|
71
|
9.6 |
CRITICAL
Network
|
-
|
-
|
MeshCore Card provides MeshCore Lovelace card for Home Assistant. Prior to 0.3.3, Meshcore node names are rendered without HTML escaping in meshcore-card, allowing any node within direct or indirect …
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-45323
|
2026-05-29 03:16 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
72
|
6.1 |
MEDIUM
Network
|
-
|
-
|
Speakr is a personal, self-hosted web application designed for transcribing audio recordings. Prior to 0.8.20-alpha, the is_safe_url() helper used to validate post-login redirect targets applied urlj…
New
|
CWE-601
Open Redirect
|
CVE-2026-45307
|
2026-05-29 03:16 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
73
|
6.5 |
MEDIUM
Network
|
-
|
-
|
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storage_folder inside PKGDIR or userdir, but does NOT protect…
New
|
CWE-706
Use of Incorrectly-Resolved Name or Reference
|
CVE-2026-45306
|
2026-05-29 03:16 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
74
|
- |
|
-
|
-
|
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In 3.8.8 and earlier, there is persistent local-pty code execution via imported bookmarks or compromised sync…
New
|
CWE-94
CWE-345
CWE-494
CWE-915
Code Injection
Insufficient Verification of Data Authenticity
Download of Code Without Integrity Check
Improperly Controlled Modification of Dynamically-Determined Object Attributes
|
CVE-2026-45058
|
2026-05-29 03:16 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
75
|
- |
|
-
|
-
|
bzip2 contains an off‑by‑one error in the bzip2recover utility. When processing a specially crafted file, the application performs an out‑of‑bounds write to a global buffer, resulting in memory corru…
New
|
CWE-787
Out-of-bounds Write
|
CVE-2026-42250
|
2026-05-29 03:16 |
2026-05-28 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
76
|
7.8 |
HIGH
Local
|
-
|
-
|
gix-submodule before 0.29.0 (gitoxide before 0.5.21, gix before 0.84.0) incorrectly validates the update field in .gitmodules, allowing attackers to bypass the CommandForbiddenInModulesConfiguration …
New
|
CWE-77
Command Injection
|
CVE-2026-40034
|
2026-05-29 03:16 |
2026-05-27 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
77
|
4.2 |
MEDIUM
Network
|
-
|
-
|
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registe…
New
|
CWE-441
CWE-918
Confused Deputy
Server-Side Request Forgery (SSRF)
|
CVE-2026-48522
|
2026-05-29 03:03 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
78
|
7.4 |
HIGH
Network
|
-
|
-
|
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, when the verifier is decoding JSON Web Tokens, while supporting both asymmetric and HMAC algorithms, the library does not validate…
New
|
CWE-287
CWE-347
Improper Authentication
Improper Verification of Cryptographic Signature
|
CVE-2026-48526
|
2026-05-29 03:03 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
79
|
5.4 |
MEDIUM
Network
|
-
|
-
|
PyJWT is a JSON Web Token implementation in Python. From 2.9.0 to 2.12.1, there is a verifier-side algorithm allow-list bypass when jwt.decode() or jwt.decode_complete() are called with a PyJWK key. …
New
|
CWE-347
Improper Verification of Cryptographic Signature
|
CVE-2026-48523
|
2026-05-29 03:03 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
80
|
3.7 |
LOW
Network
|
-
|
-
|
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient.get_signing_key() forces a fresh HTTP request to the JWKS endpoint for every JWT with an unknown kid value, with no ra…
New
|
CWE-460
CWE-755
Improper Cleanup on Thrown Exception
Improper Handling of Exceptional Conditions
|
CVE-2026-48524
|
2026-05-29 03:03 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
