31 vulnerabilities across 15 products scored HIGH or above on May 30, 2026.

  • CRITICAL: 2
  • HIGH: 29

[CRITICAL] yhirose/cpp-httplib

2 CVEs | CVSS 9.9 | AAS 11.3

cpp-httplib before version 0.44.0 contains multiple critical vulnerabilities in request header processing that allow attackers to inject arbitrary HTTP headers by exploiting improper percent-decoding of special characters. Developers and teams using cpp-httplib should immediately upgrade to version 0.44.0 or later. Complete technical details and affected versions are available in the vendor security advisory at https://github.com/yhirose/cpp-httplib/security/advisories/GHSA-xjxg-64p4-vj4m.

Vendor Advisory
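The cpp-httplib entry above describes the general failure behind HTTP header injection: a percent-encoded value is decoded and the decoded text, which may now contain CR and LF, is written into a header line unchecked. The following Python model is an added example, not code from cpp-httplib or its advisory; the header names, the payload and the naive serializer are constructed for illustration. It contrasts decoding that trusts the result with decoding that re-validates the decoded text before it can reach a header.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Any control character (CR, LF, NUL, ...) is illegal inside an HTTP header value.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def decode_unsafe(raw: str) -> str:
    """Percent-decode without re-validating the result: a %0d%0a in the
    input becomes a literal CRLF and, once written into a header, starts
    a new header line that the client will honour."""
    return unquote(raw)


def decode_safe(raw: str) -> Optional[str]:
    """Percent-decode, then validate the *decoded* text, not the encoded
    input. Returns None when the value cannot be used verbatim in a header."""
    decoded = unquote(raw)
    if CONTROL_CHARS.search(decoded):
        return None
    return decoded


def serialize_headers(headers: Dict[str, str]) -> bytes:
    """Write headers the way a naive server does: values are not escaped."""
    body = b"".join(f"{k}: {v}\r\n".encode("latin-1") for k, v in headers.items())
    return body + b"\r\n"


def header_lines(serialized: bytes) -> List[bytes]:
    """Split a serialized header block into the lines a client would parse."""
    return [line for line in serialized.split(b"\r\n") if line]


def run_demo() -> dict:
    # Constructed attacker input: a redirect target smuggling a second header.
    payload = "/home%0d%0aSet-Cookie:%20session=attacker"
    naive = header_lines(serialize_headers({"Location": decode_unsafe(payload)}))
    return {
        "naive_lines": naive,                       # two header lines from one value
        "checked": decode_safe(payload),            # None: rejected after decoding
        "benign": decode_safe("/search?q=caf%C3%A9"),  # ordinary UTF-8 still decodes
    }
```

The check must run on the decoded string; a filter on the raw input misses double encoding such as `%250d%250a` if a later stage decodes again, so validate at the point where the value is actually placed into the header.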


[HIGH] deltasql/delta_sql

1 CVE | CVSS 9.3 | AAS 9.2

Delta SQL version 1.8.2 contains an unauthenticated arbitrary file upload vulnerability in the docs_upload.php endpoint: an attacker can upload a PHP file and then request it, so the web server executes the attacker's code and the result is remote code execution. Organizations running Delta SQL should apply the project's fix as soon as one is published and, until then, block access to the upload functionality and disable script execution in the upload directory. The project site is http://deltasql.sourceforge.net/; no separate written advisory is linked.

Vendor Advisory


[HIGH] freerdp/freerdp

4 CVEs | CVSS 8.8 | AAS 8.9

FreeRDP prior to version 3.26.0 contains multiple vulnerabilities in the server-side clipboard channel, including at least one heap buffer overflow that can be triggered by a malicious RDP client through specially crafted PDU messages, potentially causing server denial of service or code execution. System administrators running FreeRDP should upgrade to version 3.26.0 or later immediately. For complete technical details and affected versions, see the vendor security advisory at https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mvpx-xj7r-3p3r.

Vendor Advisory


[HIGH] labring/fastgpt

2 CVEs | CVSS 7.7 | AAS 8.7

FastGPT prior to version 4.15.0-beta1 contains multiple vulnerabilities, including at least one Server-Side Request Forgery (SSRF) flaw that allows authenticated attackers to bypass network protection controls and make arbitrary requests to internal services through the dataset preview endpoint. Organizations deploying FastGPT should upgrade to version 4.15.0-beta1 or later immediately to remediate this network exposure. Complete technical details and affected versions are available in the vendor security advisory at https://github.com/labring/FastGPT/security/advisories/GHSA-c65v-7vx6-f8m3.

Vendor Advisory
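The FastGPT entry above is a typical SSRF through a URL-fetching feature. The guard that closes it has to resolve the hostname, check every returned address against the non-public ranges, and then connect to the address it validated rather than re-resolving the name. The following Python is an added example written for this digest, not FastGPT's code; the hostnames, the stand-in DNS table and the address list it returns are constructed so the example runs offline.

```python
import ipaddress
from typing import List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed stand-in for DNS so the example runs offline. A real deployment
# resolves with the system resolver and must check *every* returned address.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "db.internal": ["10.0.0.5"],
    "metadata.local": ["169.254.169.254"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback
}


def is_public(addr: str) -> bool:
    """True only for globally routable unicast addresses. IPv4-mapped IPv6
    (::ffff:10.0.0.1) is unwrapped first so the IPv4 rules apply to it."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve(host: str) -> List[str]:
    try:
        return FAKE_DNS[host.lower()]
    except KeyError:
        raise ValueError(f"unresolvable host: {host}") from None


def pin_outbound(url: str) -> List[str]:
    """Validate a user-supplied URL and return the addresses the HTTP client
    must connect to. Connecting to these pinned addresses, instead of letting
    the client resolve the name a second time, is what defeats DNS rebinding."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal, including [v6]
    except ValueError:
        addrs = resolve(host)                        # hostname
    bad = [a for a in addrs if not is_public(a)]
    if bad:
        raise ValueError(f"{host} resolves to non-public {bad}")
    return addrs


def allowed(url: str) -> bool:
    try:
        pin_outbound(url)
        return True
    except ValueError:
        return False
```

Two caveats the digest entry does not spell out: redirects must be validated again at every hop (or disabled), since the first response can redirect to an internal address, and the `rebind.test` case shows why all resolved addresses must pass, not just the first.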


[HIGH] aiopmsd/aiopmsd_final

8 CVEs | CVSS 8.8 | AAS 8.7

AiOPMSD Final version 1.0.0 contains multiple high-severity vulnerabilities, including at least one SQL injection flaw that allows unauthenticated attackers to execute arbitrary SQL queries through the actor parameter and extract sensitive database information such as usernames and version details. Organizations running AiOPMSD Final should immediately discontinue use of this product or upgrade to a patched version if available. For detailed technical information and remediation guidance, consult the vendor advisory at https://aiopmsd.sourceforge.io/.

Vendor Advisory


[HIGH] spider312/mogg_web_simulator_script

1 CVE | CVSS 8.8 | AAS 8.7

MOGG web simulator Script contains a high-severity SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL commands through the id parameter in play.php, enabling extraction of sensitive database information including usernames and other data. Organizations deploying this application should apply available patches or upgrade to a secure version immediately. For technical details and remediation guidance, consult the vendor advisory at https://github.com/spider312/mtgas.

Vendor Advisory


[HIGH] livebms/gate_pass_management_system

1 CVE | CVSS 8.8 | AAS 8.7

Gate Pass Management System version 2.1 contains a high-severity SQL injection vulnerability in the login authentication mechanism that allows unauthenticated attackers to bypass credentials and gain unauthorized access by submitting crafted SQL payloads through the login and password parameters. Organizations operating this system should immediately apply security patches or upgrade to a remediated version to prevent unauthorized access. For patching information and additional technical details, consult the vendor advisory at http://www.livebms.com.

Vendor Advisory


[HIGH] brainstormforce/spectra_gutenberg_blocks_–_website_builder_for_the_block_editor

1 CVE | CVSS 8.8 | AAS 8.7

The Spectra Gutenberg Blocks – Website Builder for the Block Editor WordPress plugin through version 2.19.25 contains a high-severity remote code execution vulnerability that allows authenticated attackers with Contributor-level access or higher to execute arbitrary code on the server by embedding specially crafted block payloads in post content. WordPress site administrators should immediately update the plugin to a patched version to prevent unauthorized code execution. For patch availability and additional technical details, consult the vendor advisory at https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.25/classes/class-uagb-init-blocks.php#L330.

Vendor Advisory


[HIGH] endonesia/endonesia_portal

3 CVEs | CVSS 8.8 | AAS 8.7

eNdonesia Portal version 8.7 contains multiple high-severity SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries through various parameters in mod.php across multiple application modules, enabling extraction of sensitive database information including credentials and usernames. Organizations deploying eNdonesia Portal should immediately upgrade to a patched version or apply security updates to remediate these database access risks. For technical details and remediation guidance, consult the vendor advisory at http://www.endonesia.org/.

Vendor Advisory


[HIGH] m-gb/mgb_opensource_guestbook

1 CVE | CVSS 8.8 | AAS 8.7

MGB OpenSource Guestbook version 0.7.0.2 contains a high-severity SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries through the id parameter in email.php, enabling extraction of sensitive database information including table and column names. Organizations running this guestbook application should immediately upgrade to a patched version or discontinue use of the affected software. For technical details and remediation guidance, consult the vendor advisory at http://www.m-gb.org/.

Vendor Advisory


[HIGH] yot/yot_cms

1 CVE | CVSS 8.8 | AAS 8.7

Yot CMS version 3.3.1 contains a high-severity SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries through the aid and cid parameters in index.php, enabling extraction of sensitive database information including table and column names. Organizations deploying Yot CMS should immediately upgrade to a patched version or apply security updates to prevent unauthorized database access. The vendor reference provided is the 3.3.1 release archive at https://ayera.dl.sourceforge.net/project/yot/Yot%203.3.1.zip; no separate written advisory is linked.

Vendor Advisory
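The AiOPMSD, MOGG, Gate Pass Management System, eNdonesia, MGB Guestbook and Yot CMS entries above are all the same defect: a request parameter concatenated into SQL text. The following Python example, written for this digest and not taken from any of those products, shows the two shapes the digest describes (a login bypass through the credential parameters and UNION-based extraction through a numeric `id`) against an in-memory SQLite database, beside the parameterized queries that close them. The schema, rows and table names are constructed; passwords are stored in clear only to keep the example short, and real code compares a password hash.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample schema standing in for a small CMS database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT);
        INSERT INTO users (login, password) VALUES ('admin', 's3cr3t'), ('guest', 'guest');
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO posts (title) VALUES ('Welcome'), ('Second post');
    """)
    return conn


# --- login form: string concatenation vs. bound parameters -------------------

def login_vulnerable(conn, login: str, password: str) -> bool:
    # login = "admin' OR '1'='1" makes the WHERE clause true for the admin row.
    sql = f"SELECT id FROM users WHERE login = '{login}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, login: str, password: str) -> bool:
    # The driver sends the values separately; quotes in them are just data.
    sql = "SELECT id FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchone() is not None


# --- numeric id in a content page: UNION extraction vs. typed parameter ------

def post_title_vulnerable(conn, id_param: str) -> List[str]:
    # "0 UNION SELECT password FROM users" returns rows from another table;
    # "0 UNION SELECT sql FROM sqlite_master" returns the schema itself.
    sql = f"SELECT title FROM posts WHERE id = {id_param}"
    return [row[0] for row in conn.execute(sql)]


def post_title_parameterized(conn, id_param: str) -> List[str]:
    try:
        post_id = int(id_param)          # anything that is not an integer is refused
    except ValueError:
        return []
    rows = conn.execute("SELECT title FROM posts WHERE id = ?", (post_id,))
    return [row[0] for row in rows]


def run_demo() -> dict:
    conn = make_db()
    bypass = ("admin' OR '1'='1", "anything")
    union = "0 UNION SELECT password FROM users"
    schema = "0 UNION SELECT sql FROM sqlite_master"
    return {
        "bypass_vulnerable": login_vulnerable(conn, *bypass),
        "bypass_parameterized": login_parameterized(conn, *bypass),
        "union_vulnerable": sorted(post_title_vulnerable(conn, union)),
        "union_parameterized": post_title_parameterized(conn, union),
        "schema_vulnerable": post_title_vulnerable(conn, schema),
    }
```

The `sqlite_master` probe is the SQLite form of the "table and column names" extraction the MGB and Yot entries describe; on MySQL the equivalent target is `information_schema.columns`. Escaping functions are not a substitute for parameters, since the numeric case has no quotes to escape.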


[HIGH] spatie/laravel-medialibrary

1 CVE | CVSS 8.7 | AAS 8.6

Spatie Laravel Media Library before version 11.23.0 contains a high-severity file upload restriction bypass vulnerability: the filename sanitizer only checks for a short blocklist of extensions, so a double-extension name such as shell.php.jpg passes, as do executable extensions the blocklist omits. On servers whose handler matching considers every extension in a name (Apache's AddHandler behaviour, for example) such a file is executed as PHP, which turns the upload into remote code execution. Applications using this library should immediately upgrade to version 11.23.0 or later. For technical details, see the fix commit at https://github.com/spatie/laravel-medialibrary/commit/608ea03703d3887c46434f5dda6af56de6346aba.

Vendor Advisory


[HIGH] simpkh/sim-pkh

2 CVEs | CVSS 8.7 | AAS 8.6

SIM-PKH version 2.4.1 contains multiple high-severity vulnerabilities, including at least one arbitrary file upload flaw that allows authenticated attackers to upload and execute malicious PHP code through the aksi_pengurus.php endpoint, storing executable scripts in the foto directory. Organizations deploying SIM-PKH should immediately upgrade to a patched version or restrict access to the vulnerable endpoint to prevent unauthorized code execution. For technical details and remediation guidance, consult the vendor advisory at https://simpkh.sourceforge.io/.

Vendor Advisory
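The Delta SQL, Spatie Laravel Media Library and SIM-PKH entries above are all upload handlers that let a server-executable file reach a web-served directory; the Spatie entry spells out the two usual causes, a last-extension-only check and an incomplete blocklist. The following Python sanitizer is an added example for this digest, not code from any of those projects; its allowlist, its list of executable extensions and the sample filenames are constructed. It places the weak blocklist pattern beside an allowlist that inspects every extension segment and discards the client's filename altogether.

```python
import os
import secrets
from typing import Optional

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Extensions the web server may hand to an interpreter. Apache's AddHandler
# matches a handler extension anywhere in the name, which is why shell.php.jpg
# can execute and why checking only the last extension is not enough.
EXECUTABLE_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps",
    "pht", "shtml", "cgi", "pl", "py", "jsp", "asp", "aspx", "htaccess",
}


def sanitize_blocklist(filename: str) -> Optional[str]:
    """The weak pattern: only the final extension, against a short blocklist.
    Returns the name to store, or None when rejected."""
    base = os.path.basename(filename)
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext in {"php", "phtml"}:
        return None
    return base


def sanitize_allowlist(filename: str) -> Optional[str]:
    """Hardened: strip any path, refuse NUL bytes and dotfiles, require every
    extension segment to be non-executable and the last one to be allowlisted,
    then replace the client's name with a random one."""
    if "\x00" in filename:
        return None
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:      # no extension, or a dotfile like .htaccess
        return None
    extensions = parts[1:]
    if any(e in EXECUTABLE_EXTENSIONS for e in extensions):
        return None
    if extensions[-1] not in ALLOWED_EXTENSIONS:
        return None
    return f"{secrets.token_hex(16)}.{extensions[-1]}"


def run_demo() -> dict:
    """Constructed sample names -> (accepted by blocklist, accepted by allowlist)."""
    samples = ["shell.php.jpg", "shell.phar", "photo.JPG", ".htaccess",
               "../../../var/www/html/x.png", "report.pdf\x00.jpg"]
    return {
        name: (sanitize_blocklist(name) is not None, sanitize_allowlist(name) is not None)
        for name in samples
    }
```

Filename checks are one layer: the upload directory should also have script execution disabled (or sit outside the document root and be served through a handler), and image uploads should be verified by content, not by name.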


[HIGH] iskorotkov/avro

2 CVEs | CVSS 8.7 | AAS 8.6

The iskorotkov/avro Go Avro codec library before version 2.33.0 contains multiple high-severity vulnerabilities, including at least one denial of service flaw in the array and map decoders that allows attackers to trigger excessive iterations by providing an attacker-controlled block count without verifying the reader’s error state. Applications using this library should immediately upgrade to version 2.33.0 or later to prevent resource exhaustion and service disruption. For technical details and remediation guidance, consult the vendor advisory at https://github.com/iskorotkov/avro/security/advisories/GHSA-w8j3-pq8g-8m7w.

Vendor Advisory
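The iskorotkov/avro entry above describes a decoder that loops as many times as the attacker's block count says, even after the underlying reader has hit end of input and started returning zero values with an error flag set. The following Python model is an added example for this digest, not the library's Go code; it reimplements Avro's zigzag varint and array block encoding, which are public format rules, and constructs both a valid array and a hostile three-byte header. A Go-style reader that records errors instead of raising is modelled so that the ignored error state is visible, and the hardened decoder adds the two checks that bound the work: the error flag after every read, and a block count no larger than the bytes that remain.

```python
from typing import List, Tuple


def encode_long(n: int) -> bytes:
    """Avro long: zigzag, then base-128 varint with the low group first."""
    z = (n << 1) ^ (n >> 63)
    out = bytearray()
    while True:
        group = z & 0x7F
        z >>= 7
        if z:
            out.append(group | 0x80)
        else:
            out.append(group)
            return bytes(out)


class Reader:
    """Models a Go-style reader: on truncated input it records the error and
    returns a zero value instead of raising, so callers must check .err."""

    def __init__(self, buf: bytes):
        self.buf, self.pos, self.err = buf, 0, None

    def remaining(self) -> int:
        return len(self.buf) - self.pos

    def read_long(self) -> int:
        result, shift = 0, 0
        while True:
            if self.pos >= len(self.buf):
                self.err = self.err or "unexpected EOF"
                return 0
            b = self.buf[self.pos]
            self.pos += 1
            result |= (b & 0x7F) << shift
            if not b & 0x80:
                return (result >> 1) ^ -(result & 1)
            shift += 7
            if shift > 63:
                self.err = self.err or "varint overflow"
                return 0


def decode_long_array_vulnerable(r: Reader) -> Tuple[List[int], int]:
    """Trusts the block count and never looks at r.err: a three-byte payload
    declaring 100000 items costs 100000 iterations and allocations."""
    items, iterations = [], 0
    while True:
        count = r.read_long()
        if count == 0:
            return items, iterations
        if count < 0:                      # negative count: block byte size follows
            count = -count
            r.read_long()
        for _ in range(count):
            iterations += 1
            items.append(r.read_long())


def decode_long_array_hardened(r: Reader) -> Tuple[List[int], int]:
    """Checks r.err after every read and refuses a block that claims more
    items than the remaining bytes could encode (a long needs >= 1 byte)."""
    items, iterations = [], 0
    while True:
        count = r.read_long()
        if r.err:
            raise ValueError(r.err)
        if count == 0:
            return items, iterations
        if count < 0:
            count = -count
            size = r.read_long()
            if r.err or size < 0 or size > r.remaining():
                raise ValueError("bad block size")
        if count > r.remaining():
            raise ValueError(f"block count {count} exceeds {r.remaining()} remaining bytes")
        for _ in range(count):
            iterations += 1
            items.append(r.read_long())
            if r.err:
                raise ValueError(r.err)


def run_demo() -> dict:
    # Constructed payloads: a valid two-block array [1, -2], [300] and a header only.
    valid = (encode_long(2) + encode_long(1) + encode_long(-2)
             + encode_long(1) + encode_long(300) + encode_long(0))
    hostile = encode_long(100_000)           # count, then EOF
    items, _ = decode_long_array_hardened(Reader(valid))
    _, vuln_iterations = decode_long_array_vulnerable(Reader(hostile))
    try:
        decode_long_array_hardened(Reader(hostile))
        hardened = "accepted"
    except ValueError as e:
        hardened = str(e)
    return {"valid_items": items, "vulnerable_iterations": vuln_iterations, "hardened": hardened}
```

The "one byte per item" bound holds for longs and most scalar types; for item types that can encode to zero bytes (null, or a record consisting only of nulls) the remaining-bytes check gives no bound and a hard cap on the block count is needed instead.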


[HIGH] openises/open_ises_project

1 CVE | CVSS 8.7 | AAS 8.6

The Open ISES Project version 3.30A contains a high-severity path traversal vulnerability in the ajax/download.php endpoint that allows unauthenticated attackers to download arbitrary files, including configuration and system files, by manipulating the filename parameter with directory traversal sequences. Organizations deploying Open ISES Project should immediately upgrade to a patched version or implement access controls to restrict downloads to intended directories. For technical details and remediation guidance, consult the vendor advisory at http://openises.sourceforge.net/.

Vendor Advisory
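The Open ISES entry above is a download endpoint that joins a client-supplied filename onto a base directory and serves whatever results. The following Python example, added for this digest and not taken from Open ISES, builds a constructed directory layout in a temporary folder and places the vulnerable join beside a containment check that canonicalises both the base and the target (so `..` and symlinks are resolved) before comparing them. The file names, contents and the `downloads` directory are constructed for the example.

```python
import os
import shutil
import tempfile
from pathlib import Path


def build_demo_tree() -> Path:
    """Constructed layout: a download root plus a sensitive file beside it."""
    root = Path(tempfile.mkdtemp(prefix="download-demo-"))
    (root / "downloads").mkdir()
    (root / "downloads" / "report.pdf").write_bytes(b"%PDF-1.4 demo")
    (root / "config.php").write_text("<?php $db_password = 'demo'; ?>")
    return root


def read_vulnerable(base_dir: Path, filename: str) -> bytes:
    """Join and read: os.path.join honours '..' and is replaced outright by an
    absolute filename, so anything the process can read is served."""
    return Path(os.path.join(str(base_dir), filename)).read_bytes()


def read_contained(base_dir: Path, filename: str) -> bytes:
    """Canonicalise both sides first, then require the target to lie under
    the base directory. Comparing strings before resolving is not enough."""
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    base = base_dir.resolve()
    target = (base / filename).resolve()
    if target != base and base not in target.parents:
        raise PermissionError(f"{filename!r} escapes {base}")
    if not target.is_file():
        raise FileNotFoundError(filename)
    return target.read_bytes()


def run_demo() -> dict:
    root = build_demo_tree()
    base = root / "downloads"
    probes = ["report.pdf", "../config.php", "/etc/passwd", "subdir/../report.pdf"]
    out = {}
    try:
        for probe in probes:
            try:
                out[probe] = read_contained(base, probe)[:4]
            except (PermissionError, FileNotFoundError) as e:
                out[probe] = type(e).__name__
        # The vulnerable join hands over the file outside the download root.
        out["vulnerable_leak"] = read_vulnerable(base, "../config.php").startswith(b"<?php")
    finally:
        shutil.rmtree(root)
    return out
```

Note that `subdir/../report.pdf` is accepted, because after canonicalisation it is inside the base; a stricter endpoint that only ever serves files it generated itself should refuse any name containing a path separator at all, or look files up by an opaque id rather than by name.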