Latest CVE Feed

Vulnerabilities published in the last 30 days.

Score | Vulnerability | Published
8.6 HIGH
CVE-2026-8077 — Weak credentials vulnerability in the CashDro 3 web administration panel

Lack of proper authorization implementation in the CashDro 3 web administration panel, version 24.01.00.26. The backend lacks authorization controls, leaving security entirely to the frontend. By mod…

Remote | Authorization
May 08, 2026
0.0 NA
CVE-2026-25199 — Apache CloudStack: Proxmox Extension Allows Unauthorized Cross-Tenant Instance Access

Instances deployed via the Proxmox extension allow unauthorized access to instances belonging to other tenants. This issue affects Apache CloudStack: from 4.21.0.0 through 4.22.0.0. The Proxm…

| Authorization
May 08, 2026
0.0 NA
CVE-2026-25077 — Apache CloudStack: Unauthenticated Command Injection in Direct Download Templates

Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an…

| Path Traversal
May 08, 2026
6.5 MEDIUM
CVE-2025-69233 — Apache CloudStack: Domain/account resources limits not honored

Due to multiple time-of-check time-of-use race conditions in the resource count check and increment logic, as well as missing validations, users of the platform are able to exceed the allocation limi…

Remote | Race Condition
May 08, 2026
8.0 HIGH
CVE-2025-66467 — Apache CloudStack: MinIO policy remains intact on bucket deletion

Missing MinIO policy cleanup on bucket deletion via Apache CloudStack allows users to retain access to buckets which they previously owned. If another user creates a new bucket with the same name, th…

Remote | Authorization
May 08, 2026
0.0 NA
CVE-2025-66172 — Apache CloudStack: Any user can attach a volume in their VMs from backups they should not…

The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is e…

| Authorization
May 08, 2026
0.0 NA
CVE-2025-66171 — Apache CloudStack: Any user can create a new VM from backups they should not have access …

The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is e…

| Authorization
May 08, 2026
0.0 NA
CVE-2025-66170 — Apache CloudStack: Any user can list backups that they should not have access to

The CloudStack Backup plugin has an improper authorization logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plug…

| Authorization
May 08, 2026
9.2 CRITICAL
CVE-2022-50994 — DrayTek Vigor 2960 < 1.5.1.4 OS Command Injection via mainfunction.cgi

DrayTek Vigor 2960 firmware versions prior to 1.5.1.4 contain an OS command injection vulnerability in the CGI login handler that allows unauthenticated remote attackers to execute arbitrary commands…

Remote | Injection
May 08, 2026
0.0 NA
CVE-2025-71301 — drm/tests: shmem: Hold reservation lock around vmap/vunmap

In the Linux kernel, the following vulnerability has been resolved: drm/tests: shmem: Hold reservation lock around vmap/vunmap Acquire and release the GEM object's reservation lock around vmap and …

| Race Condition
May 08, 2026
0.0 NA
CVE-2025-71300 — Revert "arm64: zynqmp: Add an OP-TEE node to the device tree"

In the Linux kernel, the following vulnerability has been resolved: Revert "arm64: zynqmp: Add an OP-TEE node to the device tree" This reverts commit 06d22ed6b6635b17551f386b50bb5aaff9b75fbe. OP-T…

| Misconfiguration
May 08, 2026
9.3 CRITICAL
CVE-2026-44125 — Missing Authorization in GINAv2

SEPPmail Secure Email Gateway before version 15.0.4 fails to enforce authorization checks for multiple endpoints in the new GINA UI, allowing unauthenticated remote attackers to access functionality …

Remote | Authorization
May 08, 2026
8.3 HIGH
CVE-2026-44129 — Server-side template injection

SEPPmail Secure Email Gateway before version 15.0.4 contains a server-side template injection vulnerability in the new GINA UI because an endpoint accepts attacker-controlled template, allowing remot…

Remote | Injection
May 08, 2026
0.0 NA
CVE-2026-41493 — yard: Possible arbitrary path traversal and file access via yard server

YARD is a Ruby Documentation tool. Prior to version 0.9.42, a path traversal vulnerability was discovered in YARD when using yard server to serve documentation. This bug would allow unsanitized HTTP …

| Path Traversal
May 08, 2026
9.3 CRITICAL
CVE-2026-44128 — Unauthenticated Remote Code Execution

SEPPmail Secure Email Gateway before version 15.0.2.1 allows unauthenticated remote code execution in the new GINA UI because an endpoint passes attacker-controlled input from a parameter to Perl's e…

Remote | Injection
May 08, 2026
8.8 HIGH
CVE-2026-44127 — Local File Inclusion (LFI) and Arbitrary File Deletion

SEPPmail Secure Email Gateway before version 15.0.4 contains an unauthenticated path traversal vulnerability in the identifier parameter of /api.app/attachment/preview that allows remote attackers to…

Remote | Path Traversal
May 08, 2026
6.9 MEDIUM
CVE-2026-7864 — Exposure of Sensitive Information to an Unauthorized Actor

SEPPmail Secure Email Gateway before version 15.0.4 exposes server environment variables through an unauthenticated endpoint in the new GINA UI, allowing remote attackers to obtain sensitive system i…

Remote | Information Disclosure
May 08, 2026
0.0 NA
CVE-2026-43315 — KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3() succeeding

In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Remove a user-triggerable WARN on nested_svm_load_cr3() succeeding Drop the WARN in svm_set_nested_state() on nested_s…

| Misconfiguration
May 08, 2026
0.0 NA
CVE-2026-43314 — dm: remove fake timeout to avoid leak request

In the Linux kernel, the following vulnerability has been resolved: dm: remove fake timeout to avoid leak request Since commit 15f73f5b3e59 ("blk-mq: move failure injection out of blk_mq_complete_r…

| Denial of Service
May 08, 2026
0.0 NA
CVE-2026-43313 — ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()

In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4() In acpi_processor_errata_piix4(), the pointer dev …

| Memory Corruption
May 08, 2026
Showing 20 of 5753 Results