| # | CVSS | Severity | Attack vector | Vendor | Product | Description | Status | CWE | CVE | Dates |
|---|------|----------|---------------|--------|---------|-------------|--------|-----|-----|-------|
| 1 | 9.9 | CRITICAL | Network | dokku | dokku | Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku user. An app.json cron command utilizing special she… | New | CWE-78 OS Command | CVE-2026-54636 | 2026-06-27 04:01, 2026-06-27 |
| 2 | 8.8 | HIGH | Network | dokku | dokku | Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filen… | New | CWE-95 Eval Injection | CVE-2026-45406 | 2026-06-27 04:01, 2026-06-27 |
| 3 | 5.4 | MEDIUM | Network | getgrav | grav | Grav before 1.6.30 contains a cross-site scripting vulnerability in the Admin plugin page editor default security configuration. Privileged users with page editing capabilities can inject malicious s… | New | CWE-79 Cross-site Scripting | CVE-2020-37256 | 2026-06-27 03:58, 2026-06-26 |
| 4 | 5.5 | MEDIUM | Local | freebsd | freebsd | When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The … | New | CWE-269 Improper Privilege Management | CVE-2026-45256 | 2026-06-27 03:58, 2026-06-27 |
| 5 | 7.5 | HIGH | Network | apache | apache-airflow-providers-ftp | The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was tran… | New | CWE-319 Cleartext Transmission of Sensitive Information | CVE-2026-49486 | 2026-06-27 03:58, 2026-06-26 |
| 6 | 5.4 | MEDIUM | Network | jupyter | jupyter_server | Jupyter Server is the backend for Jupyter web applications. Prior to 2.20, the nbconvert HTTP handlers in jupyter_server render user-authored notebook HTML under the Jupyter origin without a sandbox … | New | CWE-79 Cross-site Scripting; CWE-1021 Improper Restriction of Rendered UI Layers or Frames | CVE-2026-44727 | 2026-06-27 03:57, 2026-06-23 |
| 7 | 7.8 | HIGH | Local | freebsd | freebsd | The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by se… | New | CWE-123 Write-what-where Condition | CVE-2026-45257 | 2026-06-27 03:56, 2026-06-27 |
| 8 | 8.8 | HIGH | Network | dokku | dokku | Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preve… | New | CWE-59 Link Following | CVE-2026-45405 | 2026-06-27 03:56, 2026-06-27 |
| 9 | 5.5 | MEDIUM | Local | dokku | dokku | Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:auth command creates $DOKKU_ROOT/.netrc using bash's touch command, which applies the default umask of 0644. This pre-creation defeats the net… | New | CWE-522 Insufficiently Protected Credentials | CVE-2026-45407 | 2026-06-27 03:55, 2026-06-27 |
| 10 | 9.0 | CRITICAL | Network | dokku | dokku | Dokku is a docker-powered PaaS. Prior to 0.38.2, the app name validation regex (^[a-z0-9][^/:_A-Z]*$) permits shell metacharacters. When an authenticated user pushes to a git remote with a crafted ap… | New | CWE-78 OS Command | CVE-2026-45408 | 2026-06-27 03:55, 2026-06-27 |