|
2551
|
- |
|
-
|
-
|
http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the gen…
|
CWE-150
Improper Neutralization of Escape, Meta, or Control Sequences
|
CVE-2026-6019
|
2026-04-30 01:16 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2552
|
8.8 |
HIGH
Network
|
-
|
-
|
Improper Privilege Management, Improper Access Control, Incorrect privilege assignment vulnerability in TUBITAK BILGEM Software Technologies Research Institute Pardus Software Center allows Hijacking…
|
CWE-266
CWE-269
CWE-284
Incorrect Privilege Assignment
Improper Privilege Management
Improper Access Control
|
CVE-2026-5141
|
2026-04-30 01:16 |
2026-04-30 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2553
|
- |
|
-
|
-
|
If `shutil.unpack_archive()` is given a ZIP archive with an absolute Windows path containing a drive (`C:\\...`) then the archive will be extracted outside the target directory which is different tha…
|
CWE-22
Path Traversal
|
CVE-2026-3087
|
2026-04-30 01:16 |
2026-04-28 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2554
|
- |
|
-
|
-
|
Cockpit 2.13.5 and earlier is vulnerable to directory traversal via the Buckets component. This vulnerability allows authenticated attackers to write files to arbitrary locations within the uploads d…
|
-
|
CVE-2026-38993
|
2026-04-30 01:16 |
2026-04-30 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2555
|
- |
|
-
|
-
|
Cockpit 2.13.5 and earlier is affected by a misconfiguration within the Bucket component _isFileTypeAllowed function where a specially crafted filename bypasses an extension filter. This allows an au…
|
-
|
CVE-2026-38991
|
2026-04-30 01:16 |
2026-04-30 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2556
|
- |
|
-
|
-
|
Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user i…
|
-
|
CVE-2026-38949
|
2026-04-30 01:16 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2557
|
6.1 |
MEDIUM
Network
|
-
|
-
|
A reflected Cross-Site Scripting (XSS) vulnerability in School Management System by mahmoudai1 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim's browsers via the uns…
|
CWE-79
Cross-site Scripting
|
CVE-2026-37750
|
2026-04-30 01:16 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2558
|
7.5 |
HIGH
Network
|
-
|
-
|
TOTOLINK A3002RU V3 <= V3.0.0-B20220304.1804 was discovered to contain a stack-based buffer overflow via the hostname parameter in the formMapDelDevice function.
|
CWE-121
Stack-based Buffer Overflow
|
CVE-2026-36837
|
2026-04-30 01:16 |
2026-04-30 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2559
|
3.3 |
LOW
Local
|
uutils
|
coreutils
|
A logic error in the tr utility of uutils coreutils causes the program to incorrectly define the [:graph:] and [:print:] character classes. The implementation mistakenly includes the ASCII space char…
|
CWE-684
Incorrect Provision of Specified Functionality
|
CVE-2026-35379
|
2026-04-30 00:59 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2560
|
5.5 |
MEDIUM
Local
|
uutils
|
coreutils
|
A logic error in the cut utility of uutils coreutils causes the program to incorrectly interpret the literal two-byte string '' (two single quotes) as an empty delimiter. The implementation mistakenl…
|
CWE-20
NVD-CWE-noinfo
Improper Input Validation
|
CVE-2026-35380
|
2026-04-30 00:57 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
