| 641 | 6.1 | MEDIUM | Network | shopify | react-router | React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to p… | New | CWE-601 Open Redirect | CVE-2026-40181 | 2026-06-5 03:46 | 2026-06-3 |
| 642 | 7.5 | HIGH | Network | shopify turbo-stream | react-router turbo_stream | React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS… | New | CWE-770 Allocation of Resources Without Limits or Throttling | CVE-2026-34077 | 2026-06-5 03:45 | 2026-06-3 |
| 643 | 4.7 | MEDIUM | Network | shopify | react-router | React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS… | New | CWE-79 Cross-site Scripting | CVE-2026-33245 | 2026-06-5 03:43 | 2026-06-3 |
| 644 | 7.3 | HIGH | Network | securly | securly | Version 3.0.7 of the Securly Chrome Extension contains hardcoded, plaintext AES passphrases in securly.min.js. These keys decrypt crisis alert keyword data and intervention site data. | New | CWE-798 Use of Hard-coded Credentials | CVE-2026-8876 | 2026-06-5 03:42 | 2026-06-4 |
| 645 | 7.5 | HIGH | Network | securly | securly | Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that… | New | CWE-326 Inadequate Encryption Strength | CVE-2026-8878 | 2026-06-5 03:42 | 2026-06-4 |
| 646 | 7.5 | HIGH | Network | securly | securly | Version 3.0.7 of the Securly Chrome Extension dynamically registers content13.min.js as a content script via chrome.scripting.registerContentScripts() at runtime. This script is NOT declared in manif… | New | CWE-829 Inclusion of Functionality from Untrusted Control Sphere | CVE-2026-8879 | 2026-06-5 03:41 | 2026-06-4 |
| 647 | 6.5 | MEDIUM | Network | libxls_project | libxls | libxls through version 1.6.3 contains a use of uninitialized memory vulnerability in the OLE container parser. Memory allocated for the Master Sector Allocation Table (MSAT) in read_MSAT() is not ful… | New | CWE-457 Use of Uninitialized Variable | CVE-2026-26824 | 2026-06-5 03:41 | 2026-06-4 |
| 648 | 5.3 | MEDIUM | Network | libxls_project | libxls | A use-of-uninitialized memory vulnerability exists in libxls 1.6.3 when parsing malformed XLS files. The issue is reachable via xls_parseWorkBook() and is triggered by uninitialized heap memory origi… | New | CWE-908 Use of Uninitialized Resource | CVE-2026-26825 | 2026-06-5 03:41 | 2026-06-4 |
| 649 | 7.7 | HIGH | Network | openstack | ironic | OpenStack Ironic before 35.0.2 allows Boot Script Injection of an iPXE script if the attacker can set node.driver_info or node.instance_info. | New | CWE-669 Incorrect Resource Transfer Between Spheres | CVE-2026-46447 | 2026-06-5 03:41 | 2026-06-4 |
| 650 | 4.9 | MEDIUM | Network | openstack | ironic | OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a pxe_template. | New | CWE-669 Incorrect Resource Transfer Between Spheres | CVE-2026-44917 | 2026-06-5 03:40 | 2026-06-4 |