Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
0.0 NA
CVE-2026-7779 — Open5GS authentication-subscription Endpoint nudr-handler.c udm_nudr_dr_handle_subscripti…

A security flaw has been discovered in Open5GS up to 2.7.7. Affected is the function udm_nudr_dr_handle_subscription_authentication of the file /src/udm/nudr-handler.c of the component authentication…

| Denial of Service
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
7.5 HIGH
CVE-2026-7768 — @fastify/accepts-serializer vulnerable to Denial of Service via Unbounded Accept Header C…

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct bu…

| Information Disclosure
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
7.5 HIGH
CVE-2026-6321 — fast-uri vulnerable to path traversal via percent-encoded dot segments

fast-uri decoded percent-encoded path separators and dot segments before applying dot-segment removal in its normalize() and equal() functions. Encoded path data was treated like real slashes and par…

Remote | Path Traversal
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
8.3 HIGH
CVE-2026-41927 — WDR201A WiFi Extender Stack-Based Buffer Overflow via firewall.cgi

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains a stack-based buffer overflow vulnerability in the firewall.cgi and makeRequest.cgi binaries that allows unauthenticated attackers to o…

Remote | Memory Corruption
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
9.3 CRITICAL
CVE-2026-41926 — WDR201A WiFi Extender OS Command Injection via firewall.cgi

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the firewall.cgi binary across five request handlers that apply insufficient input validation.…

Remote | Injection
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
9.3 CRITICAL
CVE-2026-41925 — WDR201A WiFi Extender OS Command Injection via adm.cgi (reboot_time)

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the adm.cgi binary's reboot_time function that allows unauthenticated remote attackers to exec…

Remote | Injection
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
9.3 CRITICAL
CVE-2026-41924 — WDR201A WiFi Extender OS Command Injection via makeRequest.cgi

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the makeRequest.cgi binary that allows unauthenticated remote attackers to execute arbitrary s…

Remote | Injection
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
9.3 CRITICAL
CVE-2026-41923 — WDR201A WiFi Extender OS Command Injection via internet.cgi

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the internet.cgi binary that allows unauthenticated remote attackers to execute arbitrary shel…

Remote | Injection
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
9.3 CRITICAL
CVE-2026-41922 — WDR201A WiFi Extender OS Command Injection via wireless.cgi

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the wireless.cgi binary that allow unauthenticated remote attackers to execute arbitrary shell…

Remote | Injection
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
0.0 NA
CVE-2025-67796 — IKUS Rdiffweb Improper Authorization Vulnerability

IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authen…

| Authorization
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
0.0 NA
CVE-2026-42238 — Unauthenticated Remote Code Execution via Backup Restore in nginx-ui

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that is completely unauthenticated during the first 1…

| Authentication
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
0.0 NA
CVE-2026-42223 — nginx-ui: Settings API Exposes Protected Secrets

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler (api/settings/settings.go:24-65) serializes all settings structs to JSON and returns the…

| Information Disclosure
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
0.0 NA
CVE-2026-42222 — nginx-ui: Unauthenticated first-boot instance claim via POST /api/install allows remote b…

Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/insta…

| Authentication
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
0.0 NA
CVE-2026-42221 — nginx-ui: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx…

| Authentication
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
0.0 NA
CVE-2026-42220 — nginx-ui: Authenticated settings disclosure exposes node.secret and enables trusted-node …

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret.…

| Authentication
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
3.7 LOW
CVE-2026-43964 — Postfix Buffer Over-Read Vulnerability

Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.

Remote | Memory Corruption
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
5.3 MEDIUM
CVE-2026-42237 — n8n: SQL Injection in Snowflake and MySQL Nodes

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the fix for GHSA-f3f2-mcxc-pwjx did not cover the Snowflake node or the legacy MySQL v1 node. Both …

Remote | Injection
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
8.7 HIGH
CVE-2026-42236 — n8n: Unauthenticated Denial of Service via MCP Client Registration

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the MCP OAuth client registration endpoint accepted unauthenticated requests and stored client data…

Remote | Denial of Service
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
8.8 HIGH
CVE-2026-42235 — n8n: XSS via MCP OAuth client

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an unauthenticated attacker could register a malicious MCP OAuth client with a crafted client_name.…

Remote | Cross-Site Scripting
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
7.1 HIGH
CVE-2026-42234 — n8n: Python Task Runner Sandbox Escape

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows containing a Python Code Node c…

Remote | Denial of Service
May 04, 2026 May 04, 2026
May 04, 2026
May 04, 2026
Showing 20 of 5607 Results