

May 22, 2026 May 22, 2026

May 22, 2026

4.6 MEDIUM

CVE-2026-41073 — RT: Spreadsheet downloads vulnerable to CSV/formula injection in Microsoft Excel and simi…

RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled …

Remote | Injection

May 22, 2026 May 22, 2026

May 22, 2026

0.0 NA

CVE-2026-41071 — libheif: Heap buffer over-read in SampleAuxInfoReader via crafted HEIF sequence file with…

libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a crafted HEIF sequence file where the saiz box declares more samples than actually exist in the track's chun…

| Memory Corruption

May 22, 2026 May 22, 2026

May 22, 2026

6.5 MEDIUM

CVE-2026-41069 — libheif allows Out-of-bounds vector access leading to invalid dereference (DoS)

libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a malformed HEIF sequence file can trigger an out-of-bounds read in core sequence parsing logic, causing DoS.…

Remote | Memory Corruption

May 22, 2026 May 22, 2026

May 22, 2026

8.7 HIGH

CVE-2026-3294 — Authentication Logic Vulnerability on Multiple TP-Link Range Extenders

An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator passwor…

| Authentication

May 22, 2026 May 22, 2026

May 22, 2026

5.4 MEDIUM

CVE-2026-40864 — JupyterHub: Cross-origin form POSTs bypass XSRF

JupyterHub is software that allows users to create a multi-user server for Jupyter notebooks. In versions 4.1.0 through 5.4.4, XSRF protection (updated in 4.1.0) inappropriately treated requests with…

jupyterhub | Remote | Cross-Site Request Forgery

May 22, 2026 May 22, 2026

May 22, 2026

5.5 MEDIUM

CVE-2026-40610 — BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build …

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.38 and prior, the build packaging workflow follows attacker-controlled symli…

bentoml | Path Traversal

May 22, 2026 May 22, 2026

May 22, 2026

0.0 NA

CVE-2026-39824 — Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows

NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated strin…

| Misconfiguration

May 22, 2026 May 22, 2026

May 22, 2026

0.0 NA

CVE-2026-40607 — MantisBT is Vulnerable to Stored XSS Through its Saved-Filter Owner Column

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.11.0 through 2.28.1, a Stored XSS vulnerability is caused by incorrect escaping of a saved filter's owner, allowing an att…

mantisbt | Cross-Site Scripting

May 22, 2026 May 22, 2026

May 22, 2026

0.0 NA

CVE-2026-40598 — MantisBT has Potential Referer-Based Reflected HTML Injection / XSS in Tag Update Page

Mantis Bug Tracker (MantisBT) is an open source issue tracker. In versions 2.28.1 and below, improper escaping of the redirection page (retrieved from the request's Referer header) allows an attacker…

mantisbt | Cross-Site Scripting

May 22, 2026 May 22, 2026

May 22, 2026

Browse by Apps

Latest CVE Feed

Cookie Preferences