|
4141
|
4.3 |
MEDIUM
Network
|
hono
|
hono
|
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted inpu…
|
CWE-74
CWE-116
Injection
Improper Encoding or Escaping of Output
|
CVE-2026-44458
|
2026-05-14 03:32 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4142
|
5.7 |
MEDIUM
Network
|
-
|
-
|
Taiga is a project management platform for startups and agile developers. Prior 6.9.1, Taiga front is vulnerable to stored XSS. This vulnerability is fixed in 6.9.1.
|
CWE-79
Cross-site Scripting
|
CVE-2026-41250
|
2026-05-14 03:31 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4143
|
- |
|
-
|
-
|
Tookie is a advanced OSINT information gathering tool. Prior to 4.1fix, modules/modules.py's write_txt, write_csv, write_json, and (commented-but-shipping) scan_file helpers open their output as open…
|
CWE-22
CWE-73
Path Traversal
External Control of File Name or Path
|
CVE-2026-42866
|
2026-05-14 03:31 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4144
|
10.0 |
CRITICAL
Network
|
-
|
-
|
SOCFortress CoPilot focuses on providing a single pane of glass for all your security operations needs. Prior to 0.1.57, SOCFortress CoPilot ships a hardcoded JWT signing secret as a fallback value i…
|
CWE-287
CWE-522
CWE-798
Improper Authentication
Insufficiently Protected Credentials
Use of Hard-coded Credentials
|
CVE-2026-42869
|
2026-05-14 03:31 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4145
|
3.7 |
LOW
Network
|
-
|
-
|
Microdot is a minimalistic Python web framework. Prior to 2.6.1, the Response.set_cookie() method does not sanitize its string arguments, and in particular will not detect the presence of the \r\n se…
|
CWE-113
HTTP Response Splitting
|
CVE-2026-42874
|
2026-05-14 03:31 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4146
|
9.4 |
CRITICAL
Network
|
-
|
-
|
oxyno-zeta/s3-proxy is an aws s3 proxy written in go. Prior to 5.0.0, s3-proxy contains an authentication bypass caused by inconsistent URL path interpretation between the authentication middleware a…
|
CWE-22
CWE-863
Path Traversal
Incorrect Authorization
|
CVE-2026-42882
|
2026-05-14 03:31 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4147
|
7.8 |
HIGH
Local
|
-
|
-
|
libcaca is a colour ASCII art library. In 0.99.beta20 and earlier, an integer overflow vulnerability in libcaca's canvas import functionality allows an attacker to cause a controlled heap out-of-boun…
|
CWE-122
CWE-190
CWE-787
Heap-based Buffer Overflow
Integer Overflow or Wraparound
Out-of-bounds Write
|
CVE-2026-42046
|
2026-05-14 03:31 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4148
|
7.1 |
HIGH
Network
|
-
|
-
|
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an …
|
CWE-345
CWE-863
CWE-1188
Insufficient Verification of Data Authenticity
Incorrect Authorization
Insecure Default Initialization of Resource
|
CVE-2026-41432
|
2026-05-14 03:29 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4149
|
- |
|
-
|
-
|
Link Preview JS extracts web links information. Prior to 4.0.1, the library did not check for IPv6 loopback attacks. There was also a DNS attack, where an address could be resolved into an internal I…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-43897
|
2026-05-14 03:27 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4150
|
8.2 |
HIGH
Network
|
-
|
-
|
exiftool-vendored provides cross-platform Node.js access to ExifTool. Prior to 35.19.0, exiftool-vendored starts ExifTool in -stay_open True -@ - mode, where arguments are read from stdin one per lin…
|
CWE-88
Argument Injection
|
CVE-2026-43893
|
2026-05-14 03:27 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
