Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
0.0 NA
CVE-2026-6146 — Amazon::Credentials versions through 1.2.0 for Perl uses rand to generate encryption keys

Amazon::Credentials versions through 1.2.0 for Perl uses rand to generate encryption keys. Amazon::Credentials stores credentials in an obfuscated form to prevent access to the secrets from a data d…

| Cryptography
May 11, 2026 May 11, 2026
May 11, 2026
May 11, 2026
6.8 MEDIUM
CVE-2026-45026 — WeGIA: Stored XSS in html/atendido/processo_aceitacao.php

WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript into the …

Remote | Cross-Site Scripting
May 11, 2026 May 11, 2026
May 11, 2026
May 11, 2026
6.8 MEDIUM
CVE-2026-45025 — WeGIA: Stored XSS in html/atendido/etapa_processo.php

WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript into the …

Remote | Cross-Site Scripting
May 11, 2026 May 11, 2026
May 11, 2026
May 11, 2026
4.5 MEDIUM
CVE-2026-42887 — Audiobookshelf: Stored Cross-Site Scripting in Login Page Custom Message

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.33.0, a stored cross-site scripting (XSS) vulnerability exists in the Login Page due to improper sanitization of the authLogin…

Remote | Cross-Site Scripting
May 11, 2026 May 11, 2026
May 11, 2026
May 11, 2026
4.9 MEDIUM
CVE-2026-42886 — Audiobookshelf: Memory amplification DoS via oversized compressed details entry in backup…

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/backups/upload endpoint decompresses the details entry from an uploaded .audiobookshelf ZIP file entirely …

Remote | Denial of Service
May 11, 2026 May 11, 2026
May 11, 2026
May 11, 2026
4.3 MEDIUM
CVE-2026-42885 — Audiobookshelf: Path prefix bypass in filesystem existence check leaks out-of-scope file …

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/filesystem/pathexists endpoint uses String.startsWith() to validate that a resolved file path is within a …

Remote | Path Traversal
May 11, 2026 May 11, 2026
May 11, 2026
May 11, 2026
4.3 MEDIUM
CVE-2026-42884 — Audiobookshelf: Collection endpoints bypass library access controls exposing restricted l…

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/collections and GET /api/collections/:id endpoints return collections from all libraries without checking w…

Remote | Authorization
May 11, 2026 May 11, 2026
May 11, 2026
May 11, 2026
6.5 MEDIUM
CVE-2026-42883 — Audiobookshelf: Cross-library file exfiltration via unscoped bulk download endpoint

Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/libraries/:id/download endpoint validates that the requesting user has access to the library specified in t…

Remote | Authorization
May 11, 2026 May 11, 2026
May 11, 2026
May 11, 2026
9.4 CRITICAL
CVE-2026-42882 — oxyno-zeta/s3-proxy: Security Issues in Resource Path Matching

oxyno-zeta/s3-proxy is an aws s3 proxy written in go. Prior to 5.0.0, s3-proxy contains an authentication bypass caused by inconsistent URL path interpretation between the authentication middleware a…

Remote | Authentication
May 11, 2026 May 11, 2026
May 11, 2026
May 11, 2026
4.9 MEDIUM
CVE-2026-42876 — External Secrets Operator: Priviledge escalation with secret overwriting

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.1, a user who only has permission to create ExternalSec…

external_secrets_operator | Remote | Authentication
May 11, 2026 May 11, 2026
May 11, 2026
May 11, 2026
5.3 MEDIUM
CVE-2026-42875 — External Secrets Operator: Namespace Isolation Bypass in CAProvider ConfigMap Resolution …

External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Prior to 2.4.0, Namespaced SecretStore resources that used CAProvide…

external_secrets_operator | Remote | Misconfiguration
May 11, 2026 May 11, 2026
May 11, 2026
May 11, 2026
3.7 LOW
CVE-2026-42874 — Microdot: HTTP response splitting in Response.set_cookie()

Microdot is a minimalistic Python web framework. Prior to 2.6.1, the Response.set_cookie() method does not sanitize its string arguments, and in particular will not detect the presence of the \r\n se…

Remote | Injection
May 11, 2026 May 11, 2026
May 11, 2026
May 11, 2026
0.0 NONE
CVE-2026-42873 — WeGIA: Error Handling Upload DocDependente

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, when attempting to upload a file with malicious content to funcionario/docdependente_upload.php, the application respo…

Remote | Information Disclosure
May 11, 2026 May 11, 2026
May 11, 2026
May 11, 2026
6.1 MEDIUM
CVE-2026-42872 — WeGIA: Reflected XSS in listar_arquivos_etapa.php

WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, a reflected Cross-Site Scripting (XSS) vulnerability exists in lista_arquivos_etapa.php due to improper handling of use…

Remote | Cross-Site Scripting
May 11, 2026 May 11, 2026
May 11, 2026
May 11, 2026
6.4 MEDIUM
CVE-2026-42870 — WeGIA: Cross-Site Scripting (XSS) Stored endpoint 'informacao_adicional.php' parameter 'd…

WeGIA is a web manager for charitable institutions. In versions prior to 3.7.0, a Stored Cross-Site Scripting (XSS) flaw was identified at the following endpoint: funcionario/profile_funcionario.php?…

Remote | Cross-Site Scripting
May 11, 2026 May 11, 2026
May 11, 2026
May 11, 2026
10.0 CRITICAL
CVE-2026-42869 — SOCFortress CoPilot: Hardcoded JWT secret allows unauthenticated full admin compromise an…

SOCFortress CoPilot focuses on providing a single pane of glass for all your security operations needs. Prior to 0.1.57, SOCFortress CoPilot ships a hardcoded JWT signing secret as a fallback value i…

Remote | Authentication
May 11, 2026 May 11, 2026
May 11, 2026
May 11, 2026
4.3 MEDIUM
CVE-2026-42565 — @workos/authkit-session: Open Redirect via state-derived redirect target

@workos/authkit-session is a toolkit for building WorkOS AuthKit framework integrations. Prior to 0.5.1, an open redirect vulnerability exists in AuthService.handleCallback due to insufficient valida…

Remote | Misconfiguration
May 11, 2026 May 11, 2026
May 11, 2026
May 11, 2026
5.5 MEDIUM
CVE-2026-42050 — ImageMagick: Stack buffer overflow in XTileImage

ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to 7.1.2-21 and 6.9.13-46, a malicious MIFF file could trigger an overflow when a user opens it in…

| Memory Corruption
May 11, 2026 May 11, 2026
May 11, 2026
May 11, 2026
0.0 NA
CVE-2026-36734 — EDIMAX BR-6428nS Command Injection Vulnerability

EDIMAX BR-6428nS V3 1.15 is vulnerable to Command Injection. An authenticated attacker with access to the network can submit crafted input to the WLAN configuration functionality. Due to insufficient…

| Injection
May 11, 2026 May 11, 2026
May 11, 2026
May 11, 2026
7.5 HIGH
CVE-2026-2614 — Arbitrary File Read via Prompt Tag Source Validation Bypass in mlflow/mlflow

A vulnerability in the `_create_model_version()` handler of `mlflow/server/handlers.py` in mlflow/mlflow versions 3.9.0 and earlier allows an unauthenticated remote attacker to read arbitrary files f…

Remote | Path Traversal
May 11, 2026 May 11, 2026
May 11, 2026
May 11, 2026
Showing 20 of 5789 Results