Published threat advisories for May 8, 2026

The Postiz AI scheduling tool has a flaw allowing authenticated users to embed malicious HTML in posts, which can then be executed when shared via a preview link, potentially exposing sensitive data. Update to version 2.21.7 to fix this.

NVD published: May 8, 2026

By injecting unauthorized commands through Termix, an internal attacker can install backdoors to gain full administrative access to your managed servers. This flaw poses a significant risk to the integrity of your entire production infrastructure.

NVD published: May 8, 2026

A critical flaw in Sentry's SAML login allows anyone to hijack any user account if they know the victim's email and can set up a fake login system. This is a serious risk for organizations using Sentry for error tracking.

NVD published: May 8, 2026

A security flaw in the FastGPT agent-sandbox allows an external attacker to bypass access controls and gain full control of the environment. This lets them run unauthorized commands, creating a risk that sensitive AI data or system secrets could be stolen.

NVD published: May 8, 2026

An external attacker can exploit a flaw in the Postiz build system to steal sensitive administrative credentials. This allows them to modify the code, which could enable them to distribute unauthorized changes to users.

NVD published: May 8, 2026

A critical flaw in Emlog allows unauthenticated attackers to steal data or destroy websites by injecting malicious commands directly into the database. Update Emlog now to prevent potential system compromise.

NVD published: May 8, 2026

Plunk's email platform has a serious flaw allowing attackers to trigger fake notifications, disrupt services, and potentially increase costs by manipulating email workflows without any authentication.

NVD published: May 8, 2026

A critical flaw in Data Space Portal allows unauthorized access to customer data through a loophole in account registration. This issue is now urgent as it could enable attackers to take control of sensitive information.

NVD published: May 8, 2026

An internal attacker can exploit a flaw in the Amazon Redshift JDBC Driver to execute unauthorized code on the host system. This could enable them to compromise the application, steal sensitive database credentials, and access protected information.

NVD published: May 8, 2026

An external attacker could weaken password security by exploiting a flaw in the Crypt::PasswdMD5 software. This could lead to the exposure of sensitive credentials and unauthorized access to user accounts.

NVD published: May 8, 2026

NornicDB is incorrectly accessible to the entire local network, allowing an internal attacker to use default credentials to gain full administrative control. This could lead to unauthorized access to sensitive business data.

NVD published: May 8, 2026

A vulnerability in fohrloop dash-uploader could let attackers run their own code on your systems by uploading specially crafted files. This is a serious risk for any system that accepts file uploads over the internet.

NVD published: May 8, 2026

OpenVPN authentication plugin flaw lets unauthenticated users into your VPN. This critical issue, affecting a specific plugin mode, bypasses security checks and grants unauthorized network access. Upgrade immediately to prevent breaches.

NVD published: May 8, 2026

Zebra, a Zcash node, incorrectly accepts blocks that violate network rules, potentially splitting the network and disrupting service. Update to version 4.4.0 or later.

NVD published: May 8, 2026

A critical flaw in Zcash node software could cause a blockchain split, disrupting transactions and network integrity. Promptly update your Zcash software to protect against this risk.

NVD published: May 8, 2026

An internal attacker with administrative access to a system running the Linux kernel mlx5e driver can exploit a memory handling error by sending crafted network traffic while running custom programs. This can trigger a system crash, causing a denial of service that disrupts network availability and system stability.

NVD published: May 8, 2026

An internal attacker with system access could exploit a flaw in the Linux kernel QLogic storage driver to force a system crash. This could lead to unplanned outages and the disruption of critical business storage workflows.

NVD published: May 8, 2026

An internal attacker with network access to the Ceph storage cluster could trigger a system crash and disrupt business operations. This vulnerability also risks exposing sensitive information from system memory, threatening both data privacy and overall service reliability.

NVD published: May 8, 2026

A security flaw in Linux kernel Ceph storage allows an internal attacker to send malicious data to trigger system crashes or access sensitive memory. This exposes the business to potential storage outages and the compromise of privileged system information.

NVD published: May 8, 2026

The Linux kernel has a security flaw that allows an internal attacker with local system access to manipulate memory, potentially resulting in unauthorized elevated privileges or system crashes. This creates a risk of operational disruption and compromised data security.

NVD published: May 8, 2026

An external attacker can exploit a flaw in the Linux kernel by analyzing system response times to guess secret authentication codes. This allows them to impersonate trusted network devices to intercept or inject sensitive data, potentially compromising the integrity of critical communications.

NVD published: May 8, 2026

An external attacker can exploit a flaw in the Linux kernel to guess secret network authentication keys by analyzing connection timing. This could allow them to impersonate trusted network devices, enabling unauthorized interception of sensitive data or the injection of malicious network traffic.

NVD published: May 8, 2026

An external attacker can exploit a vulnerability in the Linux kernel file-sharing service to crash the system or gain unauthorized control over the server. This threatens business operations by potentially causing service outages or allowing an attacker to compromise critical system access.

NVD published: May 8, 2026

An external attacker can exploit Linux's ksmbd file-sharing service to trigger a system crash or service outage. This flaw could allow unauthorized access to server memory, potentially leading to a complete compromise of the affected system.

NVD published: May 8, 2026

A critical flaw in the Zcash node software, Zebra, lets anyone on the internet crash the service by sending a fake transaction, potentially disrupting the network. Update immediately.

NVD published: May 8, 2026

Zebra's Zcash software could be tricked into accepting invalid transactions, potentially splitting the network into two conflicting versions, disrupting operations. Update immediately.

NVD published: May 8, 2026

Nhost authentication is broken, letting attackers steal user accounts by linking their own email via flawed login methods. Update Nhost immediately to prevent unauthorized access to sensitive data.

