|
2381
|
4.8 |
MEDIUM
Network
|
weblate
|
wlc
|
wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting…
|
CWE-79
Cross-site Scripting
|
CVE-2026-42150
|
2026-05-12 23:00 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2382
|
3.3 |
LOW
Network
|
kimai
|
kimai
|
Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to …
|
CWE-862
Missing Authorization
|
CVE-2026-41498
|
2026-05-12 22:59 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2383
|
6.5 |
MEDIUM
Network
|
onyx
|
onyx
|
Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/{file_id} endpoint allows any authenticated user to download any other user's uploaded files by provi…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-42277
|
2026-05-12 22:58 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2384
|
5.9 |
MEDIUM
Network
|
elabftw
|
elabftw
|
eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under…
|
CWE-302
Authentication Bypass by Assumed-Immutable Data
|
CVE-2026-28510
|
2026-05-12 22:58 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2385
|
9.1 |
CRITICAL
Network
|
librenms
|
librenms
|
LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's in…
|
CWE-78
OS Command
|
CVE-2024-51092
|
2026-05-12 22:50 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2386
|
7.3 |
HIGH
Network
|
astrbot
|
astrbot
|
AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT.
|
CWE-321
Use of Hard-coded Cryptographic Key
|
CVE-2025-55449
|
2026-05-12 22:49 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2387
|
9.1 |
CRITICAL
Network
|
pfsense
|
pfsense
|
Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes …
|
CWE-502
CWE-915
Deserialization of Untrusted Data
Improperly Controlled Modification of Dynamically-Determined Object Attributes
|
CVE-2025-69690
|
2026-05-12 22:45 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2388
|
9.8 |
CRITICAL
Network
|
citeum
|
opencti
|
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploi…
|
CWE-287
Improper Authentication
|
CVE-2026-27960
|
2026-05-12 22:45 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2389
|
6.5 |
MEDIUM
Network
|
gofiber
|
fiber
|
Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query str…
|
CWE-436
Interpretation Conflict
|
CVE-2026-30246
|
2026-05-12 22:44 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2390
|
5.3 |
MEDIUM
Network
|
eclipse
|
vert.x
|
A TCP client can perform a TLS handshake and present the server name extension with a server name that is accepted by a server wildcard name, e.g. if the server is configured with a certificate accep…
|
CWE-770
CWE-295
Allocation of Resources Without Limits or Throttling
Improper Certificate Validation
|
CVE-2026-6860
|
2026-05-12 22:42 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
