Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.3 MEDIUM
CVE-2026-47270 — pam_usb: strtok() race condition in multi-threaded PAM hosts can corrupt deny_remote resu…

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb is a PAM module loaded into the host process (sudo, login, GDM, GNOME Shell). Display manage…

| Race Condition
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
7.4 HIGH
CVE-2026-47269 — pam_usb: deny_remote feature incorrectly classifies IPv4-mapped IPv6 remote connections a…

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, pam_usb's deny_remote feature checks utmpx ut_addr_v6 to detect whether an authentication request o…

Remote | Authentication
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
8.2 HIGH
CVE-2026-45137 — Anchor: Program<'info, System> is not properly validated

Anchor is a framework providing several convenient developer tools for writing Solana programs. From 1.0.0 to before 1.0.2, an logic error causes anchor programs to accept any program id when requiri…

Remote | Authorization
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
8.6 HIGH
CVE-2026-45136 — claude-code-cache-fix: Local code execution via Python triple-quote injection in tools/qu…

claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.sh (introduced in v3.5.0) interpolates Claude Code's hook stdin payload directl…

| Injection
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
8.8 HIGH
CVE-2026-44713 — pam_usb: Command injection via $TMUX environment variable leads to RCE as root

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/tmux.c reads the user's $TMUX environment variable, splits it on commas, and interpolates the so…

| Injection
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
8.2 HIGH
CVE-2026-44712 — pam_usb: Shell injection via device UUID and username in pamusb-conf and pamusb-agent

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, a crafted UUID such as $(id>/tmp/rce) in the config causes root RCE when pamusb-conf --reset-pads is…

| Authentication
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
7.9 HIGH
CVE-2026-44711 — pam_usb: Symlink attacks on pad directory and pad files enable authentication bypass and …

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, symlink attacks on pad directory and pad files enable authentication bypass and root file corruption…

| Authentication
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
4.6 MEDIUM
CVE-2026-44710 — pam_usb: NULL pointer dereference from UDisks device fields causes PAM crash and login de…

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, src/device.c passed the return values of udisks_drive_get_serial(), udisks_drive_get_vendor(), and u…

| Memory Corruption
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
7.8 HIGH
CVE-2026-44709 — pam_usb: PINENTRY_FALLBACK_APP environment variable allows arbitrary command execution

pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.8.7, pamusb-pinentry reads the PINENTRY_FALLBACK_APP environment variable and executes it directly withou…

| Authentication
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
8.7 HIGH
CVE-2026-44660 — UltraJSON: Memory Leak in ujson.dump() on Write Failure

UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an excepti…

Remote | Memory Corruption
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
4.0 MEDIUM
CVE-2026-21785 — HCL BigFix Remote Control Server WebUI is affected by a misconfigured Content Security Po…

A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define directives without fallbacks, allowing attackers to bypass i…

Remote | Misconfiguration
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
0.0 NA
CVE-2026-45152 — uniget: Command Injection in tool.Check Leading to Arbitrary Code Execution

uniget is a universal installer and updater for (container) tools. Prior to 0.27.1, a command injection vulnerability exists in uniget due to unsafe execution of the check field from metadata files u…

| Injection
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
0.0 NA
CVE-2026-44720 — OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leadin…

OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to 2.0.4, a critical authentication vulnerability was identified in OpenLearnX that could allow unauthorized access…

| Authentication
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
0.0 NA
CVE-2026-45083 — Goobi viewer: Unauthenticated Solr Streaming Expression Proxy

The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. From 4.8.0 to before 26.04.1, the Goobi viewer REST endpoint POST /api/v1/index/stream accepted …

| Injection
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
0.0 NA
CVE-2026-9208 — Tanium addressed an unauthorized code execution vulnerability in Connect.

Tanium addressed an unauthorized code execution vulnerability in Connect.

May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
0.0 NA
CVE-2026-44247 — Volcano: Webhook server vulnerable to OOM due to unbounded HTTP request body size

Volcano is a Kubernetes-native batch scheduling system. Prior to v1.14.2, v1.13.3, and v1.12.4, the Volcano webhook server does not enforce a size limit on incoming HTTP request bodies. Any in-cluste…

| Denial of Service
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
5.5 MEDIUM
CVE-2026-9759 — NULL Pointer Dereference in Wireshark

ROHC protocol dissector crash in Wireshark 4.6.0 to 4.6.5 and 4.4.0 to 4.4.15 allows denial of service

| Denial of Service
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
9.8 CRITICAL
CVE-2026-8364 — Gladinet Triofox Missing Authentication for Critical Functions

Gladinet Triofox Cloud Server Agent Access Service (GladServerAgentService.exe) listens on TCP port 7878 and processes remote HTTP messages with URL paths starting with /resources, /status, /sysinfo,…

Remote | Information Disclosure
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
9.8 CRITICAL
CVE-2026-8363 — Gladinet Triofox Stack-based Buffer Overflow in WOSDeviceDropFolder.dll

A stack-based buffer overflow condition exists in WOSDeviceDropFolder.dll when processing a long URL path starting with /resources:

Remote | Memory Corruption
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
9.8 CRITICAL
CVE-2026-8362 — Gladinet Triofox Stack-based Buffer Overflow in WOSDefaultHttpModule.dll

A stack-based buffer overflow condition exists in WOSDefaultHttpModule.dll when processing a long URL path starting with /woshome

Remote | Memory Corruption
May 27, 2026 May 27, 2026
May 27, 2026
May 27, 2026
Showing 20 of 6597 Results