|
81
|
5.3 |
MEDIUM
Network
|
-
|
-
|
PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL deco…
New
|
CWE-400
Uncontrolled Resource Consumption
|
CVE-2026-48525
|
2026-05-29 03:03 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
82
|
- |
|
-
|
-
|
Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, in federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full h…
New
|
CWE-20
Improper Input Validation
|
CVE-2026-45076
|
2026-05-29 03:03 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
83
|
- |
|
-
|
-
|
Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing o…
New
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-45078
|
2026-05-29 03:03 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
84
|
7.5 |
HIGH
Network
|
free5gc
|
free5gc
|
free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. The POST /upi/v1/upNodesLinks c…
New
|
CWE-306
CWE-617
CWE-862
Missing Authentication for Critical Function
Reachable Assertion
Missing Authorization
|
CVE-2026-44321
|
2026-05-29 03:01 |
2026-05-28 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
85
|
- |
|
-
|
-
|
Dlink DWR-X1820 router uses weak default password generated from its IMEI number and does not require users to change it. An attacker who knows how passwords are generated can easily crack the defaul…
New
|
CWE-1391
Use of Weak Credentials
|
CVE-2026-4377
|
2026-05-29 03:00 |
2026-05-28 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
86
|
7.8 |
HIGH
Local
|
-
|
-
|
An issue was discovered in Canonical Multipass for macOS before version 1.16.3 due to an incomplete fix for CVE-2025-5199. While the patch in version 1.16.0 updated the ownership of the multipassd da…
New
|
CWE-276
Incorrect Default Permissions
|
CVE-2026-49237
|
2026-05-29 03:00 |
2026-05-28 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
87
|
8.4 |
HIGH
Local
|
-
|
-
|
An issue was discovered in Canonical Multipass before version 1.16.3. The host-side SFTP server component (sshfs_server), which executes with root privileges on the host, contains a path containment …
New
|
CWE-22
Path Traversal
|
CVE-2026-49238
|
2026-05-29 03:00 |
2026-05-28 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
88
|
- |
|
-
|
-
|
A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full access to the device owner's account by interacting with applicat…
New
|
CWE-288
CWE-359
Authentication Bypass Using an Alternate Path or Channel
Exposure of Private Personal Information to an Unauthorized Actor
|
CVE-2026-8990
|
2026-05-29 03:00 |
2026-05-28 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
89
|
- |
|
-
|
-
|
Casdoor versions 2.362.0 and earlier contain a vulnerability that allows an attacker to bypass authentication by supplying an arbitrary signing certificate. The buildSpCertificateStore function extra…
New
|
-
|
CVE-2026-9090
|
2026-05-29 03:00 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
90
|
- |
|
-
|
-
|
Casdoor versions 2.362.0 and earlier contain a logic flaw in the social‑login binding flow that allows users to bypass configured MFA requirements. The binding‑rule code path in controllers/auth.go c…
New
|
-
|
CVE-2026-9091
|
2026-05-29 03:00 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
