Published threat advisories for May 12, 2026

A previous fix for ChurchCRM was incomplete and unintentionally removed, leaving versions 7.2.0-7.2.2 vulnerable to exploitation. This issue allows unauthorized access to sensitive data and system functions.

NVD published: May 12, 2026

By targeting the setup wizard in ChurchCRM, an external attacker can gain complete control over the host server. This allows the attacker to steal sensitive member data or maintain unauthorized, long-term access to the organization's infrastructure.

NVD published: May 12, 2026

Java applications using Thymeleaf are at risk from a security bypass vulnerability that could allow attackers to inject malicious code and gain control. This affects widely deployed web applications that process user input.

NVD published: May 12, 2026

Scramble can let attackers run code on your systems if its documentation features are exposed to the internet and use unchecked user input. Update to version 0.13.22 to fix this.

NVD published: May 12, 2026

A critical flaw in Enterprise Framework for Web allows attackers to move files anywhere, bypassing security controls. This could lead to data breaches or system disruption.

NVD published: May 12, 2026

A critical flaw in the Enterprise Framework for Web allows unauthenticated attackers to upload malicious code and take over your web servers, potentially exposing sensitive data.

NVD published: May 12, 2026

An internal attacker with access to Nginx UI can manipulate system settings to bypass network security controls. This allows them to interact with restricted internal services, potentially exposing critical configuration files or private business data.

NVD published: May 12, 2026

An internal attacker with existing wger permissions can reset the passwords of other users to take over their accounts. This enables unauthorized access to user profiles and sensitive information.

NVD published: May 12, 2026

An external attacker can send a malicious web request to an Arduino ESP32 device, potentially gaining full control over the unit and its connected hardware. This creates a significant risk to the security and operational reliability of any internet-connected system using this technology.

NVD published: May 12, 2026

A flaw in Django's file upload tool, django-s3file, could let attackers trick your app into loading files from anywhere, potentially exposing or changing sensitive data.

NVD published: May 12, 2026

Exim mail servers have a critical flaw that allows attackers to take complete control of your systems without needing any login. This serious vulnerability affects how Exim handles certain email transfers, making it a prime target for immediate attention.

NVD published: May 12, 2026

Pulpy contains a security flaw allowing an internal attacker to bypass access restrictions and steal sensitive data, such as SSH keys and cloud credentials. This could lead to unauthorized access to critical systems and compromise your organization's remote infrastructure.

NVD published: May 12, 2026

An internal attacker with limited ArcadeDB credentials can bypass security controls to read, change, or delete data in any database on the server. This flaw allows unauthorized access to sensitive company information and could result in the loss of administrative control over the entire database system.

NVD published: May 12, 2026

Relay Server versions 0.9.0-0.9.6 have a critical flaw allowing anyone to read or change shared documents without a password. This impacts real-time collaboration by letting attackers access sensitive content over the network.

NVD published: May 12, 2026

An internal attacker with administrative access to MongoDB Ops Manager can manipulate webhook settings to execute unauthorized commands. This could allow them to gain full control of the server, potentially exposing critical infrastructure and sensitive management systems to compromise.

NVD published: May 12, 2026

SPIP versions before 4.4.14 have a critical flaw allowing attackers to run any code on your website by exploiting certain server setups. This is a serious risk to your online presence.

NVD published: May 12, 2026

A critical flaw in Adobe Connect could let attackers take over user accounts or sessions by tricking them into clicking a bad link. This vulnerability, affecting the desktop application, allows attackers to inject malicious scripts.

NVD published: May 12, 2026

An external attacker can exploit Adobe Connect by luring users to malicious links, allowing them to run unauthorized code on the user's computer. This could lead to the theft of sensitive meeting materials and confidential company communications.

NVD published: May 12, 2026

A critical flaw in WGDashboard, a tool for managing WireGuard VPNs, allows anyone to access your server's files without a password, posing a significant security risk.

NVD published: May 12, 2026

A critical flaw in Fortinet FortiAuthenticator could let attackers run unauthorized code, potentially exposing sensitive data and systems. Act now to address this security risk.

