Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
5.9 MEDIUM
CVE-2026-8328 — FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host…

The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpee…

Remote | Server-Side Request Forgery
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
9.1 CRITICAL
CVE-2026-45714 — CubeCart: Server-Side Template Injection (SSTI) in Smarty Templates leading to RCE

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, Inv…

Remote | Injection
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
7.2 HIGH
CVE-2026-45708 — CubeCart: Authenticated RCE via Invoice Template → Order Print

CubeCart is an ecommerce software solution. Prior to 6.7.3, an admin with documents edit permission can save raw <?php … ?> into the Invoice Editor. The next time any admin clicks Print on any order,…

Remote | Information Disclosure
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.8 HIGH
CVE-2026-45229 — Quark Drive < 0.8.5 Mass Assignment via POST /update

Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an arbitrary webui…

Remote | Authentication
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
5.4 MEDIUM
CVE-2026-45228 — Quark Drive < 0.8.5 Stored XSS via System Configuration

Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders push_config key names using Vue.js's v-html directive without…

Remote | Cross-Site Scripting
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.1 HIGH
CVE-2026-45055 — CubeCart: Pre-Authenticated Password Reset Link Poisoning via HTTP Host Header

CubeCart is an ecommerce software solution. Prior to 6.7.2, CubeCart 6.6.x – 6.7.1 builds CC_STORE_URL directly from the Host request header at bootstrap, with no allowlist. The constant is embedded …

Remote | Server-Side Request Forgery
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
4.9 MEDIUM
CVE-2026-45054 — CubeCart: Authenticated SQL Injection via `sort[]` Parameter in Admin Orders Transactions…

CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page (admin.php?_g=orders&node=transactions) builds a raw ORDER BY SQL fragment from the attacker-con…

Remote | Injection
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
9.1 CRITICAL
CVE-2026-45053 — CubeCart: Authenticated Arbitrary File Upload to RCE in REST Files API

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint (POST /api/v1/files) of CubeCart. The end…

Remote | Path Traversal
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.7 HIGH
CVE-2026-44418 — Incomplete fix for CVE-2026-35184: SQL Injection in phili67/ecclesiacrm

EcclesiaCRM is CRM Software for church management. In 8.0.0 and earlier, the ValidateInput() function's default case in EcclesiaCRM's query view passes user-supplied POST parameters directly into SQL…

Remote | Injection
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
9.3 CRITICAL
CVE-2026-44381 — MISP: SQL injection via unvalidated ordering parameters in event and shadow attribute lis…

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow …

Remote | Injection
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.6 HIGH
CVE-2026-44380 — MISP: Improper access control in auth key reset allows privilege escalation to site admi…

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organ…

Remote | Authentication
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
5.3 MEDIUM
CVE-2026-44379 — MISP: Improper UUID validation in MISP Collections

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or mo…

Remote | Misconfiguration
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
9.1 CRITICAL
CVE-2026-44377 — CubeCart: Server-Side Template Injection (SSTI) in Smarty Templates leading to RCE

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates and …

Remote | Injection
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
6.1 MEDIUM
CVE-2026-44376 — CubeCart: Reflected XSS in Store Search Bar

CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic flaw in classes/catalogue.class.p…

Remote | Cross-Site Scripting
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
5.3 MEDIUM
CVE-2026-44373 — Nitro: Proxy scope bypass via percent-encoded path traversal in `routeRules`

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending percent-encoded path traversal (..%2f) in the URL, causing Nitro to forward…

Remote | Path Traversal
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
5.3 MEDIUM
CVE-2026-44372 — Nitro: Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect by sliding an extra slash in after…

Remote | Misconfiguration
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
6.9 MEDIUM
CVE-2026-44368 — PyQuorum: Timing side‑channel in mul_mod

PyQuorum is a cryptographic library for secret sharing and key management. Prior to 0.2.1, the mul_mod function implements multiplication via a binary expansion loop whose execution time depends on t…

Remote | Cryptography
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.1 HIGH
CVE-2026-42602 — azureauthextension Authenticate method does not validate bearer tokens, allowing auth byp…

azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access toke…

Remote | Authentication
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
7.5 HIGH
CVE-2026-42561 — Python-Multipart: Denial of Service via unbounded multipart part headers

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data…

Remote | Denial of Service
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
7.5 HIGH
CVE-2026-42304 — Twisted: Denial of Service (DoS) in twisted.names via Crafted DNS Compression Pointer Cha…

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exha…

Remote | Denial of Service
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
Showing 20 of 6409 Results