|
3521
|
7.5 |
HIGH
Network
|
jenkins
|
credentials_binding
|
Jenkins Credentials Binding Plugin 719.v80e905ef14eb_ and earlier does not sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write file…
|
CWE-22
Path Traversal
|
CVE-2026-42520
|
2026-05-7 01:32 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3522
|
6.5 |
MEDIUM
Network
|
jenkins
|
matrix_authorization_strategy
|
Jenkins Matrix Authorization Strategy Plugin 2.0-beta-1 through 3.2.9 (both inclusive) invokes parameterless constructors of classes specified in configuration when deserializing inheritance strategi…
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-42521
|
2026-05-7 01:21 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3523
|
4.3 |
MEDIUM
Network
|
jenkins
|
github_branch_source
|
A missing permission check in Jenkins GitHub Branch Source Plugin 1967.vdea_d580c1a_b_a_ and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL with attacke…
|
CWE-862
Missing Authorization
|
CVE-2026-42522
|
2026-05-7 01:18 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3524
|
8.4 |
HIGH
Local
|
hmbrand
|
text\
|
Text::CSV_XS versions before 1.62 for Perl have a use-after-free when registered callbacks extend the Perl argument stack, which may enable type confusion or memory corruption.
The Parse, print, get…
|
CWE-416
CWE-825
Use After Free
Expired Pointer Dereference
|
CVE-2026-7111
|
2026-05-7 01:16 |
2026-04-30 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3525
|
8.8 |
HIGH
Network
|
redis
|
redis
|
Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to exe…
|
CWE-122
Heap-based Buffer Overflow
|
CVE-2026-25243
|
2026-05-7 01:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3526
|
8.6 |
HIGH
Network
|
-
|
-
|
In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-7412
|
2026-05-7 01:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3527
|
10.0 |
CRITICAL
Network
|
-
|
-
|
In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal att…
|
CWE-22
Path Traversal
|
CVE-2026-7411
|
2026-05-7 01:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3528
|
7.5 |
HIGH
Network
|
wireshark
|
wireshark
|
Crash in sharkd 4.6.0 to 4.6.4 and 4.4.0 to 4.4.14 allows denial of service
|
CWE-476
NULL Pointer Dereference
|
CVE-2026-7376
|
2026-05-7 01:16 |
2026-04-30 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3529
|
6.1 |
MEDIUM
Network
|
-
|
-
|
FluentCMS 1.2.3 is vulnerable to Cross Site Scripting (XSS) in TextHTML plugin.
|
CWE-79
Cross-site Scripting
|
CVE-2026-38947
|
2026-05-7 01:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3530
|
- |
|
-
|
-
|
Twenty is an open source CRM built with NestJS (Node.js). In versions 1.18.0 and earlier, the SSRF protection in twenty-server's SecureHttpClientService can be bypassed using IPv4-mapped IPv6 address…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-33975
|
2026-05-7 01:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
