|
7551
|
- |
-
|
-
|
-
|
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the admin router explicitly whitelists /profile/cpu and /profile/memory from the authentication layer, allowing any…
|
CWE-306
Missing Authentication for Critical Function
|
CVE-2026-45044
|
2026-05-30 00:11 |
2026-05-29 |
|
|
|
|
7552
|
- |
-
|
-
|
-
|
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, when RUSTFS_CORS_ALLOWED_ORIGINS is unset, the RustFS S3 listener's ConditionalCorsLayer reflects any request Origi…
|
CWE-306 CWE-346 CWE-942
Missing Authentication for Critical Function; Origin Validation Error; Permissive Cross-domain Policy with Untrusted Domains
|
CVE-2026-46685
|
2026-05-30 00:11 |
2026-05-29 |
|
|
|
|
7553
|
- |
-
|
-
|
-
|
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the RustFS console endpoint GET /rustfs/console/license returns parsed license metadata without requiring authentic…
|
CWE-200 CWE-306
Information Exposure; Missing Authentication for Critical Function
|
CVE-2026-47136
|
2026-05-30 00:11 |
2026-05-29 |
|
|
|
|
7554
|
- |
-
|
-
|
-
|
Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.0.0 to 2.28.1, lack of validation of filter_target parameter on return_dynamic_filters.php (normally used as an AJAX in View Issu…
|
CWE-79
Cross-site Scripting
|
CVE-2026-41897
|
2026-05-30 00:11 |
2026-05-29 |
|
|
|
|
7555
|
- |
-
|
-
|
-
|
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, the mc_issue_update() function in MantisBT allows users having update_bug_threshold access (UPDATER, with default setti…
|
CWE-863
Incorrect Authorization
|
CVE-2026-42070
|
2026-05-30 00:11 |
2026-05-29 |
|
|
|
|
7556
|
- |
-
|
-
|
-
|
Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT's file visibility function allows any authenticated user (REPORTER+) to…
|
CWE-862
Missing Authorization
|
CVE-2026-42071
|
2026-05-30 00:11 |
2026-05-29 |
|
|
|
|
7557
|
- |
-
|
-
|
-
|
Mantis Bug Tracker (MantisBT) is an open source issue tracker. From 1.3.0 to 2.28.1, unescaped Project Name allows an attacker that can set it (which typically requires manager or administrator acces…
|
CWE-79
Cross-site Scripting
|
CVE-2026-44655
|
2026-05-30 00:11 |
2026-05-29 |
|
|
|
|
7558
|
- |
-
|
-
|
-
|
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Prior to 2.28.2, using show_inline=1 parameter and a valid file_show_inline_token CSRF token on file_download.php, an attacker can execu…
|
CWE-79
Cross-site Scripting
|
CVE-2026-44657
|
2026-05-30 00:11 |
2026-05-29 |
|
|
|
|
7559
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Service Center developed by BankPro E-Service Technology has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify the parameter of a specific query fun…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-9493
|
2026-05-30 00:11 |
2026-05-29 |
|
|
|
|
7560
|
4.8 |
MEDIUM
Network
|
-
|
-
|
ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed …
|
CWE-79
Cross-site Scripting
|
CVE-2026-10057
|
2026-05-30 00:11 |
2026-05-29 |
|
|
|
|
7561
|
4.8 |
MEDIUM
Network
|
-
|
-
|
ITS Intelligent SCADA System developed by ITP Technology has a Stored Cross-Site Scripting vulnerability, allowing privileged remote attackers to inject persistent JavaScript codes that are executed …
|
CWE-79
Cross-site Scripting
|
CVE-2026-10058
|
2026-05-30 00:11 |
2026-05-29 |
|
|
|
|
7562
|
9.8 |
CRITICAL
Network
|
-
|
-
|
DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code exec…
|
CWE-434
Unrestricted Upload of File with Dangerous Type
|
CVE-2026-10071
|
2026-05-30 00:11 |
2026-05-29 |
|
|
|
|
7563
|
7.2 |
HIGH
Network
|
-
|
-
|
DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution…
|
CWE-434
Unrestricted Upload of File with Dangerous Type
|
CVE-2026-10072
|
2026-05-30 00:11 |
2026-05-29 |
|
|
|
|
7564
|
7.5 |
HIGH
Network
|
-
|
-
|
DreamMaker developed by Interinfo has an Arbitrary File Read vulnerability, allowing unauthenticated local attackers to exploit Relative Path Traversal to download arbitrary system files.
