Published threat advisories for May 19, 2026

Drupal's Date iCal module has a critical flaw allowing unauthorized access to sensitive calendar data. This affects public-facing websites and requires immediate attention.

NVD published: May 19, 2026

CtrlPanel billing software for hosting providers has a critical flaw allowing attackers to remotely execute commands on your server. This means attackers can take full control of your system if it's running an older version.

NVD published: May 19, 2026

A memory vulnerability in the Kitty terminal emulator allows an internal attacker to run unauthorized code by sending malicious data to an active terminal window. This could grant the attacker full control over the terminal session and lead to complete compromise of the host system.

NVD published: May 19, 2026

An internal attacker can exploit a configuration flaw in Windmill to modify system files during script execution. This enables them to intercept user credentials and gain unauthorized administrative access to workspaces, potentially compromising sensitive tenant data.

NVD published: May 19, 2026

Tenable's Terrascan, now archived, has a critical flaw allowing unauthenticated attackers to read local files or access internal systems if it's running in server mode. Since no fix is planned, immediate attention is needed to isolate or disable these instances.

NVD published: May 19, 2026

An external attacker can exploit Terrascan to read sensitive local files and steal stored credentials. This could allow unauthorized access to connected cloud services and infrastructure, potentially compromising critical business systems.

NVD published: May 19, 2026

Panabit PAP-XM320 devices have a critical flaw that allows attackers to bypass logins remotely, potentially exposing sensitive network traffic and services.

NVD published: May 19, 2026

An external attacker could exploit a security flaw in hitarth-gg Zenshin to execute unauthorized commands on our server. This could grant them full control over the host, potentially exposing sensitive data and enabling persistent access.

NVD published: May 19, 2026

An external attacker can exploit a flaw in APScheduler to gain full control of affected servers. This allows them to steal sensitive data or hijack systems, creating a significant risk to critical business information.

NVD published: May 19, 2026

A critical flaw in the LalanaChami Pharmacy system allows anyone on the internet to steal customer data, including passwords and private medical records, and alter inventory. This needs immediate attention to protect sensitive information.

NVD published: May 19, 2026

A critical flaw in the LalanaChami Pharmacy Management System lets anyone register as an administrator, potentially exposing sensitive patient data and system control to unauthorized individuals.

NVD published: May 19, 2026

Scalar Proxy has a critical flaw letting attackers steal credentials and control systems by tricking it into visiting malicious links, potentially exposing sensitive data.

NVD published: May 19, 2026

Scalar Proxy has a critical flaw allowing attackers to upload malicious files and run unauthorized code on your systems remotely, potentially impacting internet-facing systems.

NVD published: May 19, 2026

A critical flaw in NGINX JavaScript allows unauthenticated attackers to crash or potentially take control of internet-facing servers through crafted requests, impacting service availability and data security.

NVD published: May 19, 2026

Tyler Identity Local uses default passwords that can allow an internal attacker to gain full administrative control of the application. This could enable them to modify identity records, change system settings, or export sensitive user data, resulting in a total compromise of the identity management system.

NVD published: May 19, 2026

A critical vulnerability in Glassfish allows attackers to take complete control of your systems by sending malicious files, potentially leading to data theft. This is a serious risk because the affected system is often exposed to the internet.

NVD published: May 19, 2026

An internal attacker with valid credentials can misuse the GlassFish administration console to run unauthorized system commands. This could allow them to gain full control over the server, leading to compromised data and potential long-term access to critical business systems.

NVD published: May 19, 2026

An external attacker could exploit a flaw in Thunderbird by sending a malicious email that, when opened, allows them to run unauthorized code on the computer. This could grant the attacker access to sensitive communications, private attachments, and login credentials, putting the entire system at risk.

NVD published: May 19, 2026

An external attacker can exploit memory flaws in Thunderbird by sending malicious emails. This allows them to take control of the user's computer, enabling them to steal sensitive data or install persistent malware.

