31 vulnerabilities across 15 products scored HIGH or above on May 30, 2026.
- CRITICAL: 2
- HIGH: 29
[CRITICAL] yhirose/cpp-httplib
2 CVEs | CVSS 9.9 | AAS 11.3
yhirose cpp-httplib versions prior to 0.44.0 contain multiple critical vulnerabilities with a maximum CVSS score of 9.9 affecting HTTP/HTTPS server request parsing. The library improperly applies percent-decoding to header values, allowing encoded carriage return and line feed sequences to bypass validation checks and be stored as literal bytes within headers, which can enable header injection attacks. Organizations using cpp-httplib should immediately update to version 0.44.0 or later.
- CVE-2026-45372 (CVSS 9.9)
- CVE-2026-46527 (CVSS 8.7)
[HIGH] brainstormforce/spectra_gutenberg_blocks_–_website_builder_for_the_block_editor
1 CVE | CVSS 8.8 | AAS 9.2
The Spectra Gutenberg Blocks – Website Builder for the Block Editor WordPress plugin versions up to and including 2.19.25 contain a remote code execution vulnerability with a CVSS score of 8.8. Authenticated attackers with Contributor-level access or above can execute arbitrary code by embedding a malicious two-block payload in post content, and proof of concept code is available. WordPress administrators using this plugin should update immediately to a patched version.
- CVE-2026-7465 (CVSS 8.8)
[HIGH] deltasql/delta_sql
1 CVE | CVSS 9.3 | AAS 9.2
Delta Sql version 1.8.2 contains an arbitrary file upload vulnerability with a CVSS score of 9.3 that allows unauthenticated attackers to upload malicious files. Attackers can exploit the docs_upload.php endpoint to upload PHP files with arbitrary code to the server, enabling remote code execution. Organizations using Delta Sql should immediately update to a patched version or disable the file upload functionality.
- CVE-2018-25412 (CVSS 9.3)
[HIGH] freerdp/freerdp
4 CVEs | CVSS 8.8 | AAS 8.9
FreeRDP prior to version 3.26.0 contains multiple vulnerabilities with a maximum CVSS score of 8.8, including at least one heap-buffer-overflow flaw. A malicious RDP server can trigger buffer overflows in the gdi_CacheToSurface function by sending crafted RDPGFX protocol messages, potentially causing client crashes or remote code execution. Organizations using FreeRDP should update to version 3.26.0 or later immediately.
- CVE-2026-44421 (CVSS 8.8)
- CVE-2026-44420 (CVSS 8.8)
- CVE-2026-45700 (CVSS 7.7)
- CVE-2026-44422 (CVSS 7.5)
[HIGH] labring/fastgpt
2 CVEs | CVSS 7.7 | AAS 8.7
FastGPT prior to version 4.15.0-beta1 contains multiple vulnerabilities, including at least one Server-Side Request Forgery flaw with a maximum CVSS score of 7.7. Authenticated attackers can exploit the dataset preview endpoint to bypass network protection controls and make arbitrary HTTP requests to internal network services by leveraging incomplete validation in the externalFile data import type. Organizations running FastGPT should update to version 4.15.0-beta1 or later immediately.
- CVE-2026-44285 (CVSS 7.7)
- CVE-2026-44287 (CVSS 6.3)
[HIGH] aiopmsd/aiopmsd_final
8 CVEs | CVSS 8.8 | AAS 8.7
AiOPMSD Final version 1.0.0 contains multiple vulnerabilities, including at least one SQL injection flaw with a maximum CVSS score of 8.8. Unauthenticated attackers can execute arbitrary SQL queries by sending crafted requests to the country.php endpoint with malicious payloads in the country parameter, allowing extraction of sensitive database information such as usernames, database names, and version details. Organizations using AiOPMSD Final should immediately discontinue use or update to a patched version if available.
- CVE-2018-25416 (CVSS 8.8)
- CVE-2018-25417 (CVSS 8.8)
- CVE-2018-25419 (CVSS 8.8)
- CVE-2018-25420 (CVSS 8.8)
- CVE-2018-25418 (CVSS 8.8)
- CVE-2018-25415 (CVSS 8.8)
- CVE-2018-25413 (CVSS 8.8)
- CVE-2018-25414 (CVSS 8.8)
[HIGH] spider312/mogg_web_simulator_script
1 CVE | CVSS 8.8 | AAS 8.7
The MOGG web simulator Script contains an SQL injection vulnerability with a CVSS score of 8.8 that allows unauthenticated attackers to execute arbitrary SQL commands. Attackers can send crafted GET requests to play.php with malicious payloads in the id parameter to extract sensitive database information including usernames and other sensitive data. Organizations using this script should immediately update to a patched version or remove it from production systems.
