# | CVSS | Severity | Vector | Vendor | Product | Description | CWE | CVE | Updated | Published
1651 | 8.1 | HIGH | Network | - | - | picklescan before 0.0.29 fails to detect malicious pickle files using idlelib.autocomplete.AutoComplete.fetch_completions in reduce methods. Attackers can embed undetected code in pickle files that e… | CWE-502 Deserialization of Untrusted Data | CVE-2025-71376 | 2026-06-24 01:16 | 2026-06-23
1652 | 8.1 | HIGH | Network | - | - | Picklescan before 0.0.33 fails to detect the numpy.f2py.crackfortran._eval_length gadget in pickle __reduce__ methods, allowing arbitrary code execution. Attackers can craft malicious pickle files th… | CWE-502 Deserialization of Untrusted Data | CVE-2025-71339 | 2026-06-24 01:16 | 2026-06-23
1653 | 6.9 | MEDIUM | Local | libexpat_project | libexpat | xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations. | CWE-190 Integer Overflow or Wraparound | CVE-2026-56411 | 2026-06-24 01:16 | 2026-06-22
1654 | 7.6 | HIGH | Network | - | - | conda-smithy is a tool for combining a conda recipe with configurations to build using freely hosted CI services into a single repository. Prior to version 3.61.0, a vulnerability in the conda-forge … | CWE-284 Improper Access Control | CVE-2026-46699 | 2026-06-24 01:06 | 2026-06-19
1655 | 10.0 | CRITICAL | Network | - | - | mcp-pinot is a Python-based Model Context Protocol (MCP) server for interacting with Apache Pinot. In versions 3.0.1 and below, mcp-pinot defaults to running an HTTP MCP server bound to 0.0.0.0:8080 … | CWE-306 Missing Authentication for Critical Function | CVE-2026-49257 | 2026-06-24 01:06 | 2026-06-19
1656 | 6.5 | MEDIUM | Network | - | - | phpMyFAQ is an open source FAQ web application. Versions prior to 4.1.4 have Missing Authorization in the API CategoryController. CVE-2026-24421 addressed this in the BackupController by adding: $th… | CWE-862 Missing Authorization | CVE-2026-49205 | 2026-06-24 01:06 | 2026-06-19
1657 | - | - | - | - | - | Slopsmith is a self-contained web application for browsing, playing, and practicing Rocksmith 2014 Custom DLC (CDLC). Prior to 0.2.9-alpha.5, a path-traversal vulnerability in Slopsmith's archive ext… | CWE-22 Path Traversal; CWE-23 Relative Path Traversal; CWE-36 Absolute Path Traversal | CVE-2026-49290 | 2026-06-24 01:06 | 2026-06-20
1658 | 4.3 | MEDIUM | Network | - | - | Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.23 and 6.20.0, an authenticated Control Panel user could view metadata and content for resources they don't have p… | CWE-200 Information Exposure; CWE-862 Missing Authorization; CWE-863 Incorrect Authorization | CVE-2026-49288 | 2026-06-24 01:06 | 2026-06-20
1659 | - | - | - | - | - | DevGuard provides vulnerability management for the full software supply chain. Prior to 1.4.2, on a DevGuard API instance with one or more public assets, any authenticated user — including users from… | CWE-285 Improper Authorization; CWE-863 Incorrect Authorization | CVE-2026-48089 | 2026-06-24 01:06 | 2026-06-20
1660 | 5.3 | MEDIUM | Network | - | - | YARD is a documentation generation tool for the Ruby programming language. Prior to version 0.9.44, YARD's static cache lookup reads a request path before the router's path cleanup runs. When a serve… | CWE-22 Path Traversal | CVE-2026-49342 | 2026-06-24 01:06 | 2026-06-20