Published threat advisories for May 14, 2026

A vulnerability in HRConvert2 allows anyone to run commands on the server by uploading a file with a malicious name. This could lead to a full system compromise. Update to version 3.3.8.

NVD published: May 14, 2026

PrestaShop online stores are at risk of full admin takeover or data theft via a public website form, allowing attackers to hijack sessions. Update to version 8.2.6 or 9.1.1 immediately.

NVD published: May 14, 2026

An internal attacker can exploit Crabbox to expose sensitive information like API tokens and cloud credentials. This could lead to unauthorized access to your cloud resources or internal infrastructure.

NVD published: May 14, 2026

An external attacker can compromise a user's computer running Google Chrome by tricking them into visiting a malicious website. This flaw lets them bypass security protections to run unauthorized code and potentially steal sensitive files, leading to a full system compromise.

NVD published: May 14, 2026

An external attacker can exploit a flaw in Google Chrome by enticing users to visit a malicious website. This allows them to bypass security protections and potentially gain full control over user computers to steal sensitive data or install malicious programs.

NVD published: May 14, 2026

A flaw in SiYuan, a personal knowledge tool, allows malicious code to run when you view plugins in its marketplace, potentially exposing your information. Update SiYuan to version 3.7.0 or later.

NVD published: May 14, 2026

An external attacker could exploit a flaw in SiYuan to run unauthorized code on a user's computer. This could allow them to steal sensitive personal notes or gain full control over the host system.

NVD published: May 14, 2026

An external attacker can exploit a flaw in Gradient to register unauthorized systems, granting them access to sensitive job data. This allows them to inject malicious code, which could compromise the integrity of the company's software supply chain.

NVD published: May 14, 2026

SiYuan software has a critical flaw allowing malicious code execution from a crafted document title. This requires user interaction but can compromise your computer.

NVD published: May 14, 2026

An external attacker can exploit weak security settings in Note Mark to impersonate legitimate users. This allows them to gain unauthorized access to all stored notes and potentially take over administrator accounts.

NVD published: May 14, 2026

A critical vulnerability in mdserver-web allows anyone to take over your systems remotely by executing commands without any login. This issue is urgent because it's easy to exploit and can give attackers full control.

NVD published: May 14, 2026

Strapi CMS is vulnerable to unauthenticated administrative account takeover via its public content APIs. Attackers can exploit this by manipulating query parameters to extract sensitive tokens, leading to full system compromise.

NVD published: May 14, 2026

An internal attacker with administrative access to Strapi could use a flaw in its management tools to run unauthorized database commands. This allows them to steal sensitive files, crash systems, or gain full control over the database infrastructure.

NVD published: May 14, 2026

An external attacker could crash applications using GStreamer by submitting a malicious MP4 audio file. This interruption prevents media services from functioning, resulting in service outages that stop users from accessing content.

NVD published: May 14, 2026

FileBrowser Quantum has a critical flaw allowing unauthenticated attackers to delete any files they choose, not just those in shared folders, which could lead to significant data loss.

NVD published: May 14, 2026

An internal attacker with administrative access to the Valtimo platform could seize control of company systems and steal sensitive credentials. This puts confidential documents and business data at risk of unauthorized access or manipulation.

NVD published: May 14, 2026

Gotenberg's PDF processing API has a critical flaw allowing attackers to trick it into accessing your internal network services. Update immediately to version 8.31.0 to prevent this.

NVD published: May 14, 2026

Gotenberg servers processing PDFs can be fully controlled by attackers through a single unauthenticated request, allowing them to run any command on the server. This critical flaw affects versions prior to 8.31.0 and is easily exploitable over the network.

NVD published: May 14, 2026

An external attacker can manipulate MagicMirror² to probe private network resources and steal sensitive server credentials. This exposes confidential information and potentially allows unauthorized access to internal business systems.

NVD published: May 14, 2026

PyTorch Lightning contains a flaw that permits an internal attacker to covertly capture authentication materials when users run model training or fine-tuning scripts. This access could lead to unauthorized control over cloud environments and sensitive company resources.

NVD published: May 14, 2026

An external attacker can exploit a flaw in SoundCloud-RPC to gain control over a user's computer by manipulating track information. This allows the attacker to execute unauthorized commands, potentially leading to the theft of sensitive data or full system compromise.

NVD published: May 14, 2026

An internal attacker using the vCluster Platform can inject harmful code into templates to take over an administrator’s session. This could allow them to create unauthorized administrative accounts and gain full, unrestricted control over the platform.

NVD published: May 14, 2026

A flaw in E-Commerce Website software lets anyone hijack user accounts and steal sensitive data by bypassing security controls. This impacts online businesses and their customers directly.

NVD published: May 14, 2026

An SQL injection vulnerability in Akilli E-Commerce Website allows attackers to steal sensitive data or take control of your site, impacting customer information and business operations.

NVD published: May 14, 2026

A WordPress plugin called InfusedWoo Pro has a critical flaw allowing anyone to delete products, orders, or other site content without logging in, potentially disrupting sales and causing data loss.

NVD published: May 14, 2026

A critical flaw in the InfusedWoo Pro WordPress plugin allows unauthenticated attackers to steal admin access and gain full control of your website. This issue is urgent due to the ease of exploitation and potential for complete site takeover.

NVD published: May 14, 2026

A flaw in the Career Section WordPress plugin lets attackers upload harmful files to take control of your website, as it doesn't properly check file types. This affects job application forms, which are often public.

NVD published: May 14, 2026

A security flaw in the Burst Statistics WordPress plugin allows anyone to take over an administrator account by simply knowing the admin's username. This could let them control your entire website.

NVD published: May 14, 2026