| 491 | 3.3 | LOW / Local | - | - | The automatic folder creation feature of Lhaz and Lhaz+ provided by Chitora soft contains a path traversal vulnerability. When the affected product is configured with the automatic folder creation fe… | New | CWE-22 Path Traversal | CVE-2026-41530 | 2026-05-13 00:10 | 2026-05-12 |
| 492 | 7.4 | HIGH / Network | - | - | "Kura Sushi Official App" provided by EPG, Inc. is vulnerable to improper certificate validation. A man-in-the-middle attack may allow eavesdropping on, or altering, the communication on push notific… | New | CWE-295 Improper Certificate Validation | CVE-2026-41872 | 2026-05-13 00:10 | 2026-05-12 |
| 493 | - | | - | - | Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to 1.5.2, an attacker can write a malicious expression using filters that escapes the sandbox t… | New | CWE-95 Eval Injection | CVE-2026-44643 | 2026-05-13 00:09 | 2026-05-12 |
| 494 | - | | - | - | Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited… | New | CWE-1392 Use of Default Credentials | CVE-2026-7428 | 2026-05-13 00:09 | 2026-05-12 |
| 495 | 5.3 | MEDIUM / Network | - | - | webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix r… | New | CWE-749 Exposed Dangerous Method or Function | CVE-2026-6402 | 2026-05-13 00:08 | 2026-05-12 |
| 496 | 7.5 | HIGH / Network | - | - | multiparty@4.2.3 and lower versions are vulnerable to denial of service via regular expression backtracking in the Content-Disposition filename parameter parser. A crafted multipart upload with a lon… | New | CWE-1333 Inefficient Regular Expression Complexity | CVE-2026-8159 | 2026-05-13 00:08 | 2026-05-12 |
| 497 | 7.5 | HIGH / Network | - | - | multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that collides with an inherited Object.proto… | New | CWE-248 Uncaught Exception; CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | CVE-2026-8161 | 2026-05-13 00:08 | 2026-05-12 |
| 498 | 7.5 | HIGH / Network | - | - | multiparty@4.2.3 and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition header whose filename* parameter co… | New | CWE-755 Improper Handling of Exceptional Conditions | CVE-2026-8162 | 2026-05-13 00:08 | 2026-05-12 |
| 499 | 7.4 | HIGH / Network | - | - | When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP … | New | CWE-235 Improper Handling of Extra Parameters | CVE-2026-27851 | 2026-05-13 00:08 | 2026-05-12 |
| 500 | 6.8 | MEDIUM / Adjacent | - | - | Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the c… | New | CWE-99 Resource Injection | CVE-2026-33603 | 2026-05-13 00:08 | 2026-05-12 |