CVSS: 8.4 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-42881 – STIGQter: Arbitrary File Write leading to Local Code Execution via Export HTML
https://notcve.org/view.php?id=CVE-2026-42881
14 May 2026 — STIGQter versions from 0.1.2 before 1.2.7 allow an attacker to achieve local code execution (LCE) with the privileges of the user running STIGQter. • https://github.com/squinky86/STIGQter/security/advisories/GHSA-mcv5-5j7p-vqh7 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-73: External Control of File Name or Path •
CVSS: 9.6 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-44482 – soundcloud-rpc: Remote Code Execution via XSS in Track Title
https://notcve.org/view.php?id=CVE-2026-44482
14 May 2026 — Attacker-controlled SoundCloud track metadata can lead to local command execution on the user's machine. • https://github.com/richardhbtz/soundcloud-rpc/security/advisories/GHSA-p37x-32p8-445f • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-862: Missing Authorization •
CVSS: 8.6 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-41937 – Vvveb < 1.0.8.3 Unrestricted File Upload RCE via Plugin Upload
https://notcve.org/view.php?id=CVE-2026-41937
14 May 2026 — Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows super_admin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file. Attackers can craft a ZIP containing a plugin.php with a valid Slug header and a public/index.php file with arbitrary PHP code, which executes as the web server user when accessed via unauthenticated HTTP requests to the plugin's public path. • https://www.vulncheck.com/advisories/vvveb-unrestricted-file-upload-rce-via-plugin-upload • CWE-61: UNIX Symbolic Link (Symlink) Following CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.0 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2025-62628
https://notcve.org/view.php?id=CVE-2025-62628
14 May 2026 — Unsafe OpenSSL initialization within some AMD optional tools may allow a local attacker with user privileges to inject a malicious DLL, potentially resulting in arbitrary code execution. • https://www.amd.com/en/resources/product-security/bulletin/AMD-SB-9024.html • CWE-427: Uncontrolled Search Path Element •
CVSS: 8.8 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2026-6637 – PostgreSQL refint allows stack buffer overflow and SQL injection
https://notcve.org/view.php?id=CVE-2026-6637
14 May 2026 — Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. ... In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. • https://www.postgresql.org/support/security/CVE-2026-6637 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-121: Stack-based Buffer Overflow •
CVSS: 8.8 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2026-6473 – PostgreSQL server undersizes allocations, via integer wraparound
https://notcve.org/view.php?id=CVE-2026-6473
14 May 2026 — Undersized allocations caused by integer wraparound may allow execution of arbitrary code as the operating system user running the database. • https://www.postgresql.org/support/security/CVE-2026-6473 • CWE-190: Integer Overflow or Wraparound •
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-6271 – Career Section <= 1.7 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2026-6271
14 May 2026 — The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV upload handler. ... This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible. • https://plugins.trac.wordpress.org/changeset/3507785/career-section • CWE-434: Unrestricted Upload of File with Dangerous Type •
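The two upload entries above (Vvveb plugin ZIP upload, Career Section CV upload) describe the same failure class: a web handler writes attacker-supplied files into a location the web server later executes. The following is an added example, not code from Vvveb, WordPress or the Career Section plugin, showing the checks a reviewer would run over such uploads before they are unpacked or stored: path containment for archive entries (CWE-22), rejection of symlink entries (CWE-61), and rejection of PHP anywhere below a publicly served `public/` directory or embedded in a CV file name (CWE-434). Function names and the sample archives are constructed for illustration; the `Slug` header is a stand-in for the header the Vvveb description mentions.

```python
"""Upload-audit helpers (constructed example, not any project's own code)."""
import io
import os
import posixpath
import stat
import zipfile
from typing import Dict, List, Optional

# Extensions a stock Apache/PHP-FPM setup hands to the PHP interpreter
# (matched case-insensitively).
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}

# Constructed allowlist for CV uploads: extension -> required leading bytes.
CV_MAGIC = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04"}  # OOXML is a ZIP container


def _php_segments(name: str) -> bool:
    """True if any dot-separated segment after the first is a PHP extension.

    Catches names like cv.php.pdf: Apache's AddHandler matches an extension
    anywhere in the name, so checking only the final extension is not enough."""
    segs = name.lower().split(".")[1:]
    return any("." + s in PHP_EXTENSIONS for s in segs)


def _is_symlink(info: zipfile.ZipInfo) -> bool:
    # The Unix mode is stored in the high 16 bits of external_attr.
    return stat.S_ISLNK(info.external_attr >> 16)


def check_plugin_zip(data: bytes) -> List[str]:
    """Return policy violations for a plugin archive (empty list if clean)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            norm = posixpath.normpath(name)
            # CWE-22: absolute paths, backslash separators, or '..' escaping the plugin dir.
            if name.startswith("/") or "\\" in name or norm == ".." or norm.startswith("../"):
                problems.append(f"path escapes plugin directory: {name}")
                continue
            # CWE-61: a symlink entry can point anywhere on disk once extracted.
            if _is_symlink(info):
                problems.append(f"symlink entry: {name}")
                continue
            # CWE-434: PHP below public/ is reachable by unauthenticated HTTP requests.
            parts = norm.split("/")
            if "public" in parts[:-1] and _php_segments(parts[-1]):
                problems.append(f"PHP reachable under public/: {name}")
    return problems


def check_cv_upload(filename: str, content: bytes) -> Optional[str]:
    """Return a rejection reason for a CV upload, or None if it is acceptable."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop client-supplied directories
    ext = os.path.splitext(base.lower())[1]
    if ext not in CV_MAGIC:
        return f"extension not allowed: {ext or '(none)'}"
    if _php_segments(base):
        return "PHP extension embedded in file name"
    if not content.startswith(CV_MAGIC[ext]):
        return "content does not match declared type"
    return None


def build_zip(entries: Dict[str, bytes], symlinks: Optional[Dict[str, str]] = None) -> bytes:
    """Construct an in-memory ZIP (test fixture for the checks above)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
        for name, target in (symlinks or {}).items():
            info = zipfile.ZipInfo(name)
            info.external_attr = (stat.S_IFLNK | 0o777) << 16  # mark entry as a symlink
            zf.writestr(info, target)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed archive with the shape the Vvveb description gives plus a traversal entry.
    suspect = build_zip(
        {"plugin.php": b"<?php /* Slug: demo */", "public/index.php": b"<?php echo 1;",
         "../../config.php": b"x"},
        symlinks={"public/link": "/etc/passwd"},
    )
    for problem in check_plugin_zip(suspect):
        print("reject:", problem)
    print(check_cv_upload("cv.php.pdf", b"%PDF-1.7"))
```

Rejecting the archive at upload time is the cheap part; the stored CV should additionally be written under a server-generated name in a directory the web server serves without script execution, since a name-based filter is only as good as the server's handler configuration.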
CVSS: 5.4 | EPSS: 0% | CPEs: 3 | EXPL: 1 | CVE-2025-12669 – Improper Control of Generation of Code ('Code Injection') in GitLab
https://notcve.org/view.php?id=CVE-2025-12669
14 May 2026 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.11 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user to inject HTML and JavaScript into email notifications sent to other users due to improper input sanitization. • https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1 | CVE-2026-6335 – Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
https://notcve.org/view.php?id=CVE-2026-6335
14 May 2026 — GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user to execute arbitrary code in another user's browser session due to improper sanitization. • https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.3 | EPSS: 0% | CPEs: - | EXPL: 0 | CVE-2025-69443
https://notcve.org/view.php?id=CVE-2025-69443
14 May 2026 — Remote Code Execution in coleam00 Archon 0.1.0. • https://www.ox.security/blog/archon-remote-code-execution • CWE-94: Improper Control of Generation of Code ('Code Injection') •
