Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.3 CRITICAL
CVE-2026-4320 — Authorization Bypass in ICMS Content Management by Creartia Internet Consulting

Authorization Bypass vulnerability in Creartia's ICMS software could allow an attacker to gain unauthorized access to protected features by manipulating the HTTP redirect headers of the login process…

Remote | Authorization
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
0.0 NA
CVE-2026-8802 — opensourcepos Open Source Point of Sale Items.php getPicThumb path traversal

A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argumen…

| Path Traversal
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
6.8 MEDIUM
CVE-2026-41119 — Dell Live Optics Certificate Validation Vulnerability

Dell Live Optics Windows and Personal Edition collectors contain an improper certificate validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability leadi…

Remote | Misconfiguration
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
8.8 HIGH
CVE-2026-7498 — Stored XSS in Basamak Informatics' DernekWeb

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Basamak Information Technology Consulting and Organization Trade Ltd. Co. DernekWeb allows Stored…

Remote | Cross-Site Scripting
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
7.7 HIGH
CVE-2026-6902 — Code Injection in Perforce P4 (Helix Core)

A vulnerability in Command-Line Client in P4 Server prior to the 2025.2 Patch 2, identified as CVE-2026-6902, has been fixed in P4 Server to address potential security risks.

Remote | Injection
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
7.6 HIGH
CVE-2026-6347 — Mattermost Calls plugin exposes TURN server credentials in plaintext in support packets

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields in the Mattermost Calls plugin which allows an attacker with access to a su…

Remote | Information Disclosure
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
8.7 HIGH
CVE-2026-6346 — Sensitive credentials exposed in plaintext in Mattermost support packets

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to sanitize sensitive configuration fields before including them in support packet generation, which allows a Mattermo…

Remote | Information Disclosure
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
6.5 MEDIUM
CVE-2026-6345 — Prevent password disclosure and force reset during Slack import

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail prevent disclosure of created user password which allows a malicious attacker to impersonate a user via the use of som…

Remote | Information Disclosure
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
4.3 MEDIUM
CVE-2026-6343 — Mattermost Playbooks Plugin fails to enforce view permissions in list endpoints, allowing…

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check public/private permissions which allows members without these permissions to access public playbooks via /get…

Remote | Authorization
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
4.3 MEDIUM
CVE-2026-6339 — Missing request origin validation on burn-on-read reveal endpoint

Mattermost versions 11.5.x <= 11.5.1, 11.4.x <= 11.4.3 fail to validate the X-Requested-With header on the burn-on-read reveal endpoint which allows an authenticated channel member to force the revea…

Remote | Cross-Site Request Forgery
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
3.5 LOW
CVE-2026-6333 — SSRF via Host Header Spoofing in Custom Slash Commands

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to validate the Host header when constructing response URLs for custom slash commands which allows an authenticated attacker to redirect…

Remote | Server-Side Request Forgery
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
6.5 MEDIUM
CVE-2026-5163 — Missing authorization check in AI message rewrite endpoint allows access to private threa…

Mattermost versions 11.5.x <= 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private ch…

Remote | Authorization
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
3.5 LOW
CVE-2026-4643 — Calling window.close() from server-side content causes crash in the Mattermost Desktop App

Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent server-rendered content from closing an underlying application view in the Mattermost Desktop App which allows a malicious server …

Remote | Denial of Service
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
3.1 LOW
CVE-2026-4286 — Playbooks Plugin fails to validate team transfers, allowing unauthorized removal of membe…

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to check if {{team_id}} was being changed when updating playbooks, allowing users with only {{Manage Playbook Configurations}} permissio…

Remote | Authorization
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
6.5 MEDIUM
CVE-2026-3471 — Opening a window with {{javascript:alert()}} as URL causes crash in the Mattermost Deskto…

Mattermost Desktop App versions <=6.1 6.0.1 5.4.13.0 fail to prevent an invalid URL from loading in a pop-up window in the Mattermost Desktop App which allows a malicious server owner to repeated cra…

Remote | Denial of Service
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
6.5 MEDIUM
CVE-2026-3117 — Instance and webhook GitLab plugin commands were able to be run by non-admin users

Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to properly check for permissions when processing commands in the Gitlab plugin which allows normal users to uninstall instances or se…

Remote | Authorization
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
4.3 MEDIUM
CVE-2026-28732 — Slash command trigger-word update allowed command hijacking

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 Fail to enforce slash command trigger-word uniqueness during command updates which allows an authenticated team member with…

Remote | Authentication
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
0.0 NA
CVE-2026-8788 — Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections

Net::Statsd::Lite versions through 0.10.0 for Perl allowed metric injections. The values from the set_add method were not checked for newlines, colons or pipes. Metrics generated from untrusted sour…

| Injection
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
4.3 MEDIUM
CVE-2026-6342 — Group prefix matching bypass for subscriptions

Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via …

Remote | Misconfiguration
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
4.3 MEDIUM
CVE-2026-6341 — Incomplete group locking implementation

Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multip…

Remote | Authorization
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
Showing 20 of 6161 Results