|
971
|
- |
|
-
|
-
|
MISP modules are autonomous modules that can be used to extend MISP for new services. Prior to 3.0.7, an unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The h…
|
CWE-295
CWE-918
Improper Certificate Validation
Server-Side Request Forgery (SSRF)
|
CVE-2026-44363
|
2026-05-15 01:54 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
972
|
- |
|
-
|
-
|
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Flight::jsonp() concatenates the ?jsonp= query parameter directly into an application/javascript response body without validating tha…
|
CWE-79
Cross-site Scripting
|
CVE-2026-42548
|
2026-05-15 01:51 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
973
|
4.4 |
MEDIUM
Local
|
-
|
-
|
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, the make:controller CLI command calls mkdir(..., recursive: true) on a path built from the user-supplied controller name, before Nett…
|
CWE-22
Path Traversal
|
CVE-2026-42549
|
2026-05-15 01:51 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
974
|
8.8 |
HIGH
Network
|
-
|
-
|
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, SimplePdo::insert(), SimplePdo::update(), and SimplePdo::delete() build SQL statements by concatenating the $table argument and the k…
|
CWE-89
SQL Injection
|
CVE-2026-42550
|
2026-05-15 01:51 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
975
|
7.5 |
HIGH
Network
|
-
|
-
|
Flight is an extensible micro-framework for PHP. Prior to 3.18.1, Request::getMethod() unconditionally honors the X-HTTP-Method-Override header and the $_REQUEST['_method'] parameter on any HTTP verb…
|
CWE-436
Interpretation Conflict
|
CVE-2026-42551
|
2026-05-15 01:51 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
976
|
7.2 |
HIGH
Network
|
-
|
-
|
CubeCart is an ecommerce software solution. Prior to 6.6.0, Authenticated Time-Based Blind SQL Injection vulnerabilities were identified in the sorting parameters (sort[price], sort_activity, sort_ad…
|
CWE-89
SQL Injection
|
CVE-2026-39358
|
2026-05-15 01:49 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
977
|
4.8 |
MEDIUM
Network
|
-
|
-
|
CubeCart is an ecommerce software solution. Prior to 6.6.0, a Stored Cross-Site Scripting (XSS) vulnerability exists in CubeCart v6.x. An attacker with administrative privileges can inject malicious …
|
CWE-79
Cross-site Scripting
|
CVE-2026-39428
|
2026-05-15 01:49 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
978
|
9.1 |
CRITICAL
Network
|
-
|
-
|
CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates and …
|
CWE-94
CWE-1336
Code Injection
Improper Neutralization of Special Elements Used in a Template Engine
|
CVE-2026-44377
|
2026-05-15 01:49 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
979
|
4.9 |
MEDIUM
Network
|
-
|
-
|
CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page (admin.php?_g=orders&node=transactions) builds a raw ORDER BY SQL fragment from the attacker-con…
|
CWE-89
SQL Injection
|
CVE-2026-45054
|
2026-05-15 01:49 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
980
|
8.1 |
HIGH
Network
|
-
|
-
|
CubeCart is an ecommerce software solution. Prior to 6.7.2, CubeCart 6.6.x – 6.7.1 builds CC_STORE_URL directly from the Host request header at bootstrap, with no allowlist. The constant is embedded …
|
CWE-20
CWE-345
CWE-601
CWE-784
Improper Input Validation
Insufficient Verification of Data Authenticity
Open Redirect
Reliance on Cookies without Validation and Integrity Checking in a Security Decision
|
CVE-2026-45055
|
2026-05-15 01:49 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
