|
2701
|
7.5 |
HIGH
Network
|
-
|
-
|
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers c…
|
CWE-1188
Insecure Default Initialization of Resource
|
CVE-2026-35672
|
2026-05-29 03:56 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2702
|
8.2 |
HIGH
Network
|
-
|
-
|
phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Att…
|
CWE-640
Weak Password Recovery Mechanism for Forgotten Password
|
CVE-2026-35676
|
2026-05-29 03:56 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2703
|
6.5 |
MEDIUM
Network
|
-
|
-
|
EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning e…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-41141
|
2026-05-29 03:56 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2704
|
4.3 |
MEDIUM
Network
|
-
|
-
|
EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw (Broken Access Control) in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary not…
|
CWE-284
CWE-639
CWE-862
Improper Access Control
Authorization Bypass Through User-Controlled Key
Missing Authorization
|
CVE-2026-41160
|
2026-05-29 03:56 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2705
|
- |
|
-
|
-
|
Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin…
|
CWE-346
CWE-942
Origin Validation Error
Permissive Cross-domain Policy with Untrusted Domains
|
CVE-2026-45021
|
2026-05-29 03:56 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2706
|
8.7 |
HIGH
Network
|
-
|
-
|
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style).…
|
CWE-79
Cross-site Scripting
|
CVE-2026-47759
|
2026-05-29 03:55 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2707
|
8.7 |
HIGH
Network
|
-
|
-
|
TinyMCE is an open source rich text editor. From 6.8.0 to before 7.1.0, TinyMCE contains an XSS vulnerability caused by improper SVG namespace scope handling in the sanitizer. A crafted payload using…
|
CWE-79
Cross-site Scripting
|
CVE-2026-47760
|
2026-05-29 03:55 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2708
|
8.7 |
HIGH
Network
|
-
|
-
|
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability in the media plugin. Attackers can inject malicious scripts via crafted data-mce-* a…
|
CWE-79
Cross-site Scripting
|
CVE-2026-47761
|
2026-05-29 03:55 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2709
|
8.7 |
HIGH
Network
|
-
|
-
|
TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and injec…
|
CWE-79
Cross-site Scripting
|
CVE-2026-47762
|
2026-05-29 03:55 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2710
|
- |
|
-
|
-
|
In Calico, the install-cni init container logs the rendered CNI configuration to standard output. When the configuration template uses the __SERVICEACCOUNT_TOKEN__ placeholder (Canal/Flannel-Calico d…
|
CWE-532
Inclusion of Sensitive Information in Log Files
|
CVE-2026-41184
|
2026-05-29 03:55 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
