| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-47761 | TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection | tinymce | tinymce | High | 8.7 | 2026-05-28 15:20:58 | Deep Dive |
| CVE-2026-47759 | TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes | tinymce | tinymce | High | 8.7 | 2026-05-28 15:20:11 | Deep Dive |
| CVE-2026-47760 | TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs | tinymce | tinymce | High | 8.7 | 2026-05-28 15:18:23 | Deep Dive |
| CVE-2026-48525 | PyJWT: Unauthenticated DoS via unbounded Base64URL decoding of unused payload segment in b64=false detached JWS | jpadilla | pyjwt | Medium | 5.3 | 2026-05-28 15:11:12 | Deep Dive |
| CVE-2026-48523 | PyJWT: Algorithm allow-list bypass when decoding with `PyJWK` / `PyJWKClient` keys | jpadilla | pyjwt | Medium | 5.4 | 2026-05-28 15:10:19 | Deep Dive |
| CVE-2026-48526 | PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed | jpadilla | pyjwt | High | 7.4 | 2026-05-28 15:09:09 | Deep Dive |
| CVE-2026-48524 | PyJWT: PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS) | jpadilla | pyjwt | Low | 3.7 | 2026-05-28 15:07:35 | Deep Dive |
| CVE-2026-48522 | PyJWKClient: missing scheme allowlist enables SSRF + token forgery via file://, ftp://, data: schemes | jpadilla | pyjwt | Medium | 4.2 | 2026-05-28 15:00:30 | Deep Dive |
| CVE-2026-48155 | pypdf: Possible large memory usage for large offsets for layout mode text | py-pdf | pypdf | - | - | 2026-05-28 14:51:49 | Deep Dive |
| CVE-2026-48156 | pypdf: Possible long runtimes for zero-only width values in cross-reference streams | py-pdf | pypdf | - | - | 2026-05-28 14:50:42 | Deep Dive |
| CVE-2026-48735 | pypdf: Manipulated XMP metadata streams can exhaust RAM | py-pdf | pypdf | - | - | 2026-05-28 14:49:12 | Deep Dive |
| CVE-2026-44594 | esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files | esm-dev | esm.sh | High | 7.5 | 2026-05-28 14:45:05 | Deep Dive |
| CVE-2026-44593 | esm.sh: Legacy Route Path Traversal Can Lead to RCE | esm-dev | esm.sh | - | - | 2026-05-28 14:44:21 | Deep Dive |
| CVE-2026-44672 | mapfish-print: Remote Code Injection (RCE) in Dynamic table | mapfish | mapfish-print | - | - | 2026-05-28 14:35:29 | Deep Dive |
| CVE-2026-44358 | Espressif Shared GitHub DangerJS: Untrusted Search Path in DangerJS Action Entrypoint | espressif | shared-github-dangerjs | High | 8.2 | 2026-05-28 14:28:43 | Deep Dive |
| CVE-2026-45017 | Python Liquid: Absolute paths escape filesystem loader search path | jg-rp | liquid | - | - | 2026-05-28 14:24:28 | Deep Dive |
| CVE-2026-41565 | CryptX versions before 0.088_001 for Perl have a stack buffer overflow in four AEAD decrypt_verify helpers | MIK | CryptX | - | - | 2026-05-28 14:13:19 | Deep Dive |
| CVE-2026-35676 | phpMyFAQ - Unauthenticated Password Reset via User Password Update Endpoint | thorsten | phpMyFAQ | High | 8.2 | 2026-05-28 14:13:15 | Deep Dive |
| CVE-2026-35672 | phpMyFAQ - Authentication Bypass via Empty API Token | thorsten | phpMyFAQ | High | 7.5 | 2026-05-28 14:13:14 | Deep Dive |
| CVE-2026-35675 | phpMyFAQ - Authentication Bypass via Missing Password Reset Token in /api/user/password/update | thorsten | phpMyFAQ | High | 8.2 | 2026-05-28 14:13:14 | Deep Dive |