|
51
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler (api/settings/settings.go:24-65) serializes all settings structs to JSON and returns the…
New
|
CWE-200
Information Exposure
|
CVE-2026-42223
|
2026-05-6 01:16 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
52
|
8.1 |
HIGH
Network
|
-
|
-
|
Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx…
New
|
CWE-306
Missing Authentication for Critical Function
|
CVE-2026-42221
|
2026-05-6 01:16 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
53
|
6.5 |
MEDIUM
Network
|
-
|
-
|
goshs is a SimpleHTTPServer written in Go. Prior to version 2.0.2, the PUT upload handler (httpserver/updown.go) lacks the CSRF token validation that was added to the POST upload handler during the C…
New
|
CWE-352
Origin Validation Error
|
CVE-2026-42091
|
2026-05-6 01:16 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
54
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the _extractLLM() function allows attackers to execute arbitrary shell comma…
New
|
CWE-78
OS Command
|
CVE-2026-42076
|
2026-05-6 01:16 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
55
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Arbitrary Class Instantiation via Model Manifest in Apache OpenNLP ExtensionLoader
Versions Affected: before 2.5.9, before 3.0.0-M3
Description:
The ExtensionLoader.instantiateExtension(C…
New
|
CWE-470
Unsafe Reflection
|
CVE-2026-42027
|
2026-05-6 01:16 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
56
|
9.1 |
CRITICAL
Network
|
-
|
-
|
XML External Entity (XXE) via Unsanitized Dictionary Parsing in Apache OpenNLP DictionaryEntryPersistor
Versions Affected: before 2.5.9, before 3.0.0-M3
Description: The DictionaryEntryPersistor …
New
|
CWE-611
XXE
|
CVE-2026-40682
|
2026-05-6 01:16 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
57
|
- |
|
-
|
-
|
Buffer Overflow vulnerability in GPAC before commit v391dc7f4d234988ea0bc3cc294eb725eddf8f702 allows an attacker to cause a denial of service via the src/scenegraph/svg_attributes.c, svg_parse_string…
New
|
-
|
CVE-2026-39103
|
2026-05-6 01:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
58
|
7.5 |
HIGH
Network
|
-
|
-
|
An out-of-bounds read in the ParseIP6Extended function (/bgp/bgp.go) of gobgp v4.3.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted BGP UPDATE message.
New
|
CWE-125
Out-of-bounds Read
|
CVE-2026-37461
|
2026-05-6 01:16 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
59
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Missing input validation in the MP_REACH_NLRI component of FRRouting (FRR) stable/10.0 to stable/10.6 allows authenticated attackers to cause a Denial of Service (DoS) via supplying a crafted UPDATE …
New
|
CWE-20
Improper Input Validation
|
CVE-2026-37458
|
2026-05-6 01:16 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
60
|
7.8 |
HIGH
Local
|
-
|
-
|
An issue in Lymphatus caesium-image-compressor All versions up to and including commit 02da2c6 allows a local attacker to execute arbitrary code via the shutdownMachine and putMachineToSleep function…
New
|
CWE-77
CWE-94
Command Injection
Code Injection
|
CVE-2026-36365
|
2026-05-6 01:16 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
