Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
3.7 LOW
CVE-2026-44242 — Micronaut Framework: Unbounded bundleCache in ResourceBundleMessageSource Allows Memory E…

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Prior to 4.10.22, the bundleCache is keyed by (Locale, baseName) where th…

micronaut | Remote | Denial of Service
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.5 HIGH
CVE-2026-44241 — Micronaut Framework: Unbounded formattersCache in TimeConverterRegistrar Allows Memory Ex…

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. From 4.3.0 to before 4.10.22, TimeConverterRegistrar caches DateTimeForma…

micronaut | Remote | Denial of Service
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.5 HIGH
CVE-2026-44015 — Nginx UI: Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware Allows Access t…

Nginx UI is a web user interface for the Nginx web server. In 2.3.4 and earlier, an authenticated user can perform Server-Side Request Forgery (SSRF) by creating a cluster node pointing to an arbitra…

nginx_ui | Remote | Server-Side Request Forgery
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
9.9 CRITICAL
CVE-2026-43948 — wger: cross-tenant password reset and plaintext disclosure via gym=None bypass

wger is a free, open-source workout and fitness manager. Prior to 2.6, the reset_user_password and gym_permissions_user_edit views in wger perform a gym-scope authorization check using Python object …

wger | Remote | Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.5 HIGH
CVE-2026-42855 — arduino-esp32: Digest authentication URI mismatch bypass in WebServer allows cross-resour…

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer Digest authentication implementation in arduino-esp…

Remote | Authentication
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
9.8 CRITICAL
CVE-2026-42854 — arduino-esp32: Stack buffer overflow in WebServer multipart boundary parsing leads to rem…

arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, the WebServer multipart form parser in arduino-esp32 allocates a …

Remote | Denial of Service
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.7 HIGH
CVE-2026-42844 — Grav: Low-privileged API users can create super-admin accounts via blueprint-upload

Grav is a file-based Web platform. In Grav 2.0.0-beta.2, a low-privileged authenticated API user with api.media.write can abuse /api/v1/blueprint-upload to write an arbitrary YAML file into user/acco…

grav-plugin-admin | Remote | Authentication
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
5.9 MEDIUM
CVE-2026-42545 — Granian: DoS via WSGI response header panic

Granian is a Rust HTTP server for Python applications. From 0.2.0 to 2.7.4, Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI respo…

Remote | Misconfiguration
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.5 HIGH
CVE-2026-42544 — Granian: Unauthenticated DoS via WebSocket subprotocol header panic

Granian is a Rust HTTP server for Python applications. From 1.2.0 to 2.7.4, Granian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protoc…

Remote | Denial of Service
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.2 HIGH
CVE-2026-42268 — ModSecurity: Unsigned integer underflow in @verifySSN / @verifyCPF / @verifySVNR operators

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. From 3.0.0 to before 3.0.15, there is an unhandled exception (std::out_of_range) caused …

Remote | Denial of Service
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
9.9 CRITICAL
CVE-2026-42196 — django-s3file: Relative path traversal

django-s3file is a lightweight file upload input for Django and Amazon S3. Prior to 7.0.2, S3FileMiddleware is vulnerable to relative path traversal attacks, where an attacker can use a modified requ…

django-s3file | Remote | Path Traversal
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
5.0 MEDIUM
CVE-2026-41195 — mosparo: Rule package source URL stored SSRF enables internal HTTP probing

mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project member with the editor role to store an attacker…

Remote | Server-Side Request Forgery
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.5 HIGH
CVE-2026-40902 — PhpSpreadsheet: CPU Denial of Service via Unbounded Row Number in XLSX Row Dimensions

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the XLSX reader's ColumnAndRowAttributes::readRowAttributes() method…

Remote | Denial of Service
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.5 HIGH
CVE-2026-40863 — PhpSpreadsheet: CPU Denial of Service via Unbounded Row Index in SpreadsheetML XML Reader

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\Xml) does not validate the ss:I…

Remote | Denial of Service
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.3 MEDIUM
CVE-2026-35555 — Subnet Solutions PowerSYSTEM Center Incorrect Authorization

PowerSYSTEM Center feature for device project groups allows an authenticated user with limited permissions to perform an unauthorized deletion of project groups.

| Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
5.7 MEDIUM
CVE-2026-33570 — Subnet Solutions PowerSYSTEM Center Incorrect Authorization

PowerSYSTEM Center REST API endpoint for devices allows a low privilege authenticated user to access information normally limited by operational permissions.

| Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.2 HIGH
CVE-2026-26289 — Subnet Solutions PowerSYSTEM Center Incorrect Authorization

PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions …

| Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.6 HIGH
CVE-2026-44403 — Wing FTP Server 8.1.2 Authenticated Remote Code Execution via Session Serialization

Wing FTP Server 8.1.2 contains an authenticated remote code execution vulnerability in the session serialization mechanism that allows authenticated administrators to inject arbitrary Lua code throug…

Remote | Authentication
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.2 HIGH
CVE-2026-44246 — nnU-Net: Agentic workflow injection in `.github/workflows/issue-triage.yml` of `MIC-DKFZ/…

nnU-Net is a semantic segmentation framework that automatically adapts its pipeline to a dataset. Prior to 2.4.1, the nnU-Net Issue Triage workflow in .github/workflows/issue-triage.yml is vulnerable…

Remote | Injection
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.5 HIGH
CVE-2026-44240 — basic-ftp allows a malicious FTP server to cause client-side denial of service via unboun…

basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP s…

basic-ftp | Remote | Denial of Service
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
Showing 20 of 6290 Results