Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
4.3 MEDIUM | CVE-2026-9583 — SourceCodester CET Automated Grading System with AI Predictive Analytics SQL index.php in… | Published May 26, 2026

A weakness has been identified in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This impacts an unknown function of the file /index.php of the component SQL Handler. E…

Remote | Injection
5.0 MEDIUM | CVE-2026-9582 — SourceCodester CET Automated Grading System with AI Predictive Analytics cross-site reque… | Published May 26, 2026

A security flaw has been discovered in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This affects an unknown function. Performing a manipulation results in cross-site …

Remote | Cross-Site Request Forgery
6.5 MEDIUM | CVE-2026-9581 — JeecgBoot add access control | Published May 26, 2026

A vulnerability was identified in JeecgBoot up to 3.9.1. The impacted element is an unknown function of the file /sys/comment/add. Such manipulation leads to improper access controls. The attack can …

Remote | Authorization
7.5 HIGH | CVE-2026-9580 — JeecgBoot selectDepart LoginController.selectDepart access control | Published May 26, 2026

A vulnerability was determined in JeecgBoot up to 3.9.1. The affected element is the function LoginController.selectDepart of the file /sys/selectDepart. This manipulation causes improper access cont…

Remote | Authorization
6.5 MEDIUM | CVE-2026-9579 — JeecgBoot SysUser userEdit user.getUsername access control | Published May 26, 2026

A vulnerability was found in JeecgBoot up to 3.9.1. Impacted is the function user.getUsername of the file /sys/user/login/setting/userEdit of the component SysUser. The manipulation of the argument u…

Remote | Authorization
8.8 HIGH | CVE-2026-8676 — "Bluetooth LE Bond Spoofing Vulnerability in Vendor's Product" | Published May 26, 2026

An attacker is able to downgrade the security of a Bluetooth LE connection by deleting an existing bond, spoofing the bonded device and creating a new bond.

Authentication
5.9 MEDIUM | CVE-2026-48593 — Unbounded range expansion in cron describe causes memory exhaustion in oban_web | Published May 26, 2026

Uncontrolled Resource Consumption vulnerability in oban-bg oban_web ('Elixir.Oban.Web.CronExpr' modules) allows memory exhaustion via unbounded cron range expansion. An attacker with access to sched…

Remote | Denial of Service
5.3 MEDIUM | CVE-2026-48592 — Missing authorization check on save-job event handler in oban_web | Published May 26, 2026

Missing Authorization vulnerability in oban-bg oban_web ('Elixir.Oban.Web.Jobs.DetailComponent' modules) allows unauthorized job worker substitution. The handle_event("save-job", ...) handler in 'El…

Remote | Authorization
6.5 MEDIUM | CVE-2026-47672 — epa4all-client: Unauthenticated REST API for Patient Record Writes | Published May 26, 2026

epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. In 1.2.4 and earlier, any network-reachable caller can write arbitrary documents to any patient's electronic he…

Authentication
7.4 HIGH | CVE-2026-45575 — epa4all-client: Improper Verification of Cryptographic Signature | Published May 26, 2026

epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.2, an attacker who can MITM the TLS connection between the client and the IDP (within the TI netwo…

Remote | Authentication
6.9 MEDIUM | CVE-2026-45413 — MaxKB: Unsalted MD5 Password Hashing | Published May 26, 2026

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, user passwords are stored using unsalted MD5 hashes, making them trivially crackable via rainbow tables or GPU-accelerated brute f…

Cryptography
6.3 MEDIUM | CVE-2026-45412 — MaxKB: Unauthenticated SSRF via Workflow Template Import | Published May 26, 2026

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, SSRF via work_flow_template Import. Authenticated users can supply arbitrary URLs in work_flow_template.downloadUrl which are fetc…

Remote | Server-Side Request Forgery
4.7 MEDIUM | CVE-2026-44899 — Mistune Image Directive CSS Injection Vulnerability | Published May 26, 2026

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, the Image directive plugin validates the :width: and :height: options with a regex compiled as _num_re = re.compile(r"^…

mistune | Remote | Cross-Site Scripting
6.1 MEDIUM | CVE-2026-44898 — Mistune TOC Anchor Injection XSS | Published May 26, 2026

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, render_toc_ul() builds a <ul> table-of-contents tree from a list of (level, id, text) tuples. Both the id value (used a…

mistune | Remote | Cross-Site Scripting
6.1 MEDIUM | CVE-2026-44897 — Mistune Heading ID Attribute Injection XSS | Published May 26, 2026

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.2.1, HTMLRenderer.heading() builds the opening <hN> tag by string-concatenating the id attribute value directly into the HTM…

mistune | Remote | Cross-Site Scripting
5.3 MEDIUM | CVE-2026-44896 — Mistune: XSS via unescaped figclass/figwidth in Figure directive | Published May 26, 2026

Mistune is a Python Markdown parser with renderers and plugins. In 3.2.0 and earlier, in src/mistune/directives/image.py, the render_figure() function concatenates figclass and figwidth options direc…

mistune | Remote | Cross-Site Scripting
7.5 HIGH | CVE-2026-44847 — MaxKB: Webhook Trigger Authentication Bypass | Published May 26, 2026

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.0, MaxKB's webhook trigger endpoint (/api/trigger/v1/webhook/{trigger_id}) is accessible without authentication. The WebhookAuth clas…

Remote | Authentication
6.3 MEDIUM | CVE-2026-44844 — eml_parser: Recursion DoS via nested message/rfc822 attachments | Published May 26, 2026

eml_parser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to 3.0.1, EmlParser.get_raw_body_text() recurse…

Remote | Denial of Service
8.2 HIGH | CVE-2026-44843 — LangChain: Unsafe deserialization of attacker-controlled LangChain objects through overly… | Published May 26, 2026

LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.85 and 1.3.3, LangChain contains older runtime code paths that deserialize run inputs, run outputs, or other ap…

langchain | Remote | Misconfiguration
5.9 MEDIUM | CVE-2026-44837 — view_component: System Test Entry Point Path Check Allows Sibling Directory Escape | Published May 26, 2026

view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the system test entrypoint canonicalizes a user-controlled file …

Remote | Path Traversal
Showing 20 of 6058 Results