Published threat advisories for May 21, 2026

The BookingPress Pro WordPress plugin has a flaw allowing attackers to upload any file, potentially giving them control of your website's server. This is a critical risk for sites using booking forms with a signature field.

NVD published: May 21, 2026

Concrete CMS installations are affected by a vulnerability where an attacker can trigger core system updates. This matters because it could allow an attacker to force the system to update to a version they specify, posing a business risk to organizations if exploited.

NVD published: May 21, 2026

Concrete CMS versions prior to 9.5.1 have a vulnerability that could allow an attacker to execute arbitrary code on the affected system. This occurs when an attacker manipulates a remote package update request. The potential impact includes unauthorized code execution on the web server, which could compromise data and

NVD published: May 21, 2026

A security flaw in Concrete CMS could let someone trick an administrator into installing harmful code, giving them control of your website. This requires an admin to visit a malicious link.

NVD published: May 21, 2026

Concrete CMS versions before 9.5.1 have a flaw that lets attackers trick administrators into upgrading software with just a link, potentially impacting site security.

NVD published: May 21, 2026

A vulnerability in Concrete CMS allows authenticated users to gain administrative privileges by manipulating user group assignments. This could disrupt operations and impact data access controls. Organizations should identify affected systems and limit dashboard access.

NVD published: May 21, 2026

Concrete CMS has a flaw that lets editors inject harmful code, potentially stealing user information or hijacking sessions on websites.

NVD published: May 21, 2026

Concrete CMS versions 9.5.0 and below have a security flaw in their OAuth integration that could let an administrator see sensitive login information from users.

NVD published: May 21, 2026

Concrete CMS installations are affected by a vulnerability that allows an attacker to trick an authenticated administrator into downloading arbitrary marketplace packages, potentially leading to unauthorized software installation. The risk involves an unauthenticated attacker leveraging a CSRF flaw and an administrator

NVD published: May 21, 2026

A vulnerability in Concrete CMS versions prior to 9.5.1 could allow unauthorized code execution. An authenticated administrator could exploit this flaw via the REST API, potentially leading to complete server takeover. This poses a significant business risk to organizations using affected versions.

NVD published: May 21, 2026

Concrete CMS has a critical flaw allowing administrators to execute malicious code on your server by uploading specially crafted files. This impacts internet-facing applications and deserves immediate attention.

NVD published: May 21, 2026

A LiteLLM vulnerability allows any user to gain full administrative control, accessing all data and user information. This needs immediate attention as it could lead to significant compromise.

NVD published: May 21, 2026

LiteLLM allows authenticated users to create API keys granting admin access, bypassing security controls and enabling unauthorized control of your systems.

NVD published: May 21, 2026

An internal attacker with basic website access can use the GSheet For Woo Importer plugin to delete API tokens and configuration settings. This unauthorized access disrupts product data synchronization, causing a loss of functionality in automated import and export workflows.

NVD published: May 21, 2026

A vulnerability in the IINA media player allows remote attackers to execute commands via a crafted URL. This could impact user systems by allowing arbitrary command execution upon user interaction with a malicious link and browser prompt. The business risk involves potential system compromise and unauthorized control.

NVD published: May 21, 2026

Organizations using the Authen::TOTP Perl library may be affected by predictable secret generation. This predictability poses a business risk by potentially allowing attackers to derive secrets, compromising security systems.

NVD published: May 21, 2026

A vulnerability in Open ISES Tickets may allow an attacker to intercept sensitive data during mobile login. This could expose API keys or session information. The business risk involves potential unauthorized access and data manipulation.

NVD published: May 21, 2026

A flaw in Open ISES Tickets allows attackers to intercept sensitive data during login by bypassing security certificate checks. This impacts organizations using affected versions, risking exposure of API keys or session data. The realistic business risk involves potential data compromise during transit.

NVD published: May 21, 2026

Organizations using Open ISES Tickets may face risk from a TLS certificate verification flaw. An attacker on the network path could present a forged certificate to intercept or modify sensitive data in transit. This affects outbound HTTPS requests.

NVD published: May 21, 2026

Open ISES Tickets improperly disables security checks when making external requests, potentially exposing sensitive API keys or session data to attackers who can intercept network traffic.

NVD published: May 21, 2026

Open ISES Tickets exposes hardcoded database passwords in its code, potentially allowing unauthorized access to sensitive data if the code is publicly accessible. This issue warrants immediate attention for any organization using this software.

NVD published: May 21, 2026

Open ISES Tickets has a critical flaw where database login details are exposed in a public file, allowing anyone to potentially access sensitive customer data.

