Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.9 MEDIUM
CVE-2026-44368 — PyQuorum: Timing side‑channel in mul_mod

PyQuorum is a cryptographic library for secret sharing and key management. Prior to 0.2.1, the mul_mod function implements multiplication via a binary expansion loop whose execution time depends on t…

Remote | Cryptography
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.1 HIGH
CVE-2026-42602 — azureauthextension Authenticate method does not validate bearer tokens, allowing auth byp…

azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access toke…

Remote | Authentication
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
7.5 HIGH
CVE-2026-42561 — Python-Multipart: Denial of Service via unbounded multipart part headers

Python-Multipart is a streaming multipart parser for Python. Prior to 0.0.27, python-multipart has a denial of service vulnerability in multipart part header parsing. When parsing multipart/form-data…

Remote | Denial of Service
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
7.5 HIGH
CVE-2026-42304 — Twisted: Denial of Service (DoS) in twisted.names via Crafted DNS Compression Pointer Cha…

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 26.4.0rc2, the twisted.names module is vulnerable to a Denial of Service (DoS) attack via resource exha…

Remote | Denial of Service
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
4.8 MEDIUM
CVE-2026-39428 — CubeCart: Stored Cross-Site Scripting (XSS)

CubeCart is an ecommerce software solution. Prior to 6.6.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in CubeCart v6.x. An attacker with administrative privileges can inject malicious …

Remote | Cross-Site Scripting
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
7.2 HIGH
CVE-2026-39358 — CubeCart: Time-based Blind SQL Injection

CubeCart is an ecommerce software solution. Prior to 6.6.0, Authenticated Time-Based Blind SQL Injection vulnerabilities were identified in the sorting parameters (sort[price], sort_activity, sort_ad…

Remote | Injection
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.3 HIGH
CVE-2026-21821 — HCL BigFix SCM Reporting is affected by vulnerabilities in jQuery

The HCL BigFix SCM Reporting site contains an outdated and unsupported version of the jQuery 1.x library. Since jQuery 1.x has reached end-of-life and no longer receives security updates, it may expo…

Remote | Cross-Site Scripting
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
0.0 NA
CVE-2025-27853 — Garmin WDU Authentication Bypass Vulnerability

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows its authentication to be bypassed. The WDU web site only performs authentication with the client within the client's browser…

| Authentication
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
0.0 NA
CVE-2025-27852 — Garmin WDU Reflected Cross-Site Scripting Vulnerability

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a reflected cross site scripting (XSS) attack. This allows an attacker on the local network segment to execute arbitrary Jav…

| Cross-Site Scripting
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
0.0 NA
CVE-2025-27851 — Garmin WDU Cross-Site Origin WebSocket Hijacking

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a cross-site origin WebSocket hijacking attack. Among other uses, the WDU utilizes WebSockets to control settings, including…

| Cross-Site Request Forgery
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
0.0 NA
CVE-2025-27850 — Garmin WDU Symlink File Disclosure

The locally served web site on the Garmin WDU (v1 1.4.6 and v2 5.0) allows a symlink attack. If a malicious graphics package containing symlinks is uploaded, the web server follows the supplied links…

| Path Traversal
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
9.3 CRITICAL
CVE-2026-44364 — misp-modules website - Missing CSRF protection in the website home blueprint

MISP modules are autonomous modules that can be used to extend MISP for new services. In 3.0.7 and earlier, a Cross-Site Request Forgery vulnerability in the MISP Modules website allowed an attacker …

Remote | Cross-Site Request Forgery
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
5.8 MEDIUM
CVE-2026-44363 — Unsafe remote resource fetching in expansion misp-modules

MISP modules are autonomous modules that can be used to extend MISP for new services. Prior to 3.0.7, an unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The h…

| Server-Side Request Forgery
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
9.1 CRITICAL
CVE-2026-44351 — fast-jwt: Empty HMAC secret accepted via async key resolver - JWT auth bypass

fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to…

Remote | Authentication
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
7.5 HIGH
CVE-2026-42552 — Flight: Sensitive information disclosure via default error handler in flightphp/core

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute fil…

Remote | Information Disclosure
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
7.5 HIGH
CVE-2026-42551 — Flight: HTTP method override enabled by default enables CSRF escalation and middleware by…

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter on any HTTP verb…

Remote | Cross-Site Request Forgery
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.8 HIGH
CVE-2026-42550 — Flight: SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the k…

Remote | Injection
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
4.4 MEDIUM
CVE-2026-42549 — Flight: Path traversal in `make:controller` CLI creates arbitrary directories outside pro…

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir(..., recursive: true) on a path built from the user-supplied controller name, before Nett…

| Path Traversal
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.6 HIGH
CVE-2026-42548 — Flight: Reflected XSS via unvalidated JSONP callback in Flight::jsonp()

Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp() concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating tha…

Remote | Cross-Site Scripting
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
5.9 MEDIUM
CVE-2026-33381 — Users can generate Service Account tokens after permissions removal

When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.

Remote | Authorization
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
Showing 20 of 6415 Results