| # | Score | Severity | Vector | Vendor | Product | Description | Status | CWE | CVE | Updated | Published |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 111 | 7.3 | HIGH | Network | - | - | Apache Airflow's scheduler-side deadline-reference decoder (`SerializedCustomReference.deserialize_reference`) imported and dispatched arbitrary class paths drawn from DAG-author-controlled serialize… | New | CWE-502 Deserialization of Untrusted Data | CVE-2026-45360 | 2026-06-03 02:16 | 2026-06-01 |
| 112 | 6.1 | MEDIUM | Network | authlib | authlib | Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authoriza… | Update | CWE-601 Open Redirect; CWE-863 Incorrect Authorization | CVE-2026-44681 | 2026-06-03 02:16 | 2026-05-28 |
| 113 | 6.5 | MEDIUM | Network | apache | airflow | A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-suffixed key names like `password`, `token`, `secret`, `api_key`) to be bypassed when the JSON valu… | New | CWE-200 Information Exposure | CVE-2026-42358 | 2026-06-03 02:16 | 2026-06-01 |
| 114 | 4.3 | MEDIUM | Network | - | - | An improper authorization vulnerability has been identified in Apache Kafka. The implementation of the CONSUMER_GROUP_DESCRIBE (69) API validates the DESCRIBE operation on the GROUP resource instead… | New | CWE-285 Improper Authorization | CVE-2026-41115 | 2026-06-03 02:16 | 2026-06-02 |
| 115 | 5.9 | MEDIUM | Network | apache | airflow | Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy … | New | CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | CVE-2026-41017 | 2026-06-03 02:16 | 2026-06-01 |
| 116 | 7.5 | HIGH | Network | - | - | FlexRIC v2.0.0 trusts the xapp_id field from E42 message payloads without binding it to the sender's SCTP association. The validation function valid_xapp_id() only checks that the value is within the… | New | CWE-284 Improper Access Control | CVE-2026-37235 | 2026-06-03 02:16 | 2026-06-02 |
| 117 | - | - | - | - | - | NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/pages/forum/get_quotes.php` only checks whether the caller is logged in, then reads a post by attacker-controlle… | New | CWE-285 Improper Authorization | CVE-2026-33398 | 2026-06-03 02:16 | 2026-06-03 |
| 118 | 9.8 | CRITICAL | Network | - | - | Langroid is a framework for building large-language-model-powered applications. Prior to version 0.63.0, SQLChatAgent executes SQL produced by an LLM, which is influenceable by prompt injection. When… | New | CWE-89 SQL Injection; CWE-94 Code Injection | CVE-2026-25879 | 2026-06-03 02:16 | 2026-06-02 |
| 119 | 4.3 | MEDIUM | Network | - | - | A security vulnerability has been detected in Enderfga claw-orchestrator up to 3.7.0. The impacted element is the function validateRegex of the file claw-orchestrator/src/embedded-server.ts of the co… | New | CWE-400 Uncontrolled Resource Consumption; CWE-1333 Inefficient Regular Expression Complexity | CVE-2026-10291 | 2026-06-03 02:16 | 2026-06-02 |
| 120 | 7.8 | HIGH | Local | - | - | In getCallingAppLabel of CertInstaller.java, there is a possible way to hide a sensitive security dialogue due to misleading or insufficient UI. This could lead to local escalation of privilege with … | New | CWE-451 User Interface (UI) Misrepresentation of Critical Information | CVE-2026-0088 | 2026-06-03 02:16 | 2026-06-02 |