Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.1 MEDIUM
CVE-2026-42303 — Fides: Privacy Request Identity Verification Bypass Vulnerability via Duplicate Detection

Fides is an open-source privacy engineering platform. From 2.75.0 to before 2.83.2, Fides deployments that enable both subject identity verification and duplicate privacy request detection are affect…

Remote | Authentication
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
9.3 CRITICAL
CVE-2026-42300 — DevGuard: Unauthenticated identity assertion via `X-Admin-Token` header

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.2.2, the SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw strin…

Remote | Authentication
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
5.3 MEDIUM
CVE-2026-42177 — linux-entra-sso: PRT SSO cookie can leak to attacker-controlled hosts when broad host per…

linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entra ID. Prior to 1.8.1, platform/chrome/js/platform-chrome.js:69-88 registers a single declarativeNetRequest rule whose urlFilter i…

Remote | Authorization
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.5 MEDIUM
CVE-2026-42175 — requests-hardened: Server-Side Request Forgery (SSRF) in requests-hardened RFC 6598

requests-hardened is a library that overrides the default behaviors of the requests library, and adds new security features. Prior to , the SSRF protection in requests-hardened fails to block IP addr…

Remote | Server-Side Request Forgery
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.7 HIGH
CVE-2026-42141 — Xibo: Authenticated Server-Side Request Forgery (SSRF) in Library Upload via URL function…

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Prior to 4.4.1, an authenticated Server-Side Request Forgery (SSRF) vulnerabi…

Remote | Server-Side Request Forgery
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
9.6 CRITICAL
CVE-2026-42048 — Langflow: Path Traversal in Langflow Knowledge Bases API

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API (DELETE /api/v1/knowledge_bases). Th…

Remote | Path Traversal
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.2 MEDIUM
CVE-2026-42045 — LobeHub: Cross-Site Scripting(XSS) escalate to Remote Code Execution(RCE)

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, when LobeChat processes custom tags in the Render process of src/featur…

lobehub | Remote | Cross-Site Scripting
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.2 HIGH
CVE-2026-41895 — changedetection.io: XXE vulnerability in the changedetection.io project

changedetection.io is a free open source web page change detection tool. In 0.54.9 and earlier, xpath_filter() switches to XML mode for XML/RSS content and creates etree.XMLParser(strip_cdata=False) …

changedetection | Remote | XML External Entity
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.2 MEDIUM
CVE-2026-41614 — M365 Copilot for Desktop Spoofing Vulnerability

Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally.

May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.8 HIGH
CVE-2026-41613 — Visual Studio Code Elevation of Privilege Vulnerability

Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.

May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
5.5 MEDIUM
CVE-2026-41612 — Visual Studio Code Information Disclosure Vulnerability

Relative path traversal in Visual Studio Code allows an unauthorized attacker to disclose information locally.

May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.8 HIGH
CVE-2026-41611 — Visual Studio Code Remote Code Execution Vulnerability

Improper neutralization of script-related html tags in a web page (basic xss) in Visual Studio Code allows an unauthorized attacker to execute code locally.

May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
6.3 MEDIUM
CVE-2026-41610 — Visual Studio Code Security Feature Bypass Vulnerability

Improper neutralization of input during web page generation ('cross-site scripting') in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally.

May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
4.8 MEDIUM
CVE-2026-41513 — Horilla: Open Redirect via Unvalidated `next` Parameter in Notification Endpoints

Horilla is an HR and CRM software. In 1.5.0, the notification endpoints trust the unvalidated next parameter and redirect users to arbitrary external URLs. This allows an attacker to turn trusted app…

Remote | Server-Side Request Forgery
May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
8.8 HIGH
CVE-2026-41109 — GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability

Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature ove…

May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.4 HIGH
CVE-2026-41107 — Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

External control of file name or path in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.

May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
9.1 CRITICAL
CVE-2026-41103 — Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability

Incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira & Confluence allows an unauthorized attacker to elevate privileges over a network.

May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.1 HIGH
CVE-2026-41102 — Microsoft PowerPoint for Android Spoofing Vulnerability

Improper access control in Microsoft Office PowerPoint allows an authorized attacker to perform spoofing locally.

May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
7.1 HIGH
CVE-2026-41101 — Microsoft Word for Android Spoofing Vulnerability

Improper access control in Microsoft Office Word allows an authorized attacker to perform spoofing locally.

May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
4.4 MEDIUM
CVE-2026-41100 — Microsoft 365 Copilot for Android Spoofing Vulnerability

Improper access control in M365 Copilot allows an authorized attacker to perform spoofing locally.

May 12, 2026 May 12, 2026
May 12, 2026
May 12, 2026
Showing 20 of 6193 Results