Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
0.0 NA
CVE-2026-43492 — lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl()

In the Linux kernel, the following vulnerability has been resolved: lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_sgl() Yiming reports an integer underflow in mpi_read_raw_from_sgl() …

| Memory Corruption
May 19, 2026
0.0 NA
CVE-2026-43491 — net: qrtr: ns: Limit the maximum server registration per node

In the Linux kernel, the following vulnerability has been resolved: net: qrtr: ns: Limit the maximum server registration per node Current code does no bound checking on the number of servers added …

| Denial of Service
May 19, 2026
6.8 MEDIUM
CVE-2026-37982 — Keycloak: org.keycloak.authentication: keycloak: unauthorized account takeover via webaut…

A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercep…

Remote | Authentication
May 19, 2026
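The entry above is a replay problem: a token that was meant to authorise one action is accepted more than once. What follows is an added Python illustration, not Keycloak's own code (Keycloak's action tokens are realm-signed JWTs backed by a persisted single-use store, neither of which is reproduced here). It pairs the usual signature and expiry checks with a per-token nonce that the consumer records, so a captured token is rejected on its second presentation. The signing key, claim names and the `tamper_subject` helper are assumptions made for the example.

```python
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed per-process signing key; a real deployment takes this from the realm keystore.
SIGNING_KEY = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_action_token(user_id: str, actions: list[str], ttl_seconds: int,
                      now: float | None = None) -> str:
    """Issue a signed, time-limited, single-use token authorising `actions` for `user_id`."""
    now = time.time() if now is None else now
    claims = {
        "sub": user_id,
        "actions": actions,
        "exp": int(now) + ttl_seconds,
        "nonce": secrets.token_hex(16),  # unique per token; the consumer records it once used
    }
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def tamper_subject(token: str, new_sub: str) -> str:
    """What an attacker without the key can do: rewrite the body, keep the old signature."""
    body, _, sig = token.partition(".")
    claims = json.loads(_unb64(body))
    claims["sub"] = new_sub
    return _b64(json.dumps(claims, separators=(",", ":")).encode()) + "." + sig


class ActionTokenConsumer:
    """Verifies tokens and accepts each nonce exactly once.

    Signature and expiry checks alone do not stop replay: a captured token stays valid
    until `exp`. The consumer therefore remembers consumed nonces for the token lifetime.
    """

    def __init__(self) -> None:
        self._consumed: dict[str, int] = {}  # nonce -> exp, so stale entries can be purged

    def consume(self, token: str, now: float | None = None) -> dict:
        now = time.time() if now is None else now
        body, _, sig = token.partition(".")
        try:
            provided = _unb64(sig)
        except (binascii.Error, ValueError):
            raise ValueError("bad signature") from None
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, provided):
            raise ValueError("bad signature")
        claims = json.loads(_unb64(body))
        if claims["exp"] < now:
            raise ValueError("expired")
        # Drop nonces whose tokens can no longer pass the expiry check, then enforce single use.
        self._consumed = {n: e for n, e in self._consumed.items() if e >= now}
        if claims["nonce"] in self._consumed:
            raise ValueError("already used")
        self._consumed[claims["nonce"]] = claims["exp"]
        return claims

    def try_consume(self, token: str, now: float | None = None) -> str:
        """Outcome as a string: 'ok' or the rejection reason."""
        try:
            self.consume(token, now)
            return "ok"
        except ValueError as exc:
            return str(exc)


if __name__ == "__main__":
    consumer = ActionTokenConsumer()
    tok = mint_action_token("user-1", ["webauthn-register"], ttl_seconds=300)
    print(consumer.try_consume(tok))  # ok
    print(consumer.try_consume(tok))  # already used
```

The nonce store must be shared by every node that can consume the token and must survive for at least the token's lifetime; an in-memory dict as above is only adequate for a single process.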
4.3 MEDIUM
CVE-2026-37981 — Keycloak: org.keycloak.authorization: keycloak: information disclosure via broken access …

A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) r…

Remote | Authorization
May 19, 2026
6.5 MEDIUM
CVE-2026-37979 — Keycloak: keycloak: information disclosure via oidc token introspection endpoint audience…

A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attac…

Remote | Authorization
May 19, 2026
4.9 MEDIUM
CVE-2026-37978 — Keycloak: org.keycloak.services: keycloak: information disclosure via evaluate-scopes adm…

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) para…

Remote | Authorization
May 19, 2026
8.2 HIGH
CVE-2026-8827 — SQL Injection in extension "Address List" (tt_address)

The AddressRepository::getSqlQuery() method constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itsel…

Remote | Injection
May 19, 2026
7.1 HIGH
CVE-2026-8727 — Remote Code Execution in extension "Site Crawler" (crawler)

The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize(). An attacker controlling a crawled endpoint can inject arbitrary serialized PHP obj…

Remote | Information Disclosure
May 19, 2026
8.2 HIGH
CVE-2026-8726 — SQL Injection in extension "News system" (news)

The extension fails to properly sanitize user input before using it in a database query. As a result, an unauthenticated attacker can inject arbitrary SQL through a URL parameter on pages using the "…

Remote | Injection
May 19, 2026
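The tt_address entry (CVE-2026-8827) and the news entry (CVE-2026-8726) above are the same bug class: a request parameter spliced into the SQL text. This added Python example is not the extensions' PHP/Doctrine code; it shows the vulnerable concatenation beside the bound-parameter form against a constructed in-memory SQLite schema, with two constructed payloads an unauthenticated visitor could place in a URL parameter. Table and column names are assumptions for the example.

```python
from __future__ import annotations

import sqlite3

# Constructed sample schema and rows standing in for the extension's tables
# (hypothetical; not the TYPO3 schema).
_ADDRESSES = [
    (1, "Alice", "alice@example.org", 0),
    (2, "Bob", "bob@example.org", 0),
    (3, "Carol", "carol@example.org", 1),  # hidden=1: must never be listed
]
_BACKEND_USERS = [(1, "admin", "$argon2id$constructed-hash")]


def connect() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tt_address (uid INTEGER, name TEXT, email TEXT, hidden INTEGER)")
    con.execute("CREATE TABLE be_users (uid INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO tt_address VALUES (?, ?, ?, ?)", _ADDRESSES)
    con.executemany("INSERT INTO be_users VALUES (?, ?, ?)", _BACKEND_USERS)
    return con


def find_by_name_vulnerable(con: sqlite3.Connection, name: str) -> list[tuple]:
    """The bug class on the page: the URL parameter is pasted into the SQL text."""
    sql = ("SELECT uid, name, email FROM tt_address "
           f"WHERE hidden = 0 AND name = '{name}'")
    return con.execute(sql).fetchall()


def find_by_name(con: sqlite3.Connection, name: str) -> list[tuple]:
    """Fix: the value travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT uid, name, email FROM tt_address WHERE hidden = 0 AND name = ?"
    return con.execute(sql, (name,)).fetchall()


# Constructed payloads. The first turns the WHERE clause into a tautology (AND binds
# tighter than OR, so hidden records leak too); the second appends a UNION that reads
# a different table and comments out the closing quote.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT uid, username, password FROM be_users -- "


if __name__ == "__main__":
    db = connect()
    print("vulnerable, tautology:", find_by_name_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union:    ", find_by_name_vulnerable(db, UNION_DUMP))
    print("parameterised:        ", find_by_name(db, TAUTOLOGY), find_by_name(db, UNION_DUMP))
```

Binding is the fix; escaping the value by hand is not, because the escaping rules differ per database and quoting context. Identifiers (table or column names chosen by the request) cannot be bound at all and must be matched against an allowlist.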
9.2 CRITICAL
CVE-2026-46725 — Remote Code Execution in extension "Content Element Selector" (ceselector)

The extension passes an attacker-controlled cookie directly to PHP's unserialize() without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to t…

Remote | Injection
May 19, 2026
5.9 MEDIUM
CVE-2026-46724 — Path Traversal in extension "Faceted Search" (ke_search)

The file indexer does not normalize the configured directory path. A backend user with permission to edit indexer configurations can index documents from arbitrary locations on the server file system…

Remote | Path Traversal
May 19, 2026
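The ke_search entry above fails because the configured directory is used without normalisation. The check below is an added Python example, not the extension's PHP code: it resolves the operator-supplied path (collapsing `..`, duplicate separators and symlinks) before testing containment, and it uses a path-component comparison rather than a string prefix, which would wrongly accept a sibling directory such as `/srv/files-old` for a root of `/srv/files`. `run_cases` builds a constructed layout in a temporary directory; the allowed root and case labels are assumptions for the example.

```python
from __future__ import annotations

import os
import shutil
import tempfile
from pathlib import Path


def resolve_indexable_dir(configured_path: str, allowed_root: str) -> Path:
    """Normalise an operator-supplied indexer directory and confirm it stays under allowed_root.

    Resolution happens before the comparison so that '..' segments, redundant separators
    and symlinks are all collapsed first. Relative values are taken relative to the root.
    """
    root = Path(allowed_root).resolve(strict=True)
    candidate = Path(configured_path)
    if not candidate.is_absolute():
        candidate = root / candidate
    real = candidate.resolve()  # non-strict: the directory may be created later
    try:
        real.relative_to(root)  # component-wise containment, not a string prefix
    except ValueError:
        raise PermissionError(f"{configured_path!r} resolves to {real}, outside {root}") from None
    return real


def run_cases() -> dict[str, str]:
    """Exercise the check against a constructed layout in a temporary directory.

    Returns {case label: 'accepted' | 'rejected'}; the symlink case is omitted on
    platforms where this user cannot create symlinks.
    """
    root = tempfile.mkdtemp(prefix="ke_search_root_")
    sibling = root + "-old"  # shares the root's name as a string prefix
    os.mkdir(os.path.join(root, "docs"))
    os.mkdir(sibling)
    cases = {
        "plain-subdir": "docs",
        "dotdot-roundtrip": "docs/../docs",
        "dotdot-escape": "../",
        "sibling-prefix": sibling,
        "absolute-outside": "/etc",
    }
    try:
        # Symlink inside the root that points one level above it.
        os.symlink(os.path.dirname(root), os.path.join(root, "escape"))
        cases["symlink-escape"] = "escape"
    except OSError:
        pass
    results: dict[str, str] = {}
    try:
        for label, configured in cases.items():
            try:
                resolve_indexable_dir(configured, root)
                results[label] = "accepted"
            except PermissionError:
                results[label] = "rejected"
    finally:
        shutil.rmtree(root)
        shutil.rmtree(sibling)
    return results


if __name__ == "__main__":
    for label, outcome in run_cases().items():
        print(f"{label:18} {outcome}")
```

Note that a check at configuration time is not enough on its own if the directory tree can change afterwards; the indexer should re-resolve each file it opens against the same root, since a symlink dropped into an accepted directory later would otherwise escape it.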
5.9 MEDIUM
CVE-2026-46723 — Information Disclosure in extension "Faceted Search" (ke_search)

The additional_tables configuration of the page and tt_content indexers accepts arbitrary table and field names. A backend user with permission to edit indexer configurations can copy sensitive data …

Remote | Information Disclosure
May 19, 2026
5.9 MEDIUM
CVE-2026-46722 — XML External Entity Injection in extension "Faceted Search" (ke_search)

The OOXML parsing of the file indexer does not disable external entity resolution. A crafted xlsx or pptx document placed in an indexed directory can cause local files to be read or outbound HTTP req…

Remote | XML External Entity
May 19, 2026
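An xlsx or pptx file is a zip of XML parts, so an indexer that extracts text from one is an XML parser exposed to whatever was dropped into the indexed directory. The following is an added Python example, not the extension's PHP code, of parsing such a part with entity processing refused outright: a DOCTYPE or entity declaration aborts the parse (no office application emits one), and the external-entity handler is overridden so nothing is ever fetched from disk or the network. `build_package` produces a constructed minimal zip containing only the shared-string part, not a valid workbook; the two XML samples are constructed as well.

```python
from __future__ import annotations

import io
import zipfile
import xml.parsers.expat as expat


class UnsafeXml(ValueError):
    """Raised when an OOXML part carries markup that only an attacker would put there."""


def parse_part_strict(data: bytes) -> list[tuple[str, str]]:
    """Parse one XML part of an OOXML package with entity processing disabled.

    Returns (element name, text) pairs for elements that carry text.
    """
    parser = expat.ParserCreate()
    found: list[tuple[str, str]] = []
    stack: list[tuple[str, list[str]]] = []

    def reject(*_args):
        raise UnsafeXml("DOCTYPE or entity declaration in OOXML part")

    parser.StartDoctypeDeclHandler = reject          # no DTD at all, internal or external
    parser.EntityDeclHandler = reject                 # no entity definitions
    parser.ExternalEntityRefHandler = lambda *_args: 0  # returning 0 makes expat fail the parse

    def start(name, _attrs):
        stack.append((name, []))

    def chars(text):
        if stack:
            stack[-1][1].append(text)  # expat may deliver one text node in several chunks

    def end(_name):
        name, chunks = stack.pop()
        text = "".join(chunks)
        if text.strip():
            found.append((name, text))

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXml(f"malformed XML part: {exc}") from exc
    return found


def shared_strings(xlsx_bytes: bytes) -> list[str]:
    """Read the shared-string table of an xlsx, the part a text indexer needs first."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as pkg:
        part = pkg.read("xl/sharedStrings.xml")
    return [text for name, text in parse_part_strict(part) if name == "t"]


def indexable_strings(xlsx_bytes: bytes) -> list[str] | None:
    """Strings to index, or None when the document must be skipped (and logged)."""
    try:
        return shared_strings(xlsx_bytes)
    except (UnsafeXml, zipfile.BadZipFile, KeyError):
        return None


def build_package(shared_strings_xml: bytes) -> bytes:
    """Constructed minimal package containing only the part read above (not a valid xlsx)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("xl/sharedStrings.xml", shared_strings_xml)
    return buf.getvalue()


BENIGN_SST = (b'<?xml version="1.0" encoding="UTF-8"?>'
              b'<sst xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" count="2">'
              b'<si><t>Quarterly report</t></si><si><t>Total</t></si></sst>')

# Constructed attack part: declares an external entity and references it from a cell string.
XXE_SST = (b'<?xml version="1.0" encoding="UTF-8"?>'
           b'<!DOCTYPE sst [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<sst><si><t>&xxe;</t></si></sst>')


if __name__ == "__main__":
    print(indexable_strings(build_package(BENIGN_SST)))  # ['Quarterly report', 'Total']
    print(indexable_strings(build_package(XXE_SST)))     # None
```

If the parser in use is lxml rather than expat, the equivalent is an `XMLParser(resolve_entities=False, no_network=True, load_dtd=False)`; whichever library is used, the setting has to be applied to every XML part read from the package, including relationships and content-types files, not only the ones that carry text.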
6.9 MEDIUM
CVE-2026-46721 — Broken Access Control in extension "Frontend User Registration" (sf_register)

The create and edit flows do not restrict which user properties may be submitted and do not enforce access control on the frontend user group assignment. As a result, an attacker can assign an arbitr…

Remote | Authorization
May 19, 2026
7.3 HIGH
CVE-2026-46586 — Apache OFBiz: Improper Validation in traverseContent Service Enables Authenticated Groovy…

Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') vulnerability in Apache OFBiz. This issue affects Ap…

ofbiz | Remote | Injection
May 19, 2026
8.8 HIGH
CVE-2026-45434 — Apache OFBiz: Authentication Bypass via Password-Change Logic Flaw Leading to RCE

Improper Authentication vulnerability in Apache OFBiz via Password-Change Logic Flaw Leading to Remote Code Execution This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgr…

ofbiz | Remote | Authentication
May 19, 2026
6.5 MEDIUM
CVE-2026-45187 — Apache OFBiz: Improper Authorization in Scheduled Job Creation Allows Low-Privileged User…

Improper Authorization vulnerability in Apache OFBiz Webtools. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

ofbiz | Remote | Authorization
May 19, 2026
9.1 CRITICAL
CVE-2026-41919 — Apache OFBiz: Authentication Bypass due to Improper Neutralization of LDAP Special Elemen…

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrad…

ofbiz | Remote | Injection
May 19, 2026
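The LDAP injection entry above is the filter-string analogue of SQL injection: a username interpolated into a search filter can carry `*`, `(` and `)` and change what the filter matches. This added Python example is not OFBiz's Java code and does not show OFBiz's actual filter. It escapes assertion values as RFC 4515 section 3 requires and, because a directory server is not available offline, includes a small filter evaluator over a constructed directory so the vulnerable and escaped filters can be compared on the same input. The evaluator supports only `&`, `|` and equality with wildcards; the directory entries are constructed.

```python
from __future__ import annotations

import re

# Constructed directory contents (hypothetical entries).
DIRECTORY = [
    {"uid": "admin", "cn": "Site Administrator", "objectClass": "person"},
    {"uid": "alice", "cn": "Alice Example", "objectClass": "person"},
    {"uid": "svc-backup", "cn": "Backup Service", "objectClass": "person"},
]

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 s3 so it can only ever be a literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def login_filter_vulnerable(username: str) -> str:
    return f"(&(objectClass=person)(uid={username}))"  # raw interpolation


def login_filter(username: str) -> str:
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


# --- toy server-side evaluation, standing in for the directory server ---

def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _value_matches(pattern: str, text: str) -> bool:
    """An unescaped '*' is a wildcard; an escaped '\\2a' is a literal asterisk."""
    parts = [_unescape(p) for p in pattern.split("*")]
    if len(parts) == 1:
        return text == parts[0]
    if not (text.startswith(parts[0]) and text.endswith(parts[-1])):
        return False
    pos, end = len(parts[0]), len(text) - len(parts[-1])
    for mid in parts[1:-1]:
        idx = text.find(mid, pos, end)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return pos <= end


def _parse(s: str, i: int):
    """Recursive-descent parse of the subset used here: (&...), (|...), (attr=value)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '('")
    if s[i + 1] in "&|":
        op, i, kids = s[i + 1], i + 2, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    j = s.find(")", i)
    if j < 0:
        raise ValueError("unbalanced filter")
    attr, _, val = s[i + 1:j].partition("=")
    return ("=", attr, val), j + 1


def _eval(node, entry: dict[str, str]) -> bool:
    if node[0] == "&":
        return all(_eval(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_eval(k, entry) for k in node[1])
    _, attr, val = node
    return attr in entry and _value_matches(val, entry[attr])


def search(filter_str: str, directory: list[dict[str, str]] = DIRECTORY) -> list[str]:
    """Return the uids the filter matches, in directory order."""
    node, end = _parse(filter_str, 0)
    if end != len(filter_str):
        raise ValueError("trailing data in filter")
    return [e["uid"] for e in directory if _eval(node, e)]


if __name__ == "__main__":
    for user in ["*", "svc-*", "alice"]:
        print(f"{user!r:12} raw -> {search(login_filter_vulnerable(user))}"
              f"   escaped -> {search(login_filter(user))}")
```

With the raw filter a username of `*` matches every person, so an application that takes the first result and proceeds with it authenticates as whichever account the server returns first; `svc-*` enumerates accounts by prefix. The escaped filter turns both into literal strings that match nothing. Distinguished names use a different escaping (RFC 4514); do not reuse the filter escaper for them.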
6.5 MEDIUM
CVE-2026-35086 — Apache OFBiz: Authenticated Remote Code Execution via Unsafe Template Expansion in email …

Improper Control of Generation of Code ('Code Injection') vulnerability in email services of Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to vers…

ofbiz | Remote | Injection
May 19, 2026
9.1 CRITICAL
CVE-2026-31986 — Apache OFBiz: Unauthenticated RCE via Default JWT Signing Key and Widget Template Injecti…

Use of Hard-coded Cryptographic Key vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue.

ofbiz | Remote | Cryptography
May 19, 2026
Showing 20 of 6367 Results