| 21 | - | | - | - | Dify is an open-source LLM app development platform. Prior to version 1.13.1, using the method POST /api/files/upload, any unauthenticated user can upload an SVG file with XSS. The method POST /v1/fi… | New | CWE-79 Cross-site Scripting | CVE-2026-42138 | 2026-05-5 03:16 | 2026-05-5 |
| 22 | 6.5 | MEDIUM Network | - | - | titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. Any authenticated user can subscr… | New | CWE-200 Information Exposure | CVE-2026-42092 | 2026-05-5 03:16 | 2026-05-5 |
| 23 | 6.5 | MEDIUM Network | - | - | goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the C… | New | CWE-352 Origin Validation Error | CVE-2026-42091 | 2026-05-5 03:16 | 2026-05-5 |
| 24 | 9.6 | CRITICAL Network | - | - | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0-rc3, the Script Runner widget allows users to execute Py… | New | CWE-250 Execution with Unnecessary Privileges | CVE-2026-42088 | 2026-05-5 03:16 | 2026-05-5 |
| 25 | 9.6 | CRITICAL Network | - | - | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. From version 6.7.0 to before version 7.0.0-rc3, a SQL injection vulnerability e… | New | CWE-89 SQL Injection | CVE-2026-42087 | 2026-05-5 03:16 | 2026-05-5 |
| 26 | 4.6 | MEDIUM Network | - | - | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to version 7.0.0, the Command Sender UI uses an unsafe eval() function on… | New | CWE-79 Cross-site Scripting | CVE-2026-42086 | 2026-05-5 03:16 | 2026-05-5 |
| 27 | 4.3 | MEDIUM Network | - | - | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, OpenC3 COSMOS contains a design flaw in… | New | CWE-23 Relative Path Traversal | CVE-2026-42085 | 2026-05-5 03:16 | 2026-05-5 |
| 28 | 8.1 | HIGH Network | - | - | OpenC3 COSMOS provides the functionality needed to send commands to and receive data from one or more embedded systems. Prior to versions 6.10.5 and 7.0.0-rc3, the OpenC3 password change functionalit… | New | CWE-620 Unverified Password Change | CVE-2026-42084 | 2026-05-5 03:16 | 2026-05-5 |
| 29 | 8.1 | HIGH Network | - | - | Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a path traversal vulnerability in the skill download (fetch) command allows attackers to write files to arbitrary… | New | CWE-22 Path Traversal | CVE-2026-42075 | 2026-05-5 03:16 | 2026-05-5 |
| 30 | - | | - | - | Beets is the media library management system. Prior to version 2.10.0, the bundled web UI uses Underscore template interpolation mode <%= ... %> for untrusted metadata fields. In this runtime, <%= ..… | New | CWE-79 Cross-site Scripting | CVE-2026-42052 | 2026-05-5 03:16 | 2026-05-5 |