CVE Vulnerabilities - 19 May 2026
630 vulnerabilities published on 19 May 2026
CtrlPanel installer allows hackers to run server commands
CVE-2026-34234
CtrlPanel's web installer in versions 1.1.1 and earlier can be exploited by attackers to run arbitrary commands on the server. This vulnerability is critical for hosting providers using CtrlPanel, as ...
10.0
Malicious Code in @beproduct/nestjs-auth (0.1.2-0.1.19) Can Steal Secrets
GHSA-6xwp-cp5h-q856
CVE-2026-46412
Between May 11 and May 22, 2026, malicious versions of the @beproduct/nestjs-auth package were published on npm. These versions contained code that could steal sensitive information like login tokens,...
10.0
9router: Unauthenticated Remote Code Execution via Unprotected Routes
GHSA-fhh6-4qxv-rpqj
CVE-2026-46339
The 9router software exposes unauthenticated API endpoints that can be used to execute arbitrary OS commands without any prerequisites or credentials. This vulnerability exists because the authenticat...
10.0
HestiaCP Web Terminal Session Format Mismatch Allows Root Access
CVE-2026-43633
HestiaCP versions 1.9.0 to 1.9.4 have a security weakness in the web terminal. Attackers can exploit this weakness to gain full control over a system with the web terminal feature enabled. To protect ...
9.5
Kitty Terminal: Unchecked Arithmetic Allows Remote Code Execution
CVE-2026-33642
A security issue affects Kitty Terminal versions 0.46.2 and below. An attacker can send malicious commands to a Kitty Terminal, potentially allowing them to execute code remotely. To fix this, update ...
9.9
rok Python ProxyShare allows attackers to access internal servers
GHSA-jh67-hwqw-m5r7
CVE-2026-45568
The ProxyShare feature in rok Python allows attackers to bypass security settings and access internal servers by manipulating URL paths. This could lead to unauthorized access to sensitive data or sys...
9.9
Drupal Module Exposes iCal Feeds to Unauthorized Users
DRUPAL-CONTRIB-2026-037
CVE-2026-8495
A module in Drupal allows anyone to access sensitive date fields without permission. This could allow unauthorized users to view or manipulate sensitive information. Update the module to ensure it pro...
9.8
Turborepo allows malicious code execution in untrusted repositories
CVE-2026-45772
GHSA-3qcw-2rhx-2726
Turborepo's build system can run malicious code if you use it in a project from an unknown or untrusted source. This can happen if the project's configuration contains malicious code. To stay safe, up...
7.5
Kopia: Unauthenticated Access via SSH Command Injection
GHSA-2q4c-3mrw-63c3
CVE-2026-45695
GO-2026-5009
Kopia's HTTP server allows unauthenticated access when started without a username or password. An attacker can inject malicious commands into the SSH connection, potentially executing arbitrary code a...
9.8
Kitty Terminal: Malicious Input Can Cause Data Corruption
DEBIAN-CVE-2026-33642
Versions of Kitty terminal below 0.46.2 are vulnerable to data corruption when displaying malicious input. This can happen if an attacker is able to send specific commands to a Kitty terminal, such as...
9.8
Kitty terminal: Malicious code can read or write memory
UBUNTU-CVE-2026-33642
A security issue affects Kitty terminal versions 0.46.2 and below. An attacker can write malicious code to a Kitty terminal to access memory it shouldn't have, potentially leading to security breaches...
9.8
ScadaBR 1.2.0: Hard-Coded Admin Credentials
CVE-2026-8605
ScadaBR's admin credentials are hardcoded, allowing unauthorized access to the SCADA system. This is a serious risk because an attacker can gain full control of the system. Update to a fixed version o...
5.1
ScadaBR 1.2.0: Unauthenticated root access via OS command injection
CVE-2026-8603
An attacker can execute system commands with root privileges on the SCADA system. This could allow unauthorized access and control of the system. Update to the latest version of ScadaBR to fix this vu...
8.7
Panabit PAP-XM320 HTTP Server Authentication Bypass Risk
CVE-2026-36829
The Panabit PAP-XM320's built-in web server has a weakness that could let attackers access it without needing a password. This is because the server checks a password-related cookie in a way that an a...
9.8
hitarth-gg Zenshin URL Command Injection Risk
CVE-2026-37281
The hitarth-gg Zenshin application has a security flaw that could allow an attacker to execute unauthorized system commands. This could potentially lead to data theft, system compromise, or other mali...
9.8
APScheduler JSON and CBOR Deserialization RCE
CVE-2026-31072
APScheduler's JSON and CBOR deserialization features allow attackers to execute malicious code remotely. This can happen if an attacker submits a specially crafted payload to an application using thes...
9.8
LalanaChami Pharmacy Management System: Unauthorized Role Assignment
CVE-2026-31070
The LalanaChami Pharmacy Management System has a security issue that allows anyone to give themselves extra privileges. This could allow unauthorized users to access sensitive information or make chan...
9.8
Scalar Astro v0.1.13 exposes sensitive data to attackers
CVE-2026-30118
The Scalar Astro proxy endpoint can be tricked into sending requests to malicious URLs, potentially exposing sensitive information like authentication cookies. This could allow unauthorized access to ...
9.8
Scalar Proxy allows attackers to execute arbitrary code
CVE-2026-30117
An attacker can upload a malicious file, potentially executing code on your server. This is a serious issue, especially if you're hosting user-uploaded content. Update to the latest version of Scalar ...
9.8
Tyler Identity Local uses default, unchanged admin credentials
CVE-2026-44159
Tyler Identity Local's default admin credentials are not changed before deployment, which means an attacker could gain full access to the system if they know these credentials. This is a concern becau...
9.3
Debian Linux: Unrestricted File Access
DEBIAN-CVE-2026-8956
A security flaw in Debian Linux can allow unauthorized users to access and modify sensitive files. This affects Debian Linux systems and can compromise system integrity. To protect your system, ensure...
9.8
Firefox Integer Overflow in Networking: JAR
CVE-2026-8956
A vulnerability in the Firefox Networking: JAR component can cause the browser to crash or behave unexpectedly. This issue affects Firefox versions prior to 151 and Firefox ESR versions prior to 140.1...
9.8
Apache Camel: Unauthenticated Header Injection via Missing Filtering
CVE-2026-47323
Apache Camel versions 3.18.0 to 4.18.2 have a security issue that allows attackers to inject malicious headers into messages. This can lead to unauthorized code execution or file access. To fix this, ...
9.8
Piotnet Forms for WordPress allows attackers to upload any file type
CVE-2026-4883
The Piotnet Forms plugin for WordPress doesn't properly check the type of files being uploaded, which means an attacker can upload any type of file. This could allow an attacker to execute malicious c...
9.8
Linux Kernel: MAY_BACKLOG Requests Can Cause Busy Errors
CVE-2026-43493
A bug in the Linux kernel's crypto module (pcrypt) could cause a busy error when handling certain requests. This could lead to system instability or crashes. Linux kernel developers have fixed this is...
9.8