Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.6 HIGH
CVE-2026-42463 — SQLBot: Unauthorized Access Vulnerability

SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. Prior to 1.8.0, SQLBot contains a Cross-Workspace IDOR (Insecure Direct Object Reference) and Authorization Bypass …

Remote | Authorization
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.3 HIGH
CVE-2026-32993 — Apache HTTP Server HTTP Header Injection

Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.

Remote | Injection
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.2 HIGH
CVE-2026-32992 — Apache DNS SSL Verification Bypass

SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials.

Remote | Misconfiguration
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.6 HIGH
CVE-2026-29205 — Apache Cassandra Path Traversal Vulnerability

Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints.

Remote | Path Traversal
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
5.9 MEDIUM
CVE-2026-8328 — FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host…

The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpee…

Remote | Server-Side Request Forgery
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
9.1 CRITICAL
CVE-2026-45714 — CubeCart: Server-Side Template Injection (SSTI) in Smarty Templates leading to RCE

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, Inv…

Remote | Injection
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
7.2 HIGH
CVE-2026-45708 — CubeCart: Authenticated RCE via Invoice Template → Order Print

CubeCart is an ecommerce software solution. Prior to 6.7.3, an admin with documents edit permission can save raw <?php … ?> into the Invoice Editor. The next time any admin clicks Print on any order,…

Remote | Information Disclosure
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.8 HIGH
CVE-2026-45229 — Quark Drive < 0.8.5 Mass Assignment via POST /update

Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an arbitrary webui…

Remote | Authentication
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
5.4 MEDIUM
CVE-2026-45228 — Quark Drive < 0.8.5 Stored XSS via System Configuration

Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders push_config key names using Vue.js's v-html directive without…

Remote | Cross-Site Scripting
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.1 HIGH
CVE-2026-45055 — CubeCart: Pre-Authenticated Password Reset Link Poisoning via HTTP Host Header

CubeCart is an ecommerce software solution. Prior to 6.7.2, CubeCart 6.6.x – 6.7.1 builds CC_STORE_URL directly from the Host request header at bootstrap, with no allowlist. The constant is embedded …

Remote | Server-Side Request Forgery
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
4.9 MEDIUM
CVE-2026-45054 — CubeCart: Authenticated SQL Injection via `sort[]` Parameter in Admin Orders Transactions…

CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page (admin.php?_g=orders&node=transactions) builds a raw ORDER BY SQL fragment from the attacker-con…

Remote | Injection
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
9.1 CRITICAL
CVE-2026-45053 — CubeCart: Authenticated Arbitrary File Upload to RCE in REST Files API

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Arbitrary File Upload vulnerability exists in the REST API File Manager endpoint (POST /api/v1/files) of CubeCart. The end…

Remote | Path Traversal
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.7 HIGH
CVE-2026-44418 — Incomplete fix for CVE-2026-35184: SQL Injection in phili67/ecclesiacrm

EcclesiaCRM is CRM Software for church management. In 8.0.0 and earlier, the ValidateInput() function's default case in EcclesiaCRM's query view passes user-supplied POST parameters directly into SQL…

Remote | Injection
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
9.3 CRITICAL
CVE-2026-44381 — MISP: SQL injection via unvalidated ordering parameters in event and shadow attribute lis…

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, a SQL injection vulnerability existed in the handling of user-controlled ordering parameters in the event and shadow …

Remote | Injection
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.6 HIGH
CVE-2026-44380 — MISP: Improper access control in auth key reset allows privilege escalation to site admi…

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organ…

Remote | Authentication
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
5.3 MEDIUM
CVE-2026-44379 — MISP: Improper UUID validation in MISP Collections

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, MISP Collections did not enforce RFC 4122 UUID validation on the uuid field. As a result, a user able to create or mo…

Remote | Misconfiguration
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
9.1 CRITICAL
CVE-2026-44377 — CubeCart: Server-Side Template Injection (SSTI) in Smarty Templates leading to RCE

CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates and …

Remote | Injection
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
6.1 MEDIUM
CVE-2026-44376 — CubeCart: Reflected XSS in Store Search Bar

CubeCart is an ecommerce software solution. Prior to 6.7.0, an unauthenticated Reflected XSS vulnerability exists in the CubeCart v6.x search feature. Due to a logic flaw in classes/catalogue.class.p…

Remote | Cross-Site Scripting
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
5.3 MEDIUM
CVE-2026-44373 — Nitro: Proxy scope bypass via percent-encoded path traversal in `routeRules`

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could bypass a proxy route rule by sending percent-encoded path traversal (..%2f) in the URL, causing Nitro to forward…

Remote | Path Traversal
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
5.3 MEDIUM
CVE-2026-44372 — Nitro: Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect by sliding an extra slash in after…

Remote | Misconfiguration
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
Showing 20 of 6415 Results