Published threat advisories for May 15, 2026

An internal attacker can manipulate file uploads in Open WebUI to save malicious files to restricted system locations. This could allow them to override critical settings or run unauthorized code, leading to a complete compromise of the platform.

NVD published: May 15, 2026

An external attacker can bypass login on the Open WebUI platform by submitting an empty password. This allows unauthorized access to user accounts, which could expose sensitive chat history and internal system settings.

NVD published: May 15, 2026

phpMyFAQ's public API is vulnerable to SQL injection, potentially exposing sensitive customer data like credentials to unauthenticated attackers. This advisory deserves attention now due to the direct exposure of customer data and ease of exploitation.

NVD published: May 15, 2026

phpMyFAQ's admin login can be bypassed by guessing a six-digit code, giving anyone full control of your knowledge base. Update to version 4.1.2 or later immediately.

NVD published: May 15, 2026

WordPress plugin WP Super Edit has a critical flaw allowing attackers to upload harmful files, potentially giving them full control of your website. This issue is accessible from the internet and needs immediate attention.

NVD published: May 15, 2026

Tabby contains a flaw that allows an external attacker to compromise a user’s computer through a malicious link. If clicked, the attacker can run unauthorized commands, potentially leading to the theft of sensitive local files or complete control of the workstation.

NVD published: May 15, 2026

MCP Calculate Server contains a vulnerability that allows an external attacker to run malicious commands on the server by sending crafted mathematical queries. This could lead to a full system compromise, granting the attacker control over the server and unauthorized access to business data.

NVD published: May 15, 2026

LibJWT can be tricked into accepting fake tokens, allowing attackers to bypass security on internet-facing applications without needing any secret keys.

NVD published: May 15, 2026

A security flaw in Magento LTS allows attackers to easily hijack active sessions, potentially accessing sensitive customer data or disrupting your online store. This is a critical vulnerability affecting internet-facing APIs.

NVD published: May 15, 2026

An internal attacker with specific administrative privileges could exploit a vulnerability in OpenMRS to run unauthorized code. This could allow them to gain full system control and access sensitive patient data, creating a severe risk to data privacy and platform integrity.

NVD published: May 15, 2026

Google Cloud Application Integration has a critical flaw allowing unauthenticated attackers to steal sensitive data and run code remotely by exploiting exposed internal APIs.

NVD published: May 15, 2026

Diagram's export feature allows anyone to access local server files by sending a specially crafted message. This could lead to sensitive information being included in generated PDFs.

NVD published: May 15, 2026

DHTMLX PDF Export Module flaws let anyone gain control of your servers by sending a malicious link. This critical issue impacts DHTMLX Gantt and Scheduler products.

NVD published: May 15, 2026

DHTMLX Gantt and Scheduler products have a flaw that lets anyone view local files from the server within exported PDFs. Update the PDF Export Module to 0.7.6 to fix this information leak.

NVD published: May 15, 2026

A critical flaw in the WordPress Form Notify plugin lets anyone steal any account, even administrator ones, by tricking the login process. This impacts widely used websites and requires immediate attention.

NVD published: May 15, 2026

An external attacker can modify GPU configurations in the AMD Device Metrics Exporter. This allows them to disable device features, which could cause outages for GPU-dependent applications and disrupt critical computing workloads.

NVD published: May 15, 2026