NVD Dashboard

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries, with CVSS Severity
  • CVE-2026-47280 - Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a network.
    Published: May 22, 2026; 7:16:56 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-42348 - OpenTelemetry.OpAmp.Client is the OpAMP client for OpenTelemetry .NET. Prior to 0.2.0-alpha.1, when receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no uppe... read CVE-2026-42348
    Published: May 12, 2026; 2:17:24 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2018-25357 - Dolibarr ERP CRM 7.0.3 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting PHP code through the db_name parameter. Attackers can send a POST request to install/step1.php with ... read CVE-2018-25357
    Published: May 23, 2026; 3:16:56 PM -0400

  • CVE-2026-48694 - FastNetMon Community Edition through 1.2.9 contains a configuration injection vulnerability in the Juniper router integration plugin. In src/juniper_plugin/fastnetmon_juniper.php, the $IP_ATTACK variable (received from argv[1]) is directly interpo... read CVE-2026-48694
    Published: May 26, 2026; 2:16:52 PM -0400

    V3.1: 8.1 HIGH

  • CVE-2026-48695 - FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the MikroTik router integration plugin. The _log() function in src/mikrotik_plugin/fastnetmon_mikrotik.php (lines 107-108) constructs shell commands by co... read CVE-2026-48695
    Published: May 26, 2026; 2:16:52 PM -0400

    V3.1: 8.1 HIGH

  • CVE-2026-48696 - FastNetMon Community Edition through 1.2.9 has a buffer overflow, a different vulnerability than CVE-2026-48686 and CVE-2026-48689.
    Published: May 26, 2026; 2:16:53 PM -0400

    V3.1: 6.2 MEDIUM

  • CVE-2026-4051 - IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an attacker with administrative privileges to execute remote code due to exposed method that is not properly restricted.
    Published: May 26, 2026; 3:16:28 PM -0400

  • CVE-2026-44730 - OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 6.9.7, an organization admin can escalate their privileges by adding a user from a different organization with higher privileges, to thei... read CVE-2026-44730
    Published: May 26, 2026; 2:16:51 PM -0400

  • CVE-2026-48697 - FastNetMon Community Edition through 1.2.9 does not verify TLS certificates on outbound HTTPS connections. The execute_web_request_secure() function in src/fast_library.cpp creates a boost::asio::ssl::context with tls_client mode and calls set_def... read CVE-2026-48697
    Published: May 26, 2026; 1:16:53 PM -0400

    V3.1: 7.4 HIGH

  • CVE-2026-46745 - Apache Airflow FAB Auth Manager contains an LDAP filter injection vulnerability (CWE-90) that allows unauthenticated attackers to exfiltrate directory data or bypass authentication. Upgrade to apache-airflow-providers-fab 3.6.4 or later. If immedi... read CVE-2026-46745
    Published: May 25, 2026; 7:16:18 AM -0400

  • CVE-2026-48691 - FastNetMon Community Edition through 1.2.9 contains an integer overflow in the BGP AS_PATH attribute encoder. In src/bgp_protocol.hpp, the IPv4UnicastAnnounce::get_attributes() function computes attribute_length as 'sizeof(bgp_as_path_segment_elem... read CVE-2026-48691
    Published: May 26, 2026; 1:16:53 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-41069 - libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a malformed HEIF sequence file can trigger an out-of-bounds read in core sequence parsing logic, causing DoS. A malformed file can have stco.entry_count == 0... read CVE-2026-41069
    Published: May 22, 2026; 5:16:43 PM -0400

  • CVE-2026-41071 - libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a crafted HEIF sequence file where the saiz box declares more samples than actually exist in the track's chunk table causes a heap-buffer-overflow (out-of-bo... read CVE-2026-41071
    Published: May 22, 2026; 6:16:55 PM -0400

    V3.1: 8.1 HIGH

  • CVE-2026-8492 - Modification of Assumed-Immutable Data (MAID) vulnerability in Drupal Translate Drupal with GTranslate allows Resource Location Spoofing. This issue affects Translate Drupal with GTranslate: from 0.0.0 before 3.0.5.
    Published: May 19, 2026; 7:16:58 PM -0400

  • CVE-2026-8495 - Missing Authorization vulnerability in Drupal Date iCal allows Forceful Browsing. This issue affects Date iCal: from 0.0.0 before 4.0.15.
    Published: May 19, 2026; 7:16:59 PM -0400

  • CVE-2026-8493 - Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Colorbox Inline allows Cross-Site Scripting (XSS). This issue affects Colorbox Inline: from 0.0.0 before 2.1.1.
    Published: May 19, 2026; 7:16:58 PM -0400

  • CVE-2026-41315 - mdserver-web is a simple Linux panel. From 0.18.0 to 0.18.4, mdserver-web has a front-end unauthorized remote command execution vulnerability. Due to the lack of authentication on the /modify_crond and /start_task interfaces, it is possible to mod... read CVE-2026-41315
    Published: May 14, 2026; 3:16:35 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-8491 - Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Node View Permissions allows Forceful Browsing. This issue affects Node View Permissions: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.1.
    Published: May 19, 2026; 7:16:58 PM -0400

  • CVE-2026-45361 - Apache Airflow providers-google's `ComputeEngineSSHHook` disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Us... read CVE-2026-45361
    Published: May 25, 2026; 6:16:15 AM -0400

  • CVE-2026-40033 - FreeRDP before 3.26.0 contains a heap-buffer-overflow vulnerability in gdi_CacheToSurface that allows remote attackers to write out-of-bounds heap memory. The vulnerability occurs because rectangle validation clamps coordinates to UINT16_MAX but p... read CVE-2026-40033
    Published: May 26, 2026; 11:16:34 AM -0400