Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
5.3 MEDIUM
CVE-2026-22707 — Strapi Upload Plugin MIME Validation Bypass via Content API

Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, the Upload plugin's Content API endpoints did not enforce the administrator-configured MIME type restr…

Remote | Misconfiguration
Published: May 14, 2026
2.1 LOW
CVE-2026-22706 — Strapi: Password Reset Does Not Revoke Existing Refresh Sessions

Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the user's existing refresh-token sessions …

Remote | Authentication
Published: May 14, 2026
9.3 CRITICAL
CVE-2026-22599 — Strapi Vulnerable to SQL Injection in Content Type Builder

Strapi is an open source headless content management system. In versions on the 4.x branch prior to 4.26.1 and on the 5.x branch prior to 5.33.2, a database-query injection vulnerability existed in t…

Remote | Injection
Published: May 14, 2026
6.9 MEDIUM
CVE-2025-64526 — Strapi has a rate limit bypass on users-permissions plugin via attacker-controlled email …

Strapi is an open source headless content management system. In Strapi versions prior to 5.45.0, the rate-limit middleware in the users-permissions plugin derived its rate-limit key in part from `ctx…

Remote | Authentication
Published: May 14, 2026
8.6 HIGH
CVE-2026-8629 — Crabbox < v0.12.0 Privilege Escalation via Agent Ticket Endpoints

Crabbox prior to v0.12.0 contains a privilege escalation vulnerability that allows users with shared visibility-only access to obtain Code, WebVNC, and Egress agent tickets by sending POST requests t…

Remote | Authorization
Published: May 14, 2026
0.0 NA
CVE-2026-43903 — OpenImageIO: SGI RLE decoder heap buffer overflow OIIO_DASSERT bounds checks are no-ops i…

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, sgiinput.cpp:265,274 use OIIO_DASSERT…

| Memory Corruption
Published: May 14, 2026
0.0 NA
CVE-2026-43904 — OpenImageIO: Softimage PIC RLE decoder heap buffer overflow — longCount not clamped to im…

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, softimageinput.cpp:469 (mixed RLE) an…

| Memory Corruption
Published: May 14, 2026
0.0 NA
CVE-2026-43905 — OpenImageIO: JPEG2000 (OpenJPH) signed integer overflow in buffer allocation

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, jpeg2000input.cpp:395 computes buffer…

| Memory Corruption
Published: May 14, 2026
0.0 NA
CVE-2026-43996 — OpenImageIO: Integer wraparound in bounds check of decode_pixel leads to out-of-bounds re…

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, the bounds check in TGAInput::decode_…

| Memory Corruption
Published: May 14, 2026
0.0 NA
CVE-2026-43907 — OpenImageIO: Integer overflow in QueryRGBBufferSizeInternal leads to heap out-of-bounds w…

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed integer overflow in QueryRGB…

| Memory Corruption
Published: May 14, 2026
0.0 NA
CVE-2026-46356 — Fleet: IP spoofing allows bypassing API rate limiting

Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing clien…

| Misconfiguration
Published: May 14, 2026
0.0 NA
CVE-2026-26191 — Fleet vulnerable to OS command injection in software packages

Fleet is open source device management software. Prior to version 4.81.0, a vulnerability in Fleet's software installer pipeline could allow a crafted software package to execute arbitrary commands a…

| Injection
Published: May 14, 2026
0.0 NA
CVE-2026-43908 — OpenImageIO: Signed integer overflow in ConvertCbYCrYToRGB leads to heap out-of-bounds wr…

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed 32-bit integer overflow in t…

| Memory Corruption
Published: May 14, 2026
0.0 NA
CVE-2026-26062 — Fleet server may terminate unexpectedly when handling certain gRPC requests

Fleet is open source device management software. Prior to version 4.81.0, Fleet contained a denial-of-service (DoS) issue in the gRPC Launcher `PublishLogs` endpoint. In affected versions, certain un…

| Denial of Service
Published: May 14, 2026
0.0 NA
CVE-2026-43909 — OpenImageIO: Signed integer overflow in SwapRGBABytes loop index leads to out-of-bounds r…

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a signed 32-bit integer overflow in t…

| Memory Corruption
Published: May 14, 2026
0.0 NA
CVE-2026-24899 — Fleet Windows MDM Azure AD JWT Authentication Bypass

Fleet is open source device management software. Prior to version 4.82.0, a vulnerability in Fleet's Windows MDM enrollment flow allows authentication tokens from any Azure AD tenant to be accepted. …

| Authentication
Published: May 14, 2026
0.0 NA
CVE-2026-24000 — Fleet has a rate limiting bypass via untrusted client IP headers

Fleet is open source device management software. Prior to version 4.80.1, Fleet trusted client-supplied IP address headers when determining the source IP for incoming requests. This allowed authentic…

| Misconfiguration
Published: May 14, 2026
0.0 NA
CVE-2026-43906 — OpenImageIO: HEIF Heap overflow

OpenImageIO is a toolset for reading, writing, and manipulating image files of any image file format relevant to VFX / animation. Prior to 3.0.18.0 and 3.1.13.0, a heap-based buffer overflow in the H…

| Memory Corruption
Published: May 14, 2026
6.8 MEDIUM
CVE-2026-6332 — Clear Text Storage of Sensitive Information on EcoStruxure™ Machine Expert HVAC

CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that could cause the disclosure of sensitive information, which could result in revealing protected source code and loss of …

| Information Disclosure
Published: May 14, 2026
4.0 MEDIUM
CVE-2026-46470 — GStreamer gst-plugins-good Integer Division by Zero Denial of Service

An issue was discovered in GStreamer gst-plugins-good before 1.28.2. When parsing MP4 audio tracks, the isomp4 plugin's qtdemux_audio_caps function does not sufficiently validate atom data before per…

| Denial of Service
Published: May 14, 2026
Showing 20 of 6283 Results