Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.1 CRITICAL
CVE-2026-33843 — Microsoft Azure Active Directory B2C Elevation of Privilege Vulnerability

None

Remote
May 22, 2026
7.7 HIGH
CVE-2026-26147 — Azure Stack HCI Information Disclosure Vulnerability

None

May 22, 2026
9.3 CRITICAL
CVE-2026-41090 — Microsoft Copilot Tampering Vulnerability

None

May 22, 2026
6.5 MEDIUM
CVE-2026-42827 — M365 Copilot Information Disclosure Vulnerability

None

May 22, 2026
10.0 CRITICAL
CVE-2026-47280 — Azure Resource Manager Elevation of Privilege Vulnerability

None

May 22, 2026
9.9 CRITICAL
CVE-2026-40411 — Azure Virtual Network Gateway Remote Code Execution Vulnerability

None

May 22, 2026
8.8 HIGH
CVE-2026-35430 — Azure Privileged Identity Management (PIM) Elevation of Privilege Vulnerability

None

May 22, 2026
10.0 CRITICAL
CVE-2026-23652 — Microsoft Power Pages Remote Code Execution Vulnerability

None

May 22, 2026
10.0 CRITICAL
CVE-2026-40412 — Azure Orbital Spatio Remote Code Execution Vulnerability

None

May 22, 2026
8.7 HIGH
CVE-2026-41147 — NukeViet CMS: Stored Cross-Site Scripting (XSS) via insufficient server-side input saniti…

NukeViet CMS is a multi Content Management System. Versions 4.5.07 and prior contain a Stored Cross-Site Scripting (XSS) vulnerability caused by insufficient server-side input sanitization in the Req…

Remote | Cross-Site Scripting
May 22, 2026
8.1 HIGH
CVE-2026-41076 — RT: LDAP authentication bypass via empty password

RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior in addition to 6.0.0 through 6.0.2 contain an authentication bypass vulnerability in RT installations…

Remote | Authentication
May 22, 2026
8.8 HIGH
CVE-2026-41075 — RT: SQL injection via entry_aggregator parameter in JSON search

RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft i…

Remote | Injection
May 22, 2026
7.1 HIGH
CVE-2026-41074 — RT has broken CSRF protection for authenticated users

RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability. An attacker who can induce a logged-in…

Remote | Cross-Site Request Forgery
May 22, 2026
4.6 MEDIUM
CVE-2026-41073 — RT: Spreadsheet downloads vulnerable to CSV/formula injection in Microsoft Excel and simi…

RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled …

Remote | Injection
May 22, 2026
0.0 NA
CVE-2026-41071 — libheif: Heap buffer over-read in SampleAuxInfoReader via crafted HEIF sequence file with…

libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a crafted HEIF sequence file where the saiz box declares more samples than actually exist in the track's chun…

Memory Corruption
May 22, 2026
6.5 MEDIUM
CVE-2026-41069 — libheif allows Out-of-bounds vector access leading to invalid dereference (DoS)

libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a malformed HEIF sequence file can trigger an out-of-bounds read in core sequence parsing logic, causing DoS.…

Remote | Memory Corruption
May 22, 2026
8.7 HIGH
CVE-2026-3294 — Authentication Logic Vulnerability on Multiple TP-Link Range Extenders

An authentication logic vulnerability in multiple TP-Link range extenders allows an unauthenticated attacker on an adjacent network to manipulate a login parameter and reset the administrator passwor…

Authentication
May 22, 2026
5.4 MEDIUM
CVE-2026-40864 — JupyterHub: Cross-origin form POSTs bypass XSRF

JupyterHub is software that allows users to create a multi-user server for Jupyter notebooks. In versions 4.1.0 through 5.4.4, XSRF protection (updated in 4.1.0) inappropriately treated requests with…

jupyterhub | Remote | Cross-Site Request Forgery
May 22, 2026
5.5 MEDIUM
CVE-2026-40610 — BentoML has Information Disclosure in `bentoml build` via symlink traversal in the build …

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.38 and prior, the build packaging workflow follows attacker-controlled symli…

bentoml | Path Traversal
May 22, 2026
0.0 NA
CVE-2026-39824 — Invoking integer overflow in NewNTUnicodeString in golang.org/x/sys/windows

NewNTUnicodeString does not check for string length overflow. When provided with a string that overflows the maximum size of a NTUnicodeString (a 16-bit number of bytes), it returns a truncated strin…

Misconfiguration
May 22, 2026
Showing 20 of 6035 Results