NVD published: May 21, 2026

Open ISES Tickets has a critical security flaw that lets attackers steal or alter your company's data through a common web portal. Update now to protect sensitive information.

NVD published: May 21, 2026

Open ISES Tickets has a SQL injection flaw that lets attackers steal or alter customer data by manipulating reports. Update to version 3.44.2 to protect sensitive information.

NVD published: May 21, 2026

Open ISES Tickets has a SQL injection flaw allowing authenticated users to steal or change customer data by exploiting the mobile interface. This could lead to sensitive information compromise.

NVD published: May 21, 2026

Open ISES Tickets has a flaw allowing authenticated users to corrupt or steal data from the system's database. Update now to prevent unauthorized access to sensitive information.

NVD published: May 21, 2026

Open ISES Tickets has a critical flaw allowing authenticated users to tamper with sensitive database information. Update now to protect your customer data from unauthorized access and modification.

NVD published: May 21, 2026

This vulnerability in Open ISES Tickets affects how external GPS data is processed, potentially allowing attackers to manipulate location and assignment records. The risk involves unauthorized data alteration impacting operational visibility.

NVD published: May 21, 2026

A flaw in Open ISES Tickets could let someone with an account read or change your company's data by manipulating database requests. This is important because ticketing systems often hold sensitive customer information.

NVD published: May 21, 2026

A vulnerability in Open ISES Tickets allows authenticated attackers to access, modify, or delete database contents. This risk arises from unescaped input that can alter query logic, potentially compromising data integrity and confidentiality. Organizations using this software should address this to protect sensitive in

NVD published: May 21, 2026

An authenticated user can exploit a flaw in Open ISES Tickets to read, modify, or delete your sensitive database information. This vulnerability requires a patch to prevent unauthorized access.

NVD published: May 21, 2026

Open ISES Tickets has a vulnerability that lets authenticated users steal or change your company's important data. This is a serious risk that needs immediate attention.

NVD published: May 21, 2026

Open ISES Tickets has a vulnerability allowing authenticated users to inject harmful code, potentially leading to session hijacking or stolen credentials if viewed by another user.

NVD published: May 21, 2026

Apache Fory has a critical flaw allowing attackers to bypass security checks when processing data, potentially leading to system control. Update now.

NVD published: May 21, 2026

ConnectWise Automate™ Agent component authenticity may not be fully verified, potentially allowing unauthorized modifications. This could impact affected systems and data. Organizations should update to a version that addresses this vulnerability to mitigate business risk.

NVD published: May 21, 2026

A critical flaw in the WP Directory Kit WordPress plugin could let unauthorized individuals steal sensitive customer data from your website's database without needing a password.

NVD published: May 21, 2026

A vulnerability in Trend Micro Apex One agents may allow a local attacker to gain elevated privileges. This requires the attacker to first execute low-privileged code on the system. The business risk includes unauthorized access to and modification of system data and operations.

NVD published: May 21, 2026

A vulnerability in the Apex One/SEP agent allows local attackers with low-privileged code execution to escalate privileges. This impacts system confidentiality, integrity, and availability, posing a business risk. Exploitation requires prior access to the target system.

NVD published: May 21, 2026

An origin validation vulnerability in the Apex One/SEP agent allows a local attacker with low-privileged code execution to escalate privileges. This impacts affected installations, potentially leading to data compromise and system compromise. Business risk is associated with unauthorized access and control over systems

NVD published: May 21, 2026

A vulnerability in Trend Micro Apex One allows a local attacker with low-privileged code execution to escalate privileges. This impacts affected systems by potentially compromising data and system integrity, posing a business risk if exploited. Remediation is advised.

NVD published: May 21, 2026

This vulnerability in Trend Micro Apex One allows a local attacker with low-privileged code execution to escalate privileges. Exploitation could lead to unauthorized access and disruption of business operations. The risk to organizations involves potential compromise of sensitive data and system control if the vulnerab

NVD published: May 21, 2026

A vulnerability in Trend Micro Apex One could allow a local attacker with low-privileged code execution to escalate privileges on affected systems. This presents a business risk of unauthorized access and modification of data.

NVD published: May 21, 2026

A local attacker with low-privileged code execution could escalate privileges on affected Trend Micro Apex One installations. This presents a business risk by potentially compromising protected systems, impacting data confidentiality, integrity, and availability. The risk is considered high due to the potential for pri

NVD published: May 21, 2026

ManageEngine ADSelfService Plus, DataSecurity Plus, and RecoveryManager Plus have a vulnerability allowing attackers with access to run malicious code on your systems, potentially leading to data compromise. This needs immediate attention.

