Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
0.0 NA
CVE-2026-9501 — GNU LibreDWG Dwgread Utility decode.c decompress_R2004_section assertion

A vulnerability was determined in GNU LibreDWG up to 0.14. The impacted element is the function decompress_R2004_section of the file src/decode.c of the component Dwgread Utility. Executing a manipul…

| Denial of Service
May 25, 2026 May 25, 2026
May 25, 2026
May 25, 2026
0.0 NONE
CVE-2026-48589 — Apache Shiro: Jakarta EE open redirect via untrusted Referer in post-login redirect flow

Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In affected versions, insufficient validation of this client-controlled value coul…

Remote | Information Disclosure
May 25, 2026 May 25, 2026
May 25, 2026
May 25, 2026
5.1 MEDIUM
CVE-2026-44598 — Apache Shiro Jakarta EE module: Open redirect and SSRF (requires valid credentials)

With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vulnerability in Apache Shiro. This issue affects Apache Shiro from 2.0-alpha…

Remote | Server-Side Request Forgery
May 25, 2026 May 25, 2026
May 25, 2026
May 25, 2026
5.9 MEDIUM
CVE-2026-43828 — Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set b…

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommen…

Remote | Misconfiguration
May 25, 2026 May 25, 2026
May 25, 2026
May 25, 2026
3.7 LOW
CVE-2026-48852 — PuTTY ECDSA Signature Verification Assertion Failure

PuTTY 0.71 before 0.84 has an assertion failure in ECDSA signature verification.

Remote | Cryptography
May 25, 2026 May 25, 2026
May 25, 2026
May 25, 2026
5.9 MEDIUM
CVE-2026-43827 — Apache Shiro: Session fixation: new session is not created after login by default

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1…

Remote | Authentication
May 25, 2026 May 25, 2026
May 25, 2026
May 25, 2026
3.1 LOW
CVE-2026-48851 — PuTTY TELNET Icon Trust Indication Vulnerability

PuTTY 0.77 before 0.84 uses a copy of the PuTTY icon as a trust indication for TELNET data but the trust status is not cleared between proxy authentication and the main session.

Remote | Misconfiguration
May 25, 2026 May 25, 2026
May 25, 2026
May 25, 2026
0.0 NA
CVE-2026-9500 — GNU LibreDWG Dwgread Utility decode.c read_2004_compressed_section heap-based overflow

A vulnerability was found in GNU LibreDWG up to 0.14. The affected element is the function read_2004_compressed_section of the file src/decode.c of the component Dwgread Utility. Performing a manipul…

| Memory Corruption
May 25, 2026 May 25, 2026
May 25, 2026
May 25, 2026
3.7 LOW
CVE-2026-48850 — PuTTY RSA KEX Double Free Vulnerability

PuTTY 0.72 before 0.84 has a double free in RSA KEX.

Remote | Memory Corruption
May 25, 2026 May 25, 2026
May 25, 2026
May 25, 2026
0.0 NA
CVE-2026-9498 — Dromara lamp-cloud Message Template GroovyClassLoader.parseClass special elements used in…

A vulnerability has been found in Dromara lamp-cloud up to 5.6.2. Impacted is the function GroovyClassLoader.parseClass of the component Message Template Handler. Such manipulation of the argument De…

| Injection
May 25, 2026 May 25, 2026
May 25, 2026
May 25, 2026
0.0 NA
CVE-2026-9497 — changmingxie tcc-transaction Fastjson AutoType REST API Fastjson.parseObject deserializat…

A flaw has been found in changmingxie tcc-transaction up to 2.1.0. This issue affects the function Fastjson.parseObject of the component Fastjson AutoType REST API. This manipulation causes deseriali…

| Injection
May 25, 2026 May 25, 2026
May 25, 2026
May 25, 2026
4.4 MEDIUM
CVE-2026-48849 — Roundcube Webmail Stored XSS/HTML/CSS Injection

In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, an unsanitized subject field in the draft restored value could lead to stored XSS/HTML/CSS injection on shared mailboxes.

Remote | Cross-Site Scripting
May 25, 2026 May 25, 2026
May 25, 2026
May 25, 2026
0.0 NA
CVE-2026-9486 — SourceCodester Student Grades Management System cross-site request forgery

A security flaw has been discovered in SourceCodester Student Grades Management System 1.0. This affects an unknown part. The manipulation results in cross-site request forgery. The attack can be exe…

| Cross-Site Request Forgery
May 25, 2026 May 25, 2026
May 25, 2026
May 25, 2026
7.2 HIGH
CVE-2026-48848 — Roundcube Webmail CSS Injection Vulnerability

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7 has insufficient HTML sanitization that could lead to Cascading Style Sheets (CSS) injection via an SVG document that has an animate element…

Remote | Cross-Site Scripting
May 25, 2026 May 25, 2026
May 25, 2026
May 25, 2026
5.3 MEDIUM
CVE-2026-24546 — WordPress GamiPress plugin <= 7.6.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Ruben Garcia GamiPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GamiPress: from n/a through 7.6.3.

Remote | Authorization
May 25, 2026 May 25, 2026
May 25, 2026
May 25, 2026
3.7 LOW
CVE-2026-48847 — Roundcube Webmail Redis/Memcache File Deletion Vulnerability

Roundcube Webmail 1.6.x before 1.6.16, and 1.7.x before 1.7.1 allows pre-authentication arbitrary file deletion via redis/memcache session poisoning bypass.

Remote | Misconfiguration
May 25, 2026 May 25, 2026
May 25, 2026
May 25, 2026
6.5 MEDIUM
CVE-2026-48846 — Roundcube Webmail CSS Injection Vulnerability

In Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1, the remote image blocking feature can be bypassed via a crafted CSS var() value in an e-mail message, which may lead to information di…

Remote | Information Disclosure
May 25, 2026 May 25, 2026
May 25, 2026
May 25, 2026
6.5 MEDIUM
CVE-2026-48845 — Roundcube Webmail Local/Private Image Disclosure Vulnerability

In Roundcube Webmail 1.6.x between 1.6.14 and 1.6.16 and 1.7.x before 1.7.1, remote image blocking was not honored for URLs pointing to local/private destinations, which may lead to information discl…

Remote | Information Disclosure
May 25, 2026 May 25, 2026
May 25, 2026
May 25, 2026
0.0 NA
CVE-2026-9485 — SourceCodester Student Grades Management System students.php cross site scripting

A vulnerability was identified in SourceCodester Student Grades Management System 1.0. Affected by this issue is some unknown functionality of the file students.php. The manipulation of the argument …

| Cross-Site Scripting
May 25, 2026 May 25, 2026
May 25, 2026
May 25, 2026
7.5 HIGH
CVE-2026-48844 — Roundcube Webmail LDAP Code Injection Vulnerability

Roundcube Webmail 1.6.x before 1.6.16 and 1.7.x before 1.7.1 has insecure code evaluation logic in LDAP the autovalues option that could lead to code injection. (Support for code evaluation has been …

Remote | Injection
May 25, 2026 May 25, 2026
May 25, 2026
May 25, 2026
Showing 20 of 5834 Results