|
3041
|
4.2 |
MEDIUM
Network
|
pyjwt_project
|
pyjwt
|
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registe…
|
CWE-441
CWE-918
Confused Deputy
Server-Side Request Forgery (SSRF)
|
CVE-2026-48522
|
2026-06-3 02:16 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3042
|
8.5 |
HIGH
Network
|
oracle
|
financials_common_modules
|
Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable v…
|
NVD-CWE-noinfo
CWE-284
Improper Access Control
|
CVE-2026-46820
|
2026-06-3 02:16 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3043
|
4.3 |
MEDIUM
Network
|
apache
|
airflow
|
The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows directly by numeric ID after only the generic Audit Log permission check, while the colle…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-46764
|
2026-06-3 02:16 |
2026-06-1 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3044
|
8.8 |
HIGH
Network
|
-
|
-
|
Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's WebSocket control plane trusts client-supplied identity and role fie…
|
CWE-290
CWE-639
CWE-862
Authentication Bypass by Spoofing
Authorization Bypass Through User-Controlled Key
Missing Authorization
|
CVE-2026-46414
|
2026-06-3 02:16 |
2026-05-28 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3045
|
9.9 |
CRITICAL
Network
|
-
|
-
|
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authenticated user can create, up…
|
CWE-78
CWE-269
CWE-862
OS Command
Improper Privilege Management
Missing Authorization
|
CVE-2026-45632
|
2026-06-3 02:16 |
2026-05-30 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3046
|
6.1 |
MEDIUM
Network
|
authlib
|
authlib
|
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authoriza…
|
CWE-601
CWE-863
Open Redirect
Incorrect Authorization
|
CVE-2026-44681
|
2026-06-3 02:16 |
2026-05-28 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3047
|
6.5 |
MEDIUM
Network
|
apache
|
airflow
|
A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-suffixed key names like `password`, `token`, `secret`, `api_key`) to be bypassed when the JSON valu…
|
CWE-200
Information Exposure
|
CVE-2026-42358
|
2026-06-3 02:16 |
2026-06-1 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3048
|
5.9 |
MEDIUM
Network
|
apache
|
airflow
|
Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy …
|
CWE-614
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
|
CVE-2026-41017
|
2026-06-3 02:16 |
2026-06-1 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3049
|
- |
|
-
|
-
|
NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/pages/forum/get_quotes.php` only checks whether the caller is logged in, then reads a post by attacker-controlle…
|
CWE-285
Improper Authorization
|
CVE-2026-33398
|
2026-06-3 02:16 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3050
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Langroid is a framework for building large-language-model-powered applications. Prior to version 0.63.0, SQLChatAgent executes SQL produced by an LLM, which is influenceable by prompt injection. When…
|
CWE-89
CWE-94
SQL Injection
Code Injection
|
CVE-2026-25879
|
2026-06-3 02:16 |
2026-06-2 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
