Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.8 CRITICAL
CVE-2026-42027 — Apache OpenNLP: Arbitrary Class Instantiation via Model Manifest in ExtensionLoader

Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The ExtensionLoader.instantiateExtension(C…

opennlp | Remote | Misconfiguration
May 04, 2026 May 06, 2026
9.1 CRITICAL
CVE-2026-40682 — Apache OpenNLP: XXE via Dictionary Parsing in DictionaryEntryPersistor

XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor Versions Affected: before 2.5.9, before 3.0.0-M3 Description: The DictionaryEntryPersistor …

opennlp | Remote | XML External Entity
May 04, 2026 May 06, 2026
6.1 MEDIUM
CVE-2026-38669 — WordPress CMS Cross Site Scripting (XSS)

wCMS v.1.4 is vulnerable to Cross Site Scripting (XSS) when creating a new blog.

Remote | Cross-Site Scripting
May 04, 2026 May 05, 2026
7.5 HIGH
CVE-2026-37461 — Gobgp BGP UPDATE Message Out-of-Bounds Read Denial of Service Vulnerability

An out-of-bounds read in the ParseIP6Extended function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.

Remote | Denial of Service
May 04, 2026 May 07, 2026
8.8 HIGH
CVE-2026-29514 — NetBox 4.3.5 - 4.5.4 RCE via RenderTemplateMixin

NetBox versions 4.3.5 through 4.5.4 contain a remote code execution vulnerability in the RenderTemplateMixin.get_environment_params() method that allows authenticated users with exporttemplate or con…

Remote | Authentication
May 04, 2026 May 05, 2026
9.8 CRITICAL
CVE-2026-26956 — vm2: WASM Sandbox Escape (Node 25 only)

vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run() obtains host process object and …

vm2 | Remote | Misconfiguration
May 04, 2026 May 08, 2026
10.0 CRITICAL
CVE-2026-26332 — vm2: Sandbox Escape

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0.

vm2 | Remote | Supply Chain
May 04, 2026 May 06, 2026
9.8 CRITICAL
CVE-2026-25293 — Incorrect authorization in PLC FW

Buffer overflow due to incorrect authorization in PLC FW

qca7005_firmware qca7005 | Remote | Authorization
May 04, 2026 May 06, 2026
7.8 HIGH
CVE-2026-25266 — Exposed dangerous function in windows host

Memory corruption while processing IOCTL command when device is in power-save state.

May 04, 2026 May 06, 2026
9.8 CRITICAL
CVE-2026-24781 — vm2: Sandbox Breakout Through Inspect

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can es…

vm2 | Remote | Injection
May 04, 2026 May 08, 2026
9.8 CRITICAL
CVE-2026-24120 — vm2: Sandbox Breakout Through Promise Species

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM…

vm2 | Remote | Misconfiguration
May 04, 2026 May 08, 2026
9.8 CRITICAL
CVE-2026-24118 — VM2 Sandbox Breakout Through __lookupGetter__

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and…

vm2 | Remote | Misconfiguration
May 04, 2026 May 08, 2026
7.8 HIGH
CVE-2026-24082 — Use After Free in Automotive GPU

Memory Corruption when copying data from a freed source while executing performance counter deselect operation.

May 04, 2026 May 06, 2026
7.8 HIGH
CVE-2025-47408 — Untrusted Pointer Dereference in Power Optimization Firmware

Memory corruption when another driver calls an IOCTL with invalid input/output buffer.

May 04, 2026 May 06, 2026
7.8 HIGH
CVE-2025-47407 — Time-of-check Time-of-use (TOCTOU) Race Condition in DSP Service

Memory corruption while creating a process on the digital signal processor due to allocation failure at the kernel level.

May 04, 2026 May 06, 2026
6.1 MEDIUM
CVE-2025-47406 — Buffer Over-read in DSP Service

Information Disclosure while processing IOCTL handler callbacks without verifying buffer size.

May 04, 2026 May 06, 2026
7.8 HIGH
CVE-2025-47405 — Untrusted Pointer Dereference in Camera

Memory corruption when processing camera sensor input/output control codes with invalid output buffers.

May 04, 2026 May 06, 2026
7.8 HIGH
CVE-2025-47404 — Buffer Copy Without Checking Size of Input in Automotive Audio

Memory corruption when dynamically changing the size of a previously allocated buffer while its contents are being modified.

May 04, 2026 May 06, 2026
7.5 HIGH
CVE-2025-47403 — Buffer Over-read in WLAN Firmware

Transient DOS when processing a malformed Fast Transition response frame with an invalid header structure during wireless roaming.

May 04, 2026 May 06, 2026
7.5 HIGH
CVE-2025-47401 — Buffer Over-read in WLAN HAL

Transient DOS when processing target power rate tables during channel configuration.

May 04, 2026 May 06, 2026
Showing 20 of 5754 Results