
CVE Vulnerabilities - 11 May 2026


739 vulnerabilities published on 11 May 2026

Severity:
SOCFortress CoPilot allows unauthorized access to admin accounts
CVE-2026-42869
SOCFortress CoPilot, a security operations tool, had a secret key that was publicly known. This allowed an attacker to create fake admin accounts without a password. The issue is fixed in version 0.1....
10.0
SandboxJS allows malicious code to escape the sandbox
GHSA-g8f2-4f4f-5jqw CVE-2026-43898
A vulnerability in SandboxJS allows malicious code to access and manipulate the host environment, potentially executing arbitrary JavaScript. This is a significant risk because it could allow attacker...
10.0
Angular Expressions Remote Code Execution in Versions 1.5.1 and Earlier
CVE-2026-44643 GHSA-pw8r-6689-xvf4
Using Angular Expressions versions 1.5.1 and earlier, an attacker could potentially execute arbitrary code on your system. This is a serious issue because it could allow an attacker to gain full contr...
9.3
Unauthorized Access in pgAdmin 4: Shared Servers and Private Data
CVE-2026-7813 GHSA-h2x2-q2mc-24gw
A security issue in pgAdmin 4 allows an attacker to access another user's private servers, server groups, and background processes. This affects pgAdmin 4 versions before 9.15. To fix this, the develo...
9.4
Neat VNC server library crashes with malicious connection
DEBIAN-CVE-2026-42859
A malicious user can crash the Neat VNC server by sending a specially crafted connection request before authenticating. This could cause the server to stop working. Update to version 0.9.6 or later to...
9.9
Open edX Platform: Enterprise Admins can hijack server requests
CVE-2026-42858
An authenticated Enterprise Admin can trick the Open edX Platform into making unauthorized requests to internal network services or external websites. This could allow an attacker to access sensitive ...
9.9
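The Open edX entry above describes server-side request forgery: an authenticated user gets the server to fetch a URL of their choosing, including internal services. As an added illustration of the control that blocks this class of bug (this is not Open edX code, and the allowlisted hostname and the resolver stub are constructed for the example), the check below accepts only http(s) URLs to allowlisted hosts and resolves each host before use, rejecting any that maps to a loopback, private, link-local or otherwise non-public address:

```python
import ipaddress
import socket
from urllib.parse import urlsplit


class UnsafeURL(ValueError):
    """Raised when a user-supplied URL must not be fetched server-side."""


# Hypothetical allowlist of external hosts the application may call.
ALLOWED_HOSTS = {"hooks.example.com"}


def _is_public(ip) -> bool:
    """True only for globally routable unicast addresses."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url: str, resolver=socket.getaddrinfo) -> str:
    """Validate a URL before the server fetches it and return the host.

    Rejects non-http(s) schemes, hosts outside ALLOWED_HOSTS, and any host
    whose resolved addresses include a loopback, private, link-local or
    otherwise non-public range (cloud metadata endpoints such as
    169.254.169.254 included). `resolver` has the signature of
    socket.getaddrinfo and is injectable so the check can run offline.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    host = host.lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host not allowlisted: {host!r}")
    # Resolve now and check every returned address: an allowlisted name
    # that points at 127.0.0.1 or 10.0.0.5 is still an SSRF vector.
    addrs = {ipaddress.ip_address(info[4][0]) for info in resolver(host, None)}
    if not addrs:
        raise UnsafeURL(f"{host} did not resolve")
    for ip in addrs:
        if not _is_public(ip):
            raise UnsafeURL(f"{host} resolves to non-public address {ip}")
    return host


def is_safe_outbound(url: str, resolver=socket.getaddrinfo) -> bool:
    """Boolean wrapper around check_outbound_url."""
    try:
        check_outbound_url(url, resolver)
        return True
    except UnsafeURL:
        return False


def make_resolver(*addresses):
    """Constructed offline stand-in for socket.getaddrinfo (sample data)."""
    def resolve(host, port, *args, **kwargs):
        return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, port or 0))
                for a in addresses]
    return resolve


if __name__ == "__main__":
    for url, res in [
        ("https://hooks.example.com/notify", make_resolver("93.184.216.34")),
        ("https://hooks.example.com/notify", make_resolver("169.254.169.254")),
        ("http://127.0.0.1:8080/admin", make_resolver("127.0.0.1")),
        ("file:///etc/passwd", make_resolver()),
    ]:
        print(url, "->", "allowed" if is_safe_outbound(url, res) else "blocked")
```

The resolve-then-check step is the part most implementations skip; without it, an attacker-controlled DNS name that points at an internal address passes a name-based allowlist. Note the remaining window: if the HTTP client resolves the name again when it connects, a rebinding DNS server can answer differently the second time, so pin the checked address when opening the connection (or have the client refuse redirects and re-run the check on each hop).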
Vaultwarden allows password brute-force attacks with 2FA
CVE-2026-43914
If you use Vaultwarden with email two-factor authentication, an attacker could try many passwords to guess your account credentials without being blocked. This vulnerability is fixed in version 1.35.4...
9.8
OpenClaw: Unauthorized Access via Bluebubbles Webhook
CVE-2026-8305
An attacker can bypass security checks and gain unauthorized access to OpenClaw by manipulating the Bluebubbles Webhook. This can happen remotely. To fix this, update OpenClaw to version 2026.2.12 or ...
5.5
XML Parsing Software May Crash from Malicious Data
CVE-2026-7210 BIT-libpython-2026-7210 BIT-python-2026-7210 PSF-2026-23
Some XML parsing software can be crashed by a specially designed XML file. This can happen if the software is not up to date, specifically if it's using an old version of the Expat library. To fix thi...
6.3
Flowise: Unsecured HTTP Client Use Prior to 3.1.0
CVE-2026-43995
Flowise's drag-and-drop interface made HTTP requests in an insecure way, which could have allowed attackers to intercept sensitive information. Update to Flowise 3.1.0 to fix this issue.
5.3
XML Parsing in Python Can Be Overwhelmed by Malicious Data
UBUNTU-CVE-2026-7210
A maliciously crafted XML document can overwhelm the XML parsing system in Python, potentially leading to performance issues or system crashes. This issue affects Python's xml.etree.ElementTree and xm...
7.3
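The two Expat entries above (CVE-2026-7210) say only that a crafted document can crash or overwhelm Python's XML parsers when the bundled Expat is out of date; the specific trigger is not stated on the page. As an added example, and not code from CPython or any advisory, the parser below shows the limits a practitioner normally puts around untrusted XML regardless of the particular bug: a size cap, rejection of DOCTYPE and entity declarations, and a nesting-depth ceiling, all enforced through Expat's own handler callbacks. It also reads the Expat version bundled with the interpreter so it can be compared against whatever version the advisory names. The sample documents and the limit values are constructed for the example.

```python
import xml.parsers.expat as expat

# Which Expat build closes the issue is not stated on the page; record the one
# bundled with this interpreter so it can be compared against the advisory.
BUNDLED_EXPAT = expat.EXPAT_VERSION


class XMLRejected(ValueError):
    """Raised when a document exceeds the limits set for untrusted input."""


def parse_untrusted_xml(data: bytes, max_depth: int = 32,
                        max_bytes: int = 1_000_000) -> list:
    """Parse untrusted XML with Expat under explicit limits.

    Rejects oversized input, any DOCTYPE or entity declaration (the usual
    vehicle for entity-expansion blowups), and element nesting deeper than
    max_depth. Returns the element names seen, in document order.
    """
    if len(data) > max_bytes:
        raise XMLRejected(f"document larger than {max_bytes} bytes")

    parser = expat.ParserCreate()
    names = []
    depth = 0

    def start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise XMLRejected(f"element nesting deeper than {max_depth}")
        names.append(name)

    def end(name):
        nonlocal depth
        depth -= 1

    def doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise XMLRejected("DOCTYPE declarations are not accepted")

    def entity_decl(*args):
        raise XMLRejected("entity declarations are not accepted")

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = doctype
    parser.EntityDeclHandler = entity_decl

    # An exception raised inside a handler propagates out of Parse().
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise XMLRejected(f"malformed XML: {exc}") from exc
    return names


def classify(data: bytes, **limits) -> str:
    """'ok' or the rejection reason; convenient for tests and logging."""
    try:
        parse_untrusted_xml(data, **limits)
        return "ok"
    except XMLRejected as exc:
        return str(exc)


# Constructed sample inputs (not taken from any advisory).
BENIGN = b"<root><item id='1'/><item id='2'/></root>"
DEEP = b"<a>" * 100 + b"</a>" * 100
ENTITY_BOMB = (b"<?xml version='1.0'?><!DOCTYPE lolz [<!ENTITY lol 'lol'>"
               b"<!ENTITY lol2 '&lol;&lol;&lol;&lol;'>]><lolz>&lol2;</lolz>")

if __name__ == "__main__":
    print("Expat bundled with this Python:", BUNDLED_EXPAT)
    for label, doc in [("benign", BENIGN), ("deep", DEEP), ("entities", ENTITY_BOMB)]:
        print(f"{label}: {classify(doc)}")
```

The limits do not substitute for the upgrade: a parser bug that is reachable from well-formed, shallow, entity-free input would still be reachable. They do shrink the attack surface while the patched build is rolled out, and the version string gives a concrete thing to check across a fleet of interpreters.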
WebdriverIO BrowserStack Service allows malicious code execution
GHSA-5c46-x3qw-q7j7 CVE-2026-25244
A vulnerability in WebdriverIO's BrowserStack Service allows attackers to execute malicious code when processing git branch names in test orchestration. This can happen if an attacker creates a malici...
9.8
Dell ECS and ObjectScale UI Formula Vulnerability
CVE-2026-35157
Dell ECS and ObjectScale software have a security flaw in their user interface that could allow an attacker to run unauthorized code remotely. This could potentially lead to unauthorized access or dat...
9.8
Tenda AC6 Wi-Fi Settings Can Be Hijacked Remotely
CVE-2026-8263
The Tenda AC6 Wi-Fi router has a security flaw that allows an attacker to remotely take control of its Wi-Fi settings. This could be used to disrupt or hijack the router's Wi-Fi connection. Tenda shou...
2.0
DeepChat: Unsecured AI Agent Platform Open to Attack
CVE-2026-43899
DeepChat's open-source AI platform was vulnerable to attacks that could bypass security controls and execute malicious code. This issue has been fixed in version 1.0.4-beta.1, so it's essential to upd...
9.6
PraisonAI MCP Server Allows File System Access
CVE-2026-44336 GHSA-9mqq-jqxf-grvw
A previous version of PraisonAI's MCP server allowed an attacker to write files outside of a specific directory, potentially leading to code execution. This issue has been fixed in version 4.6.34. To ...
9.4
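The PraisonAI entry describes a write that lands outside the directory the server meant to confine it to. As an added example of the containment check that prevents that class of bug (this is not PraisonAI's code, and the directory names and request paths are constructed for the demonstration), the function below resolves both the base directory and the requested path before comparing them, so `..` segments, absolute paths and symlinks that point out of the base are all rejected by a single test:

```python
import os
import tempfile
from pathlib import Path


class PathEscape(ValueError):
    """Raised when a requested path would land outside the allowed directory."""


def resolve_inside(base: Path, user_path: str) -> Path:
    """Map a user-supplied relative path to a location inside `base`.

    Both sides are fully resolved first, so '..' segments, absolute paths
    and symlinks pointing out of `base` are all caught by one comparison.
    """
    base_resolved = base.resolve()
    candidate = (base_resolved / user_path).resolve()
    if candidate != base_resolved and base_resolved not in candidate.parents:
        raise PathEscape(f"{user_path!r} escapes {base_resolved}")
    return candidate


def safe_write(base: Path, user_path: str, data: bytes) -> Path:
    """Write only if the target is inside `base`; returns the written path."""
    target = resolve_inside(base, user_path)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def demo() -> dict:
    """Exercise the check against constructed paths in a temp directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "workspace"
        base.mkdir()
        outside = Path(tmp) / "outside"
        outside.mkdir()
        # A symlink inside the workspace that points out of it.
        os.symlink(outside, base / "escape")
        cases = {
            "plain": "notes/today.txt",
            "dotdot": "../outside/owned.txt",
            "absolute": "/etc/cron.d/owned",
            "symlink": "escape/owned.txt",
        }
        for label, p in cases.items():
            try:
                written = safe_write(base, p, b"x")
                results[label] = "written:" + str(written.relative_to(base.resolve()))
            except PathEscape:
                results[label] = "blocked"
        results["outside_untouched"] = not any(outside.iterdir())
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The comparison is done on resolved paths rather than on the string the caller supplied; checking for a `..` substring or a leading slash misses symlinks entirely and is easy to bypass with encoding tricks. Note that `Path.resolve()` follows symlinks at check time, so a symlink swapped in after the check and before the write is a separate race that needs `O_NOFOLLOW` or an `openat`-style directory handle to close.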
DeepChat prior to v1.0.4-beta.1 allows attackers to inject malicious code
CVE-2026-43900
DeepChat, an artificial intelligence platform, had a security weakness that allowed attackers to inject malicious code into the system. This could have led to unauthorized actions on the platform. The v...
9.3
Bitwarden Server Missing Authorization Allows Organization Takeover
CVE-2026-43639
A vulnerability in Bitwarden Server versions prior to 2026.4.0 allows a malicious user to take control of an organization. This affects cloud-hosted installations of Bitwarden Server, but not self-hos...
8.9
Unity Catalog Exposes Data to Unauthorized Access
CVE-2026-27478 GHSA-qqcj-rghw-829x
A critical security flaw in Unity Catalog's token exchange endpoint allows attackers to access data without proper authentication. This could lead to unauthorized access to sensitive data and AI infor...
9.1
Red Hat Hardened Images RPMs Update Fixes Security Flaws
RHSA-2026:7021
Red Hat Hardened Images RPMs have been updated to address security vulnerabilities and improve functionality. This update is important for users who rely on the hardened images for secure operations. ...
9.1
Apache::Session for Perl Can Revive Deleted Sessions
UBUNTU-CVE-2013-10075
Apache::Session for Perl versions up to 1.94 can revive deleted sessions, potentially exposing sensitive data. This is a concern if you store confidential information in user sessions. To fix this, up...
9.1
D-Link DIR-816 Remote Command Injection Vulnerability
CVE-2026-8345
A vulnerability in the D-Link DIR-816 router's port forwarding feature allows an attacker to execute commands remotely, potentially giving them control over the device. This could lead to unauthorized...
2.1
D-Link DIR-816 Router Command Injection Vulnerability
CVE-2026-8344
A weakness in the D-Link DIR-816 router's configuration page allows an attacker to inject malicious commands remotely, potentially taking control of the router. This vulnerability has been made public...
2.1
Pi-hole DNS Sinkhole: Unrestricted File Deletion and Recreation
CVE-2026-41489
An attacker with Pi-hole privileges can delete and recreate any file on the system, potentially gaining root access. This is fixed in Pi-hole Core 6.4.2 and FTL 6.6.1. Update your Pi-hole installation...
8.8
Malicious iOS Apps Can Escape Their Sandbox
CVE-2026-28995
A security issue in certain Apple operating systems allowed a malicious app to escape its sandbox. This could potentially allow the app to access sensitive information or cause harm. Apple has...
8.8