|
CWE-23
Relative Path Traversal
|
CVE-2026-10073
|
2026-05-30 00:11 |
2026-05-29 |
|
|
|
|
7565
|
4.9 |
MEDIUM
Network
|
-
|
-
|
DreamMaker developed by Interinfo has an Arbitrary File Read vulnerability, allowing privileged local attackers to exploit Relative Path Traversal to download arbitrary system files.
|
CWE-23
Relative Path Traversal
|
CVE-2026-10074
|
2026-05-30 00:11 |
2026-05-29 |
|
|
|
|
7566
|
5.3 |
MEDIUM
Network
|
-
|
-
|
DreamMaker developed by Interinfo has a Path Traversal vulnerability, allowing unauthenticated remote attackers to read file names under arbitrary path by exploiting an Absolute Path Traversal vulner…
|
CWE-36
Absolute Path Traversal
|
CVE-2026-10075
|
2026-05-30 00:11 |
2026-05-29 |
|
|
|
|
7567
|
4.6 |
MEDIUM
Physical
|
-
|
-
|
Expected behavior violation in the in-vehicle network of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the motorcycle's anti-theft shutdown b…
|
CWE-440 CWE-693 CWE-754
Expected Behavior Violation; Protection Mechanism Failure; Improper Check for Unusual or Exceptional Conditions
|
CVE-2026-49316
|
2026-05-30 00:11 |
2026-05-29 |
|
|
|
|
7568
|
2.4 |
LOW
Physical
|
-
|
-
|
Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. T…
|
CWE-636 CWE-696 CWE-754
Not Failing Securely ('Failing Open'); Incorrect Behavior Order; Improper Check for Unusual or Exceptional Conditions
|
CVE-2026-49317
|
2026-05-30 00:11 |
2026-05-29 |
|
|
|
|
7569
|
2.4 |
LOW
Physical
|
-
|
-
|
Incorrect behavior order in the Infotainment / Digital Round display of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows an adjacent-network attacker to bypass the PIN entry screen. T…
|
CWE-636 CWE-696 CWE-754
Not Failing Securely ('Failing Open'); Incorrect Behavior Order; Improper Check for Unusual or Exceptional Conditions
|
CVE-2026-49318
|
2026-05-30 00:11 |
2026-05-29 |
|
|
|
|
7570
|
4.6 |
MEDIUM
Physical
|
-
|
-
|
Improper handling of physical conditions in the bike-shutdown control of the Indian Motorcycle Scout Bobber + Tech 2025 model year allows a physical attacker with access to the Wireless Control Modul…
|
CWE-693 CWE-754 CWE-1384
Protection Mechanism Failure; Improper Check for Unusual or Exceptional Conditions
|
CVE-2026-49325
|
2026-05-30 00:11 |
2026-05-29 |
|
|
|
|
7571
|
- |
-
|
-
|
-
|
RabbitMQ is a messaging and streaming broker. From 4.2.0 to before 4.2.4, RabbitMQ's MQTT plugin allows for topic-level authorization using regular expressions with variable substitution. Administrat…
|
CWE-863
Incorrect Authorization
|
CVE-2026-44838
|
2026-05-30 00:06 |
2026-05-28 |
|
|
|
|
7572
|
- |
-
|
-
|
-
|
RabbitMQ is a messaging and streaming broker. From 3.7.0 to before 4.1.2 and 4.0.13, This vulnerability is fixed in 4.1.2 and 4.0.13.
