|
2311
|
5.0 |
MEDIUM
Network
|
-
|
-
|
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a crafted request to an endpoint, which would lead to the server making…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-44441
|
2026-05-15 01:29 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2312
|
- |
|
-
|
-
|
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.12.0, an improper restriction of XML external entity (XXE) reference vulnerability in the EDI Module enab…
|
CWE-611
XXE
|
CVE-2026-44445
|
2026-05-15 01:29 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2313
|
8.8 |
HIGH
Network
|
-
|
-
|
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.104.3 and 16.14.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would all…
|
CWE-89
SQL Injection
|
CVE-2026-44446
|
2026-05-15 01:29 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2314
|
8.8 |
HIGH
Network
|
-
|
-
|
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 16.9.0, some endpoints were vulnerable to SQL injection through specially crafted requests, which would allow a malicious…
|
CWE-89
SQL Injection
|
CVE-2026-44447
|
2026-05-15 01:29 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2315
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Hermes WebUI prior to 0.51.44 - Release T contains a path traversal vulnerability in the session import endpoint that allows authenticated attackers to read arbitrary files by importing a crafted ses…
|
CWE-22
Path Traversal
|
CVE-2026-22677
|
2026-05-15 01:24 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2316
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders push_config key names using Vue.js's v-html directive without…
|
CWE-79
Cross-site Scripting
|
CVE-2026-45228
|
2026-05-15 01:24 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2317
|
8.8 |
HIGH
Network
|
-
|
-
|
Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an arbitrary webui…
|
CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
|
CVE-2026-45229
|
2026-05-15 01:24 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2318
|
6.1 |
MEDIUM
Network
|
-
|
-
|
Vvveb before 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow where the Signup::addUser() controller copies raw POST username values into the display_name fiel…
|
CWE-79
Cross-site Scripting
|
CVE-2026-41932
|
2026-05-15 01:24 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2319
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Vvveb before 1.0.8.3 contains a directory listing information disclosure vulnerability that allows unauthenticated attackers to enumerate files and directories by accessing multiple paths lacking pro…
|
CWE-548
Exposure of Information Through Directory Listing
|
CVE-2026-41933
|
2026-05-15 01:24 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2320
|
7.1 |
HIGH
Network
|
-
|
-
|
Vvveb before 1.0.8.3 contains an uncontrolled recursion vulnerability in the admin controller dispatch cycle where Base::init() repeatedly invokes permission() on error handlers, causing infinite rec…
|
CWE-209
CWE-674
Information Exposure Through an Error Message
Uncontrolled Recursion
|
CVE-2026-41935
|
2026-05-15 01:24 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