NVD published: May 12, 2026

Pingvin Share X has a critical flaw where an attacker with a valid username and password can bypass the second layer of security, risking access to your files. Upgrade now to protect your data.

NVD published: May 12, 2026

An external attacker can exploit a flaw in Cleanuparr to bypass security and gain full administrative access by spoofing network requests. This allows them to modify automation settings, manipulate connected download clients, or delete files without authorization.

NVD published: May 12, 2026

An internal attacker can exploit a flaw in Microsoft Dynamics 365 (on-premises) to run unauthorized code on the server, potentially gaining full administrative control. This could result in the theft of sensitive business data and allow further movement within the company network.

NVD published: May 12, 2026

Microsoft Dynamics 365 (on-premises) contains a flaw that allows an internal attacker to run unauthorized system commands. This risk could enable them to gain full administrative control over the application server and access sensitive enterprise data.

NVD published: May 12, 2026

An internal attacker with existing access to Azure Logic Apps could manipulate the system to grant themselves unauthorized permissions. This allows them to disable critical business automations, potentially compromising sensitive data and gaining control over connected systems.

NVD published: May 12, 2026

DevGuard vulnerability management can be fully controlled by an attacker over the internet, impacting all users and sensitive organizational resources.

NVD published: May 12, 2026

An internal attacker with valid login credentials can exploit a flaw in Langflow to delete files from the server. This could lead to permanent data loss and critical service disruptions for the business.

NVD published: May 12, 2026

A critical flaw in the Microsoft SSO Plugin for Jira and Confluence allows unauthorized attackers to gain administrative control remotely, potentially exposing sensitive company data.

NVD published: May 12, 2026

An external attacker can send malicious network traffic to the Microsoft Windows DNS service to gain full control of the affected server. Since this service is fundamental to network communication, a breach could allow unauthorized access to critical systems and sensitive company information.

NVD published: May 12, 2026

An external attacker could exploit a flaw in Windows Netlogon to steal administrative credentials and move through the network. This risk could result in a complete business disruption and unauthorized access to your company’s entire digital environment.

NVD published: May 12, 2026

An internal attacker could gain administrative control of virtualized environments by exploiting a memory flaw in Windows Hyper-V. This could lead to system compromise or lateral movement within the network.

NVD published: May 12, 2026

A vulnerability in Microsoft Azure Entra ID allows unauthorized access to sensitive information and impersonation over the network, impacting a widely used identity service.

NVD published: May 12, 2026

A memory management flaw in Microsoft Office allows an unauthorized attacker to execute code locally on affected systems, potentially leading to data compromise and business disruption. This vulnerability impacts various Microsoft Office products. The risk is classified as internal, meaning exploitation typically requi

NVD published: May 12, 2026

An internal attacker with basic Microsoft Dynamics 365 Customer Insights access could trick the system to gain administrative privileges. This allows them to access sensitive customer data and manipulate critical business settings, potentially compromising proprietary information.

NVD published: May 12, 2026

An external attacker could exploit a flaw in the Azure SDK to bypass security controls, potentially gaining unauthorized access to sensitive company data or administrative control over cloud-hosted resources.

NVD published: May 12, 2026

The mem0 server has a critical flaw allowing anyone to wipe all its data and shut down the service. This affects systems using mem0 v1.0.0, potentially leading to total data loss.

NVD published: May 12, 2026

The Mamba language model framework allows an external attacker to compromise systems if a developer downloads a compromised pre-trained model. This flaw lets the attacker run unauthorized software, which could lead to the theft of sensitive company data and credentials.

NVD published: May 12, 2026

An external attacker can use the Ludwig framework to seize control of the host server by submitting a malicious model file. This could result in a full compromise of the system and unauthorized access to sensitive business data.

NVD published: May 12, 2026

The Ludwig framework contains a security flaw that allows an external attacker to run unauthorized commands on your system by providing a malicious data file. This can lead to a full system compromise, granting them control over your infrastructure and access to sensitive files.

NVD published: May 12, 2026

An internal attacker could use the llm tool to take full control of a user’s computer. This could result in the theft of sensitive local files and stored credentials, creating a serious security risk for business information.

