|
1211
|
5.8 |
MEDIUM
Network
|
-
|
-
|
css_parser is a Ruby CSS parser. Prior to 2.1.0 and 1.22.0, the CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker to inject or modify CSS content when s…
|
CWE-295
CWE-829
Improper Certificate Validation
Inclusion of Functionality from Untrusted Control Sphere
|
CVE-2026-44312
|
2026-05-16 04:16 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1212
|
7.3 |
HIGH
Network
|
-
|
-
|
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, the Outline comment section permits users to mention other users; however, the backend does not validate or san…
|
CWE-79
Cross-site Scripting
|
CVE-2026-43887
|
2026-05-16 04:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1213
|
- |
|
-
|
-
|
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints…
|
CWE-200
CWE-862
Information Exposure
Missing Authorization
|
CVE-2026-43885
|
2026-05-16 04:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1214
|
5.4 |
MEDIUM
Network
|
-
|
-
|
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metad…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-43879
|
2026-05-16 04:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1215
|
7.5 |
HIGH
Network
|
-
|
-
|
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute fil…
|
CWE-209
Information Exposure Through an Error Message
|
CVE-2026-42552
|
2026-05-16 04:16 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1216
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Cognee thru v0.4.0 contains a critical remote code execution vulnerability in its notebook cell execution API endpoint. The endpoint is designed to execute arbitrary Python code provided by the user,…
|
CWE-94
Code Injection
|
CVE-2026-31231
|
2026-05-16 04:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1217
|
8.8 |
HIGH
Network
|
snorkel
|
snorkel
|
The snorkel library thru v0.10.0 contains a critical insecure deserialization vulnerability (CWE-502) in the BaseLabeler.load() method of the BaseLabeler class. The method loads serialized labeler mo…
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-31223
|
2026-05-16 04:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1218
|
8.8 |
HIGH
Network
|
snorkel
|
snorkel
|
The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the Trainer.load() method of the Trainer class. The method loads model checkpoint files using torch.lo…
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-31222
|
2026-05-16 04:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1219
|
8.8 |
HIGH
Network
|
lightningai
|
pytorch_lightning
|
PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. The LightningModule.load_from_checkpoint() method, which …
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-31221
|
2026-05-16 04:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1220
|
9.8 |
CRITICAL
Network
|
-
|
-
|
PySyft (Syft Datasite/Server) versions 0.9.5 and earlier are vulnerable to remote code execution due to insufficient validation and sandboxing of user-submitted code. The system allows low-privileged…
|
CWE-94
Code Injection
|
CVE-2026-31220
|
2026-05-16 04:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
