Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
9.6 CRITICAL
CVE-2026-42087 — OpenC3 COSMOS: SQL Injection in QuestDB Time-Series Data Base

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From version 6.7.0 to before version 7.0.0-rc3, a SQL injection vulnerability e…

cosmos | Remote | Injection
May 04, 2026 May 08, 2026
May 04, 2026
May 08, 2026
4.6 MEDIUM
CVE-2026-42086 — OpenC3 COSMOS: Self-XSS in the Command Sender

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0, the Command Sender UI uses an unsafe eval() function on…

cosmos | Remote | Cross-Site Scripting
May 04, 2026 May 08, 2026
May 04, 2026
May 08, 2026
4.3 MEDIUM
CVE-2026-42085 — OpenC3 COSMOS: Arbitrary write to plugins directory via path-traversed config filenames

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, OpenC3 COSMOS contains a design flaw in…

cosmos | Remote | Path Traversal
May 04, 2026 May 08, 2026
May 04, 2026
May 08, 2026
8.1 HIGH
CVE-2026-42084 — OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence

OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionalit…

cosmos | Remote | Authentication
May 04, 2026 May 08, 2026
May 04, 2026
May 08, 2026
6.0 MEDIUM
CVE-2026-42052 — beets is Vulnerable to XSS

Beets is the media library management system. Prior to version 2.10.0, the bundled web UI uses Underscore template interpolation mode <%= ... %> for untrusted metadata fields. In this runtime, <%= ..…

Remote | Cross-Site Scripting
May 04, 2026 May 05, 2026
May 04, 2026
May 05, 2026
5.3 MEDIUM
CVE-2026-41572 — Note Mark: Unauthenticated read of notes and assets in soft-deleted public books

Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/…

note_mark | Remote | Authorization
May 04, 2026 May 07, 2026
May 04, 2026
May 07, 2026
9.4 CRITICAL
CVE-2026-41571 — Note Mark: OIDC-registered users authenticated by submitting password "null"

Note Mark is an open-source note-taking application. In version 0.19.2, IsPasswordMatch in backend/db/models.go falls back to a hard-coded bcrypt("null") placeholder whenever a user has no stored pas…

note_mark | Remote | Authentication
May 04, 2026 May 06, 2026
May 04, 2026
May 06, 2026
8.2 HIGH
CVE-2026-41471 — Easy PayPal Events & Tickets < 1.4 Information Disclosure via QR Code Endpoint

The Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enu…

Remote | Information Disclosure
May 04, 2026 May 26, 2026
May 04, 2026
May 26, 2026
7.5 HIGH
CVE-2026-37459 — FRRouting BGP UPDATE Message Integer Underflow Denial of Service Vulnerability

An integer underflow in FRRouting (FRR) stable/10.0 to stable/10.6 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.

Remote | Denial of Service
May 04, 2026 May 05, 2026
May 04, 2026
May 05, 2026
8.7 HIGH
CVE-2026-32834 — Easy PayPal Events & Tickets < 1.4 Authentication Bypass via QR Code Scanning

Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote …

Remote | Authentication
May 04, 2026 May 13, 2026
May 04, 2026
May 13, 2026
8.1 HIGH
CVE-2026-29004 — BusyBox DHCPv6 Client Heap Buffer Overflow via DNS_SERVERS

BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attac…

| Memory Corruption
May 04, 2026 May 06, 2026
May 04, 2026
May 06, 2026
8.8 HIGH
CVE-2026-0073 — Qualcomm ADB TLS Certificate Bypass Vulnerability

In adbd_tls_verify_cert of auth.cpp, there is a possible bypass of wireless ADB mutual authentication due to a logic error in the code. This could lead to remote (proximal/adjacent) code execution as…

android | Authentication
May 04, 2026 May 05, 2026
May 04, 2026
May 05, 2026
Showing 20 of 7112 Results