Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
5.3 MEDIUM
CVE-2026-45292 — opentelemetry-java: Unbounded Memory Allocation in W3C Baggage Propagation

opentelemetry-java is the Java implementation of the OpenTelemetry API for recording telemetry, and SDK for managing telemetry recorded by the API. Prior to 1.62.0, a vulnerability affects the baggag…

Remote | Denial of Service
May 28, 2026
9.3 CRITICAL
CVE-2026-45261 — GitButler: Link injection via forge integration enables arbitrary script execution

GitButler is a modern Git-based version control interface for AI-powered workflows. Prior to 0.19.7, a remote code execution vulnerability exists in the Tauri-based GitButler desktop application. An a…

Remote | Injection
May 28, 2026
6.8 MEDIUM
CVE-2026-45078 — Synapse CPU starvation (Denial of Service)

Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing o…

Denial of Service
May 28, 2026
5.1 MEDIUM
CVE-2026-45076 — Synapse pagination denial of service

Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full h…

Remote | Denial of Service
May 28, 2026
8.7 HIGH
CVE-2026-44543 — Local Path Provisioner: HelperPod Template Injection

Local Path Provisioner provides a way for the Kubernetes users to utilize the local storage in each node. Prior to 0.0.36, a malicious user with permission to edit the local-path-config ConfigMap in …

Remote | Misconfiguration
May 28, 2026
9.4 CRITICAL
CVE-2026-44477 — CloudNativePG: Metrics exporter allows privilege escalation to PostgreSQL superuser and O…

CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics exporter opens its PostgreSQL connection as t…

Remote | Authorization
May 28, 2026
8.6 HIGH
CVE-2026-44466 — Zed: Allowlist Bypass via Bash Arithmetic Expansion in Terminal Tool Permissions

Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash arithmetic expansion $((...)), allowing execution of arbitrary commands nested inside an allowli…

Injection
May 28, 2026
8.6 HIGH
CVE-2026-44465 — Zed: Zed IDE Arbitrary Code Execution via untrusted repository with poisoned .git/config

Zed is a code editor. Prior to 0.227.1, Zed IDE executes arbitrary commands when opening a folder with a malicious .git/config file that abuses the core.fsmonitor Git configuration option. This allow…

Misconfiguration
May 28, 2026
8.6 HIGH
CVE-2026-44463 — Zed: Allowlist Bypass via Environment Variable Injection in Terminal Tool Permissions

Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed by prepending environment variable assignments to allowlisted commands, hijacking program behavior (e.g.,…

Misconfiguration
May 28, 2026
6.4 MEDIUM
CVE-2026-44462 — Zed: Allowlist Bypass via Bash Variable Expansion Chain in Terminal Tool Permissions

Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash variable expansion chaining (${var@P}), allowing arbitrary command execution under an allowliste…

Remote | Injection
May 28, 2026
8.6 HIGH
CVE-2026-44461 — Zed: Remote Command Injection via Unquoted Environment Variable Keys (SSH / WSL Remote)

Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or…

Injection
May 28, 2026
6.0 MEDIUM
CVE-2026-41185 — ServiceAccount token disclosure via Azure IPAM CNI plugin logs

When Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates the incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After mutating, t…

Remote | Information Disclosure
May 28, 2026
6.0 MEDIUM
CVE-2026-41184 — ServiceAccount token disclosure via install-cni container logs

In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the __SERVICEACCOUNT_TOKEN__ placeholder (Canal/Flannel-Calico d…

Remote | Information Disclosure
May 28, 2026
4.3 MEDIUM
CVE-2026-41160 — EspoCRM: Broken Access Control / IDOR in Note Pinning API allows unauthorized modificatio…

EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw (Broken Access Control) in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary not…

Remote | Authorization
May 28, 2026
6.5 MEDIUM
CVE-2026-41141 — EspoCRM: IDOR in EmailTemplate Prepare Endpoint Leaks Entity Data via Email Address Lookup

EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning e…

Remote | Authorization
May 28, 2026
9.8 CRITICAL
CVE-2026-38707 — InHand Networks IPSec VPN Command Injection Vulnerability

A command injection vulnerability exists in the IPSec VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier ve…

Remote | Injection
May 28, 2026
9.8 CRITICAL
CVE-2026-38704 — InHand Networks WireGuard Command Injection Vulnerability

A command injection vulnerability exists in the WireGuard VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlie…

Remote | Injection
May 28, 2026
9.8 CRITICAL
CVE-2026-38703 — InHand Networks ZeroTier VPN Command Injection

A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier…

Remote | Injection
May 28, 2026
9.8 CRITICAL
CVE-2026-38702 — InHand Networks IR Series Command Injection Vulnerability

A command injection vulnerability exists in the Admin Access feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier…

Remote | Injection
May 28, 2026
9.8 CRITICAL
CVE-2026-24444 — SDMC NE6037 Hardcoded Password via mgmt.php/npcmd.php

SDMC NE6037 cable modem routers running firmware 7.1.6.0.25 and 7.1.6.1.9_B9 contain a hardcoded password vulnerability in the web management interface recovery endpoints (mgmt.php, npcmd.php) that a…

Remote | Authentication
May 28, 2026