| 221 | 5.5 | MEDIUM, Local | - | - | Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle… | New | CWE-22 (Path Traversal), CWE-73 (External Control of File Name or Path) | CVE-2026-46383 | 2026-05-16 04:17 | 2026-05-16 |
| 222 | 9.8 | CRITICAL, Network | - | - | phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent h… | New | CWE-89 (SQL Injection) | CVE-2026-46364 | 2026-05-16 04:17 | 2026-05-16 |
| 223 | 6.5 | MEDIUM, Network | - | - | phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Att… | New | CWE-863 (Incorrect Authorization) | CVE-2026-46362 | 2026-05-16 04:17 | 2026-05-16 |
| 224 | 3.5 | LOW, Network | - | - | `gh` is GitHub’s official command line tool. From 1.6.0 to before 2.92.0, a security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users vie… | New | CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences) | CVE-2026-45803 | 2026-05-16 04:17 | 2026-05-16 |
| 225 | - | | - | - | SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs. POST /api/graph/getGraph, POST /api/graph/g… | New | CWE-285 (Improper Authorization), CWE-862 (Missing Authorization) | CVE-2026-45371 | 2026-05-16 04:17 | 2026-05-15 |
| 226 | - | | - | - | Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, since Tabby does not escape control characters from file paths when dragging and dropping a file into it, code … | New | CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences) | CVE-2026-45038 | 2026-05-16 04:17 | 2026-05-16 |
| 227 | 6.5 | MEDIUM, Network | - | - | phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCE_DELETE permission to delete arbitrary directories. Attackers can submit tr… | New | CWE-73 (External Control of File Name or Path) | CVE-2026-45008 | 2026-05-16 04:17 | 2026-05-16 |
| 228 | - | | - | - | Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, collaborators.list, tables.metadata.list, explorations.list, and form… | New | CWE-862 (Missing Authorization) | CVE-2026-44719 | 2026-05-16 04:17 | 2026-05-16 |
| 229 | - | | - | - | Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, explorations.get, explorations.replace, and explorations.delete opera… | New | CWE-639 (Authorization Bypass Through User-Controlled Key), CWE-862 (Missing Authorization) | CVE-2026-44718 | 2026-05-16 04:17 | 2026-05-16 |
| 230 | - | | - | - | LibJWT is a C JSON Web Token Library. From 3.0.0 to 3.3.2, libjwt accepts an RSA JWK that does not contain an alg parameter as the verification key for an HS256/HS384/HS512 token. In the OpenSSL back… | New | CWE-327 (Use of a Broken or Risky Cryptographic Algorithm), CWE-347 (Improper Verification of Cryptographic Signature) | CVE-2026-44699 | 2026-05-16 04:17 | 2026-05-16 |