Latest CVE Feed

Vulnerabilities published in the last 30 days.

Score
Vulnerability
Published
8.8 HIGH
CVE-2026-44832 — Snipe-IT: Privilege Escalation via API Permissions Assignment

Snipe-IT is an IT asset/license management system. Prior to 8.4.1, an authenticated user with only users.edit permission can escalate their own privileges to admin by sending a PATCH request to /api…

snipe-it | Remote | Authorization
May 26, 2026 May 26, 2026
5.4 MEDIUM
CVE-2026-44831 — Snipe-IT: XSS vulnerability in component notes

Snipe-IT is an IT asset/license management system. Prior to 8.4.1, users with component view access could be impacted by an unescaped notes column, resulting in cross-site scripting (XSS). This vulne…

snipe-it | Remote | Cross-Site Scripting
May 26, 2026 May 26, 2026
5.8 MEDIUM
CVE-2026-44214 — eventsource-encoder: SSE event injection via unsanitized event and id fields

eventsource-encoder encodes events as well-formed EventSource/Server Sent Event (SSE) messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage b…

Remote | Injection
May 26, 2026 May 26, 2026
6.3 MEDIUM
CVE-2026-27331 — WordPress WpTravelly plugin <= 2.1.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Magepeople inc. WpTravelly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpTravelly: from n/a through 2.1.5.

Remote | Authorization
May 26, 2026 May 26, 2026
4.3 MEDIUM
CVE-2026-25444 — WordPress WpBookingly plugin <= 1.2.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpBookingly: from n/a through 1.2.9.

Remote | Authorization
May 26, 2026 May 26, 2026
5.3 MEDIUM
CVE-2026-25426 — WordPress Taxi Booking Manager for WooCommerce plugin <= 2.0.1 - Broken Access Control vu…

Missing Authorization vulnerability in Magepeople inc. Taxi Booking Manager for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Taxi Booking M…

Remote | Authorization
May 26, 2026 May 26, 2026
4.3 MEDIUM
CVE-2026-24520 — WordPress Tiktok Feed plugin <= 1.0.24 - Broken Access Control vulnerability

Missing Authorization vulnerability in bPlugins Tiktok Feed allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tiktok Feed: from n/a through 1.0.24.

Remote | Authorization
May 26, 2026 May 26, 2026
0.0 NA
CVE-2025-68710 — Easyelife App Lock Fingerprinting Bypass Vulnerability

Easyelife App lock (aka Fingerprint,Applock or locker.app.safe.applocker) 1.9.2 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay …

Authentication
May 26, 2026 May 26, 2026
0.0 NA
CVE-2025-68709 — SailingLab AppLock JavaScript Injection Vulnerability

SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local attacker to trigger arbitrary JavaScript execution via BrowserMainActivity, which accepts VIEW intents with javascript: URI…

Cross-Site Scripting
May 26, 2026 May 26, 2026
3.3 LOW
CVE-2026-9572 — GPAC MP4Box media.c Media_GetSample memory leak

A security vulnerability has been detected in GPAC up to 2.4.0. Affected by this issue is the function Media_GetSample of the file src/isomedia/media.c of the component MP4Box. Such manipulation of t…

Memory Corruption
May 26, 2026 May 26, 2026
5.1 MEDIUM
CVE-2026-9568 — ThingsBoard YAML provision getGatewayDockerComposeFile code injection

A weakness has been identified in ThingsBoard up to 4.3.1.1. Affected by this vulnerability is the function getGatewayDockerComposeFile of the file /api/v1/provision of the component YAML Handler. Th…

Remote | Injection
May 26, 2026 May 26, 2026
8.8 HIGH
CVE-2026-8890 — code100x Mobile API Authentication Bypass via Header Spoofing

code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP hea…

Remote | Authentication
May 26, 2026 May 26, 2026
7.2 HIGH
CVE-2026-4051 — IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to Server Post-Auth …

IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an attacker with administrative privileges to execute remote code due to an exposed method that is not properly restricted.

Remote | Authorization
May 26, 2026 May 26, 2026
9.8 CRITICAL
CVE-2026-48689 — FastNetMon Heap-Based Buffer Overflow Vulnerability

FastNetMon Community Edition through 1.2.9 contains an off-by-one heap-based buffer overflow in the dynamic_binary_buffer_t class (src/dynamic_binary_buffer.hpp). Five methods (append_dynamic_buffer,…

fastnetmon | Remote | Memory Corruption
May 26, 2026 May 27, 2026
9.8 CRITICAL
CVE-2026-3660 — IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to Authentication By…

IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an unauthenticated remote attacker to update server property files that would allow them to gain unauthorized access to the ap…

Remote | Authentication
May 26, 2026 May 26, 2026
7.1 HIGH
CVE-2026-3603 — IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to XML external enti…

IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. An authenticated attacker could exploit this vuln…

Remote | XML External Entity
May 26, 2026 May 26, 2026
3.3 LOW
CVE-2026-9567 — GPAC MP4Box isom_intern.c MergeFragment null pointer dereference

A security flaw has been discovered in GPAC up to 2.4.0. Affected is the function MergeFragment of the file src/isomedia/isom_intern.c of the component MP4Box. The manipulation results in null pointe…

Memory Corruption
May 26, 2026 May 26, 2026
5.0 MEDIUM
CVE-2026-9566 — teableio teable Sign-up LoginPage.tsx cross site scripting

A vulnerability was identified in teableio teable up to 1.9.x. This impacts an unknown function of the file apps/nextjs-app/src/features/auth/pages/LoginPage.tsx of the component Sign-up. The manipul…

Remote | Cross-Site Scripting
May 26, 2026 May 26, 2026
9.4 CRITICAL
CVE-2026-9560 — OpenVPN Connect Privilege Escalation Vulnerability

Privilege escalation via the background service of OpenVPN Connect 3.5.1 through 3.8.1 on macOS allows attackers to execute arbitrary commands with elevated privileges via a local IPC channel.

Authorization
May 26, 2026 May 26, 2026
7.5 HIGH
CVE-2026-9170 — IBM WebSphere Application Server and WebSphere Application Server Liberty are affected DO…

IBM Web Server Plug-ins for WebSphere Application Server and WebSphere Liberty 8.5, 9.0 IBM WebSphere Application Server and WebSphere Application Server Liberty are vulnerable to denial of service a…

Remote | Denial of Service
May 26, 2026 May 26, 2026
Showing 20 of 6058 Results