Common Vulnerabilities and Exposures (CVE)

CVE-2026-44309

May 15, 2026 17:43:59 UTC

Gitsign is a keyless Sigstore signing tool for Git commits using your GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's EncodeWithoutSignature before checking th...

CVE-2026-46474

May 15, 2026 17:41:32 UTC

Trog::TOTP versions before 1.006 for Perl generate secrets using rand. Secrets were generated using Perl's built-in rand function, which is predictable and unsuitable for security usage.

CVE-2026-23695

May 15, 2026 17:40:59 UTC

Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using n...

CVE-2026-45035

May 15, 2026 17:39:40 UTC

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the handler for the tabby:// URL scheme on all platforms. The URL scheme handler supports a run command that directly executes...

CVE-2026-45036

May 15, 2026 17:38:49 UTC

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby automatically confirms ZMODEM protocol detection on all terminal session output without user interaction, enabling shell command ex...

CVE-2026-42155

May 15, 2026 17:36:27 UTC

Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to 20.18.0, the XML-RPC / SOAP API se...

CVE-2026-8695

May 15, 2026 17:34:27 UTC

radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_threads_list() function that allows remote attackers to trigger memory corruption by sending a valid qfThreadInfo response followed by a malformed qsThreadInfo response. Atta...

CVE-2026-44717

May 15, 2026 17:25:39 UTC

MCP Calculate Server is a mathematical calculation service based on the MCP protocol and the SymPy library. Prior to 0.1.1, the use of eval() to evaluate mathematical expressions without proper input sanitization leads to remote code execution. Thi...

CVE-2026-29203

May 15, 2026 17:14:52 UTC

A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel use...

CVE-2026-21530

May 15, 2026 17:13:47 UTC

Double free in Windows Rich Text Edit allows an authorized attacker to elevate privileges locally.

CVE-2026-32170

May 15, 2026 17:13:46 UTC

Double free in Windows Rich Text Edit Control allows an authorized attacker to elevate privileges locally.

CVE-2026-32161

May 15, 2026 17:13:45 UTC

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Native WiFi Miniport Driver allows an unauthorized attacker to execute code over an adjacent network.

CVE-2026-40379

May 15, 2026 17:13:45 UTC

Exposure of sensitive information to an unauthorized actor in Azure Entra ID allows an unauthorized attacker to perform spoofing over a network.

CVE-2026-42897

May 15, 2026 17:13:44 UTC

Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.

CVE-2026-41615

May 15, 2026 17:13:43 UTC

Exposure of sensitive information to an unauthorized actor in Microsoft Authenticator allows an unauthorized attacker to disclose information over a network.