|
3141
|
5.9 |
MEDIUM
Network
|
elabftw
|
elabftw
|
eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under…
|
CWE-302
Authentication Bypass by Assumed-Immutable Data
|
CVE-2026-28510
|
2026-05-12 22:58 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3142
|
9.1 |
CRITICAL
Network
|
librenms
|
librenms
|
LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's in…
|
CWE-78
OS Command
|
CVE-2024-51092
|
2026-05-12 22:50 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3143
|
7.3 |
HIGH
Network
|
astrbot
|
astrbot
|
AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT.
|
CWE-321
Use of Hard-coded Cryptographic Key
|
CVE-2025-55449
|
2026-05-12 22:49 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3144
|
9.1 |
CRITICAL
Network
|
pfsense
|
pfsense
|
Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes …
|
CWE-502
CWE-915
Deserialization of Untrusted Data
Improperly Controlled Modification of Dynamically-Determined Object Attributes
|
CVE-2025-69690
|
2026-05-12 22:45 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3145
|
9.8 |
CRITICAL
Network
|
citeum
|
opencti
|
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploi…
|
CWE-287
Improper Authentication
|
CVE-2026-27960
|
2026-05-12 22:45 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3146
|
6.5 |
MEDIUM
Network
|
gofiber
|
fiber
|
Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query str…
|
CWE-436
Interpretation Conflict
|
CVE-2026-30246
|
2026-05-12 22:44 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3147
|
5.3 |
MEDIUM
Network
|
eclipse
|
vert.x
|
A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accep…
|
CWE-770
CWE-295
Allocation of Resources Without Limits or Throttling
Improper Certificate Validation
|
CVE-2026-6860
|
2026-05-12 22:42 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3148
|
6.5 |
MEDIUM
Network
|
apache
|
cloudstack
|
The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is e…
|
CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
|
CVE-2025-66171
|
2026-05-12 22:31 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3149
|
8.1 |
HIGH
Network
|
apache
|
cloudstack
|
The CloudStack Backup plugin has an improper access logic in versions 4.21.0.0 and 4.22.0.0. Anyone with authenticated user-account access in CloudStack 4.21.0.0+ environments, where this plugin is e…
|
CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
|
CVE-2025-66172
|
2026-05-12 22:30 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3150
|
4.3 |
MEDIUM
Network
|
google
|
chrome
|
Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)
|
NVD-CWE-noinfo
CWE-346
Origin Validation Error
|
CVE-2026-7979
|
2026-05-12 10:16 |
2026-05-7 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