NVD published: May 21, 2026

Trend Micro Apex One has a flaw that could let someone with limited access gain full control of your machine. This was fixed in late 2025, so ensure your software is updated.

NVD published: May 21, 2026

A local attacker with low-privileged code execution could escalate privileges on Trend Micro Apex One (mac) agents. This impacts affected installations by potentially compromising system integrity and data confidentiality. The realistic business risk involves unauthorized access and control on compromised systems.

NVD published: May 21, 2026

A vulnerability in Trend Micro Apex One allows a local attacker to escalate privileges. This could affect systems by enabling unauthorized access and control. The risk to organizations is associated with potential data compromise and system integrity if affected systems are not updated.

NVD published: May 21, 2026

A flaw in Trend Micro Apex One's iCore service may allow a local attacker with existing low-privileged access to escalate privileges, potentially impacting data and system control. This vulnerability requires an attacker to first gain limited code execution on the target system. Affected organizations should assess the

NVD published: May 21, 2026

Trend Micro Apex One has a serious flaw allowing a local attacker with basic access to gain full control of the system. This is critical because it escalates a minor intrusion into a major security breach on your network.

NVD published: May 21, 2026

A vulnerability in Trend Micro Apex One could let someone with limited system access gain administrative control, allowing them to make major changes to your computers.

NVD published: May 21, 2026

An external attacker could exploit a flaw in the Trend Micro Apex One management console to gain full control of the system. This would allow them to disable security defenses and take over the endpoints the software manages.

NVD published: May 21, 2026

Trend Micro Apex One has a security flaw in its management console that allows an external attacker to upload and execute malicious files. This could grant an attacker full administrative control over your security infrastructure, allowing them to disable endpoint defenses and compromise the network.

NVD published: May 21, 2026

PosCube's QR Menu has a critical flaw that lets anyone access sensitive data without logging in, and the vendor hasn't responded.

NVD published: May 21, 2026

WifiBurada has a flaw allowing unauthorized access to private customer information. This impacts internet-facing services and requires immediate attention due to the potential for data exposure.

NVD published: May 21, 2026

The Divi Form Builder plugin for WordPress has a critical vulnerability that allows attackers to create administrator accounts on your website without any authentication, potentially leading to a full site takeover.

NVD published: May 21, 2026

A vulnerability in FreeBSD's installation and configuration tools allows for code execution as root if a user initiates a Wi-Fi scan. An attacker within radio range could exploit this by creating a rogue access point with a specially crafted name, potentially impacting system integrity and data.

NVD published: May 21, 2026

A flaw in FreeBSD's kernel ptrace functionality allows local users to escalate privileges, potentially gaining full system control. This impacts organizations by exposing systems to unauthorized access and data compromise. The realistic business risk involves loss of system integrity and confidentiality.

NVD published: May 21, 2026

A use-after-free vulnerability in the operating system can be exploited by a local user to gain elevated privileges. This risk is internal, requiring local access to trigger the vulnerability. Organizations should identify affected assets and apply necessary fixes.

NVD published: May 21, 2026

A problem in PowerDNS Authoritative can let someone crash the service with specially crafted requests, potentially disrupting internet services. This issue is important now because it affects internet-facing systems.

NVD published: May 21, 2026

A vulnerability in FreeBSD's libcasper library could allow local privilege escalation. An attacker could trigger stack corruption by opening many file descriptors, potentially gaining elevated access if the affected application runs as root. This risk is associated with local access to the system.

NVD published: May 21, 2026

By targeting the web interface of the Honeywell Control Network Module, an external attacker can gain full administrative control of the system. This risk could enable them to disrupt critical industrial operations or access broader internal networks.

NVD published: May 21, 2026

Mattermost has a critical flaw allowing authenticated users to control any API using admin tokens via path traversal, potentially leading to unauthorized actions and data compromise.

NVD published: May 21, 2026

An internal attacker could gain administrative access to systems by exploiting a flaw in a core system function, potentially allowing them to execute code and take control. This matters as it threatens the integrity and security of business operations.

NVD published: May 21, 2026

Netatalk has a security flaw that allows an internal attacker with valid credentials to gain full control of the system or crash the service. This could lead to unauthorized access to sensitive files and persistent system compromise, putting business data and operations at risk.

NVD published: May 21, 2026

The Avada Builder plugin for WordPress has a critical flaw allowing anyone to run malicious code on your website without logging in, potentially leading to full site takeover.

NVD published: May 21, 2026

A vulnerability in Altium 365's SearchService allows unauthenticated network access to search index operations. This could expose sensitive workspace information and compromise search result integrity. The risk to affected organizations includes data disclosure and manipulation of search results, impacting business ope

NVD published: May 21, 2026