|
41
|
8.8 |
HIGH
Network
|
-
|
-
|
Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trust_remote_code bypass in DiffusionPipeline.from_pretrained allows arbitrary remote code execution despite the user p…
New
|
CWE-94
Code Injection
|
CVE-2026-44513
|
2026-05-15 03:30 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
42
|
8.8 |
HIGH
Network
|
-
|
-
|
Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trust_remote_code=True safeguard when loading pipelines from Hu…
New
|
CWE-94
Code Injection
|
CVE-2026-44827
|
2026-05-15 03:30 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
43
|
4.7 |
MEDIUM
Network
|
vercel
|
next.js
|
Next.js is a React framework for building full-stack web applications. From 13.4.0 to before 15.5.16 and 16.2.5, App Router applications that rely on CSP nonces can be vulnerable to stored cross-site…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-44581
|
2026-05-15 03:30 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
44
|
- |
|
-
|
-
|
Pode is a Cross-Platform PowerShell web framework for creating REST APIs, Web Sites, and TCP/SMTP servers. From 2.4.0, to before 2.13.0, when requesting content from a Static Route, it was possible t…
New
|
CWE-22
Path Traversal
|
CVE-2026-42598
|
2026-05-15 03:27 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
45
|
5.7 |
MEDIUM
Network
|
-
|
-
|
Docling-Graph turns documents into validated Pydantic objects, then builds a directed knowledge graph with explicit semantic relationships. Prior to 1.5.1, the URLInputHandler class in docling_graph/…
New
|
CWE-601
CWE-918
Open Redirect
Server-Side Request Forgery (SSRF)
|
CVE-2026-44520
|
2026-05-15 03:27 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
46
|
- |
|
-
|
-
|
gittuf is a platform-agnostic Git security system. Prior to 0.14.0, an attacker with push access to gittuf's Reference State Log (RSL) can roll back the current policy to any previous policy trusted …
New
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-44544
|
2026-05-15 03:27 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
47
|
- |
|
-
|
-
|
Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.1, tag deletion via the DELETE /v2/<name>/manifests/<tag> endpoint bypasses the storage.delete.enabled: fal…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-41888
|
2026-05-15 03:26 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
48
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Hatchet is a platform for orchestrating background tasks, AI agents, and durable workflows at scale. Prior to 0.83.39, a missing authorization directive on the GET /api/v1/stable/dags/tasks endpoint …
New
|
CWE-639
CWE-863
Authorization Bypass Through User-Controlled Key
Incorrect Authorization
|
CVE-2026-42572
|
2026-05-15 03:26 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
49
|
0.0 |
NONE
Network
|
-
|
-
|
etcd is a distributed key-value store for the data of a distributed system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd allows read access via PrevKv, or lease attachment in Put requ…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-44283
|
2026-05-15 03:26 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
50
|
7.5 |
HIGH
Network
|
-
|
-
|
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query…
New
|
CWE-74
Injection
|
CVE-2026-42334
|
2026-05-15 03:26 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
