Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.8 CRITICAL
CVE-2025-41274 — Nozomi Networks Labs Waterfall WF-500 OS Command Injection

Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in versio…

wf-500_firmware wf-500 | Remote | Injection
May 29, 2026 Jun 01, 2026
9.8 CRITICAL
CVE-2025-41273 — Nozomi Networks Labs Nozomi Waterfall Authentication Bypass

Nozomi Networks Labs identified a CWE-288: Authentication Bypass Using an Alternate Path or Channel in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows…

wf-500_firmware wf-500 | Remote | Authentication
May 29, 2026 Jun 01, 2026
9.8 CRITICAL
CVE-2025-41272 — Nozomi Networks Waterfall WF-500 OS Command Injection

Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in versio…

wf-500_firmware wf-500 | Remote | Injection
May 29, 2026 Jun 01, 2026
8.7 HIGH
CVE-2025-41271 — Nozomi Networks Waterfall WF-500 Relative Path Traversal

Nozomi Networks Labs identified a CWE-23: Relative Path Traversal in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers …

wf-500_firmware wf-500 | Remote | Path Traversal
May 29, 2026 Jun 01, 2026
9.8 CRITICAL
CVE-2025-41270 — Nozomi Networks Waterfall WF-500 OS Command Injection

Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in versio…

wf-500_firmware wf-500 | Remote | Injection
May 29, 2026 Jun 01, 2026
9.8 CRITICAL
CVE-2025-41269 — Nozomi Networks Waterfall WF-500 OS Command Injection

Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in versio…

wf-500_firmware wf-500 | Remote | Injection
May 29, 2026 Jun 01, 2026
9.1 CRITICAL
CVE-2025-41268 — Nozomi Networks Waterfall WF-500 RX Host Relative Path Traversal Remote File Deletion

Nozomi Networks Labs identified a CWE-23: Relative Path Traversal in the Administration WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated att…

wf-500_firmware wf-500 | Remote | Path Traversal
May 29, 2026 Jun 01, 2026
8.5 HIGH
CVE-2025-41267 — Nozomi Networks Waterfall WF-500 OS Command Injection

Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Administration WebUI in Waterfall WF-500 TX Host in version…

wf-500_firmware wf-500 | Remote | Injection
May 29, 2026 Jun 01, 2026
8.6 HIGH
CVE-2025-41266 — Nozomi Networks Waterfall WF-500 TX Host OS Command Injection

Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Administration WebUI in Waterfall WF-500 TX Host in version…

wf-500_firmware wf-500 | Remote | Injection
May 29, 2026 Jun 01, 2026
8.6 HIGH
CVE-2025-41265 — Nozomi Networks Waterfall WF-500 TX Host OS Command Injection

Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Administration WebUI in Waterfall WF-500 TX Host in version…

wf-500_firmware wf-500 | Remote | Injection
May 29, 2026 Jun 01, 2026
9.9 CRITICAL
CVE-2026-9558 — Mautic Twig Template Injection Vulnerability

A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated us…

Remote | Injection
May 29, 2026 May 29, 2026
6.4 MEDIUM
CVE-2026-9557 — Mautic Focus SSRF

A Server-Side Request Forgery (SSRF) vulnerability exists in Mautic's Focus component. Due to insufficient validation of user-supplied URLs, an authenticated user can trigger outbound HTTP requests f…

Remote | Server-Side Request Forgery
May 29, 2026 May 29, 2026
10.0 CRITICAL
CVE-2026-49201 — Acer Wave 7 router: Hardcoded Cryptographic Key

The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating pers…

Remote | Cryptography
May 29, 2026 May 29, 2026
7.4 HIGH
CVE-2026-46579 — Openshift/router: openshift/router: mtls client certificate spoofing via unstripped x-ssl…

A flaw was found in the OpenShift Router. When a Route has `insecureEdgeTerminationPolicy` set to Allow, the HTTP frontend does not remove `X-SSL-Client-*` headers from incoming requests. This allows…

openshift_container_platform | Remote | Authentication
May 29, 2026 May 29, 2026
7.7 HIGH
CVE-2026-42965 — Openshift/router: openshift/router: cloud metadata ssrf via fqdn-typed endpointslice bypa…

A flaw was found in the OpenShift Router. A user with EndpointSlice write access can exploit this vulnerability by creating a Service backed by an FQDN (Fully Qualified Domain Name) EndpointSlice tha…

openshift_container_platform | Remote | Server-Side Request Forgery
May 29, 2026 May 29, 2026
2.7 LOW
CVE-2026-10078 — Quay/config-tool: quay/config-tool: gitlab oauth client_secret exposed in url querystring

A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client_id and client_secret, to be transmitted as plaintext in URL que…

quay | Remote | Information Disclosure
May 29, 2026 May 29, 2026
5.3 MEDIUM
CVE-2025-12714 — Rank Math SEO – AI SEO Tools to Dominate SEO Rankings <= 1.0.271 - Missing Authorization …

The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the update_site_editor_homepage function in al…

seo | Remote | Authentication
May 29, 2026 May 29, 2026
5.3 MEDIUM
CVE-2026-9189 — Contact Form 7 – PayPal & Stripe Add-on <= 2.4.9 - Unauthenticated Payment Bypass via Ins…

The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Althou…

paypal_&_stripe_add-on | Remote | Authentication
May 29, 2026 May 29, 2026
8.1 HIGH
CVE-2026-6075 — Media Library Assistant <= 3.35 - Cross-Site Request Forgery via Bulk Action Form

The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35. This is due to missing nonce verification on the bulk action handle…

media_library_assistant | Remote | Cross-Site Request Forgery
May 29, 2026 May 29, 2026
10.0 CRITICAL
CVE-2026-49200 — Acer Wave 7 router: Broken Access Control

The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized s…

Remote | Information Disclosure
May 29, 2026 May 29, 2026
Showing 20 of 7213 Results