Total
6322 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-8221 | 2026-05-11 | 3.3 LOW | 2.4 LOW | ||
| A flaw has been found in Devs Palace ERP Online up to 4.0.0. This impacts an unknown function of the file /inventory/item-save. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-8218 | 2026-05-11 | 3.3 LOW | 2.4 LOW | ||
| A weakness has been identified in Devs Palace ERP Online up to 4.0.0. The affected element is an unknown function of the file /inventory/purchase_return_save. Executing a manipulation can lead to cross site scripting. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-8255 | 2026-05-11 | 3.3 LOW | 2.4 LOW | ||
| A weakness has been identified in Devs Palace ERP Online up to 4.0.0. This affects an unknown part of the file /inventory/add_new_customer. This manipulation causes cross site scripting. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-8253 | 2026-05-11 | 3.3 LOW | 2.4 LOW | ||
| A vulnerability was identified in Devs Palace ERP Online up to 4.0.0. Affected by this vulnerability is an unknown functionality of the file /inventory/purchase_save. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-8256 | 2026-05-11 | 3.3 LOW | 2.4 LOW | ||
| A security vulnerability has been detected in Devs Palace ERP Online up to 4.0.0. This vulnerability affects unknown code of the file /accounts/mr-save. Such manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-8219 | 2026-05-11 | 3.3 LOW | 2.4 LOW | ||
| A security vulnerability has been detected in Devs Palace ERP Online up to 4.0.0. The impacted element is an unknown function of the file /inventory/supplier-save. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-8254 | 2026-05-11 | 3.3 LOW | 2.4 LOW | ||
| A security flaw has been discovered in Devs Palace ERP Online up to 4.0.0. Affected by this issue is some unknown functionality of the file /inventory/sales_save. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2026-25077 | 1 Apache | 1 Cloudstack | 2026-05-10 | N/A | 8.8 HIGH |
| Account users are allowed by default to register templates to be downloaded directly to the primary storage for deploying instances using the KVM hypervisor. Due to missing file name sanitization, an attacker can register malicious templates to execute arbitrary code on the KVM hosts. This can result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of the KVM-based infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack versions 4.20.3.0 or 4.22.0.1, or later, which fixes this issue. | |||||
| CVE-2026-21671 | 1 Veeam | 1 Veeam Backup \& Replication | 2026-05-10 | N/A | 9.1 CRITICAL |
| A vulnerability allowing an authenticated user with the Backup Administrator role to perform remote code execution (RCE) in high availability (HA) deployments of Veeam Backup & Replication. | |||||
| CVE-2026-21669 | 1 Veeam | 1 Veeam Backup \& Replication | 2026-05-10 | N/A | 9.9 CRITICAL |
| A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server. | |||||
| CVE-2026-36458 | 2026-05-08 | N/A | 9.8 CRITICAL | ||
| ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of the cms_content tag can be manipulated in the admin backend and injected into a SQL query when the template is rendered. | |||||
| CVE-2025-63706 | 2026-05-08 | N/A | 9.8 CRITICAL | ||
| NPM package next-npm-version1.0.1 is vulnerable to Command injection. | |||||
| CVE-2024-46507 | 1 Yeti-platform | 1 Yeti | 2026-05-08 | N/A | 7.3 HIGH |
| A SSTI (server side template injection) vulnerability in the custom template export function in yeti-platform yeti before 2.1.12 allows attackers to execute code on the application server. | |||||
| CVE-2026-41645 | 1 Projectdiscovery | 1 Nuclei | 2026-05-08 | N/A | 5.3 MEDIUM |
| Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's expression evaluation engine makes it possible for a malicious target server to inject and execute supported DSL expressions. This happens when HTTP response data containing helper/function syntax gets reused by multi-step templates. If the -env-vars / -ev option is explicitly enabled, this can expose host environment variables. That option is off by default, so standard configurations are not affected by the information disclosure risk. This issue has been patched in version 3.8.0. | |||||
| CVE-2026-24118 | 1 Vm2 Project | 1 Vm2 | 2026-05-08 | N/A | 9.8 CRITICAL |
| vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0. | |||||
| CVE-2026-24120 | 1 Vm2 Project | 1 Vm2 | 2026-05-08 | N/A | 9.8 CRITICAL |
| vm2 is an open source vm/sandbox for Node.js. Prior to version 3.10.5, the fix for CVE-2023-37466 is insufficient and can be circumvented allowing attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.10.5. | |||||
| CVE-2026-24781 | 1 Vm2 Project | 1 Vm2 | 2026-05-08 | N/A | 9.8 CRITICAL |
| vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability through the inspect function. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0. | |||||
| CVE-2026-44334 | 1 Praison | 1 Praisonai | 2026-05-08 | N/A | 8.4 HIGH |
| PraisonAI is a multi-agent teams system. From version 4.5.139 to before version 4.6.32, CVE-2026-40287's fix gated tools.py auto-import behind PRAISONAI_ALLOW_LOCAL_TOOLS=true in two files (tool_resolver.py, api/call.py). A third import sink in praisonai/templates/tool_override.py was missed and remains unguarded. It is reached by the recipe runner on every recipe execution and is remotely triggerable through POST /v1/recipes/run with a recipe value pointing at any local absolute path or any GitHub repo (because SecurityConfig.allow_any_github defaults to True). The attacker drops a tools.py next to TEMPLATE.yaml; the server exec_module()s it. No auth required by default, no environment opt-in required. This issue has been patched in version 4.6.32. | |||||
| CVE-2026-38431 | 1 Frappe | 1 Erpnext | 2026-05-08 | N/A | 9.8 CRITICAL |
| ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on the server when the template is rendered. | |||||
| CVE-2026-8136 | 2026-05-08 | 3.3 LOW | 2.4 LOW | ||
| A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects an unknown part of the file /index.php?page=users. Executing a manipulation of the argument Name can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used. | |||||