|
31
|
5.3 |
MEDIUM
Network
|
-
|
-
|
@astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting a static js/css resources from _astro path with an incorrect/malformed if-match header returns a 500 er…
New
|
CWE-525
Use of Web Browser Cache Containing Sensitive Information
|
CVE-2026-41322
|
2026-04-25 03:16 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
32
|
2.2 |
LOW
Network
|
-
|
-
|
@astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch() call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transfo…
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-41321
|
2026-04-25 03:16 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
33
|
- |
|
-
|
-
|
Poetry is a dependency manager for Python. Prior to 2.3.4, the extractall() function in src/poetry/utils/helpers.py:410-426 extracts sdist tarballs without path traversal protection on Python version…
New
|
CWE-22
Path Traversal
|
CVE-2026-41140
|
2026-04-25 03:16 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
34
|
6.5 |
MEDIUM
Network
|
-
|
-
|
A Broken Access Control vulnerability exists in ClassroomIO v0.1.13 where an authenticated low-privileged "student" user can access unauthorized course-level information by modifying intercepted API …
New
|
CWE-284
CWE-285
Improper Access Control
Improper Authorization
|
CVE-2025-67259
|
2026-04-25 03:16 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
35
|
8.8 |
HIGH
Network
|
-
|
-
|
Math.js is an extensive math library for JavaScript and Node.js. From 13.1.1 to before 15.2.0, a vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be a…
New
|
CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
|
CVE-2026-40897
|
2026-04-25 02:56 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
36
|
7.5 |
HIGH
Network
|
-
|
-
|
lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML in…
New
|
CWE-611
XXE
|
CVE-2026-41066
|
2026-04-25 02:56 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
37
|
6.1 |
MEDIUM
Network
|
-
|
-
|
Astro is a web framework. Prior to 6.1.6, the defineScriptVars function in Astro's server-side rendering pipeline uses a case-sensitive regex /<\/script>/g to sanitize values injected into inline <sc…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-41067
|
2026-04-25 02:56 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
38
|
4.3 |
MEDIUM
Adjacent
|
-
|
-
|
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to 2.4.17, a network-adjacent attacker can send a crafted SNMP response to the CUPS SNMP bac…
New
|
CWE-125
CWE-200
Out-of-bounds Read
Information Exposure
|
CVE-2026-41079
|
2026-04-25 02:56 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
39
|
6.6 |
MEDIUM
Local
|
-
|
-
|
Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file …
New
|
CWE-78
OS Command
|
CVE-2026-41411
|
2026-04-25 02:56 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
40
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, m…
New
|
CWE-347
Improper Verification of Cryptographic Signature
|
CVE-2026-6911
|
2026-04-25 02:56 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
