| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At |
|---|---|---|---|---|---|---|
| CVE-2026-42606 | AzuraCast: Password Reset Poisoning via Untrusted X-Forwarded-Host Header Leads to Account Takeover and 2FA Bypass | AzuraCast | AzuraCast | High | 8.1 | 2026-05-09 19:43:36 |
| CVE-2026-42258 | net-imap: Command Injection via unvalidated Symbol inputs | ruby | net-imap | - | - | 2026-05-09 19:40:49 |
| CVE-2026-42257 | net-imap: Command Injection via "raw" arguments to multiple commands | ruby | net-imap | - | - | 2026-05-09 19:39:48 |
| CVE-2026-42256 | net-imap: Denial of service via high iteration count for `SCRAM-*` authentication | ruby | net-imap | - | - | 2026-05-09 19:38:33 |
| CVE-2026-42245 | net-imap: Quadratic complexity when reading response literals | ruby | net-imap | - | - | 2026-05-09 19:37:09 |
| CVE-2026-42246 | net-imap vulnerable to STARTTLS stripping via invalid response timing | ruby | net-imap | - | - | 2026-05-09 19:33:18 |
| CVE-2026-8194 | osTicket Dispatcher class.dispatcher.php cross-site request forgery | - | osTicket | Medium | 4.3 | 2026-05-09 19:30:10 |
| CVE-2026-42601 | ArchiveBox Vulnerable to RCE via unvalidated per-crawl config overrides in AddView | ArchiveBox | ArchiveBox | - | - | 2026-05-09 19:29:23 |
| CVE-2026-42576 | apko `DiscoverKeys` has a panic on non-rsa jwks key that causes crash during key discovery | chainguard-dev | apko | Medium | 6.5 | 2026-05-09 19:26:56 |
| CVE-2026-42575 | apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible) | chainguard-dev | apko | High | 7.5 | 2026-05-09 19:26:27 |
| CVE-2026-42574 | apko dirFS has a symlink-following path traversal that allows multiple entry points to escape the build root | chainguard-dev | apko | High | 7.5 | 2026-05-09 19:24:48 |
| CVE-2026-42569 | phpvms: /importer authorization bypass causing full database wipe | phpvms | phpvms | Critical | 9.4 | 2026-05-09 19:21:49 |
| CVE-2026-42571 | Privilege Escalation Attack affecting Pelican Web UI | PelicanPlatform | pelican | - | - | 2026-05-09 19:19:37 |
| CVE-2026-42333 | quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations | quarkiverse | quarkus-openapi-generator | - | - | 2026-05-09 19:16:20 |
| CVE-2026-41893 | Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force) | SignalK | signalk-server | - | - | 2026-05-09 19:12:10 |
| CVE-2026-42562 | Plainpad: Privilege Escalation via Writable Admin Field in Profile Update (Access Control) | alextselegidis | plainpad | High | 8.3 | 2026-05-09 19:09:49 |
| CVE-2026-8193 | Akaunting Invoice PDF Rendering dompdf.php server-side request forgery | - | Akaunting | Medium | 6.3 | 2026-05-09 18:45:08 |
| CVE-2026-8192 | Wavlink NU516U1 adm.cgi wzdap os command injection | Wavlink | NU516U1 | Medium | 6.3 | 2026-05-09 18:30:12 |
| CVE-2026-8191 | Wavlink NU516U1 adm.cgi wifi_region os command injection | Wavlink | NU516U1 | Medium | 6.3 | 2026-05-09 18:15:10 |
| CVE-2026-8190 | Wavlink NU516U1 adm.cgi wan os command injection | Wavlink | NU516U1 | Medium | 6.3 | 2026-05-09 17:15:09 |