Published threat advisories for May 4, 2026

An unauthenticated attacker can hijack Nginx UI during startup to run any command on your server, potentially gaining full control. This affects internet-facing management interfaces, so act fast.

NVD published: May 4, 2026

Unauthenticated attackers can completely take over the Nginx UI system during its initial setup, potentially accessing sensitive data and gaining administrative control. This is a critical issue with no immediate patch available.

NVD published: May 4, 2026

An unauthenticated attacker can take over your Nginx UI during its initial setup, gaining full administrative control. This critical flaw affects versions before 2.3.8 and requires immediate attention to prevent unauthorized system takeover.

NVD published: May 4, 2026

An external attacker can send malicious commands to the WDR201A WiFi Extender's firewall settings to gain administrative access. This allows the attacker to silently monitor or manipulate sensitive network traffic and establish a persistent foothold within the organization’s network.

NVD published: May 4, 2026

A critical flaw in WDR201A WiFi Extenders lets attackers remotely run any command, potentially taking full control of your network devices from the internet.

NVD published: May 4, 2026

An external attacker can remotely take control of the WDR201A WiFi Extender by tricking it into running unauthorized commands. This could allow them to intercept sensitive network traffic or use the device as a launchpad to access the rest of your internal company network.

NVD published: May 4, 2026

The WDR201A WiFi Extender contains a security flaw that allows an external attacker to remotely take complete control of the device without a password. This exposes the business to credential theft, interception of network traffic, and unauthorized access to internal systems.

NVD published: May 4, 2026

The WDR201A WiFi Extender contains a flaw that allows an external attacker to take full control of the device without requiring login credentials. This exposes your network traffic to potential interception and enables unauthorized access to your private infrastructure.

NVD published: May 4, 2026

An internal attacker with workflow access can compromise the n8n platform by submitting malicious data. This allows them to run unauthorized commands to gain full control of the server, potentially exposing sensitive business data and privileged API keys.

NVD published: May 4, 2026

An internal attacker with n8n workflow permissions could exploit this flaw to take full control of the host server. This allows them to run unauthorized commands, steal sensitive business data, and gain persistent access to the organization's network.

NVD published: May 4, 2026

An external attacker can exploit a flaw in Arelle to remotely run unauthorized code without needing credentials. This allows them to take full control of the server, potentially leading to the theft of sensitive financial reporting data.

NVD published: May 4, 2026

An external attacker could exploit a flaw in OpenC3 COSMOS to delete or manipulate critical stored data. This creates a business risk by potentially disrupting operational monitoring and the management of embedded hardware.

NVD published: May 4, 2026

A flaw in Note Mark's login allows anyone to access user accounts by sending a blank password, potentially exposing sensitive notes. This unauthenticated bypass is now fixed in version 0.19.3.

NVD published: May 4, 2026

An internal attacker with existing access to Apache Polaris can manipulate table settings to direct data storage to unauthorized locations. This flaw could allow them to expose sensitive company information or corrupt critical files.

NVD published: May 4, 2026

Apache Polaris contains a flaw that allows an internal attacker with table management permissions to bypass access restrictions for cloud storage. By providing crafted names, they can gain unauthorized access to read, change, or delete sensitive data across an entire storage bucket, putting business information at ris…

NVD published: May 4, 2026

An internal attacker can exploit a flaw in Apache Polaris to bypass cloud storage security and access, modify, or delete sensitive business data. This vulnerability poses a significant risk to data privacy and could allow unauthorized destruction of proprietary information.

NVD published: May 4, 2026

An external attacker can manipulate Apache Polaris table creation requests to obtain unauthorized credentials for restricted storage locations. This flaw allows unauthorized parties to steal or modify sensitive cloud data, impacting business information integrity.

NVD published: May 4, 2026

An internal attacker can exploit a hardcoded password in the D-Link DIR-456U Hardware Revision A1 to gain full administrative control of the device. This access allows an attacker to intercept network traffic or move further into the business network.

