|
1591
|
7.5 |
HIGH
Network
|
-
|
-
|
apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target poi…
|
CWE-22
CWE-59
Path Traversal
Link Following
|
CVE-2026-42574
|
2026-05-14 00:23 |
2026-05-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1592
|
7.5 |
HIGH
Network
|
-
|
-
|
apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded …
|
CWE-345
CWE-494
Insufficient Verification of Data Authenticity
Download of Code Without Integrity Check
|
CVE-2026-42575
|
2026-05-14 00:23 |
2026-05-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1593
|
6.5 |
MEDIUM
Network
|
-
|
-
|
apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *r…
|
CWE-704
Incorrect Type Conversion or Cast
|
CVE-2026-42576
|
2026-05-14 00:23 |
2026-05-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1594
|
7.5 |
HIGH
Network
|
golang
|
go
|
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
|
CWE-476
NULL Pointer Dereference
|
CVE-2026-39836
|
2026-05-14 00:11 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1595
|
7.5 |
HIGH
Network
|
golang
|
go
|
Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-39820
|
2026-05-14 00:10 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1596
|
5.3 |
MEDIUM
Local
|
golang
|
go
|
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one…
|
CWE-59
Link Following
|
CVE-2026-39819
|
2026-05-14 00:05 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1597
|
5.9 |
MEDIUM
Local
|
golang
|
go
|
The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" su…
|
CWE-787
Out-of-bounds Write
|
CVE-2026-39817
|
2026-05-13 23:59 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1598
|
10.0 |
CRITICAL
Network
|
peerigon
|
angular-expressions
|
Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to 1.5.2, an attacker can write a malicious expression using filters that escapes the sandbox t…
|
CWE-95
Eval Injection
|
CVE-2026-44643
|
2026-05-13 23:54 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1599
|
9.4 |
CRITICAL
Network
|
-
|
-
|
phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been p…
|
CWE-284
CWE-306
CWE-862
Improper Access Control
Missing Authentication for Critical Function
Missing Authorization
|
CVE-2026-42569
|
2026-05-13 23:54 |
2026-05-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1600
|
8.5 |
HIGH
Local
|
-
|
-
|
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the upload_wasm MCP tool accepted a filesystem path from the agent and uploaded whatever bytes the path resolved t…
|
CWE-20
CWE-22
CWE-59
CWE-73
Improper Input Validation
Path Traversal
Link Following
External Control of File Name or Path
|
CVE-2026-43989
|
2026-05-13 23:54 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
