Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
5.5 MEDIUM
CVE-2026-44479 — Vercel: Non-interactive mode includes CLI arguments in suggested command output

Vercel’s AI Cloud is a unified platform for building modern applications. From 50.16.0 to 52.0.0, hen the Vercel CLI runs in non-interactive mode (--non-interactive or auto-detected AI agent), comma…

| Information Disclosure
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.5 HIGH
CVE-2026-44470 — Claude Desktop: Local Privilege Escalation via Directory Junction in CoworkVMService

The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. Prior to 1.3834.0, the CoworkVMService component in Claude Desktop for Window…

| Misconfiguration
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
7.4 HIGH
CVE-2026-44467 — Claude Desktop: SSH Host Key Verification Bypass Allows Man-in-the-Middle Attack on Remot…

The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. From 1.2581.0 to before 1.4304.0, Claude Desktop's SSH remote development fea…

| Misconfiguration
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
3.8 LOW
CVE-2026-44459 — Hono: Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows to…

hono | Remote | Authentication
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
4.3 MEDIUM
CVE-2026-44458 — Hono: CSS Declaration Injection via Style Object Values in JSX SSR

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted inpu…

hono | Remote | Injection
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
5.3 MEDIUM
CVE-2026-44457 — Hono: Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user c…

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: A…

hono | Remote | Misconfiguration
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
6.5 MEDIUM
CVE-2026-44456 — Hono: bodyLimit() can be bypassed for chunked / unknown-length requests

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably enforce maxSize for requests without a usable Content-Length (e.g…

hono | Remote | Misconfiguration
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
4.7 MEDIUM
CVE-2026-44455 — Hono: Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be dire…

hono | Remote | Cross-Site Scripting
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.9 HIGH
CVE-2026-44432 — urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API

urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) c…

Remote | Denial of Service
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.2 HIGH
CVE-2026-44431 — urllib3: Sensitive headers forwarded across origins in proxied low-level redirects

urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=Fa…

Remote | Misconfiguration
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.7 HIGH
CVE-2026-44295 — protobufjs-cli: Code injection in pbjs static output from crafted schema names

protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When ge…

Remote | Misconfiguration
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
5.3 MEDIUM
CVE-2026-44294 — protobufjs: Denial of service from crafted field names in generated code

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Cer…

Remote | Misconfiguration
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
7.7 HIGH
CVE-2026-44293 — protobufjs: Code injection through bytes field defaults in generated toObject code

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived f…

Remote | Supply Chain
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
5.3 MEDIUM
CVE-2026-44292 — protobufjs: Prototype injection in generated message constructors

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties ob…

Remote | Misconfiguration
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
8.1 HIGH
CVE-2026-44291 — protobufjs: Code generation gadget after prototype pollution

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by gene…

Remote | Misconfiguration
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
7.5 HIGH
CVE-2026-44290 — protobufjs: Process-wide denial of service through unsafe option paths

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while…

Remote | Misconfiguration
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
7.5 HIGH
CVE-2026-44289 — protobufjs: Denial of service through unbounded protobuf recursion

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs could recurse without a depth limit while decoding nested protobuf data. This affected bo…

Remote | Denial of Service
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
5.3 MEDIUM
CVE-2026-44288 — protobufjs: Overlong UTF-8 decoding

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded …

Remote | Information Disclosure
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
0.0 NA
CVE-2026-43489 — liveupdate: luo_file: remember retrieve() status

In the Linux kernel, the following vulnerability has been resolved: liveupdate: luo_file: remember retrieve() status LUO keeps track of successful retrieve attempts on a LUO file. It does so to av…

| Denial of Service
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
0.0 NA
CVE-2026-43488 — usb: xhci: Prevent interrupt storm on host controller error (HCE)

In the Linux kernel, the following vulnerability has been resolved: usb: xhci: Prevent interrupt storm on host controller error (HCE) The xHCI controller reports a Host Controller Error (HCE) in UA…

| Denial of Service
May 13, 2026 May 13, 2026
May 13, 2026
May 13, 2026
Showing 20 of 6357 Results