Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
9.3 CRITICAL
CVE-2026-41924 — WDR201A WiFi Extender OS Command Injection via makeRequest.cgi

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the makeRequest.cgi binary that allows unauthenticated remote attackers to execute arbitrary s…

Remote | Injection
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
9.3 CRITICAL
CVE-2026-41923 — WDR201A WiFi Extender OS Command Injection via internet.cgi

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the internet.cgi binary that allows unauthenticated remote attackers to execute arbitrary shel…

Remote | Injection
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
9.3 CRITICAL
CVE-2026-41922 — WDR201A WiFi Extender OS Command Injection via wireless.cgi

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the wireless.cgi binary that allow unauthenticated remote attackers to execute arbitrary shell…

Remote | Injection
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
0.0 NA
CVE-2025-67796 — IKUS Rdiffweb Improper Authorization Vulnerability

IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authen…

| Authorization
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
3.7 LOW
CVE-2026-43964 — Postfix Buffer Over-Read Vulnerability

Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.

Remote | Memory Corruption
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
5.3 MEDIUM
CVE-2026-42237 — n8n: SQL Injection in Snowflake and MySQL Nodes

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the fix for GHSA-f3f2-mcxc-pwjx did not cover the Snowflake node or the legacy MySQL v1 node. Both …

n8n | Remote | Injection
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
8.7 HIGH
CVE-2026-42236 — n8n: Unauthenticated Denial of Service via MCP Client Registration

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the MCP OAuth client registration endpoint accepted unauthenticated requests and stored client data…

n8n | Remote | Denial of Service
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
8.8 HIGH
CVE-2026-42235 — n8n: XSS via MCP OAuth client

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an unauthenticated attacker could register a malicious MCP OAuth client with a crafted client_name.…

n8n | Remote | Cross-Site Scripting
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
7.1 HIGH
CVE-2026-42234 — n8n: Python Task Runner Sandbox Escape

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows containing a Python Code Node c…

n8n | Remote | Denial of Service
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
5.3 MEDIUM
CVE-2026-42233 — n8n: SQL Injection in Oracle Database Node via Limit Field

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the Oracle Database node's select operation allowed user-controlled input passed into the…

n8n | Remote | Injection
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
9.4 CRITICAL
CVE-2026-42232 — n8n: XML Node Prototype Pollution to RCE

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows could achieve global prototype …

n8n | Remote | Injection
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
9.4 CRITICAL
CVE-2026-42231 — n8n: Prototype Pollution in XML Webhook Body Parser Leads to RCE

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the xml2js library used to parse XML request bodies in n8n's webhook handler allowed prot…

n8n | Remote | Injection
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
5.1 MEDIUM
CVE-2026-42230 — n8n: Open Redirect in MCP OAuth Consent Flow

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /mcp-oauth/register endpoint accepted OAuth client registrations without authentication, allowi…

n8n | Remote | Authentication
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
5.3 MEDIUM
CVE-2026-42229 — n8n: SQL Injection in SeaTable Node

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the SeaTable node's row:search and row:get operations allowed user-controlled input to be…

n8n | Remote | Injection
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
6.3 MEDIUM
CVE-2026-42228 — n8n: Hijacking of Unauthenticated Chat Execution

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /chat WebSocket endpoint used by the Chat Trigger node's Hosted Chat feature did not verify tha…

n8n | Remote | Authorization
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
6.0 MEDIUM
CVE-2026-42227 — n8n: Public API Variables IDOR Allows Cross-Project Secret Disclosure

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with a valid API key scoped to variable:list could read variables from projec…

n8n | Remote | Authorization
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
7.1 HIGH
CVE-2026-42226 — n8n: Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Re…

n8n is an open source workflow automation platform. Prior to versions 1.123.33 and 2.17.5, the dynamic-node-parameters endpoints did not verify whether the authenticated caller was authorized to use …

n8n | Remote | Authorization
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
7.5 HIGH
CVE-2026-42154 — Prometheus: remote read endpoint allows denial of service via crafted snappy payload

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a…

Remote | Denial of Service
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
7.5 HIGH
CVE-2026-42151 — Prometheus Azure AD remote write OAuth client secret exposed via config API

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the client_secret field in the Azure AD remote write OAuth configuration (storage/remote/a…

Remote | Information Disclosure
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
4.8 MEDIUM
CVE-2026-41686 — Claude SDK for TypeScript has Insecure Default File Permissions in Local Filesystem Memor…

Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.91.1, the BetaLocalFilesystemMemoryTool in …

claude_sdk_for_typescript | Misconfiguration
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
Showing 20 of 5613 Results