Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
9.1 CRITICAL
CVE-2026-46819

Vulnerability in the Oracle Internet Procurement Connector product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploi…

e-business_suite internet_procurement_connector | Remote
May 28, 2026 Jun 03, 2026
May 28, 2026
Jun 03, 2026
7.4 HIGH
CVE-2026-46818

Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability al…

e-business_suite payments | Remote
May 28, 2026 Jun 04, 2026
May 28, 2026
Jun 04, 2026
9.8 CRITICAL
CVE-2026-46817

Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allo…

e-business_suite payments | Remote
May 28, 2026 Jun 04, 2026
May 28, 2026
Jun 04, 2026
9.9 CRITICAL
CVE-2026-46775

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network acc…

rest_data_services | Remote
May 28, 2026 Jun 03, 2026
May 28, 2026
Jun 03, 2026
9.8 CRITICAL
CVE-2026-45288 — Marten has an SQL injection vulnerability in its full-text search regConfig parameter

Marten is a .NET Transactional Document DB and Event Store on PostgreSQL. Prior to 8.36.1, Marten's full-text search APIs interpolated the user-supplied regConfig parameter directly into the generate…

Remote | Injection
May 28, 2026 Jun 01, 2026
May 28, 2026
Jun 01, 2026
7.5 HIGH
CVE-2026-44657 — MantisBT: Stored XSS in File Download

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, using show_inline=1 parameter and a valid file_show_inline_token CSRF token on file_download.php, an attacker can execu…

mantisbt | Remote | Cross-Site Request Forgery
May 28, 2026 May 29, 2026
May 28, 2026
May 29, 2026
8.6 HIGH
CVE-2026-44655 — MantisBT: Stored XSS on Move Attachments Admin Page

Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.3.0 to 2.28.1, unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator acces…

mantisbt | Remote | Cross-Site Scripting
May 28, 2026 May 29, 2026
May 28, 2026
May 29, 2026
6.5 MEDIUM
CVE-2026-42400 — Uncontrolled Resource Consumption in Kibana Leading to Denial of Service

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user can send a specially crafted compressed request payload…

kibana | Remote | Denial of Service
May 28, 2026 Jun 01, 2026
May 28, 2026
Jun 01, 2026
6.5 MEDIUM
CVE-2026-42399 — Uncontrolled Resource Consumption in Kibana Leading to Denial of Service

Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated low-privileged user can cause Kibana to consume exponentiall…

kibana | Remote | Denial of Service
May 28, 2026 Jun 01, 2026
May 28, 2026
Jun 01, 2026
7.7 HIGH
CVE-2026-42398 — Server-Side Request Forgery (SSRF) in Kibana Leading to Unauthorized Network Access

Server-Side Request Forgery (CWE-918) in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connec…

kibana | Remote | Server-Side Request Forgery
May 28, 2026 Jun 01, 2026
May 28, 2026
Jun 01, 2026
7.2 HIGH
CVE-2026-42071 — MantisBT: Private Bugnote Attachment Content Leak via REST API

Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to…

mantisbt | Remote | Authorization
May 28, 2026 May 29, 2026
May 28, 2026
May 29, 2026
5.3 MEDIUM
CVE-2026-42070 — MantisBT: Authorization Bypass in Bugnote Editing via Issue Update API

Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, the mc_issue_update() function in MantisBT allows users having update_bug_threshold access (UPDATER, with default setti…

mantisbt | Remote | Authorization
May 28, 2026 May 29, 2026
May 28, 2026
May 29, 2026
5.3 MEDIUM
CVE-2026-41897 — MantisBT: Reflected XSS in Rendering Dynamic Custom Textarea Field

Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.0.0 to 2.28.1, lack of validation of filter_target parameter on return_dynamic_filters.php (normally used as an AJAX in View Issu…

mantisbt | Remote | Cross-Site Scripting
May 28, 2026 May 29, 2026
May 28, 2026
May 29, 2026
8.1 HIGH
CVE-2026-35277

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network acc…

rest_data_services | Remote
May 28, 2026 Jun 03, 2026
May 28, 2026
Jun 03, 2026
7.9 HIGH
CVE-2026-35266

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Difficult to exploit vulnerability allows low privileged attacker with network a…

rest_data_services | Remote
May 28, 2026 Jun 03, 2026
May 28, 2026
Jun 03, 2026
9.8 CRITICAL
CVE-2026-34311

Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.24, 5.6.22, 5.6.25.19…

hospitality_opera_5_property_services | Remote
May 28, 2026 May 29, 2026
May 28, 2026
May 29, 2026
8.6 HIGH
CVE-2026-9039 — Initialization of a resource with an insecure default in XCharge C6

A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The se…

| Misconfiguration
May 28, 2026 May 29, 2026
May 28, 2026
May 29, 2026
8.6 HIGH
CVE-2026-9038 — Stack-based buffer overflow in XCharge C6

A stack-based buffer overflow vulnerability in the charging controller’s signal-processing logic allows an attacker with physical access to the charging interface to supply message fields that exceed…

| Memory Corruption
May 28, 2026 May 29, 2026
May 28, 2026
May 29, 2026
9.3 CRITICAL
CVE-2026-9037 — Download of code without integrity check in XCharge C6

A firmware update mechanism in the affected charging controller fails to validate the authenticity of firmware packages delivered through the device's management interface. Because cryptographic sign…

Remote | Authentication
May 28, 2026 May 29, 2026
May 28, 2026
May 29, 2026
6.9 MEDIUM
CVE-2026-49130 — Music Player Daemon < 0.24.11 CRLF Injection via XspfPlaylistPlugin.cxx

Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin that allows attackers to embed literal CR/LF by…

Remote | Injection
May 28, 2026 May 29, 2026
May 28, 2026
May 29, 2026
Showing 20 of 7094 Results