22 vulnerabilities across 15 products scored HIGH or above on May 22, 2026.
- CRITICAL: 5
- HIGH: 17
[CRITICAL] linux/linux_kernel
1 CVE | CVSS 9.2 | AAS 12.0
The Linux kernel contains a critical vulnerability (CVE-2026-9054, CVSS 9.2) that triggers a kernel panic when systems receive TCP, IL, RUDP, or GRE packets with header lengths shorter than expected. This affects all vulnerable kernel versions and can be exploited remotely by unauthenticated attackers. System administrators should apply available kernel patches from their distribution vendor immediately.
- CVE-2026-9054 (CVSS 9.2)
[CRITICAL] nginx/nginx
1 CVE | CVSS 9.2 | AAS 10.9
NGINX Plus and NGINX Open Source contain a critical vulnerability (CVE-2026-9256, CVSS 9.2) in the ngx_http_rewrite_module that can be triggered when rewrite directives use overlapping PCRE regex captures combined with replacement strings referencing multiple captures. Affected versions include NGINX Plus below 37.0.1.1, R36 P5, and R32 P7, as well as NGINX Open Source below 1.31.1, 1.30.2, and earlier versions. Organizations running vulnerable NGINX versions should upgrade immediately to the patched releases identified in the vendor advisory.
- CVE-2026-9256 (CVSS 9.2)
[CRITICAL] iina/iina
1 CVE | CVSS 8.6 | AAS 10.4
IINA before version 1.4.3 is vulnerable to user-assisted command execution (CVE-2026-47114, CVSS 8.6) through the iina://open custom URL scheme handler when processing malicious mpv_-prefixed query parameters. An attacker can deliver a crafted URL via a browser that, upon user approval of the protocol prompt, executes arbitrary commands with the privileges of the current macOS user. macOS users running IINA versions prior to 1.4.3 should upgrade immediately and avoid approving protocol handler requests from untrusted sources.
- CVE-2026-47114 (CVSS 8.6)
[CRITICAL] berriai/litellm
2 CVEs | CVSS 8.7 | AAS 10.3
LiteLLM prior to version 1.83.14 contains multiple critical vulnerabilities (CVE-2026-47101 and CVE-2026-47102, CVSS 8.7) that allow authenticated internal users to create API keys with access to routes beyond their assigned role permissions, including admin-only routes, thereby bypassing role-based access controls. An attacker with internal user privileges can generate overprivileged API keys and use them to escalate access across the system. Organizations running LiteLLM versions prior to 1.83.14 should upgrade immediately and audit existing API keys for unauthorized scope escalation.
- CVE-2026-47101 (CVSS 8.7)
- CVE-2026-47102 (CVSS 8.7)
[HIGH] microsoft/microsoft_planetary_computer_pro_(geocatalog)
1 CVE | CVSS 10.0 | AAS 9.9
Microsoft Planetary Computer Pro (GeoCatalog) is vulnerable to an exploitable critical vulnerability (CVE-2026-41104, CVSS 10.0) that requires immediate attention. Users and administrators should review the Microsoft Security Response Center advisory for detailed technical information and patch guidance. Organizations should prioritize patching affected systems and check for any unauthorized access or activity related to this vulnerability.
- CVE-2026-41104 (CVSS 10.0)
[HIGH] microsoft/microsoft_power_pages
1 CVE | CVSS 10.0 | AAS 9.9
Microsoft Power Pages is vulnerable to an exploitable critical vulnerability (CVE-2026-23652, CVSS 10.0) that requires immediate remediation. Organizations using Power Pages should consult the Microsoft Security Response Center advisory for detailed information and patch availability. Affected users should apply available security updates as soon as possible and monitor for signs of exploitation.
- CVE-2026-23652 (CVSS 10.0)
[HIGH] microsoft/azure_orbital_spatio
1 CVE | CVSS 10.0 | AAS 9.9
Azure Orbital Spatio is vulnerable to an exploitable critical vulnerability (CVE-2026-40412, CVSS 10.0) that requires urgent attention. Organizations using Azure Orbital Spatio should review the Microsoft Security Response Center advisory for detailed information and patch guidance. Affected users should apply available security updates immediately and assess their environment for potential exposure or compromise.
- CVE-2026-40412 (CVSS 10.0)
[HIGH] ubiquiti/unifi_os
5 CVEs | CVSS 10.0 | AAS 9.9
Ubiquiti UniFi OS devices are affected by multiple critical vulnerabilities (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, CVE-2026-34911, CVE-2026-33000; CVSS 10.0) including improper access control flaws that allow network-connected attackers to make unauthorized system changes. These vulnerabilities are actively exploitable and pose immediate risk to UniFi OS deployments. Organizations should immediately consult the Ubiquiti security advisory for affected versions and apply patches without delay.
