| # | CVSS | Severity | Vector | Vendor | Product | Description | Status | CWE | CVE | Last updated | Published |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 231 | 7.1 | HIGH | Local | - | - | Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.jso… | New | CWE-22 (Path Traversal), CWE-73 (External Control of File Name or Path) | CVE-2026-44641 | 2026-05-16 04:17 | 2026-05-16 |
| 232 | 7.5 | HIGH | Network | - | - | hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingComplete… | New | CWE-284 (Improper Access Control), CWE-287 (Improper Authentication) | CVE-2026-44478 | 2026-05-16 04:17 | 2026-05-14 |
| 233 | 4.0 | MEDIUM | Network | lfprojects | mcp_registry | The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the Registry's HTTP-based namespace verification (POST /v0/auth/http, POST /v0.1/a… | New | CWE-918 (Server-Side Request Forgery (SSRF)) | CVE-2026-44430 | 2026-05-16 04:16 | 2026-05-15 |
| 234 | 5.8 | MEDIUM | Network | - | - | css_parser is a Ruby CSS parser. Prior to 2.1.0 and 1.22.0, the CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker to inject or modify CSS content when s… | New | CWE-295 (Improper Certificate Validation), CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) | CVE-2026-44312 | 2026-05-16 04:16 | 2026-05-15 |
| 235 | 7.3 | HIGH | Network | - | - | Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, the Outline comment section permits users to mention other users; however, the backend does not validate or san… | Update | CWE-79 (Cross-site Scripting) | CVE-2026-43887 | 2026-05-16 04:16 | 2026-05-12 |
| 236 | - | - | - | - | - | WWBN AVideo is an open source video platform. In versions up to and including 29.0, an unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints… | Update | CWE-200 (Information Exposure), CWE-862 (Missing Authorization) | CVE-2026-43885 | 2026-05-16 04:16 | 2026-05-12 |
| 237 | 5.4 | MEDIUM | Network | - | - | WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metad… | Update | CWE-918 (Server-Side Request Forgery (SSRF)) | CVE-2026-43879 | 2026-05-16 04:16 | 2026-05-12 |
| 238 | - | - | - | - | - | Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, a Cross-Site Scripting vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html… | Update | CWE-79 (Cross-site Scripting) | CVE-2026-42554 | 2026-05-16 04:16 | 2026-05-12 |
| 239 | 7.5 | HIGH | Network | - | - | Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the default error handler Engine::_error() writes the full exception message, exception code, and stack trace (including absolute fil… | New | CWE-209 (Information Exposure Through an Error Message) | CVE-2026-42552 | 2026-05-16 04:16 | 2026-05-14 |
| 240 | - | - | - | - | - | Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Pr… | New | CWE-87 (Improper Neutralization of Alternate XSS Syntax) | CVE-2026-42458 | 2026-05-16 04:16 | 2026-05-16 |