Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.8 HIGH
CVE-2026-8108 — Fuji Electric Tellus Exposed Dangerous Method or Function

The installation of Fuji Tellus adds a driver to the kernel which grants all users read and write permissions.

| Misconfiguration
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.1 HIGH
CVE-2026-5371 — MonsterInsights <= 10.1.2 - Missing Authorization to Authenticated (Subscriber+) Sensitiv…

The MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability…

Remote | Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.1 HIGH
CVE-2026-44548 — ChurchCRM: CSRF via legacy GET-delete pages (FundRaiserDelete.php, PropertyTypeDelete.php…

ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDele…

Remote | Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
9.6 CRITICAL
CVE-2026-44547 — ChurchCRM: Incomplete fix for CVE-2026-40582: public API login still bypasses 2FA and acc…

ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/publ…

Remote | Authentication
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
5.3 MEDIUM
CVE-2026-44352 — Flowsint: Broken Access Control allows reading of sketch logs from any user

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, Broken Access Control allows reading of sketch logs f…

Remote | Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
5.8 MEDIUM
CVE-2026-44347 — Warpgate: SSO CSRF -- State Token Not Validated on Return

Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux. Prior to 0.23.3, the SSO flow does not validate the state parameter, which makes it possible for an attacker to trick a user in…

Remote | Authentication
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
5.3 MEDIUM
CVE-2026-44341 — GoJobs: Insecure Direct Object Reference (IDOR) in Job Retrieval Endpoint

GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. Th…

Remote | Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.1 MEDIUM
CVE-2026-44245 — Kyverno: [policy-reporter-ui] XSS via Stored Property Values in PropertyCard Component

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 2.5.2, Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentio…

Remote | Cross-Site Scripting
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
0.0 NA
CVE-2026-43685 — Claris FileMaker Cloud Remote Code Execution Vulnerability

A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to inject arbitrary operating system commands through unsanitized input in the External OD…

| Injection
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
0.0 NA
CVE-2026-43680 — FileMaker Cloud Remote Code Execution

A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule types and execute arbitrary operat…

| Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.8 HIGH
CVE-2026-42289 — ChurchCRM: Cross-Site Request Forgery (CSRF) Leading to Admin Privilege Escalation

ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token valid…

Remote | Cross-Site Request Forgery
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
10.0 CRITICAL
CVE-2026-42288 — ChurchCRM: Incomplete fix for CVE-2026-39337: Unauthenticated RCE in Setup Wizard via uns…

ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard …

Remote | Authentication
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
2.3 LOW
CVE-2026-42158 — Flowsint: Broken Access Control allows modification of investigation metadata from any us…

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, an adversary with knowledge of an investigation ID, c…

Remote | Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
5.1 MEDIUM
CVE-2026-42157 — Flowsint: Stored XSS on map node marker in map page

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a map node with a malici…

Remote | Cross-Site Scripting
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.1 HIGH
CVE-2026-42156 — Flowsint: Cypher query injection in node type on node creation

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a node with a malicious …

Remote | Injection
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
9.0 CRITICAL
CVE-2026-41901 — Thymeleaf: Improper recognition of unauthorized syntax patterns in sandboxed Thymeleaf ex…

Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf…

Remote | Injection
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.5 HIGH
CVE-2026-1250 — Court Reservation – Manage Your Court Bookings Online <= 1.10.11 - Unauthenticated SQL In…

The Court Reservation – Manage Your Court Bookings Online plugin for WordPress is vulnerable to generic SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.10.11 due to insuf…

Remote | Injection
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.5 MEDIUM
CVE-2025-15463 — Advanced Custom Fields: Extended <= 0.9.2.3 - Unauthenticated Arbitrary Shortcode Executi…

The The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.9.2.3. This is due to the software allowing users …

Remote | Injection
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.8 HIGH
CVE-2026-8449 — Linux ksmbd Remote Memory Corruption via ACL Inheritance

Linux ksmbd contains a remote memory corruption vulnerability in the ACL inheritance path that allows remote clients with directory creation permissions to trigger a heap out-of-bounds read and subse…

Remote | Memory Corruption
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.8 HIGH
CVE-2026-45227 — Heym < 0.0.21 Sandbox Escape via Python Introspection

Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor that allows authenticated workflow authors to bypass sandbox restrictions by using object-graph introspec…

Remote | Authentication
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
Showing 20 of 6289 Results