Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
5.3 MEDIUM
CVE-2026-41159 — Mermaid: Improper sanitization of configuration leads to CSS injection

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, Mermaid's default configuration allows injecting CSS that applies…

mermaid | Remote | Misconfiguration
May 29, 2026 Jun 01, 2026
May 29, 2026
Jun 01, 2026
5.3 MEDIUM
CVE-2026-41150 — Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS

Mermaid is a JavaScript tool that uses Markdown-inspired text to create and modify diagrams and charts. Prior to 10.9.6 and 11.15.0, there is a denial-of-service attack when rendering gantt charts, i…

mermaid | Remote | Denial of Service
May 29, 2026 Jun 01, 2026
May 29, 2026
Jun 01, 2026
7.3 HIGH
CVE-2026-39292 — Falco Solutions PHPPageBuilder File Upload RCE Vulnerability

Falco Solutions PHPPageBuilder v0.31.0 contains an unrestricted file upload vulnerability in the pagemanager/pagebuilder module that allows remote attackers to upload arbitrary files and achieve remo…

Remote | Misconfiguration
May 29, 2026 Jun 01, 2026
May 29, 2026
Jun 01, 2026
9.8 CRITICAL
CVE-2026-10063 — TRENDnet TEW-432BRP formWPS stack-based overflow

A vulnerability was identified in TRENDnet TEW-432BRP 3.10B20. Affected by this issue is the function formWPS of the file /goform/formWPS. Such manipulation of the argument peerPin leads to stack-bas…

tew-432brp tew-432brp_firmware tew-432brp | Remote | Memory Corruption
May 29, 2026 Jun 03, 2026
May 29, 2026
Jun 03, 2026
9.8 CRITICAL
CVE-2026-10062 — TRENDnet TEW-432BRP formSetRoute stack-based overflow

A vulnerability was determined in TRENDnet TEW-432BRP 3.10B20. Affected by this vulnerability is the function formSetRoute of the file /goform/formSetRoute. This manipulation of the argument ip/mask/…

tew-432brp tew-432brp_firmware tew-432brp | Remote | Memory Corruption
May 29, 2026 Jun 03, 2026
May 29, 2026
Jun 03, 2026
9.8 CRITICAL
CVE-2026-10042 — manga-image-translator RCE via Unsafe Pickle Deserialization in Share Model

manga-image-translator contains a remote code execution vulnerability in the shared API server mode due to unsafe deserialization of untrusted pickle data in the share.py module, where the /execute/{…

Remote | Injection
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
4.6 MEDIUM
CVE-2026-49325 — Indian Scout Bobber 2025 WCM voltage-based shutdown

Improper handling of physical conditions in the bike-shutdown control of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows a physical attacker with access to the Wireless Control Modul…

| Misconfiguration
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
2.4 LOW
CVE-2026-49318 — Indian Scout Bobber 2025 Infotainment Digital Round skips PIN entry when WCM is silent at…

Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. T…

| Misconfiguration
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
2.4 LOW
CVE-2026-49317 — Indian Scout Bobber 2025 Infotainment Digital Round skips PIN entry when WCM is silent at…

Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. T…

| Authentication
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
4.6 MEDIUM
CVE-2026-49316 — Indian Scout Bobber 2025 WCM CAN bus-off attack silently bypasses anti-theft shutdown

Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle's anti-theft shutdown b…

| Denial of Service
May 29, 2026 May 29, 2026
May 29, 2026
May 29, 2026
7.1 HIGH
CVE-2026-47696 — WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint

WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST pa…

avideo | Remote | Authorization
May 29, 2026 Jun 01, 2026
May 29, 2026
Jun 01, 2026
5.4 MEDIUM
CVE-2026-47694 — WWBN AVideo: Stored XSS via unescaped Gallery category description

WWBN AVideo is an open source video platform. In 29.0 and earlier, AVideo stores category descriptions from user input and later renders category_description as raw HTML in the Gallery view. A user w…

avideo | Remote | Cross-Site Scripting
May 29, 2026 Jun 01, 2026
May 29, 2026
Jun 01, 2026
8.2 HIGH
CVE-2026-46510 — Prototype pollution in form-data-objectizer via bracket-notation form keys

form-data-objectizer converts FormData to object. Prior to 1.0.1, form-data-objectizer walks bracket-notation form keys (e.g. name[sub]) into nested objects without filtering __proto__, constructor, …

Remote | Misconfiguration
May 29, 2026 Jun 02, 2026
May 29, 2026
Jun 02, 2026
9.8 CRITICAL
CVE-2026-46376 — FreePBX: Unauthenticated Use of Hard-Coded Credentials Vulnerability in FreePBX UCP Inter…

FreePBX is an open source IP PBX. From 15.0.42 to before 16.0.45 and 17.0.7, unauthenticated users may be able to access the User Control Panel (UCP) using hard-coded initial template credentials if …

freepbx | Remote | Authentication
May 29, 2026 Jun 01, 2026
May 29, 2026
Jun 01, 2026
6.9 MEDIUM
CVE-2026-46337 — WWBN AVideo: Unauthenticated Arbitrary Image Read via Path Traversal in `view/img/image40…

WWBN AVideo is an open source video platform. In 29.0 and earlier, an unauthenticated remote attacker can read arbitrary image files anywhere on disk that the PHP user can open — including private us…

avideo | Remote | Path Traversal
May 29, 2026 Jun 01, 2026
May 29, 2026
Jun 01, 2026
6.9 MEDIUM
CVE-2026-45731 — WWBN AVideo: Authenticated Arbitrary File Read in view/update.php

WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $_POST['updateFile'] as a relative path under updatedb/ and passes it to PHP's file() for line-by-line executi…

avideo | Remote | Path Traversal
May 29, 2026 Jun 01, 2026
May 29, 2026
Jun 01, 2026
8.1 HIGH
CVE-2026-45707 — n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant…

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.2, when ENABLE_MULTI_TENANT=true, the HTTP transport documents that th…

n8n-mcp | Remote | Authorization
May 29, 2026 Jun 01, 2026
May 29, 2026
Jun 01, 2026
5.3 MEDIUM
CVE-2026-45620 — AVideo CVE-2026-43881 incomplete fix - `objects/mention.json.php:17` is an unauthenticate…

WWBN AVideo is an open source video platform. In 29.0 and earlier, objects/mention.json.php has no User::loginCheck() or admin gate. It only has an entry guard: preg_match('/^@/', $_REQUEST['term']) …

avideo | Remote | Authentication
May 29, 2026 Jun 01, 2026
May 29, 2026
Jun 01, 2026
6.5 MEDIUM
CVE-2026-45619 — AVideo CVE-2026-43884 incomplete fix - `isSSRFSafeURL()` call sites still discard the `$r…

WWBN AVideo is an open source video platform. In 29.0 and earlier, EpgParser.php, plugin/AI/receiveAsync.json.php, and other locations do not use the $resolvedIP out-param of isSSRFSafeURL() for DNS …

avideo | Remote | Server-Side Request Forgery
May 29, 2026 Jun 01, 2026
May 29, 2026
Jun 01, 2026
8.2 HIGH
CVE-2026-45615 — mouse07410/asn1c: 1-byte Heap Out-of-Bounds Read in `INTEGER_decode_oer` via Malformed OE…

mouse07410/asn1c is an ASN.1 compiler. In 1.4 and earlier, a memory safety vulnerability was identified in the OER decoding skeleton files generated by asn1c (specifically INTEGER_oer.c). When parsin…

Remote | Memory Corruption
May 29, 2026 Jun 01, 2026
May 29, 2026
Jun 01, 2026
Showing 20 of 7216 Results