|
221
|
7.5 |
HIGH
Network
|
-
|
-
|
Automad is a flat-file content management system and template engine. From 2.0.0-alpha.1 to 2.0.0-beta.27, a Broken Access Control vulnerability allows an unauthenticated attacker to retrieve the bcr…
New
|
CWE-200, CWE-306
Information Exposure; Missing Authentication for Critical Function
|
CVE-2026-45332
|
2026-05-30 13:17 |
2026-05-29 |
|
|
|
|
222
|
7.4 |
HIGH
Network
|
-
|
-
|
CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.22, the fetch_url tool validates the initial URL's resolved IP address against a restricted-IP blocklist (is_restricted_ip()) to …
Update
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-45310
|
2026-05-30 13:17 |
2026-05-29 |
|
|
|
|
223
|
7.5 |
HIGH
Network
|
-
|
-
|
Usagi-org ai-goofish-monitor contains an unauthenticated arbitrary file read vulnerability in the GET /api/prompts/{filename} endpoint on Windows deployments that allows unauthenticated remote attack…
New
|
CWE-36
Absolute Path Traversal
|
CVE-2026-10044
|
2026-05-30 13:17 |
2026-05-29 |
|
|
|
|
224
|
8.1 |
HIGH
Network
|
-
|
-
|
Microsoft UFO is an open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO uses the user-controlled task_name value directly when constructing se…
Update
|
CWE-22, CWE-73
Path Traversal; External Control of File Name or Path
|
CVE-2026-46402
|
2026-05-30 11:16 |
2026-05-28 |
|
|
|
|
225
|
9.9 |
CRITICAL
Network
|
-
|
-
|
OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses the Node.js vm module as an isolation primitive. This API was not designed for that and can be esc…
Update
|
CWE-693
Protection Mechanism Failure
|
CVE-2026-45102
|
2026-05-30 11:16 |
2026-05-28 |
|
|
|
|
226
|
7.8 |
HIGH
Local
|
-
|
-
|
systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in networkInterfaces() when an active Netwo…
Update
|
CWE-78
OS Command
|
CVE-2026-44724
|
2026-05-30 11:16 |
2026-05-28 |
|
|
|
|
227
|
- |
|
-
|
-
|
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.12.1, when ujson.dump() writes to a file-like object and the write operation raises an excepti…
Update
|
CWE-401
Missing Release of Memory after Effective Lifetime
|
CVE-2026-44660
|
2026-05-30 11:16 |
2026-05-28 |
|
|
|
|
228
|
8.8 |
HIGH
Network
|
-
|
-
|
phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without…
Update
|
CWE-266
Incorrect Privilege Assignment
|
CVE-2026-35671
|
2026-05-30 11:16 |
2026-05-29 |
|
|
|
|
229
|
6.3 |
MEDIUM
Network
|
-
|
-
|
A race condition in the shared Extreme Platform ONE IAM Gateway API-key authentication path could, under specific high-concurrency traffic conditions, intermittently allow requests authenticated with…
New
|
CWE-362, CWE-488
Race Condition; Exposure of Data Element to Wrong Session
|
CVE-2026-9831
|
2026-05-30 07:16 |
2026-05-30 |
|
|
|
|
230
|
4.5 |
MEDIUM
Local
|
-
|
-
|
NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to 0.24.14, aio->prov_data is stored as nni_quic_conn* during dialing, but read as ex_quic_conn* during dialer close. This …
New
|
CWE-843
Type Confusion
|
CVE-2026-44640
|
2026-05-30 07:16 |
2026-05-30 |
|
|
|