NVD published: May 12, 2026

The Imgaug library contains a flaw that allows an internal attacker to run unauthorized code on host systems. By manipulating shared data, they could take control of the system, potentially accessing sensitive files or establishing long-term access.

NVD published: May 12, 2026

Horovod's KVStore has a critical flaw allowing attackers to execute code on your systems by sending malicious data over the network. This affects distributed computing environments.

NVD published: May 12, 2026

A security flaw in Guardrails AI could allow an internal attacker to execute malicious code during package installations. This could lead to stolen credentials, exposed source code, and unauthorized control over developer workstations and connected environments.

NVD published: May 12, 2026

Cognee versions before 0.4.0 have a critical flaw in their code execution feature that lets attackers run any command on your server remotely and take complete control. Act now to protect your systems.

NVD published: May 12, 2026

An internal attacker can exploit a flaw in the Adversarial Robustness Toolbox to gain control of the application. This could lead to a full system compromise, providing them with unauthorized administrative access to the machine learning evaluation environment.

NVD published: May 12, 2026

A critical flaw in the Adversarial Robustness Toolbox lets attackers run their own code by uploading a fake model file, potentially giving them control over your systems.

NVD published: May 12, 2026

WHMCS customers' account data can be accessed by other authenticated users due to an insufficient ownership check, potentially exposing sensitive information.

NVD published: May 12, 2026

A critical flaw in Fortinet FortiSandbox allows anyone on the internet to run unauthorized commands, potentially taking control of your security systems. Update immediately.

NVD published: May 12, 2026

JunoClaw records secret wallet access keys within system logs and data streams. An external attacker can intercept this data to hijack accounts, resulting in unauthorized asset transfers and loss of control over the wallet.

NVD published: May 12, 2026

An internal attacker could exploit a flaw in the Intel Graphics Driver for VMware ESXi to gain administrative access, potentially compromising the confidentiality, integrity, and availability of critical system components. This matters to the business as it could lead to unauthorized control over sensitive data and es…

NVD published: May 12, 2026

An external attacker can target the Open Source Kubectl MCP Server by tricking users into visiting a malicious webpage. This flaw allows the attacker to execute unauthorized commands, potentially leading to full administrative access over connected Kubernetes clusters and exposing sensitive infrastructure data.

NVD published: May 12, 2026

Apache Tomcat has a critical flaw allowing unauthorized access to applications. This issue affects web servers when authorization rules are misconfigured, potentially exposing sensitive data and allowing unauthorized actions.

NVD published: May 12, 2026

A critical flaw in Apache Tomcat lets anyone bypass login to access sensitive applications or data. This affects internet-facing systems, so immediate patching is crucial.

NVD published: May 12, 2026

A critical flaw in Apache Tomcat allows unauthenticated attackers to take control of services or steal data over the network. Because Tomcat is widely used to host web applications, this issue deserves immediate attention.

NVD published: May 12, 2026

An external attacker could exploit a flaw in the Adversarial Robustness Toolbox by providing malicious model configuration parameters. This allows them to execute unauthorized commands on the underlying system, leading to full control and unauthorized access to valuable model data.

NVD published: May 12, 2026

TinyZero has a security flaw that allows an internal attacker to execute unauthorized system commands by supplying malicious file paths. This could lead to a complete compromise of the underlying host, enabling access to sensitive training data and environment secrets.

NVD published: May 12, 2026

An external attacker can exploit the PySyft platform by submitting malicious code to gain complete control over the server. This flaw creates a severe risk, enabling unauthorized access to sensitive data and a full compromise of the hosting environment.

NVD published: May 12, 2026

An internal attacker can exploit a flaw in Optimate to gain full control of the system by processing malicious files. This unauthorized access allows them to steal sensitive environment variables, source code, and internal resources, threatening critical business operations.

NVD published: May 12, 2026

A critical flaw in nexent's backend allows anyone to delete important files remotely, risking data loss and service downtime. This needs immediate attention.