|
CWE-80
Basic XSS
|
CVE-2026-44839
|
2026-05-30 00:06 |
2026-05-28 |
|
|
|
|
7573
|
- |
-
|
-
|
-
|
Insecure default settings of Portainer CE grant regular (non-admin) users privileges that allow host filesystem access and host-level code execution. An authenticated non-administrative user with end…
|
CWE-276
Incorrect Default Permissions
|
CVE-2026-33590
|
2026-05-30 00:06 |
2026-05-29 |
|
|
|
|
7574
|
- |
-
|
-
|
-
|
A stored cross-site scripting (XSS) vulnerability exists in the notification panel of CTI Transmute in versions prior to the patched release. Notification messages containing user-controlled convert …
|
CWE-79
Cross-site Scripting
|
CVE-2026-9806
|
2026-05-29 23:46 |
2026-05-28 |
|
|
|
|
7575
|
4.6 |
MEDIUM
Network
|
-
|
-
|
A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifi…
|
CWE-22
Path Traversal
|
CVE-2026-33462
|
2026-05-29 23:46 |
2026-05-29 |
|
|
|
|
7576
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Operation on a Resource after Expiration or Termination (CWE-672) in Kibana can lead to unauthorized information disclosure. A logic error in how expiration timestamps were validated allowed a time-b…
|
CWE-672
Operation on a Resource after Expiration or Release
|
CVE-2026-33463
|
2026-05-29 23:46 |
2026-05-29 |
|
|
|
|
7577
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to a denial of service via Excessive Allocation (CAPEC-130). An authenticated user holding a low-privileged role can submit a specially …
|
CWE-400
Uncontrolled Resource Consumption
|
CVE-2026-33464
|
2026-05-29 23:46 |
2026-05-29 |
|
|
|
|
7578
|
4.1 |
MEDIUM
Network
|
-
|
-
|
Improper Neutralization of Input During Web Page Generation (CWE-79) in Kibana can lead to stored HTML injection. A user with write access to an Elasticsearch index could persist crafted markup which…
|
CWE-79
Cross-site Scripting
|
CVE-2026-42401
|
2026-05-29 23:46 |
2026-05-29 |
|
|
|
|
7579
|
5.0 |
MEDIUM
Local
|
-
|
-
|
Improper handling of symbolic links in the installer of My Image Garden for macOS Version 3.6.8 or earlier may allow a local attacker with login privileges to exploit a specially crafted symbolic lin…
|
CWE-59
Link Following
|
CVE-2026-6891
|
2026-05-29 23:46 |
2026-05-29 |
|
|
|
|
7580
|
5.0 |
MEDIUM
Local
|
-
|
-
|
Improper handling of symbolic links in the installer of CUPS Printer Driver for macOS(*) may allow a local attacker with login privileges to exploit a specially crafted symbolic link during installat…
|
CWE-59
Link Following
|
CVE-2026-6892
|
2026-05-29 23:46 |
2026-05-29 |
|
|
|
|
7581
|
- |
-
|
-
|
-
|
An Incorrect Permission Assignment for Critical Resource vulnerability in ASUS System Control Interface allows a local user to elevate privileges to SYSTEM and execute arbitrary code via a crafted RP…
|
CWE-732
Incorrect Permission Assignment for Critical Resource
|
CVE-2026-7480
|
2026-05-29 23:46 |
2026-05-29 |
|
|
|
|
7582
|
- |
-
|
-
|
-
|
Incorrect permission assignment for a critical resource in Armoury Crate allows a local user to bypass the driver’s validation mechanism, resulting in unauthorized read and write access to physical m…
|
CWE-732
Incorrect Permission Assignment for Critical Resource
|
CVE-2026-8070
|
2026-05-29 23:46 |
2026-05-29 |
|
|
|
|
7583
|
- |
-
|
-
|
-
|
Unauthenticated Debug Service. The /sbin/mtk_dut binary is exposed on TCP port 9000 without authentication, allowing any LAN-based attacker to execute arbitrary UCC commands.
|
CWE-306
Missing Authentication for Critical Function
|
CVE-2026-49195
|
2026-05-29 23:46 |
2026-05-29 |
|
|
|
|
7584
|
- |
-
|
-
|
-
|
The Wi-Fi device blocking feature fails to sanitize MAC address input, allowing injection and execution of arbitrary shell commands.
|
CWE-77
Command Injection
|
CVE-2026-49196
|
2026-05-29 23:46 |
2026-05-29 |
|
|
|
|
7585
|
- |
-
|
-
|
-
|
Web endpoints intended for the Acer Connect app improperly validate the HTTP Authorization header, failing to block requests when Base64 decoding fails.
|
CWE-287
Improper Authentication
|
CVE-2026-49197
|
2026-05-29 23:46 |
2026-05-29 |
|
|
|
|
7586
|
- |
-
|
-
|
-
|
Improper access control in the MQTT broker allows wildcard topic subscriptions, exposing all MQTT traffic to unauthorized actors.
