
908338 matches found

Ivanti
• added 2026/12/05 2:2 p.m. • 24 views

May 2026 Security Advisory Ivanti Secure Access Client (CVE-2026-7431, CVE-2026-7432)

Update 22 May: CVE-2026-8992 has been added to Vulnerability Details. Summary: Ivanti has released updates for the Ivanti Secure Access Client which addresses one medium severity vulnerability and two High severity vulnerabilities. We are not aware of any customers being exploited by these...

CVSS 8.8 | AI score 6.2 | EPSS 0.00127
Exploits: 0
Packet Storm News
• added 2026/09/10 12:0 a.m. • 41 views

IServ Schoolserver User Enumeration

IServ Schoolserver suffers from a user enumeration vulnerability. The vendor does not feel this is an issue...

AI score 5.8
Exploits: 0
GithubExploit
• added 2 hours ago • 9 views

Exploit for Improper Encoding or Escaping of Output in Cisco Catalyst_Sd-Wan_Manager

🚨 CVE-2026-20245 - Cisco Catalyst SD-WAN Manager Privilege Esc...

CVSS 7.8 | AI score 6.8 | EPSS 0.00356
Exploits: 2
GithubExploit
• added 5 hours ago • 19 views

Exploit for CVE-2026-5513

CVE-2026-5513 — Bookly ≤ 27.2 Stored XSS via Cookie...

CVSS 7.2 | AI score 5.5 | EPSS 0.00055
Exploits: 1
OSSF Malicious Packages
• added 5 hours ago • 9 views

Malicious code in npm-sandbox-research-8b2f (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 916280d3906e0f04caa7f46135039e4a42b03a5c96091c1555ad2ab0e86b923b On install, package.json runs postinstall: node run.js, which loads beacon scripts beacon8.js, beaconlinux.js that import childprocess, os, and http,...

AI score 5.4
Exploits: 0 | References: 1
OSV
• added 5 hours ago • 1 views

MAL-2026-5758 Malicious code in npm-sandbox-research-8b2f (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 916280d3906e0f04caa7f46135039e4a42b03a5c96091c1555ad2ab0e86b923b On install, package.json runs postinstall: node run.js, which loads beacon scripts beacon8.js, beaconlinux.js that import childprocess, os, and http,...

AI score 5.4
Exploits: 0 | References: 1
NVD
• added 9 hours ago • 6 views

CVE-2026-54421

In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information such as iSCSI credentials. The PATCH outcome is a security issue; the POST outcome is not a security issue...

CVSS 6.8
Exploits: 0 | References: 1
NVD
• added 9 hours ago • 9 views

CVE-2026-54420

LiteSpeed cPanel plugin before 2.4.8 as distributed in LiteSpeed WHM PlugIn before 5.3.2.0 mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026...

CVSS 8.5
Exploits: 0 | References: 2
Cvelist
• added 9 hours ago • 7 views

CVE-2026-54421

In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information such as iSCSI credentials. The PATCH outcome is a security issue; the POST outcome is not a security issue...

CVSS 6.8
Exploits: 0 | References: 1
CVE
• added 9 hours ago • 10 views

CVE-2026-54421

CVE-2026-54421 affects OpenStack Ironic (through 35.0.1). A PATCH to update fields in volume properties, restricted to the user’s permissions, can disclose unredacted sensitive information (e.g., iSCSI credentials). The PATCH outcome is identified as a security issue; the POST outcome is not. Thi...

CVSS 6.8 | AI score 5.3
Exploits: 0 | References: 1
EUVD
• added 9 hours ago • 9 views

EUVD-2026-36658

In OpenStack Ironic through 35.0.1, when applying a PATCH to update fields in volume properties the user is authorized for, Ironic can return unredacted sensitive information such as iSCSI credentials. The PATCH outcome is a security issue; the POST outcome is not a security issue...

