|
491
|
7.5 |
HIGH
Network
|
nestjs
|
nest
|
Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.19, when an attacker sends many small, valid JSON messages in one TCP frame, handleData() recurses once per m…
New
|
CWE-674
Uncontrolled Recursion
|
CVE-2026-40879
|
2026-04-24 22:46 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
492
|
5.0 |
MEDIUM
Network
|
openfga
|
helm_charts
openfga
|
OpenFGA is an authorization/permission engine built for developers. Prior to version 1.14.1, in specific scenarios, models using conditions with caching enabled can result in two different check requ…
New
|
CWE-706
CWE-863
Use of Incorrectly-Resolved Name or Reference
Incorrect Authorization
|
CVE-2026-41131
|
2026-04-24 22:44 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
493
|
8.8 |
HIGH
Local
|
packagekit_project
|
packagekit
|
PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3…
New
|
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
|
CVE-2026-41651
|
2026-04-24 22:43 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
494
|
7.5 |
HIGH
Network
|
coturn_project
|
coturn
|
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.10.0, the STUN/TURN attribute parsing functions in coturn perform unsafe pointer casts from uint8_t * to uint16_t * wit…
New
|
CWE-704
Incorrect Type Conversion or Cast
|
CVE-2026-40613
|
2026-04-24 22:41 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
495
|
4.8 |
MEDIUM
Network
|
mitmproxy
|
mitmproxy
|
mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmproxy 12.2.1 and below, the b…
New
|
CWE-90
LDAP Injection
|
CVE-2026-40606
|
2026-04-24 22:33 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
496
|
2.7 |
LOW
Network
|
openbao
|
openbao
|
OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can have their tok…
New
|
CWE-1259
Improper Restriction of Security Token Assignment
|
CVE-2026-40264
|
2026-04-24 22:29 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
497
|
4.9 |
MEDIUM
Network
|
openbao
|
openbao
|
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets engine, OpenBao failed to use …
New
|
CWE-89
SQL Injection
|
CVE-2026-39946
|
2026-04-24 22:28 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
498
|
3.1 |
LOW
Network
|
openbao
|
openbao
|
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, OpenBao's Certificate authentication method, when a token renewal is requested and `disable_binding=true` i…
New
|
CWE-295
Improper Certificate Validation
|
CVE-2026-39388
|
2026-04-24 22:27 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
499
|
7.6 |
HIGH
Network
|
openremote
|
openremote
|
OpenRemote is an open-source internet-of-things platform. Prior to version 1.22.0, the Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user wh…
New
|
CWE-611
XXE
|
CVE-2026-40882
|
2026-04-24 22:24 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
500
|
8.3 |
HIGH
Network
|
rustfs
|
rustfs
|
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions…
New
|
CWE-862
Missing Authorization
|
CVE-2026-40937
|
2026-04-24 22:12 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