NVD published: May 12, 2026

An external attacker could exploit the Nexent backend to remotely delete files and sensitive data. This issue could lead to the permanent loss of business information and service outages, disrupting critical operations.

NVD published: May 12, 2026

An external attacker can trick the ml-engineering tool into processing a malicious file to take control of the system. This allows them to steal sensitive training data and API keys, creating a risk of full system compromise.

NVD published: May 12, 2026

Pandora FMS versions 777 through 800 have a critical flaw. An attacker can bypass security and access your system's monitoring data and controls through the API.

NVD published: May 12, 2026

An external attacker can compromise a Firefox user's workstation by luring them to a malicious website that exploits a flaw in the browser's profile backup process. This allows the attacker to steal private user data or install malicious software, potentially leading to a full system takeover.

NVD published: May 12, 2026

An internal attacker with valid system access can exploit a file handling flaw in Ivanti Xtraction to read sensitive data or inject malicious scripts. This could result in the theft of confidential information and hijacked user sessions, directly compromising the security of company data.

NVD published: May 12, 2026

The sealed-env library mistakenly exposes sensitive authentication codes in application logs and system dumps. An internal attacker can steal these credentials to bypass multi-factor security and gain unauthorized administrative control over sensitive internal systems.

NVD published: May 12, 2026

A critical flaw in Dovecot authentication could let attackers steal data or take control of your systems. Update now to prevent unauthorized access.

NVD published: May 12, 2026

An internal attacker with local access to an Ingecon Sun EMS Board could exploit a flaw to bypass login security and obtain administrative credentials. This would allow them to change device settings and gain full control over the energy management infrastructure.

NVD published: May 12, 2026

Databases created in Google Cloud AlloyDB for PostgreSQL using automation may contain insecure default passwords, allowing an external attacker to gain full administrative access. This could let unauthorized users steal sensitive business data and compromise your systems.

NVD published: May 12, 2026

A security vulnerability in ROS# allows an external attacker to bypass file protections and view sensitive system files. This unauthorized access can expose proprietary data and stored credentials, risking the confidentiality of business information.

NVD published: May 12, 2026

An internal attacker with access to Siemens motion control devices can exploit a software flaw to hijack other users' web sessions. This allows them to perform unauthorized administrative actions, potentially leading to modified system configurations or the disruption of critical industrial operations.

NVD published: May 12, 2026

Siemens PLCs have a flaw allowing an internal attacker to inject code into the web interface. If a legitimate user accesses the device, the attacker can hijack their session to modify critical operational settings or gain unauthorized control over the industrial system.

NVD published: May 12, 2026

An SQL injection flaw in Akilli Commerce's E-Commerce Website could allow unauthorized access to customer data or disruption of sales. This warrants attention due to the platform's likely internet exposure.

NVD published: May 12, 2026

An external attacker can exploit a security flaw in the Kura Sushi Official App to intercept or manipulate push notifications. This could allow attackers to send deceptive messages or phishing links to customers, potentially leading to unauthorized access to sensitive account information.

NVD published: May 12, 2026

A configuration flaw in SAP Commerce Cloud allows unauthorized access to execute harmful code on your servers, potentially compromising all your data and operations.

NVD published: May 12, 2026

An internal attacker with access to the SAP S/4HANA enterprise search feature can manipulate the system to view restricted business data or cause service crashes. This risks exposing sensitive organizational information and interrupting essential business operations.

NVD published: May 12, 2026

An external attacker could exploit a flaw in Cribl Edge to potentially intercept sensitive data or alter data routing. This could lead to unauthorized access to company telemetry, large-scale data exfiltration, or the subversion of internal security monitoring systems.

NVD published: May 12, 2026

An external attacker could potentially exploit a vulnerability in Cribl Stream to compromise critical data pipelines and sensitive logs. Because vulnerability details are currently reserved, the specific risk to business operations and system security remains uncertain.

NVD published: May 12, 2026

An external attacker could potentially exploit an undisclosed vulnerability in the Cribl Edge platform. While the specific technical impact remains unknown due to the lack of public disclosure, this flaw poses a risk to the sensitive observability data managed by the system.

NVD published: May 12, 2026