- CVE-2018-25422 (CVSS 8.8)
[HIGH] livebms/gate_pass_management_system
1 CVE | CVSS 8.8 | AAS 8.7
Gate Pass Management System version 2.1 contains an SQL injection vulnerability with a CVSS score of 8.8 that allows unauthenticated attackers to bypass authentication. Attackers can submit crafted POST requests to login-exec.php with SQL injection payloads in the login and password parameters to gain unauthorized access to the application without valid credentials. Organizations using Gate Pass Management System should immediately update to a patched version or restrict access to the application.
- CVE-2018-25424 (CVSS 8.8)
[HIGH] endonesia/endonesia_portal
3 CVEs | CVSS 8.8 | AAS 8.7
eNdonesia Portal version 8.7 contains multiple vulnerabilities, including at least one SQL injection flaw, with a maximum CVSS score of 8.8. Unauthenticated attackers can execute arbitrary SQL queries by injecting malicious code through multiple parameters including artid, cid, did, contid, and aboutid in the mod.php endpoint to extract sensitive database information such as usernames, database names, and version details. Organizations using eNdonesia Portal should immediately update to a patched version or disable the vulnerable application.
- CVE-2018-25405 (CVSS 8.8)
- CVE-2018-25406 (CVSS 8.8)
- CVE-2018-25407 (CVSS 8.8)
[HIGH] yot/yot_cms
1 CVE | CVSS 8.8 | AAS 8.7
Yot CMS version 3.3.1 contains an SQL injection vulnerability with a CVSS score of 8.8 that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can send crafted GET requests to index.php with malicious SQL payloads in the aid or cid parameters to extract sensitive database information including table and column names. Organizations using Yot CMS should immediately update to a patched version or disable the vulnerable application.
- CVE-2018-25425 (CVSS 8.8)
[HIGH] m-gb/mgb_opensource_guestbook
1 CVE | CVSS 8.8 | AAS 8.7
MGB OpenSource Guestbook version 0.7.0.2 contains an SQL injection vulnerability with a CVSS score of 8.8 that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can send crafted GET requests to email.php with malicious SQL payloads in the id parameter to extract sensitive database information including table and column names. Organizations using MGB OpenSource Guestbook should immediately update to a patched version or disable the vulnerable application.
- CVE-2018-25411 (CVSS 8.8)
[HIGH] spatie/laravel-medialibrary
1 CVE | CVSS 8.7 | AAS 8.6
Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass vulnerability with a CVSS score of 8.7 in the FileAdder::defaultSanitizer() function. The sanitizer insufficiently validates uploaded filenames, allowing attackers to bypass the blocklist using double-extension filenames such as shell.php.jpg, and the blocklist also omits executable extensions including .php6, .shtml, and .htaccess. Organizations using Laravel Media Library should update to version 11.23.0 or later immediately.
- CVE-2026-48557 (CVSS 8.7)
[HIGH] simpkh/sim-pkh
2 CVEs | CVSS 8.7 | AAS 8.6
SIM-PKH version 2.4.1 contains multiple vulnerabilities, including at least one arbitrary file upload flaw with a CVSS score of 8.7. Authenticated attackers can upload malicious PHP files via the aksi_pengurus.php endpoint using the fupload parameter, which are stored in the foto directory and executed as web scripts, enabling remote code execution. Organizations using SIM-PKH should immediately update to a patched version or restrict access to the vulnerable application.
- CVE-2018-25409 (CVSS 8.7)
- CVE-2018-25410 (CVSS 7.1)
[HIGH] openises/open_ises_project
1 CVE | CVSS 8.7 | AAS 8.6
The Open ISES Project version 3.30A contains a path traversal vulnerability with a CVSS score of 8.7 in the ajax/download.php endpoint that allows unauthenticated attackers to download arbitrary files. Attackers can manipulate the filename parameter with directory traversal sequences such as ../ to access files outside the intended directory, including sensitive configuration files and system files. Organizations using Open ISES Project should immediately update to a patched version or disable the vulnerable download functionality.
- CVE-2018-25408 (CVSS 8.7)
[HIGH] iskorotkov/avro
2 CVEs | CVSS 8.7 | AAS 8.6
iskorotkov/avro prior to version 2.33.0 contains multiple vulnerabilities, including at least one denial of service flaw with a maximum CVSS score of 8.7, in the Avro array and map decoders. The decoders fail to validate the reader’s error state and do not check attacker-controlled block-count values, allowing attackers to provide payloads declaring extremely large block counts followed by truncated data, causing the decoder to attempt excessive iterations and consume system resources. Organizations using avro should update to version 2.33.0 or later immediately.
- CVE-2026-46385 (CVSS 8.7)
- CVE-2026-46384 (CVSS 8.7)