|
131
|
- |
|
-
|
-
|
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML thro…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-42841
|
2026-05-12 02:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
132
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing …
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-42610
|
2026-05-12 02:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
133
|
- |
|
-
|
-
|
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, there is a Path Traversal vulnerability within the FormFlash core component. By manipulating the session_id (passed as __form-flash-id in POS…
New
|
CWE-22
Path Traversal
|
CVE-2026-42608
|
2026-05-12 02:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
134
|
4.3 |
MEDIUM
Network
|
-
|
-
|
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLL…
New
|
CWE-200
CWE-639
Information Exposure
Authorization Bypass Through User-Controlled Key
|
CVE-2026-42456
|
2026-05-12 02:16 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
135
|
- |
|
-
|
-
|
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other…
New
|
CWE-754
CWE-863
Improper Check for Unusual or Exceptional Conditions
Incorrect Authorization
|
CVE-2026-42349
|
2026-05-12 02:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
136
|
- |
|
-
|
-
|
New API is a large language mode (LLM) gateway and artificial intelligence (AI) asset management system. In versions 0.11.9-alpha.1 and prior, the SSRF protection introduced in v0.9.0.5 (CVE-2025-591…
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-42339
|
2026-05-12 02:16 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
137
|
- |
|
-
|
-
|
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, the Webhook Interceptor loads the entire request b…
New
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-42294
|
2026-05-12 02:16 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
138
|
6.5 |
MEDIUM
Network
|
-
|
-
|
FlashMQ is a MQTT broker/server, designed for multi-CPU environments. Prior to version 1.26.1, a remote client with retained publish permission can crash the FlashMQ broker when both set_retained_mes…
New
|
CWE-369
Divide By Zero
|
CVE-2026-42209
|
2026-05-12 02:16 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
139
|
6.2 |
MEDIUM
Local
|
-
|
-
|
Grid is a data structure grid for rust. From version 0.17.0 to before version 1.0.1, an integer overflow in Grid::expand_rows() can corrupt the relationship between the grid’s logical dimensions and …
New
|
CWE-190
Integer Overflow or Wraparound
|
CVE-2026-42199
|
2026-05-12 02:16 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
140
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the…
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-42181
|
2026-05-12 02:16 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
