| # | CVSS | Severity | Vector | Vendor | Product | Description | Status | CWE | CVE | Updated | Published |
|---|------|----------|--------|--------|---------|-------------|--------|-----|-----|---------|-----------|
| 531 | 7.5 | HIGH | Network | rubyconcurrency | concurrent_ruby | concurrent-ruby provides modern concurrency tools for Ruby. Prior to 1.3.7, Concurrent::AtomicReference#update can enter a permanent busy retry loop when the current value is Float::NAN. The issue is cau… | New | CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') | CVE-2026-54904 | 2026-06-27 04:26 | 2026-06-25 |
| 532 | 5.3 | MEDIUM | Network | encode | starlette | Starlette is a lightweight ASGI framework/toolkit. Prior to 1.3.0, the HTTP request path is not validated before being used to reconstruct request.url. Because request.url is rebuilt by concatenating… | New | CWE-706 Use of Incorrectly-Resolved Name or Reference | CVE-2026-54282 | 2026-06-27 04:18 | 2026-06-23 |
| 533 | 7.5 | HIGH | Network | encode | starlette | Starlette is a lightweight ASGI framework/toolkit. From 0.4.1 until 1.3.1, request.form() accepts max_fields and max_part_size to bound resource consumption while parsing form data. These limits are … | New | CWE-770 Allocation of Resources Without Limits or Throttling | CVE-2026-54283 | 2026-06-27 04:16 | 2026-06-23 |
| 534 | - | - | - | - | - | Outline is a service that allows for collaborative documentation. Prior to 1.8.0, the AuthenticationHelper.canAccess function uses ctx.originalUrl to verify if an API key or OAuth token has the requi… | New | CWE-863 Incorrect Authorization | CVE-2026-54573 | 2026-06-27 04:16 | 2026-06-26 |
| 535 | 2.2 | LOW | Local | - | - | Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this … | New | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition; CWE-732 Incorrect Permission Assignment for Critical Resource | CVE-2026-54327 | 2026-06-27 04:16 | 2026-06-24 |
| 536 | 5.8 | MEDIUM | Local | - | - | K3s is a fully conformant production-ready Kubernetes distribution. Prior to 1.35.3+k3s1, 1.34.6+k3s1, v1.33.10+k3s1, a path traversal vulnerability exists in K3s's etcd snapshot decompression functi… | New | CWE-22 Path Traversal | CVE-2026-54250 | 2026-06-27 04:16 | 2026-06-26 |
| 537 | 7.5 | HIGH | Network | - | - | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, File Browser's public share handlers rebase t… | New | CWE-863 Incorrect Authorization | CVE-2026-54091 | 2026-06-27 04:16 | 2026-06-26 |
| 538 | 7.1 | HIGH | Network | - | - | SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, renderPackageREADME in kernel/bazaar/readme.go renders a Bazaar package README from Markdown to HTML with the lute engin… | New | CWE-79 Cross-site Scripting; CWE-184 Incomplete Blacklist | CVE-2026-54070 | 2026-06-27 04:16 | 2026-06-25 |
| 539 | 5.5 | MEDIUM | Network | snipeitapp | snipe-it | Snipe-IT is an IT asset/license management system. In versions prior to 8.6.0, a user with only users.edit can send a PATCH to /api/v1/users/{their_own_id} and grant themselves any permission except … | New | CWE-863 Incorrect Authorization | CVE-2026-48493 | 2026-06-27 04:16 | 2026-06-24 |
| 540 | 5.3 | MEDIUM | Network | - | - | LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the DELETE /api/messages/:conversationId/:messageId endpoint allows any authenticated user to delete an… | New | CWE-862 Missing Authorization | CVE-2026-54029 | 2026-06-27 04:16 | 2026-06-26 |