|
4261
|
9.4 |
CRITICAL
Network
|
-
|
-
|
oxyno-zeta/s3-proxy is an aws s3 proxy written in go. Prior to 5.0.0, s3-proxy contains an authentication bypass caused by inconsistent URL path interpretation between the authentication middleware a…
|
CWE-22
CWE-863
Path Traversal
Incorrect Authorization
|
CVE-2026-42882
|
2026-05-14 03:31 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4262
|
7.8 |
HIGH
Local
|
-
|
-
|
libcaca is a colour ASCII art library. In 0.99.beta20 and earlier, an integer overflow vulnerability in libcaca's canvas import functionality allows an attacker to cause a controlled heap out-of-boun…
|
CWE-122
CWE-190
CWE-787
Heap-based Buffer Overflow
Integer Overflow or Wraparound
Out-of-bounds Write
|
CVE-2026-42046
|
2026-05-14 03:31 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4263
|
7.1 |
HIGH
Network
|
-
|
-
|
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an …
|
CWE-345
CWE-863
CWE-1188
Insufficient Verification of Data Authenticity
Incorrect Authorization
Insecure Default Initialization of Resource
|
CVE-2026-41432
|
2026-05-14 03:29 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4264
|
- |
|
-
|
-
|
Link Preview JS extracts web links information. Prior to 4.0.1, the library did not check for IPv6 loopback attacks. There was also a DNS attack, where an address could be resolved into an internal I…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-43897
|
2026-05-14 03:27 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4265
|
8.2 |
HIGH
Network
|
-
|
-
|
exiftool-vendored provides cross-platform Node.js access to ExifTool. Prior to 35.19.0, exiftool-vendored starts ExifTool in -stay_open True -@ - mode, where arguments are read from stdin one per lin…
|
CWE-88
Argument Injection
|
CVE-2026-43893
|
2026-05-14 03:27 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4266
|
- |
|
-
|
-
|
pam_authnft is a PAM session module binding nftables firewall rules to authenticated sessions via cgroupv2 inodes. Prior to 0.2.0-alpha, a heap buffer over-read in peer_lookup_tcp (src/peer_lookup.c:…
|
CWE-125
CWE-191
Out-of-bounds Read
Integer Underflow (Wrap or Wraparound)
|
CVE-2026-43916
|
2026-05-14 03:27 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4267
|
9.1 |
CRITICAL
Network
|
-
|
-
|
sealed-env is a cross-stack, zero-trust secret management library for Node.js and Java/Spring Boot. In sealed-env enterprise mode, versions 0.1.0-alpha.1 through 0.1.0-alpha.3 embedded the operator's…
|
CWE-200
CWE-522
Information Exposure
Insufficiently Protected Credentials
|
CVE-2026-45091
|
2026-05-14 03:27 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4268
|
- |
|
-
|
-
|
MinIO is a high-performance object storage system. From RELEASE.2022-07-24T01-54-52Z to before RELEASE.2026-04-14T21-32-45Z, A path traversal vulnerability in MinIO's ReadMultiple internode storage-R…
|
CWE-22
Path Traversal
|
CVE-2026-42600
|
2026-05-14 03:26 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4269
|
- |
|
-
|
-
|
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) logi…
|
CWE-362
Race Condition
|
CVE-2026-43930
|
2026-05-14 03:26 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4270
|
8.8 |
HIGH
Network
|
-
|
-
|
YetAnotherForum.NET (YAF.NET) is a C# ASP.NET forum. Prior to 4.0.5, Any admin OnPost… handler executes its side effects before the ResultFilterAttribute rewrites the response to a 302 to /Info/4. Th…
|
CWE-89
CWE-841
SQL Injection
Improper Enforcement of Behavioral Workflow
|
CVE-2026-43937
|
2026-05-14 03:24 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
