| 271 | 6.1 MEDIUM | Network | microsoft | exchange_server | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. | New | CWE-79 Cross-site Scripting | CVE-2026-42897 | 2026-05-16 04:35 | 2026-05-15 |
| 272 | 8.3 HIGH | Network | argoproj | argo_workflows | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provid… | Update | CWE-862 Missing Authorization | CVE-2026-42297 | 2026-05-16 04:26 | 2026-05-9 |
| 273 | 7.5 HIGH | Network | getarcane | arcane | Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.18.0, four GET endpoints under /api/templates* in Arcane's Huma backend are registered without… | Update | CWE-862 Missing Authorization | CVE-2026-42461 | 2026-05-16 04:18 | 2026-05-9 |
| 274 | 7.5 HIGH | Network | - | - | Missing bounds validation in the MQTT v5.0 property parser in coreMQTT before 5.0.1 allows an MQTT broker to cause a denial of service by sending a crafted packet. To remediate this issue, users s… | New | CWE-125 Out-of-bounds Read | CVE-2026-8686 | 2026-05-16 04:17 | 2026-05-16 |
| 275 | 4.3 MEDIUM | Network | - | - | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG fi… | New | CWE-754 Improper Check for Unusual or Exceptional Conditions | CVE-2026-4054 | 2026-05-16 04:17 | 2026-05-16 |
| 276 | 3.1 LOW | Network | - | - | Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13 fail to enforce the PostEditTimeLimit on non-message post fields which allows an authenticated user to modify post file attachments, props, a… | New | CWE-672 Operation on a Resource after Expiration or Release | CVE-2026-4053 | 2026-05-16 04:17 | 2026-05-16 |
| 277 | 8.1 HIGH | Network | - | - | Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the backend admin/auth-token endpoint allows an authenticated administrator t… | New | CWE-639 Authorization Bypass Through User-Controlled Key | CVE-2026-46407 | 2026-05-16 04:17 | 2026-05-16 |
| 278 | 5.5 MEDIUM | Local | - | - | Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.13.0, Microsoft APM contains a Windows-specific archive extraction boundary failure in the legacy-bundle… | New | CWE-22 Path Traversal; CWE-73 External Control of File Name or Path | CVE-2026-46383 | 2026-05-16 04:17 | 2026-05-16 |
| 279 | 9.8 CRITICAL | Network | - | - | phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() methods that interpolate unsanitized User-Agent h… | New | CWE-89 SQL Injection | CVE-2026-46364 | 2026-05-16 04:17 | 2026-05-16 |
| 280 | 6.5 MEDIUM | Network | - | - | phpMyFAQ before 4.1.2 contains an authorization bypass vulnerability in AbstractAdministrationController::userHasPermission() that fails to terminate execution after sending a forbidden response. Att… | New | CWE-863 Incorrect Authorization | CVE-2026-46362 | 2026-05-16 04:17 | 2026-05-16 |