Published threat advisories for May 13, 2026

An external attacker can exploit a flaw in Web::Passwd to take full control of the host server. This enables unauthorized access to sensitive system files and user credentials, which could lead to a complete compromise of the environment.

NVD published: May 13, 2026

An external attacker could exploit a flaw in the OPNsense firewall to gain full system control, potentially allowing them to intercept network traffic and compromise the organization's entire network gateway.

NVD published: May 13, 2026

A critical flaw in ERPNext allows any logged-in user to change company data they're not supposed to. Update ERPNext now to prevent unauthorized data manipulation in your business operations.

NVD published: May 13, 2026

An internal attacker with management privileges could gain full control of OPNsense firewalls by entering malicious commands into user email fields. This allows them to bypass security settings, risking complete system compromise and the potential failure of network defenses.

NVD published: May 13, 2026

An external attacker with administrative credentials could exploit OPNsense to gain full control over the firewall. This allows them to intercept network traffic and dismantle security defenses, putting the entire organization's internal network at risk.

NVD published: May 13, 2026

CubeCart versions before 6.7.0 have a critical flaw allowing any administrator to run commands on the server, potentially exposing your e-commerce data and systems. Update now to 6.7.0 or later.

NVD published: May 13, 2026

CubeCart's e-commerce stores are vulnerable to takeover via a critical file upload flaw in its API. Attackers can execute code on your server, potentially stealing data or gaining full control. This affects all versions prior to 6.7.0.

NVD published: May 13, 2026

A critical flaw in MISP, a threat intelligence platform, could allow attackers to steal or alter sensitive data by manipulating database queries. This affects internet-facing installations and requires immediate attention.

NVD published: May 13, 2026

CubeCart administrators can be tricked into revealing sensitive data or letting attackers run malicious code on the e-commerce site. This critical issue needs immediate attention for affected online stores.

NVD published: May 13, 2026

An external attacker could gain full administrative control of the Garmin WDU by tricking a user into visiting a malicious website. This could lead to unauthorized manipulation of maritime system functions and full operational control of the unit.

NVD published: May 13, 2026

An external attacker can trick a logged-in user of MISP Modules into unintentionally changing search parameters. This could allow the attacker to manipulate results, potentially leading to the misdirection or exposure of sensitive threat intelligence.

NVD published: May 13, 2026

A critical flaw in fast-jwt allows attackers to forge authentication tokens, potentially granting them access to sensitive data or administrative control by bypassing security checks without needing any credentials.

NVD published: May 13, 2026

An external attacker can exploit a flaw in Netty to confuse the application about which server response belongs to a specific request. This could allow them to hijack user sessions or access sensitive information by tricking the system into misinterpreting incoming data streams.

NVD published: May 13, 2026

A critical vulnerability in the Netty framework could allow attackers to hijack requests by tricking it into misinterpreting data, potentially impacting internet-facing applications and sensitive data.

NVD published: May 13, 2026

An external attacker can exploit a vulnerability in the Netty framework by sending malicious network traffic to our applications. This could allow them to crash our services or gain unauthorized control over systems processing this data, potentially disrupting business operations.

NVD published: May 13, 2026

A vulnerability in the Zoom Workplace VDI Plugin for Windows Installer may allow an authenticated local user to escalate privileges. This could affect organizations by enabling unauthorized access to systems and data. The risk is associated with local access to the affected installer.

NVD published: May 13, 2026

An external attacker can bypass the vm2 sandbox to execute unauthorized commands on the host system. This allows the attacker to gain full control over the infrastructure, creating a significant risk to the security of business operations.

NVD published: May 13, 2026

A critical flaw in the vm2 Node.js sandbox lets attackers take full control of services, potentially exposing sensitive data and undermining systems. This is a high priority because it's often used in internet-facing applications.

NVD published: May 13, 2026

A critical security flaw in the Node.js vm2 sandbox allows attackers to escape and run any code on your system, potentially exposing sensitive operations. Update vm2 immediately.

NVD published: May 13, 2026

A critical flaw in the vm2 Node.js sandbox allows attackers with privileged access to run any command on your system. Update vm2 to version 3.11.1 immediately to prevent full system compromise.

NVD published: May 13, 2026

An external attacker can exploit a security flaw in vm2 to bypass built-in protections and run unauthorized commands on our server. This could lead to a full system compromise and unauthorized access to sensitive business data.

NVD published: May 13, 2026

An external attacker can escape the vm2 sandbox by exploiting a flaw in its security controls. This allows the attacker to run unauthorized commands on the underlying server, which could lead to a total compromise of the host system.

NVD published: May 13, 2026

An external attacker can exploit a weakness in the vm2 library to break through security boundaries and run unauthorized software on host servers. This could result in full system compromise and unauthorized access to sensitive company resources.

NVD published: May 13, 2026

An external attacker can exploit a flaw in the vm2 sandbox to bypass its security boundaries and run unauthorized code. This could allow the attacker to expose sensitive business data or compromise the underlying host system.

NVD published: May 13, 2026

A critical flaw in NGINX could let anyone crash your web server or even run their own code by sending a bad request. This impacts widely used NGINX servers and needs your immediate attention.

NVD published: May 13, 2026

An issue in Ecommerce Systempay allows attackers to guess your secret key and steal payment data, potentially changing transaction amounts. This public-facing system needs immediate attention to protect finances.

NVD published: May 13, 2026

ELECOM wireless devices have a critical flaw that lets anyone take control without a password, potentially impacting your network access points.

NVD published: May 13, 2026

An internal attacker can bypass login screens on ELECOM wireless LAN access points to manage device settings without authorization. By gaining administrative control, they could tamper with network configurations or intercept sensitive business traffic.

NVD published: May 13, 2026

A flaw in Fleet allows an internal attacker with existing repository access to expose sensitive credentials stored across connected systems. This vulnerability risks significant data theft and could allow unauthorized control over critical business infrastructure.

NVD published: May 13, 2026

A vulnerability in GUARDIANWALL Mail products could allow attackers to run any code they want on your systems remotely. This is critical because it could let them take control of your mail security devices.

NVD published: May 13, 2026

An internal attacker with administrative access to Pentaho Data Integration & Analytics could exploit a flaw in database connection settings to run malicious code. This could allow them to take full control of the host server and access sensitive information.

NVD published: May 13, 2026