Security Vulnerabilities - CVEs Published In May 2026
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.26.0, FreeRDP's RDPEAR NDR parser accepts one non-null NDR pointer ref-id for multiple logical pointer fields without tracking the pointed object's expected NDR type or ownership. When the same ref-id is reused across two pointer fields, the parser assigns the same heap object to both output fields. The generic destructor later walks each field independently and destroys/frees both pointers. This causes a malicious-server-triggerable heap use-after-free / double-free in the FreeRDP client's RDPEAR authentication-redirection path. This vulnerability is fixed in 3.26.0.
CVSS Score
7.5
EPSS Score
0.001
Published
2026-05-29
A stored
cross-site scripting (XSS) vulnerability has been identified in the web
management interface of TP-Link's TL-SG108PE v5 switch due to improper sanitation of the SYSNAM
configuration parameter during configuration file import. An attacker with
administrator access can inject malicious script into the device configuration,
which may be stored and executed in the administrator’s browser when the
affected interface is viewed.
Successful
exploitation may allow session cookie theft, unauthorized configuration
changes, or access to sensitive information exposed through the management
interface.
CVSS Score
5.3
EPSS Score
0.0
Published
2026-05-29
In JetBrains TeamCity before 2026.1 stored XSS on the SAML login page was possible
CVSS Score
3.4
EPSS Score
0.0
Published
2026-05-29
In JetBrains IntelliJ IDEA before 2026.1 code execution was possible via template injection in the Copyright plugin
CVSS Score
4.5
EPSS Score
0.0
Published
2026-05-29
In JetBrains IntelliJ IDEA before 2026.1 xXE in the UI Designer form parser was possible
CVSS Score
3.3
EPSS Score
0.0
Published
2026-05-29
In JetBrains PyCharm before 2025.3.4 stored XSS in Jupyter notebook Markdown cells was possible
CVSS Score
6.1
EPSS Score
0.001
Published
2026-05-29
In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts
CVSS Score
6.5
EPSS Score
0.0
Published
2026-05-29
In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas
CVSS Score
6.5
EPSS Score
0.0
Published
2026-05-29
In JetBrains TeamCity before 2026.1,
2025.11.5 unauthenticated SSRF via build status was possible
CVSS Score
7.5
EPSS Score
0.0
Published
2026-05-29
In JetBrains TeamCity before 2026.1 remote code execution was possible via Perforce connection settings
CVSS Score
7.1
EPSS Score
0.0
Published
2026-05-29