| # | CVSS | Severity | Vector | Vendor | Product | Description | Status | CWE | CVE | Updated | Published |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 41 | - | - | - | - | - | OpenReplay is a self-hosted session replay suite. Prior to 1.26.0, there is a cross-tenant IDOR on feature-flag and assist-stats routes via `{project_id}` case mismatch. `ProjectAuthorizer.__call__` (OSS… | New | CWE-285 Improper Authorization; CWE-639 Authorization Bypass Through User-Controlled Key; CWE-863 Incorrect Authorization | CVE-2026-45297 | 2026-05-29 03:40 | 2026-05-29 |
| 42 | 7.4 | HIGH | Network | - | - | CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.22, the `fetch_url` tool validates the initial URL's resolved IP address against a restricted-IP blocklist (`is_restricted_ip()`) to … | New | CWE-918 Server-Side Request Forgery (SSRF) | CVE-2026-45310 | 2026-05-29 03:40 | 2026-05-29 |
| 43 | 9.6 | CRITICAL | Network | - | - | CodeWhale is a DeepSeek + MiMo coding agent in terminal. From 0.3.0 to 0.8.23, the `run_tests` tool executes `cargo test` in the workspace with `ApprovalRequirement::Auto`, meaning it runs without any user… | New | CWE-94 Code Injection | CVE-2026-45311 | 2026-05-29 03:40 | 2026-05-29 |
| 44 | 7.4 | HIGH | Network | - | - | CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, although SSRF is validated against hostnames that resolve to private IPv6 addresses, when providing the IPv6 in URL as htt… | New | CWE-918 Server-Side Request Forgery (SSRF) | CVE-2026-45373 | 2026-05-29 03:40 | 2026-05-29 |
| 45 | 9.6 | CRITICAL | Network | - | - | CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, the `task_create` tool spawns durable sub-agents that inherit two insecure defaults: `allow_shell` defaults to true (`config.rs:14`… | New | CWE-94 Code Injection | CVE-2026-45374 | 2026-05-29 03:40 | 2026-05-29 |
| 46 | 2.7 | LOW | Network | synology | surveillance_station | Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Archiving Pull functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows … | New | CWE-22 Path Traversal | CVE-2024-47267 | 2026-05-29 03:39 | 2026-05-27 |
| 47 | 4.9 | MEDIUM | Network | synology | surveillance_station | Missing authorization vulnerability in AddOns functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtai… | New | CWE-862 Missing Authorization | CVE-2024-47268 | 2026-05-29 03:38 | 2026-05-27 |
| 48 | - | - | - | - | - | Due to improper enforcement of authentication rate-limiting on a debug SSH service in Archer C64 v1, the SSH service allows unlimited authentication attempts and uses the same credentials as the web … | New | CWE-288 Authentication Bypass Using an Alternate Path or Channel | CVE-2026-8697 | 2026-05-29 03:38 | 2026-05-29 |
| 49 | - | - | - | - | - | TP-Link has identified a vulnerability in Tapo L535E v1.0 and v3.0, Tapo P300 v1.0, and Tapo D100C v1.0, where Bluetooth communication during the initial setup phase is transmitted in cleartext witho… | New | CWE-319 Cleartext Transmission of Sensitive Information | CVE-2026-34126 | 2026-05-29 03:38 | 2026-05-29 |
| 50 | 10.0 | CRITICAL | Network | - | - | SandboxJS is a JavaScript sandboxing library. Prior to 0.9.6, sandbox-defined functions expose `Function.caller`, allowing sandboxed code to recover the internal `LispType.Call` runtime callback. That ca… | New | CWE-94 Code Injection | CVE-2026-43898 | 2026-05-29 03:38 | 2026-05-29 |