NVD published: May 4, 2026

An external attacker could take full control of a computer running Notesnook if a user exports a malicious note to PDF. This action enables the attacker to run hidden commands, risking total system compromise and unauthorized access to the victim's sensitive personal information.

NVD published: May 4, 2026

An Evolver AI engine flaw lets attackers run any command on your server without logging in. This critical issue needs immediate attention due to its widespread impact and ease of exploitation.

NVD published: May 4, 2026

An external attacker can exploit a vulnerability in Apache OpenNLP by providing a malicious model file to execute unauthorized commands on your systems. This could result in the theft of sensitive business credentials or unauthorized access to internal files.

NVD published: May 4, 2026

By submitting a manipulated dictionary file to Apache OpenNLP, an external attacker can trick the system into revealing sensitive files or internal network data. This creates a risk of unauthorized access to business credentials and configuration information.

NVD published: May 4, 2026

A flaw in the vm2 software allows an external attacker to bypass security controls and run unauthorized commands on the underlying server. This risk could lead to a full system compromise, granting the attacker control over server operations and access to sensitive data.

NVD published: May 4, 2026

An external attacker can exploit a flaw in the vm2 software to bypass security controls, allowing them to take control of the server. This could lead to a breach of sensitive data or total system compromise, giving unauthorized users access to the underlying infrastructure.

NVD published: May 4, 2026

An internal attacker can exploit a flaw in Qualcomm PLC firmware to gain control over the device and run unauthorized commands. This poses a business risk by allowing the attacker to disrupt critical industrial operations or potentially manipulate connected physical equipment.

NVD published: May 4, 2026

An external attacker can exploit a vulnerability in the VM2 sandboxing tool to escape security boundaries and execute unauthorized commands. This could lead to a full server compromise, granting the attacker access to sensitive business files and credentials.

NVD published: May 4, 2026

An external attacker can exploit a flaw in the vm2 sandbox to bypass its security, allowing them to run unauthorized commands on the host server. This could lead to a complete system compromise, granting the attacker access to sensitive business data and administrative control.

NVD published: May 4, 2026

An external attacker can exploit a flaw in the vm2 software to bypass its security protections and take control of your host server. This could lead to a total system compromise, potentially exposing sensitive credentials and files stored on your infrastructure.

NVD published: May 4, 2026

An external attacker can take control of systems using the Assimp library by providing a maliciously crafted 3D model file. If opened, this allows the attacker to run unauthorized code on the host system, potentially leading to a complete compromise of the affected application.

NVD published: May 4, 2026

An external attacker can crash applications or corrupt memory using GnuTLS, disrupting services and potentially enabling further attacks. This matters to the business due to the potential for service outages.

NVD published: May 4, 2026

A critical vulnerability in Tegsoft's Online Support Application could let attackers steal customer data or take control of services by injecting harmful code into web pages, and it's accessible online.

NVD published: May 4, 2026

A critical flaw in Comet Backup allows any administrator to access or control other customers' data. This vulnerability is exposed via the internet and could impact many users.

NVD published: May 4, 2026

phpBB software has a flaw that lets attackers hijack accounts by sending users fake password reset links. This is a significant risk for online forums.

NVD published: May 4, 2026

A critical flaw in GeoVision GV-VMS allows unauthenticated attackers to execute code remotely and take full control of video surveillance systems, which are often accessible online.

NVD published: May 4, 2026

An internal attacker on your local network could intercept GeoVision GV-IP Device Utility traffic to steal device passwords. This unauthorized access allows them to take full control of your hardware, enabling them to alter security configurations or reset devices to factory settings.

NVD published: May 4, 2026

A critical flaw in GeoVision GV-VMS allows unauthenticated attackers to take complete control of video surveillance systems through a simple web request, impacting internet-facing security devices.

NVD published: May 4, 2026

This critical vulnerability in GeoVision's video software, GV-VMS V20, allows unauthenticated attackers to remotely take full control of your security cameras and devices.

NVD published: May 4, 2026

A critical flaw in GeoVision devices lets anyone with network access take full control by tricking the web interface into running unauthorized commands. This is a serious risk for devices often exposed online.

NVD published: May 4, 2026