Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.1 HIGH
CVE-2026-8843 — Calling createIndex with certain index types can crash mongod

Creating a "2dsphere_bucket" index on a non-timeseries bucket collection will succeed, but any subsequent attempt to insert a document which triggers updating that index will crash the server. A simi…

Remote | Misconfiguration
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
10.0 CRITICAL
CVE-2026-45829 — ChromaDB Remote Code Injection Vulnerability

A pre-authentication, code injection vulnerability in version 1.0.0 or later of the ChromaDB Python project allows an unauthenticated attacker to run arbitrary code on the server by sending a malicio…

Remote | Injection
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
8.8 HIGH
CVE-2026-41085 — Thermo Fisher Scientific Torrent Suite Dx Privilege Escalation Vulnerability

Thermo Fisher Scientific Torrent Suite Dx through 5.14.2 has a privilege escalation vulnerability that may allow an authenticated user with limited access privileges to gain unauthorized administrato…

Remote
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
6.2 MEDIUM
CVE-2026-38719 — OpENer ENIP/CPF Out-of-Bounds Read Vulnerability

OpENer v2.3-558-g1e99582 contains an out-of-bounds read vulnerability in the Common Packet Format (CPF) parser, specifically in CreateCommonPacketFormatStructure() in source/src/enet_encap/cpf.c. A c…

| Memory Corruption
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
5.3 MEDIUM
CVE-2026-36438 — Intelbras VIP-1230-D-G4 Information Disclosure Vulnerability

An issue in Intelbras VIP-1230-D-G4 Version V2.800.00IB00C.0.T allows a remote attacker to obtain sensitive information via password reset functionality under /OutsideCmd

Remote | Information Disclosure
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
6.5 MEDIUM
CVE-2026-20685 — VMware PCC Path Traversal Information Disclosure

An attacker in a privileged network position may be able to leak sensitive information. A path handling issue was addressed with improved validation. This issue is fixed in PCC Release 5E290.3.

| Information Disclosure
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
8.8 HIGH
CVE-2025-57282 — Ngrok Command Injection Vulnerability

ngrok v4.3.3 and 5.0.0-beta.2 is vulnerable to Command Injection.

Remote | Injection
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
7.5 HIGH
CVE-2025-56352 — TinyMQTT Broker Protocol Violation Leaving File Descriptors Open

In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), the broker mishandles protocol violations during CONNECT packet parsing. When receiving a CONNECT packet with a zero-length C…

Remote | Denial of Service
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
8.2 HIGH
CVE-2026-41949 — Dify v1.14.1 Authorization Bypass via File Preview Endpoint

Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document acr…

Remote | Authorization
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
9.2 CRITICAL
CVE-2026-41948 — Dify v1.14.1 Path Traversal via Plugin Daemon Internal API Access

Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficie…

Remote | Path Traversal
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
9.1 CRITICAL
CVE-2026-41947 — Dify v1.14.1 Authorization Bypass via Trace Configuration Endpoints

Dify version 1.14.1 and prior contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant own…

Remote | Authorization
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
7.5 HIGH
CVE-2026-39079 — PrestaShop UPS Shipping Information Disclosure

An issue in prestashop upsshipping all versions through at least 2.4.0 allows a remote attacker to obtain sensitive information via the /modules/upsshipping/logs/, and /modules/upsshipping/lib/UPSBas…

Remote | Information Disclosure
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
0.0 NA
CVE-2026-26462 — Adobe Offline Hospital Management System Remote Code Execution Vulnerability

Offline Hospital Management System 5.3.0 allows remote code execution due to an improper Electron renderer configuration. The application enables Node.js integration while disabling context isolation…

| Misconfiguration
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
7.5 HIGH
CVE-2026-42009 — Gnutls: gnutls: denial of service via dtls packet reordering vulnerability

A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS pa…

Remote | Denial of Service
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
6.3 MEDIUM
CVE-2026-8803 — opensourcepos Open Source Point of Sale Employee Login Employee.php login weak hash

A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation cau…

Remote | Authentication
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
9.8 CRITICAL
CVE-2026-7304 — CVE-2026-7304

SGLangs multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will…

Remote | Authentication
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
9.1 CRITICAL
CVE-2026-7302 — CVE-2026-7302

SGLangs multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by …

Remote | Path Traversal
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
9.8 CRITICAL
CVE-2026-7301 — CVE-2026-7301

SGLangs multimodal generation runtime scheduler's ROUTER socket binds to 0.0.0.0 by default and contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the intern…

Remote | Information Disclosure
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
7.1 HIGH
CVE-2026-0983 — Denial of service vulnerability in M-Files Server

Denial-of-service condition in M-Files Server versions before 26.5.16015.0, before 26.2 LTS, and before 25.8 LTS SR3 allows an authenticated user to cause the MFserver process to crash

Remote | Denial of Service
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
5.3 MEDIUM
CVE-2026-8802 — opensourcepos Open Source Point of Sale Items.php getPicThumb path traversal

A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argumen…

Remote | Path Traversal
May 18, 2026 May 18, 2026
May 18, 2026
May 18, 2026
Showing 20 of 6196 Results