|
2211
|
- |
|
-
|
-
|
Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request.
|
-
|
CVE-2026-50891
|
2026-06-17 00:49 |
2026-06-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2212
|
- |
|
-
|
-
|
Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute workspace-defined Claude hook commands from .claude/settings.local.json without ded…
|
CWE-94
CWE-829
Code Injection
Inclusion of Functionality from Untrusted Control Sphere
|
CVE-2026-48124
|
2026-06-17 00:49 |
2026-06-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2213
|
4.3 |
MEDIUM
Network
|
-
|
-
|
MultiJuicer is used to run separate Juice Shop instances on a central kubernetes cluster without the need for local instances. In versions 8.0.0 through 10.0.0, the team join endpoint (POST /multi-ju…
|
CWE-352
Origin Validation Error
|
CVE-2026-48518
|
2026-06-17 00:49 |
2026-06-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2214
|
7.5 |
HIGH
Network
|
-
|
-
|
OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, the template engine uses a single shared text/template.Template instance (tpl package-level va…
|
CWE-362
CWE-567
Race Condition
Unsynchronized Access to Shared Data in a Multithreaded Context
|
CVE-2026-48708
|
2026-06-17 00:49 |
2026-06-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2215
|
3.7 |
LOW
Network
|
-
|
-
|
OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, The ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any auth…
|
CWE-862
Missing Authorization
|
CVE-2026-48709
|
2026-06-17 00:49 |
2026-06-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2216
|
6.1 |
MEDIUM
Network
|
-
|
-
|
Slim is a PHP micro framework that enables users to write simple web applications and APIs. In versions 4.4.0 through 4.15, if an application uses HttpException::setTitle() and/or setDescription() to…
|
CWE-79
Cross-site Scripting
|
CVE-2026-48157
|
2026-06-17 00:49 |
2026-06-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2217
|
7.8 |
HIGH
Local
|
-
|
-
|
The browserstack-cypress-cli is BrowserStack's CLI which allows users to run Cypress tests on BrowserStack. Versions prior to 1.36.4 are vulnerable to OS command injection via the cypress_config_file…
|
CWE-78
OS Command
|
CVE-2026-48723
|
2026-06-17 00:46 |
2026-06-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2218
|
7.7 |
HIGH
Network
|
-
|
-
|
Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.3.0, the private IP blocklist regex used in the URL download feature does no…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-47684
|
2026-06-17 00:46 |
2026-06-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2219
|
8.2 |
HIGH
Network
|
-
|
-
|
Forem is open source software for building communities. Prior to commit a2ab6d4, a maliciously crafted email address could allow an attacker to bypass domain allowlist or denylist restrictions and ga…
|
CWE-287
Improper Authentication
|
CVE-2026-48780
|
2026-06-17 00:46 |
2026-06-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2220
|
9.1 |
CRITICAL
Network
|
-
|
-
|
Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys (e.g. via i18next-http-middleware's missingKeyHandler expos…
|
CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
|
CVE-2026-48713
|
2026-06-17 00:46 |
2026-06-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
