# | CVSS | Attack vector | CVE | Updated | Published

2441 | 7.2 HIGH | Network | CVE-2026-42043 | 2026-04-28 03:57 | 2026-04-25
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 r…
CWE-183 Permissive List of Allowed Inputs; CWE-441 Confused Deputy; CWE-918 Server-Side Request Forgery (SSRF)
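The CWE-183 pairing with SSRF in this entry is the classic shape of the bug: a deny list that matches one string ("127.0.0.1") while the whole 127.0.0.0/8 range, the IPv6 loopback and IPv4-mapped forms all reach the same host. The following is an added example, not Axios code and not how Axios fixed this issue; the function names `ipv4Octets`, `isLoopbackHost`, `naiveDenyLoopback` and `hardenedDenyLoopback` are hypothetical. It uses only Node's built-in WHATWG `URL` parser, which also canonicalises shorthand like `127.1` to `127.0.0.1` before the check sees it.

```javascript
// Added example (not Axios code): a loopback check that covers the whole
// 127.0.0.0/8 range instead of one literal string. Node.js, no dependencies.

// Parse a dotted-quad IPv4 string into four octets, or return null.
function ipv4Octets(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

// True when the hostname denotes the local host: any 127.x.x.x address,
// the IPv6 loopback ::1, an IPv4-mapped IPv6 loopback, or "localhost".
function isLoopbackHost(hostname) {
  let h = hostname.toLowerCase();
  // URL.hostname keeps the brackets around IPv6 literals.
  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1);
  if (h === "localhost") return true;
  const v4 = ipv4Octets(h);
  if (v4) return v4[0] === 127;
  if (h === "::1") return true;
  if (h.startsWith("::ffff:")) {
    const rest = h.slice("::ffff:".length);
    const mapped = ipv4Octets(rest); // ::ffff:127.0.0.1 form
    if (mapped) return mapped[0] === 127;
    // ::ffff:7f00:1 form, which is how the WHATWG parser serialises the mapped address.
    const hex = /^([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(rest);
    if (hex) return (parseInt(hex[1], 16) >> 8) === 127;
  }
  return false;
}

// Permissive deny list (CWE-183): matches exactly one spelling of loopback, so
// 127.0.0.2, [::1] and [::ffff:127.0.0.1] all get through.
function naiveDenyLoopback(target) {
  return new URL(target).hostname === "127.0.0.1";
}

// Hardened: decide on the parsed, canonicalised host and the whole loopback range.
function hardenedDenyLoopback(target) {
  return isLoopbackHost(new URL(target).hostname);
}

module.exports = { ipv4Octets, isLoopbackHost, naiveDenyLoopback, hardenedDenyLoopback };
```

A hostname check of this kind is necessary but not sufficient for SSRF defence: it says nothing about private ranges (10/8, 172.16/12, 192.168/16, 169.254/16), DNS names that resolve to loopback, DNS rebinding, or HTTP redirects to a local address. Those need resolution-time checks on the connected socket address and a redirect policy, which this example deliberately leaves out.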
2442 | 6.5 MEDIUM | Network | CVE-2026-42044 | 2026-04-28 03:57 | 2026-04-25
Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype…
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes; CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
2443 | not scored | - | CVE-2026-41326 | 2026-04-28 03:57 | 2026-04-25
Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. From v3.4.0 to v3.28.0, an oversight in the CopyFil…
CWE-61 UNIX Symbolic Link (Symlink) Following
2444 | 5.3 MEDIUM | Network | CVE-2026-41418 | 2026-04-28 03:57 | 2026-04-25
4ga Boards is a boards system for realtime project management. Prior to 3.3.5, 4ga Boards is vulnerable to user enumeration via a timing side-channel in the login endpoint (POST /api/access-tokens). …
CWE-208 Information Exposure Through Timing Discrepancy
2445 | 7.6 HIGH | Network | CVE-2026-41419 | 2026-04-28 03:57 | 2026-04-25
4ga Boards is a boards system for realtime project management. Prior to 3.3.5, a path traversal vulnerability allows an authenticated user with board import privileges to make the server ingest arbit…
CWE-22 Path Traversal
2446 | not scored | - | CVE-2026-41907 | 2026-04-28 03:57 | 2026-04-25
uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This al…
CWE-787 Out-of-bounds Write; CWE-823 Use of Out-of-range Pointer Offset
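In JavaScript an out-of-range index write on a `Uint8Array` (or a Node `Buffer`, which is one) does not throw; it is silently dropped. An API that copies 16 bytes into a caller-supplied buffer at a caller-supplied offset therefore has to validate both before the loop, or the caller ends up with a buffer that received only part of the value and no error. The following is an added example, not code from the uuid package and not its fix; `writeUncheckedBytes`, `writeCheckedBytes` and the sample bytes are constructed for the illustration.

```javascript
// Added example (not uuid package code): the silent-truncation failure mode
// beside a write that validates the buffer and offset first.
const UUID_LEN = 16;

// Unchecked write: indices past buf.length are ignored by the TypedArray, so a
// too-small buffer or a too-large offset loses bytes without any signal.
function writeUncheckedBytes(src, buf, offset = 0) {
  for (let i = 0; i < UUID_LEN; i++) buf[offset + i] = src[i];
  return buf;
}

// Checked write: reject anything that cannot hold all 16 bytes at the offset.
function writeCheckedBytes(src, buf, offset = 0) {
  if (!(src instanceof Uint8Array) || src.length !== UUID_LEN) {
    throw new RangeError(`src must be exactly ${UUID_LEN} bytes`);
  }
  if (!(buf instanceof Uint8Array)) throw new TypeError("buf must be a Uint8Array");
  if (!Number.isSafeInteger(offset) || offset < 0) {
    throw new RangeError(`offset must be a non-negative integer, got ${offset}`);
  }
  if (offset + UUID_LEN > buf.length) {
    throw new RangeError(`buf of length ${buf.length} cannot hold ${UUID_LEN} bytes at offset ${offset}`);
  }
  // TypedArray.prototype.set also throws on overflow, but the explicit checks above
  // give the caller a precise message and reject negative offsets consistently.
  buf.set(src, offset);
  return buf;
}

// Constructed 16-byte sample: 0x10, 0x11, ..., 0x1f.
const SAMPLE = Uint8Array.from({ length: UUID_LEN }, (_, i) => 0x10 + i);

// Returns the name of the error class thrown, or null if the write succeeded.
function checkedWriteError(buf, offset) {
  try {
    writeCheckedBytes(SAMPLE, buf, offset);
    return null;
  } catch (e) {
    return e.constructor.name;
  }
}

module.exports = { UUID_LEN, SAMPLE, writeUncheckedBytes, writeCheckedBytes, checkedWriteError };
```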
2447 | not scored | - | CVE-2026-41427 | 2026-04-28 03:57 | 2026-04-25
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.5, the clientPrivileges option documents a create action, but the OAuth client creation endpoints did not invok…
CWE-863 Incorrect Authorization
2448 | 8.8 HIGH | Adjacent | CVE-2026-41429 | 2026-04-28 03:57 | 2026-04-25
arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Prior to 3.3.8, there is a remotely reachable memory corruption issue in the NBNS…
CWE-121 Stack-based Buffer Overflow
2449 | 8.4 HIGH | Local | CVE-2026-41433 | 2026-04-28 03:57 | 2026-04-25
OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From 0.4.0 to before 0.8.0, a flaw in the Java agent injection path allows a local attacker contr…
CWE-22 Path Traversal; CWE-59 Link Following
2450 | 5.3 MEDIUM | Network | CVE-2026-6966 | 2026-04-28 03:57 | 2026-04-25
Improper verification of cryptographic signature uniqueness in delegated role validation in awslabs/tough before tough-v0.22.0 allows remote authenticated users to bypass the TUF signature threshold …
CWE-347 Improper Verification of Cryptographic Signature