| # | CVSS | Severity | Attack vector | Vendor | Product | Description | Status | CWE IDs | CWE names | CVE | Updated | Published |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 681 | 6.5 | MEDIUM | Network | - | - | FacturaScripts is an open source accounting and invoicing software. In versions prior to 2026, the Library module stores and serves uploaded images byte-for-byte, without stripping EXIF/XMP/IPTC meta… | New | CWE-200, CWE-212 | Information Exposure; Improper Removal of Sensitive Information Before Storage or Transfer | CVE-2026-27892 | 2026-05-19 23:44 | 2026-05-19 |
| 682 | 5.3 | MEDIUM | Network | - | - | Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, outdated cached AI summaries can leak removed content to anonymous and unpriv… | New | CWE-200, CWE-524, CWE-672 | Information Exposure; Use of Cache Containing Sensitive Information; Operation on a Resource after Expiration or Release | CVE-2026-32244 | 2026-05-19 23:44 | 2026-05-19 |
| 683 | - | | | - | - | Discourse is an open-source discussion platform. In versions prior to 2026.1.4, 2026.3.1, 2026.4.1 and 2026.5.0-latest.1, an authenticated user on a Discourse instance with the form templates feature… | New | CWE-862 | Missing Authorization | CVE-2026-33514 | 2026-05-19 23:44 | 2026-05-19 |
| 684 | 10.0 | CRITICAL | Network | - | - | HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a session format mismatch between PHP and Node.js that allows unauthenticated rem… | New | CWE-502 | Deserialization of Untrusted Data | CVE-2026-43633 | 2026-05-19 23:43 | 2026-05-19 |
| 685 | 6.5 | MEDIUM | Network | vercel | turborepo | Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the l… | Update | CWE-352, CWE-384 | Origin Validation Error; Session Fixation | CVE-2026-45773 | 2026-05-19 23:41 | 2026-05-16 |
| 686 | 9.8 | CRITICAL | Network | vercel | turborepo | Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted reposi… | Update | CWE-426 | Untrusted Search Path | CVE-2026-45772 | 2026-05-19 23:41 | 2026-05-16 |
| 687 | 7.5 | HIGH | Network | ws_project | ws | ws is an open source WebSocket client and server for Node.js. Prior to 8.20.1, the websocket.close() implementation is vulnerable to uninitialized memory disclosure when a TypedArray is passed as the… | Update | CWE-908 | Use of Uninitialized Resource | CVE-2026-45736 | 2026-05-19 23:39 | 2026-05-16 |
| 688 | 7.5 | HIGH | Network | - | - | The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API keys to unauthenticated attackers, allowing them to query Fortis' API and retrieve sensitive customer information, like… | New | - | | CVE-2025-15609 | 2026-05-19 23:38 | 2026-05-19 |
| 689 | 9.8 | CRITICAL | Network | - | - | The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'pafe_ajax_form_builder' function in all versions up to, an… | New | CWE-434 | Unrestricted Upload of File with Dangerous Type | CVE-2026-4885 | 2026-05-19 23:38 | 2026-05-19 |
| 690 | 9.8 | CRITICAL | Network | - | - | The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'piotnetforms_ajax_form_builder' function in all versions up to, and including… | New | CWE-434 | Unrestricted Upload of File with Dangerous Type | CVE-2026-4883 | 2026-05-19 23:38 | 2026-05-19 |