NVD published: May 8, 2026

A critical flaw in the Beauty Parlour Management System allows attackers to steal sensitive customer data remotely by accessing appointment details. This is a serious concern as it exposes private information and can be exploited without any special access.

NVD published: May 8, 2026

A critical flaw in PraisonAI allows unauthorized users to write files anywhere on your system, potentially leading to code execution and access to sensitive data. Upgrade PraisonAI to version 4.6.34 or newer immediately.

NVD published: May 8, 2026

A critical flaw in SEPPmail Secure Email Gateway lets attackers remotely execute code on your systems by tricking the GINA UI, potentially exposing sensitive data. This demands immediate attention due to its internet-facing nature.

NVD published: May 8, 2026

A critical flaw in SEPPmail Secure Email Gateway allows unauthenticated attackers to run their own code remotely by exploiting how it handles untrusted data, potentially compromising your email services.

NVD published: May 8, 2026

Unauthenticated attackers can access sensitive functions on SEPPmail Secure Email Gateway, a system protecting email communications, because of a flaw in its new interface. This advisory warrants attention now as the gateway is often internet-facing.

NVD published: May 8, 2026

An external attacker could send specific network traffic to the Linux kernel, potentially causing memory corruption and a system crash. This issue poses a risk to business operations by enabling disruptions to system availability.

NVD published: May 8, 2026

An internal attacker can exploit a flaw in Linux Ceph storage to force a system crash. This could disrupt critical business operations by making storage services unavailable.

NVD published: May 8, 2026

An external attacker can exploit the AI-scanner to run unauthorized commands on the system. This allows them to take full control of the server, potentially exposing sensitive model data and security credentials.

NVD published: May 8, 2026

A critical flaw in math-codegen allows attackers to run any command on your systems by exploiting how user input is processed, potentially giving them full control.

NVD published: May 8, 2026

PraisonAI versions before 4.6.9 have a critical flaw letting attackers run any command, potentially stealing data or disrupting services by exploiting its command handling. This needs immediate attention as it affects internet-facing systems.

NVD published: May 8, 2026

An internal attacker with legitimate access to Apache CloudStack can hijack other tenants' virtual machines. This could allow them to stop, start, or destroy those machines, resulting in service disruption and potential compromise of sensitive cloud resources.

NVD published: May 8, 2026

A critical flaw in DrayTek Vigor 2960 network gateways allows remote attackers to run any commands they want, potentially taking control of your network equipment. This requires basic credentials but could expose your entire network.

NVD published: May 8, 2026

An issue in Universal Robots PolyScope allows an internal attacker to run unauthorized commands on the robot’s operating system. This could provide full control over the robot, potentially causing significant disruptions to manufacturing processes.

NVD published: May 8, 2026

An external attacker can exploit weak PIN-based authentication on the CashDro 3 web panel to gain unauthorized administrative access by guessing login codes. This allows them to modify sensitive financial settings or alter the device's operational controls, potentially compromising system security.

NVD published: May 8, 2026

An external attacker can exploit a flaw in Remote Spark SparkView to bypass security checks and gain full administrative control of the server. This access allows them to run unauthorized commands, creating a severe risk of complete system compromise.

NVD published: May 8, 2026

Apache::Session for Perl can revive deleted sessions, potentially exposing old sensitive customer data. This advisory merits attention due to the risk of data recovery on internet-facing web applications.

NVD published: May 8, 2026

An internal attacker with valid administrative credentials could exploit the Netgate pfSense CE firewall to run unauthorized commands, potentially leading to full system control. This exposes the business to significant risk, as it could allow unauthorized manipulation of network traffic and compromise the security pe…

NVD published: May 8, 2026

An internal attacker with administrative access to Netgate pfSense CE can run unauthorized commands to take full control of the system. This allows them to modify critical security rules and intercept internal network traffic, potentially leading to long-term compromise of your network infrastructure.

NVD published: May 8, 2026

An internal attacker with limited access to the RayVentory Scan Engine can manipulate system settings to run unauthorized programs. This could grant them full administrative control over the host, potentially leading to a complete system compromise.

NVD published: May 8, 2026

An internal attacker with translation privileges in 1C-Bitrix can run unauthorized commands on the server. This allows the attacker to take full control of the system and access sensitive company data.

NVD published: May 8, 2026

GL.iNet devices have a critical flaw that lets attackers take full control by bypassing login using a special username, potentially exposing your network.

NVD published: May 8, 2026

An internal attacker with administrative access to LibreNMS can execute unauthorized commands to take full control of the monitoring server. This enables them to access sensitive network information or potentially compromise other critical business systems.

NVD published: May 8, 2026

An internal attacker can trick Electerm users into clicking malicious links or shortcuts to gain full control over their devices. This risk is significant because it can lead to the theft of sensitive login credentials and unauthorized access to remote servers managed by the software.

NVD published: May 8, 2026

An external attacker can exploit the Electerm terminal client by enticing users to click malicious links. This allows the attacker to run unauthorized programs or access private local files, potentially resulting in full control of the victim's machine and their management session.

NVD published: May 8, 2026

A critical flaw in the Axios library, used in Node.js applications, could allow attackers to hijack outbound requests if other application components are also compromised, potentially leading to data theft or unauthorized control.

NVD published: May 8, 2026

An external attacker could exploit a vulnerability in Electerm’s update process to execute unauthorized commands on the host machine. This could allow them to steal session credentials, delete files, and potentially take complete control of the system.

NVD published: May 8, 2026

Electerm contains a flaw that could allow an internal attacker to execute unauthorized commands on a user's machine. This issue puts stored credentials and sensitive network infrastructure at risk of exposure, potentially leading to full system compromise.

NVD published: May 8, 2026