CVSS 6.8 | AI score 5.3
Exploits: 0 | References: 1
CVE
• added 9 hours ago • 12 views

CVE-2026-54420

The CVE-2026-54420 entry concerns LiteSpeed cPanel plugin versions prior to 2.4.8 (as packaged in LiteSpeed WHM Plugin prior to 5.3.2.0). The root cause is mishandling of user-provided symlinks on shared hosting environments running CloudLinux/CageFS, allowing abuse through FTP or web shell acces...

CVSS 8.5 | AI score 5.3
Exploits: 0 | References: 2
EUVD
• added 9 hours ago • 9 views

EUVD-2026-36657

LiteSpeed cPanel plugin before 2.4.8 as distributed in LiteSpeed WHM PlugIn before 5.3.2.0 mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026...

CVSS 8.5 | AI score 5.3
Exploits: 0 | References: 2
Cvelist
• added 9 hours ago • 9 views

CVE-2026-54420

LiteSpeed cPanel plugin before 2.4.8 as distributed in LiteSpeed WHM PlugIn before 5.3.2.0 mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026...

CVSS 8.5
Exploits: 0 | References: 2
Nuclei
• added 10 hours ago • 14 views

123Solar 1.8.4.5 - Cross-Site Scripting

123Solar 1.8.4.5 is vulnerable to reflected cross-site scripting XSS via the date1 parameter in detailed.php. Unsanitized user input is reflected in the response, allowing arbitrary JavaScript execution. id: CVE-2024-9007 info: name: 123Solar 1.8.4.5 - Cross-Site Scripting author: ritikchaddha...

CVSS 5.4 | AI score 4.7 | EPSS 0.03711
Exploits: 1 | References: 2
Nuclei
• added 10 hours ago • 14 views

Moodle LMS Jmol Plugin <= 6.1 - Cross-Site Scripting

A reflected cross-site scripting XSS vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the data parameter in jsmol.php. The application fails to properly sanitize user input before embedding it into the HTTP response, allowing an attacker to execute arbitrary JavaScript...

CVSS 6.1 | AI score 5.4 | EPSS 0.0013
Exploits: 1 | References: 2
Nuclei
• added 10 hours ago • 13 views

MailEnable Mail Service < v10 - Cross-Site Scripting

Cross Site Scripting XSS vulnerability in MailEnable before v10 allows a remote attacker to execute arbitrary code via the failure.aspx component. id: CVE-2025-44148 info: name: MailEnable Mail Service < v10 - Cross-Site Scripting author: ritikchaddha severity: medium description: | Cross Site...

CVSS 9.8 | AI score 5.9 | EPSS 0.14511
Exploits: 1 | References: 2
Nuclei
• added 10 hours ago • 12 views

CRM Perks Forms <= 1.1.4 - SQL Injection

CRM Perks CRM Perks Forms affected versions 1.1.4 and earlier contains a SQL injection caused by improper neutralization of special elements used in an SQL command, letting attackers execute arbitrary SQL commands, exploit requires user interaction. id: CVE-2024-30498 info: name: CRM Perks Forms ...

CVSS 10 | AI score 8.9 | EPSS 0.14998
Exploits: 0 | References: 3
Nuclei
• added 10 hours ago • 10 views

MyStyle Custom Product Designer <= 3.21.1 - SQL Injection

The MyStyle Custom Product Designer plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.21.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated...

CVSS 9.3 | AI score 5.8 | EPSS 0.05014
Exploits: 0 | References: 1
Nuclei
• added 10 hours ago • 18 views

Cryptocurrency Widgets Pack <= 1.8.1 - SQL Injection

Cryptocurrency Widgets Pack Plugin <=1.8.1 for WordPress contains an unauthenticated SQL injection caused by unsanitized user input in database queries, letting attackers execute arbitrary SQL commands, exploit requires no authentication. id: CVE-2022-44588 info: name: Cryptocurrency Widgets Pack ...

CVSS 9.9 | AI score 9 | EPSS 0.34664
Exploits: 0 | References: 2