|
1231
|
8.2 |
HIGH
Network
|
-
|
-
|
Open-WebSearch is a multi-engine MCP server, CLI, and local daemon for agent web search and content retrieval. Prior to 2.1.7, isPublicHttpUrl / assertPublicHttpUrl in src/utils/urlSafety.ts do not r…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-42260
|
2026-05-15 05:17 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1232
|
7.3 |
HIGH
Network
|
-
|
-
|
An arbitrary file upload vulnerability in the ShopOrderImportController.java component of qihang-wms commit 75c15a allows attackers to execute arbitrary code via uploading a crafted file.
|
CWE-434
Unrestricted Upload of File with Dangerous Type
|
CVE-2026-37430
|
2026-05-15 05:17 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1233
|
7.5 |
HIGH
Network
|
-
|
-
|
The mem0 1.0.0 server lacks authentication and authorization controls for its memory management API endpoints. Critical functions such as updating memory records (PUT /memories/{memory_id}) are expos…
|
CWE-306
Missing Authentication for Critical Function
|
CVE-2026-31240
|
2026-05-15 05:17 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1234
|
9.8 |
CRITICAL
Network
|
-
|
-
|
The mamba language model framework thru 2.2.6 is vulnerable to insecure deserialization (CWE-502) when loading pre-trained models from HuggingFace Hub. The MambaLMHeadModel.from_pretrained() method u…
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-31239
|
2026-05-15 05:17 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1235
|
9.8 |
CRITICAL
Network
|
-
|
-
|
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-502) in its model serving component. When starting a model server with the ludwig serve command, the framework loads mo…
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-31238
|
2026-05-15 05:17 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1236
|
9.8 |
CRITICAL
Network
|
-
|
-
|
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-502) through its predict() method. When a user provides a dataset file path to the predict() method, the framework auto…
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-31237
|
2026-05-15 05:17 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1237
|
9.8 |
CRITICAL
Network
|
-
|
-
|
The llm CLI tool thru 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to provide custom Python function def…
|
CWE-94
Code Injection
|
CVE-2026-31236
|
2026-05-15 05:17 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1238
|
9.8 |
CRITICAL
Network
|
-
|
-
|
The imgaug library thru 0.4.0 contains an insecure deserialization vulnerability in its BackgroundAugmenter class within the multicore.py module. The class uses Python's pickle module to deserialize …
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-31235
|
2026-05-15 05:17 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1239
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Horovod thru 0.28.1 contains an insecure deserialization vulnerability (CWE-502) in its KVStore HTTP server component. The KVStore server, used for distributed task coordination, lacks authentication…
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-31234
|
2026-05-15 05:17 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1240
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Guardrails AI thru 0.6.7 contains a code injection vulnerability (CWE-94) in its Hub package installation mechanism. When installing validator packages via guardrails hub install, the system retrieve…
|
CWE-94
Code Injection
|
CVE-2026-31233
|
2026-05-15 05:17 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
