Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.1 HIGH
CVE-2026-34358 — CtrlPanel: Missing Authorization on Admin Write Endpoints Allows RBAC Bypass

CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contains a broken access control vulnerability where multiple admin controllers enforce permission checks on …

Remote | Authorization
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
4.8 MEDIUM
CVE-2026-34246 — CtrlPanel: Stored XSS in Admin Role Management via Unescaped DataTable HTML Output

CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability exists in the admin role management interface. In a…

Remote | Cross-Site Scripting
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
8.7 HIGH
CVE-2026-34241 — CtrlPanel: Stored XSS in Ticket Reply Notifications Allows Session Hijacking

CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability in the ticket reply notification system. Unsanitize…

Remote | Cross-Site Scripting
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
10.0 CRITICAL
CVE-2026-34234 — CtrlPanel: Unauthenticated RCE using installer script

CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the web-based installer (public/installer/index.php) is vulnerable to unauthenticated Remote Code Executi…

Remote | Injection
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
4.6 MEDIUM
CVE-2025-15645 — Ledger Nano X, Flex, Stax MCU Firmware Update Denial of Service

Ledger Nano X, Flex, and Stax devices contain a denial of service vulnerability in the MCU firmware update process due to missing validation of the reset_handler parameter during firmware flashing. A…

| Denial of Service
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
4.6 MEDIUM
CVE-2024-36343 — Intel AMT SMM Buffer Overflow

Improper input validation in the System Management Mode (SMM) communications buffer could allow a privileged attacker to perform an out of bounds read or write to a limited section of the Top of Memo…

| Memory Corruption
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
6.5 MEDIUM
CVE-2023-7345 — Ledger Live hw-app-eth EIP-712 Message Parsing Integer Truncation

Ledger Live with vulnerable versions of ledgerhq/hw-app-eth prior to 6.34.7 contains an integer parsing vulnerability that allows attackers to manipulate EIP-712 typed data messages by exploiting inc…

Remote | Injection
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
0.0 NA
CVE-2026-39250 — Innoshop Authorization Bypass

An authorization vulnerability exists in Innoshop 0.6.0. After logging into the frontend, an attacker can directly access backend application interfaces, leading to further dangerous operations.

| Authorization
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
6.5 MEDIUM
CVE-2026-34233 — CtrlPanel has Missing Authentication Checks in Datatable Admin Endpoints

CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, multiple admin controllers expose DataTable endpoints without authorization checks, allowing any authenti…

Remote | Authorization
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
6.6 MEDIUM
CVE-2026-34216 — CtrlPanel: Authenticated Remote Code Execution via Dynamic Class Instantiation in Setting…

CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied requ…

Remote | Authentication
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
7.1 HIGH
CVE-2026-32882 — libheif: Heap Buffer OOB Read in overlay compositing due to wrong alpha stride

libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap buffer over-read in HeifPixelImage::overlay() in libheif/pixelimage.cc. When compositing an overla…

Remote | Memory Corruption
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
6.5 MEDIUM
CVE-2026-32814 — libheif: Uninitialized Heap Memory Information Leak via Failed Grid Tiles

libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, when decoding a HEIF grid image with strict_decoding=false (the default), a corrupted tile silently fails to …

Remote | Memory Corruption
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
7.1 HIGH
CVE-2026-32741 — libheif has a heap buffer overflow in decode_mask_image()

libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and below contain a heap buffer overflow in MaskImageCodec::decode_mask_image(). When decoding a HEIF file containing a mas…

Remote | Memory Corruption
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
5.5 MEDIUM
CVE-2025-57798 — Joplin has Denial of Service (DoS) via Uncontrolled Resource Allocation through Title Inp…

Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.6.14 and prior contain a Denial of Service (DoS) vulnerability in the title input …

| Denial of Service
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
5.3 MEDIUM
CVE-2026-42526 — Apache Airflow Amazon provider: Prevent unauthorized access to team-scoped secrets in AWS…

In the AWS Secrets Manager and SSM Parameter Store secrets backends of `apache-airflow-providers-amazon` prior to 9.28.0, the team-scoping logic could resolve a `conn_id` containing a `/` (e.g. `"my_…

Remote | Authorization
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
8.8 HIGH
CVE-2026-32740 — libheif: Heap-Buffer-Overflow Write in Grid Tile Chroma Compositing

libheif is a HEIF and AVIF file format decoder and encoder. Versions 1.21.2 and prior contain a heap-buffer-overflow (write) vulnerability in the grid tile compositing, allowing an attacker to write …

Remote | Memory Corruption
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
6.5 MEDIUM
CVE-2026-32739 — libheif is Vulnerable to Infinite Loop DoS via stts Sample Duration Lookup

libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and below, a crafted 800-byte HEIF sequence file causes an infinite loop in Box_stts::get_sample_duration(), consuming 1…

Remote | Denial of Service
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
8.7 HIGH
CVE-2026-27173 — Apache Airflow CNCF Kubernetes provider: JWT Token Exposure in KubernetesExecutor Command…

JWT tokens that were used by workers in Kubernetes Executors have been exposed to users who had read only access to Kuberentes Pods. This could allow users with just read-only access to perform actio…

| Information Disclosure
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
8.5 HIGH
CVE-2026-8370 — Automic Automation Agent Unix privilege escalation

Execution with unnecessary privileges vulnerability in Broadcom Automic Automation Agent Unix on Linux x64, Linux Power 64 BE, Linux Power 64 LE, zLinux (zSeries), AIX, Solaris x64, Solaris Sparc 64 …

| Authorization
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
6.5 MEDIUM
CVE-2026-8096 — Kirki <= 6.0.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Subm…

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not p…

Remote | Authorization
May 19, 2026 May 19, 2026
May 19, 2026
May 19, 2026
Showing 20 of 6394 Results