|
CWE-284
Improper Access Control
|
CVE-2026-49198
|
2026-05-29 23:46 |
2026-05-29 |
|
|
|
|
7587
|
- |
-
|
-
|
-
|
The acer_cgi.log file in the device firmware is accessible without authentication via the web interface. This file contains cleartext login credentials (for web and Telnet), leading to unauthorized s…
|
CWE-532
Inclusion of Sensitive Information in Log Files
|
CVE-2026-49200
|
2026-05-29 23:46 |
2026-05-29 |
|
|
|
|
7588
|
- |
-
|
-
|
-
|
The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating pers…
|
CWE-798
Use of Hard-coded Credentials
|
CVE-2026-49201
|
2026-05-29 23:46 |
2026-05-29 |
|
|
|
|
7589
|
7.5 |
HIGH
Network
|
-
|
-
|
Music Player Daemon (MPD) before version 0.24.11 contains a path traversal vulnerability in LocalStorage::MapFSOrThrow and LocalStorage::MapUTF8 within the local storage plugin, where the on-disk pat…
|
CWE-22
Path Traversal
|
CVE-2026-49128
|
2026-05-29 23:16 |
2026-05-29 |
|
|
|
|
7590
|
8.2 |
HIGH
Network
|
-
|
-
|
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verificatio…
|
CWE-307
Improper Restriction of Excessive Authentication Attempts
|
CVE-2026-35675
|
2026-05-29 23:16 |
2026-05-29 |
|
|
|
|
7591
|
6.5 |
MEDIUM
Network
|
apache
|
ignite
|
Relative Path Traversal vulnerability in Apache Ignite REST API.
Authenticated REST API users can read any file on the server with "cmd=log" command and a log path crafted in a certain way.
This iss…
|
CWE-23
Relative Path Traversal
|
CVE-2025-48977
|
2026-05-29 23:11 |
2026-05-28 |
|
|
|
|
7592
|
9.8 |
CRITICAL
Network
|
inhandnetworks
|
ir315_firmware ir302_firmware ir615_firmware ir305_firmware
|
A command injection vulnerability exists in the Admin Access feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier…
|
CWE-77
Command Injection
|
CVE-2026-38702
|
2026-05-29 23:09 |
2026-05-29 |
|
|
|
|
7593
|
9.8 |
CRITICAL
Network
|
inhandnetworks
|
ir315_firmware ir302_firmware ir615_firmware ir305_firmware
|
A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier…
|
CWE-77
Command Injection
|
CVE-2026-38703
|
2026-05-29 23:09 |
2026-05-29 |
|
|
|
|
7594
|
9.8 |
CRITICAL
Network
|
inhandnetworks
|
ir315_firmware ir302_firmware ir615_firmware ir305_firmware
|
A command injection vulnerability exists in the IPSec VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier ve…
|
CWE-77
Command Injection
|
CVE-2026-38707
|
2026-05-29 23:08 |
2026-05-29 |
|
|
|
|
7595
|
9.8 |
CRITICAL
Network
|
inhandnetworks
|
ir315_firmware ir302_firmware ir615_firmware ir305_firmware
|
A command injection vulnerability exists in the WireGuard VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlie…
|
CWE-77
Command Injection
|
CVE-2026-38704
|
2026-05-29 23:08 |
2026-05-29 |
|
|
|
|
7596
|
8.6 |
HIGH
Network
|
-
|
-
|
Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt st…
|
CWE-193
Off-by-one Error
|
CVE-2026-49127
|
2026-05-29 23:07 |
2026-05-29 |
|
|
|
|
7597
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Music Player Daemon (MPD) before version 0.24.11 contains a CRLF injection vulnerability in the xspf_char_data function within the XSPF playlist plugin that allows attackers to embed literal CR/LF by…
|
CWE-93
CRLF Injection
|
CVE-2026-49130
|
2026-05-29 23:07 |
2026-05-29 |
|
|
|
|
7598
|
5.8 |
MEDIUM
Network
|
-
|
-
|
Music Player Daemon (MPD) before version 0.24.11 contains a server-side request forgery vulnerability in CurlInputPlugin where CURLOPT_FOLLOWLOCATION is set without CURLOPT_REDIR_PROTOCOLS_STR, allow…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-49129
|
2026-05-29 23:07 |
2026-05-29 |
|
|
|
|
7599
|
4.1 |
MEDIUM
Network
|
-
|
-
|
A flaw was found in the Quay config-tool's LDAP and SMTP validation functions. An attacker with config editor access can exploit these functions, which make outbound connections to user-supplied endp…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-10052
|
2026-05-29 23:06 |
2026-05-29 |
|
|
|
|
7600
|
2.7 |
LOW
Network
|
-
|
-
|
A flaw was found in the Quay config-tool's GitLab OAuth validator. This vulnerability causes sensitive credentials, specifically client_id and client_secret, to be transmitted as plaintext in URL que…
|
CWE-598
Information Exposure Through Query Strings in GET Request
|
CVE-2026-10078
|
2026-05-29 23:06 |
2026-05-29 |
|
|
|