Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
3.7 LOW
CVE-2026-44219 — ciguard: SCA HTTP client reads response body without size cap

ciguard is a static security auditor for CI/CD pipelines. From 0.6.0 to 0.8.1, both SCA HTTP clients (src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py) call payload = json.lo…

Remote | Memory Corruption
May 12, 2026 May 13, 2026
May 12, 2026
May 13, 2026
3.0 LOW
CVE-2026-44218 — ciguard: Container image runs as root (no USER directive)

ciguard is a static security auditor for CI/CD pipelines. From 0.1.0 to 0.8.1, the published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER…

| Misconfiguration
May 12, 2026 May 13, 2026
May 12, 2026
May 13, 2026
6.6 MEDIUM
CVE-2026-44217 — sse-channel: SSE Injection via unsanitized event fields

sse-channel is an SSE-implementation which can be used to any node.js http request/response stream. Prior to 4.0.1, implementations that allow user-provided values to be passed to event, retry or id …

Remote | Injection
May 12, 2026 May 13, 2026
May 12, 2026
May 13, 2026
4.4 MEDIUM
CVE-2026-44215 — NanaZip: Heap out-of-bounds write in NanaZip UFS directory parser

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a one-byte heap out-of-bounds null write exists in the UFS/UFS2 filesystem image parser in NanaZip. The vulnerability is …

nanazip | Memory Corruption
May 12, 2026 May 13, 2026
May 12, 2026
May 13, 2026
9.1 CRITICAL
CVE-2026-42889 — Relay Server WebSocket authentication bypass when token is omitted

Relay adds real-time collaboration to Obsidian. Relay Server versions 0.9.0 through 0.9.6 contain an authentication bypass in the multi-document WebSocket endpoints. When authentication is configured…

Remote | Authentication
May 12, 2026 May 13, 2026
May 12, 2026
May 13, 2026
4.4 MEDIUM
CVE-2026-42446 — NanaZip: Stack out-of-bounds read in NanaZip ZealFS bitmap parser

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a stack-based out-of-bounds read exists in the ZealFS filesystem image parser in NanaZip. The vulnerability is triggered …

nanazip | Memory Corruption
May 12, 2026 May 13, 2026
May 12, 2026
May 13, 2026
3.3 LOW
CVE-2026-42445 — NanaZip: Uncontrolled recursion in NanaZip UFS directory traversal causes stack exhaustion

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the UFS/UFS2 filesystem image parser in NanaZip. The function GetAllPat…

nanazip | Memory Corruption
May 12, 2026 May 13, 2026
May 12, 2026
May 13, 2026
3.3 LOW
CVE-2026-42444 — NanaZip: Unbounded resource consumption in NanaZip littlefs parser via attacker-controlle…

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a denial-of-service vulnerability exists in the littlefs filesystem image parser in NanaZip. The handler's Open method re…

nanazip | Denial of Service
May 12, 2026 May 13, 2026
May 12, 2026
May 13, 2026
3.3 LOW
CVE-2026-42443 — NanaZip: Integer divide-by-zero in NanaZip UFS inode offset calculation

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an integer divide-by-zero exists in the UFS/UFS2 filesystem image parser in NanaZip. The vulnerability is triggered when …

nanazip | Denial of Service
May 12, 2026 May 13, 2026
May 12, 2026
May 13, 2026
3.3 LOW
CVE-2026-42442 — NanaZip: Null-pointer dereference in NanaZip UFS parser when root inode is a symlink

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a null-pointer dereference exists in the UFS/UFS2 filesystem image parser in NanaZip. The vulnerability is triggered when…

nanazip | Memory Corruption
May 12, 2026 May 13, 2026
May 12, 2026
May 13, 2026
3.3 LOW
CVE-2026-42355 — NanaZip: Uncontrolled recursion in NanaZip Electron ASAR parser causes stack exhaustion

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the Electron Archive (ASAR) parser in NanaZip. When opening a crafted .…

nanazip | Denial of Service
May 12, 2026 May 13, 2026
May 12, 2026
May 13, 2026
5.3 MEDIUM
CVE-2026-42338 — ip-address: XSS in Address6 HTML-emitting methods

ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before…

Remote | Cross-Site Scripting
May 12, 2026 May 13, 2026
May 12, 2026
May 13, 2026
6.5 MEDIUM
CVE-2026-42191 — OpenTelemetry.Exporter.OpenTelemetryProtocol: Disk retry default temp path enables local …

OpenTelemetry.Exporter.OpenTelemetryProtocol is the OTLP (OpenTelemetry Protocol) exporter implementation. From 1.8.0 to 1.15.2, the OTLP disk retry feature in OpenTelemetry.Exporter.OpenTelemetryPro…

opentelemetry.exporter.zipkin | Misconfiguration
May 12, 2026 May 13, 2026
May 12, 2026
May 13, 2026
7.8 HIGH
CVE-2026-34690 — After Effects | Stack-based Buffer Overflow (CWE-121)

After Effects versions 26.0, 25.6.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitat…

macos windows after_effects | Memory Corruption
May 12, 2026 May 13, 2026
May 12, 2026
May 13, 2026
6.2 MEDIUM
CVE-2026-34688 — CAI Content Credentials | Improper Input Validation (CWE-20)

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit …

| Denial of Service
May 12, 2026 May 13, 2026
May 12, 2026
May 13, 2026
8.7 HIGH
CVE-2026-34686 — Adobe Commerce | Cross-site Scripting (Stored XSS) (CWE-79)

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-pr…

commerce magento commerce_b2b | Remote | Cross-Site Scripting
May 12, 2026 May 13, 2026
May 12, 2026
May 13, 2026
3.4 LOW
CVE-2026-34685 — Adobe Commerce | Improper Input Validation (CWE-20)

Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier [NEEDS REVIEW: impact mismatch — ticket says 'Arbitrary file system write', CIA triad derives 'Sec…

commerce | Remote | Authorization
May 12, 2026 May 13, 2026
May 12, 2026
May 13, 2026
6.2 MEDIUM
CVE-2026-34680 — CAI Content Credentials | Integer Overflow or Wraparound (CWE-190)

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in an application denial-of-service. An attacker could exp…

| Denial of Service
May 12, 2026 May 13, 2026
May 12, 2026
May 13, 2026
6.2 MEDIUM
CVE-2026-34679 — CAI Content Credentials | Improper Input Validation (CWE-20)

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit …

| Denial of Service
May 12, 2026 May 13, 2026
May 12, 2026
May 13, 2026
6.2 MEDIUM
CVE-2026-34678 — CAI Content Credentials | Uncontrolled Resource Consumption (CWE-400)

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could explo…

| Denial of Service
May 12, 2026 May 13, 2026
May 12, 2026
May 13, 2026
Showing 20 of 6414 Results