| 201 | 6.3 | MEDIUM, Network | - | - | Koel is a free, open-source music streaming solution. Prior to version 9.7.1, Koel contains a Server-Side Request Forgery (SSRF) vulnerability in the radio station creation endpoint (POST /api/radio/… | New | CWE-918 Server-Side Request Forgery (SSRF) | CVE-2026-50552 | 2026-06-13 05:16 | 2026-06-13 |
| 202 | - |  | - | - | AgenticMail gives AI agents real email addresses and phone numbers. Prior to version 0.9.27, @agenticmail/mcp exposes a Streamable HTTP transport when started with --http or MCP_HTTP=1. In that mode,… | New | CWE-306 Missing Authentication for Critical Function | CVE-2026-50287 | 2026-06-13 05:16 | 2026-06-13 |
| 203 | - |  | - | - | Actual is an open-source personal finance application. Prior to version 26.5.0, several endpoints are affected by a path traversal vulnerability. Version 26.5.0 fixes the issue. | New | CWE-22 Path Traversal | CVE-2026-43872 | 2026-06-13 05:16 | 2026-06-13 |
| 204 | - |  | - | - | Actual is an open-source personal finance application. In the macOS desktop application version 25.x (built on Electron 39.2.7), the ELECTRON_RUN_AS_NODE fuse is not disabled, allowing an attacker wh… | New | CWE-94 Code Injection | CVE-2026-42890 | 2026-06-13 05:16 | 2026-06-13 |
| 205 | 7.8 | HIGH, Local | - | - | Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, a program able to write bytes to a kitty terminal — a remote SSH peer, a downloaded file viewed with `cat`, a log line, an e… | New | CWE-94 Code Injection, CWE-862 Missing Authorization | CVE-2026-42851 | 2026-06-13 05:16 | 2026-06-13 |
| 206 | - |  | - | - | Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, it is possible to inject commands within the subshell through kitty error. A special escape code will make kitty return an e… | New | CWE-77 Command Injection | CVE-2026-42850 | 2026-06-13 05:16 | 2026-06-13 |
| 207 | - |  | - | - | Actual is a local-first personal finance tool. The `POST /openid/config` endpoint in Actual Budget's sync-server versions <= 26.4.0 exposes the full OpenID Connect configuration—including the OAuth2 … | New | CWE-863 Incorrect Authorization | CVE-2026-42604 | 2026-06-13 05:16 | 2026-06-13 |
| 208 | 7.5 | HIGH, Network | - | - | form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into… | New | CWE-93 CRLF Injection | CVE-2026-12143 | 2026-06-13 05:16 | 2026-06-13 |
| 209 | 8.8 | HIGH, Network | - | - | Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting clie… | New | CWE-415 Double Free | CVE-2026-12043 | 2026-06-13 05:16 | 2026-06-13 |
| 210 | - |  | - | - | Camaleon CMS 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary post_id to POST /admin/post… | New | CWE-862 Missing Authorization | CVE-2026-10715 | 2026-06-13 05:16 | 2026-06-13 |