NVD published: May 19, 2026

Thunderbird contains a flaw that an external attacker can trigger by sending a malicious email, allowing them to take control of the user's computer. This poses a significant risk to sensitive business data, as it could enable attackers to install harmful software or access private files.

NVD published: May 19, 2026

An external attacker can exploit a flaw in Firefox and Thunderbird by luring users to malicious websites or emails to bypass security safeguards. This allows them to run unauthorized code, giving them full control over your workstations and access to sensitive data.

NVD published: May 19, 2026

An external attacker can exploit Firefox and Thunderbird by luring users to malicious sites or opening crafted files to trigger a memory error. This allows them to seize control of the browser to steal sensitive credentials or potentially compromise the entire system.

NVD published: May 19, 2026

An external attacker can exploit a security weakness in Firefox and Thunderbird to bypass browser protections and take control of a user’s computer. This allows the attacker to steal sensitive information or install unauthorized software on the host system.

NVD published: May 19, 2026

An external attacker can exploit Firefox or Thunderbird to bypass security boundaries if a user visits a malicious website. This allows the attacker to steal sensitive session data or authentication tokens, potentially leading to unauthorized account takeover.

NVD published: May 19, 2026

An external attacker can exploit a flaw in Firefox and Thunderbird to steal sensitive data and session information when a user visits a malicious website, potentially leading to unauthorized account access or the theft of private business credentials.

NVD published: May 19, 2026

Apache Camel has a critical flaw allowing unauthenticated attackers to execute arbitrary code or write files on your systems through crafted HTTP requests. This needs immediate attention to protect your integrations.

NVD published: May 19, 2026

HestiaCP's web terminal has a flaw allowing unauthenticated attackers root access to your server by sending malicious HTTP headers, potentially exposing sensitive data.

NVD published: May 19, 2026

An external attacker can bypass security controls in Sparx Pro Cloud Server to run unauthorized database commands. This exposes sensitive project information and credentials, which could lead to the loss of proprietary intellectual property.

NVD published: May 19, 2026

The Piotnet Forms WordPress plugin has a critical flaw allowing anyone to upload dangerous files, potentially letting attackers take control of your website. This is a serious risk for any site using this plugin.

NVD published: May 19, 2026

An internal attacker with local access to the Linux kernel could exploit a flaw in cryptographic operations to crash the system. This could result in critical service outages and negatively impact business availability.

NVD published: May 19, 2026

A critical vulnerability in TYPO3 allows unauthenticated attackers to run malicious code on your server by sending a specially crafted cookie, potentially leading to full server compromise.

NVD published: May 19, 2026

An external attacker can take advantage of a flaw in the Apache OFBiz password-change process to gain full control of the server. This could allow unauthorized access to sensitive company data and compromise our critical ERP operations.

NVD published: May 19, 2026

Apache OFBiz has a critical flaw allowing attackers to steal data or control systems by manipulating search queries. This is a serious risk for any internet-facing OFBiz deployment.

NVD published: May 19, 2026

Apache OFBiz has a critical flaw allowing unauthenticated access to sensitive data or system control by exploiting hard-coded encryption keys. Upgrade immediately to version 24.09.06.

NVD published: May 19, 2026

A critical flaw in the Piotnet Addons for Elementor Pro WordPress plugin lets unauthenticated attackers upload dangerous files to your server, potentially allowing them to run any code they want.

NVD published: May 19, 2026

A flaw in Samsung Escargot allows for buffer overflows, potentially impacting system integrity and data confidentiality. Exploitation can occur over the network without authentication, posing a risk to affected organizations.

NVD published: May 19, 2026

A heap-based buffer overflow in Samsung Escargot allows attackers to overflow buffers. This can impact systems and data, presenting a business risk. Attackers could gain unauthorized access or disrupt services. Organizations should identify affected assets and reduce exposure.

NVD published: May 19, 2026

A use-after-free vulnerability in Samsung's Escargot component could permit pointer manipulation, potentially affecting system integrity and data availability. This presents a business risk due to possible data compromise and service disruption. Organizations using this component should address the vulnerability to mit

NVD published: May 19, 2026