Total
358423 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-41104 | 1 Microsoft | 1 Planetary Computer | 2026-05-29 | N/A | 10.0 CRITICAL |
| Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose information over a network. | |||||
| CVE-2026-22554 | 1 Mediaarea | 1 Mediainfolib | 2026-05-29 | N/A | 7.8 HIGH |
| MediaArea MediaInfoLib Channel Splitting heap-based buffer overflow vulnerability | |||||
| CVE-2026-45321 | 16 Abhishake1, Agentworkhq, Antoinebcx and 13 more | 171 Supersurkhet/cli, Supersurkhet/sdk, Taskflow-corp/cli and 168 more | 2026-05-29 | N/A | 9.6 CRITICAL |
| On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart. | |||||
| CVE-2026-48735 | 1 Pypdf Project | 1 Pypdf | 2026-05-29 | N/A | 5.5 MEDIUM |
| pypdf is a free and open-source pure-python PDF library. Prior to 6.12.1, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing large XMP metadata, possibly with lots of unnecessary elements. This vulnerability is fixed in 6.12.1. | |||||
| CVE-2026-48156 | 1 Pypdf Project | 1 Pypdf | 2026-05-29 | N/A | 3.3 LOW |
| pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with /W [0 0 0] values and large /Size values. This vulnerability is fixed in 6.12.0. | |||||
| CVE-2026-48155 | 1 Pypdf Project | 1 Pypdf | 2026-05-29 | N/A | 5.5 MEDIUM |
| pypdf is a free and open-source pure-python PDF library. Prior to 6.12.0, an attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting text in layout mode with large character offsets. This vulnerability is fixed in 6.12.0. | |||||
| CVE-2026-3660 | 1 Ibm | 1 Engineering Lifecycle Management | 2026-05-29 | N/A | 9.8 CRITICAL |
| IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an unauthenticated remote attacker to update server property files that would allow them to gain unauthorized access to the application. | |||||
| CVE-2026-44985 | 1 Amirraminfar | 1 Dozzle | 2026-05-29 | N/A | 9.6 CRITICAL |
| Dozzle is a realtime log viewer for Docker containers. Prior to 10.5.2, the WebSocket upgrader for the /exec and /attach endpoints uses CheckOrigin: func(r *http.Request) bool { return true }, accepting upgrade requests from any origin. Combined with the JWT cookie using SameSite: Lax, this enables Cross-Site WebSocket Hijacking (CSWSH). An attacker hosting a page on a same-site origin (e.g., a sibling subdomain, or another service on localhost) can initiate a WebSocket connection to the exec endpoint that carries the victim's valid JWT cookie, gaining interactive shell access in any container the victim is authorized to access. This vulnerability is fixed in 10.5.2. | |||||
| CVE-2026-42081 | 1 Free5gc | 1 Free5gc | 2026-05-29 | N/A | 6.1 MEDIUM |
| free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, the AMF in Free5GC does not verify the UE Security Capabilities received in NGAP PathSwitchRequest messages against its locally stored values, as mandated by 3GPP TS 33.501 §6.7.3.1. A malicious gNB can overwrite the AMF's stored UE security capabilities with arbitrary values, which are then propagated in PathSwitchRequest Acknowledge messages and subsequent Handover Request messages. This leads to persistent handover denial-of-service for affected UEs. This vulnerability is fixed in 4.2.2. | |||||
| CVE-2026-45298 | 1 Amirraminfar | 1 Dozzle | 2026-05-29 | N/A | 8.6 HIGH |
| Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, in a default dozzle deploy (the documented quickstart, no DOZZLE_AUTH_PROVIDER set), POST /api/notifications/test-webhook is reachable without authentication and forwards an attacker-controlled URL into a WebhookDispatcher that sends an HTTP POST to the supplied URL with attacker-controlled request headers, and returns the response status code AND up to 1MB of the response body to the caller, when the target replies non-2xx. This vulnerability is fixed in 10.5.2. | |||||
| CVE-2026-20994 | 1 Samsung | 1 Account | 2026-05-29 | N/A | 6.1 MEDIUM |
| URL redirection in Samsung Account prior to version 15.5.01.1 allows local attackers to potentially obtain an access token. | |||||
| CVE-2026-10065 | | | 2026-05-29 | 9.0 HIGH | 8.8 HIGH |
| A weakness has been identified in Shibby Tomato 1.28. This vulnerability affects the function get_ups_field of the file tomatodata.cgi. Executing a manipulation of the argument Date can lead to stack-based buffer overflow. It is possible to launch the attack remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2026-10004 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-05-29 | N/A | 6.5 MEDIUM |
| Insufficient validation of untrusted input in Passwords in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High) | |||||
| CVE-2026-10002 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-05-29 | N/A | 8.8 HIGH |
| Use after free in PDFium in Google Chrome prior to 148.0.7778.216 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: High) | |||||
| CVE-2026-9156 | 1 Tanium | 1 Server | 2026-05-29 | N/A | 6.5 MEDIUM |
| Tanium addressed a denial of service vulnerability in Tanium Server. | |||||
| CVE-2023-52945 | 1 Synology | 1 Beedrive | 2026-05-29 | N/A | 7.8 HIGH |
| Uncontrolled search path element vulnerability in OpenSSL DLL component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to execute arbitrary code via unspecified vectors. | |||||
| CVE-2026-3117 | 1 Mattermost | 1 Mattermost Server | 2026-05-29 | N/A | 6.5 MEDIUM |
| Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to properly check for permissions when processing commands in the Gitlab plugin which allows normal users to uninstall instances or setup webhook connections via the {{gitlab instance {option}}} or the {{/gitlab webhook {option}}} commands. Mattermost Advisory ID: MMSA-2026-00600 | |||||
| CVE-2026-6342 | 1 Mattermost | 1 Mattermost Server | 2026-05-29 | N/A | 4.3 MEDIUM |
| Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to appropriately check for valid namespaces which allows plugin users to create subscriptions to groups that were not whitelisted via creating groups that share the same prefix as a whitelisted group. Mattermost Advisory ID: MMSA-2026-00601 | |||||
| CVE-2026-6341 | 1 Mattermost | 1 Mattermost Server | 2026-05-29 | N/A | 4.3 MEDIUM |
| Mattermost Plugins versions <=11.5 11.1.5 10.13.11 11.3.4.0 fail to have API-level checks on which groups the user can create issues or attach comments to which allows a user that is member of multiple groups to create issues to a locked group via direct API requests. Mattermost Advisory ID: MMSA-2026-00602 | |||||
| CVE-2026-6334 | 1 Mattermost | 1 Mattermost Server | 2026-05-29 | N/A | 3.1 LOW |
| Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request. Mattermost Advisory ID: MMSA-2026-00570 | |||||