- CVE-2026-34908 (CVSS 10.0)
- CVE-2026-34909 (CVSS 10.0)
- CVE-2026-34910 (CVSS 10.0)
- CVE-2026-34911 (CVSS 7.7)
- CVE-2026-33000 (CVSS 9.1)
[HIGH] repute_infosystems/bookingpress_appointment_booking_pro
1 CVE | CVSS 9.8 | AAS 9.7
The BookingPress Pro WordPress plugin through version 5.6 contains an arbitrary file upload vulnerability (CVE-2026-6960, CVSS 9.8) due to missing file type validation in the booking form submission function, allowing unauthenticated attackers to upload malicious files and potentially execute arbitrary code if a signature field is configured. This vulnerability is actively exploitable and affects all WordPress sites running vulnerable versions with signature custom fields enabled. Website administrators should immediately update BookingPress Pro to the latest patched version and review their booking forms to remove unnecessary signature fields.
- CVE-2026-6960 (CVSS 9.8)
[HIGH] 7-zip/7-zip
1 CVE | CVSS 7.8 | AAS 9.2
7-Zip version 26.00 is vulnerable to a heap buffer overflow (CVE-2026-48095, CVSS 7.8) that can be exploited by processing specially crafted archive files. This vulnerability was patched in version 26.01 released in April 2026. Users should upgrade to 7-Zip version 26.01 or later immediately and avoid opening untrusted archive files until patched.
- CVE-2026-48095 (CVSS 7.8)
[HIGH] microsoft/microsoft_365_copilot_for_ios
1 CVE | CVSS 9.3 | AAS 9.2
Microsoft 365 Copilot for iOS is vulnerable to an exploitable critical vulnerability (CVE-2026-41090, CVSS 9.3) that requires immediate attention. iOS users and organizations deploying Copilot should consult the Microsoft Security Response Center advisory for detailed information and patch guidance. Affected users should update the application to the latest available version as soon as possible and monitor for any suspicious activity on their accounts.
- CVE-2026-41090 (CVSS 9.3)
[HIGH] microsoft/microsoft_entra
2 CVEs | CVSS 10.0 | AAS 9.0
Microsoft Entra is affected by multiple critical vulnerabilities (CVE-2026-33843, CVE-2026-42901; CVSS 10.0) that are actively exploitable and require urgent remediation. Organizations relying on Entra for identity and access management should immediately consult the Microsoft Security Response Center advisory for detailed information and patch availability. Administrators should apply available security updates without delay and review access logs for signs of unauthorized activity.
- CVE-2026-33843 (CVSS 9.1)
- CVE-2026-42901 (CVSS 10.0)
[HIGH] easyelements/easy_elements_for_elementor
1 CVE | CVSS 8.8 | AAS 8.7
The Easy Elements for Elementor WordPress plugin through version 1.4.5 contains a privilege escalation vulnerability (CVE-2026-9018, CVSS 8.8) in the user registration AJAX handler that allows unauthenticated attackers to set arbitrary user metadata including administrative capabilities during account creation. This vulnerability is actively exploitable and affects all WordPress sites running vulnerable versions of the plugin. Website administrators should immediately update Easy Elements for Elementor to the latest patched version and review newly created user accounts for unauthorized privilege assignments.
- CVE-2026-9018 (CVSS 8.8)
[HIGH] bestpractical/rt
2 CVEs | CVSS 8.8 | AAS 8.7
RT (Request Tracker) versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 are vulnerable to multiple SQL injection vulnerabilities (CVE-2026-41075, CVE-2026-41076; CVSS 8.8) that allow authenticated users to craft malicious input to read or modify data in the RT database. This vulnerability is actively exploitable and affects organizations running vulnerable versions of the open source ticket tracking system. Organizations should immediately upgrade to RT versions 5.0.10 or 6.0.3 and review database access logs for signs of unauthorized queries or data manipulation.
- CVE-2026-41075 (CVSS 8.8)
- CVE-2026-41076 (CVSS 8.1)
[HIGH] microsoft/microsoft_sharepoint_enterprise_server_2016
1 CVE | CVSS 8.8 | AAS 8.7
Microsoft SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition are vulnerable to an exploitable critical vulnerability (CVE-2026-45659, CVSS 8.8) affecting multiple versions. Organizations using affected SharePoint versions should consult the Microsoft Security Response Center advisory for specific version requirements and patch availability. Administrators should apply available security updates immediately to the affected versions and monitor SharePoint environments for signs of exploitation.
- CVE-2026-45659 (CVSS 8.8)