| # | CVSS | Severity | Vector | Vendor | Product | Description | Status | CWE | CVE | Last modified | Published |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1181 | 7.5 | HIGH | Network | - | - | In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforce… | New | CWE-862 Missing Authorization | CVE-2026-33359 | 2026-05-12 02:16 | 2026-05-12 |
| 1182 | 7.5 | HIGH | Network | - | - | In Meari client applications embedding "com.meari.sdk" (including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label <= 1.8.x), the integrated call path to openapi-euce.mearic… | New | CWE-862 Missing Authorization | CVE-2026-33357 | 2026-05-12 02:16 | 2026-05-12 |
| 1183 | 7.7 | HIGH | Network | - | - | In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. … | New | CWE-639 Authorization Bypass Through User-Controlled Key | CVE-2026-33356 | 2026-05-12 02:16 | 2026-05-12 |
| 1184 | - | | | - | - | Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring() without disabli… | New | - | CVE-2026-31248 | 2026-05-12 02:16 | 2026-05-12 |
| 1185 | 6.1 | MEDIUM | Network | github | enterprise_server | A reflected HTML injection vulnerability was identified in the GitHub Enterprise Server Management Console login page that could allow credential theft. The redirect_to query parameter on the /setup/… | Update | CWE-79 Cross-site Scripting | CVE-2026-8106 | 2026-05-12 02:12 | 2026-05-8 |
| 1186 | 7.2 | HIGH | Network | tenda | ac6_firmware | A vulnerability has been found in Tenda AC6 2.0/15.03.06.23. The affected element is an unknown function of the file /goform/telnet of the component httpd. The manipulation of the argument lan.ip lea… | New | CWE-77, CWE-78 Command Injection, OS Command | CVE-2026-8259 | 2026-05-12 02:07 | 2026-05-11 |
| 1187 | 8.8 | HIGH | Network | tenda | ac6_firmware | A weakness has been identified in Tenda AC6 15.03.06.23. Affected by this vulnerability is the function formWifiApScan of the file /goform/WifiApScan of the component httpd. Executing a manipulation … | New | CWE-77, CWE-78 Command Injection, OS Command | CVE-2026-8264 | 2026-05-12 02:04 | 2026-05-11 |
| 1188 | 7.2 | HIGH | Network | tenda | ac6_firmware | A security vulnerability has been detected in Tenda AC6 15.03.06.23. Affected by this issue is the function get_log_file of the file /goform/getLogFile of the component httpd. The manipulation of the… | New | CWE-77, CWE-78 Command Injection, OS Command | CVE-2026-8265 | 2026-05-12 02:03 | 2026-05-11 |
| 1189 | 5.4 | MEDIUM | Network | weblate | weblate | Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cycle_session_keys()", but DRF API tokens ("wlu_… | Update | CWE-613 Insufficient Session Expiration | CVE-2026-41519 | 2026-05-12 02:00 | 2026-05-8 |
| 1190 | 5.4 | MEDIUM | Network | dani-garcia | vaultwarden | Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in `validate_webauthn_login()` updates persistent credential metadata (1… | Update | CWE-345 Insufficient Verification of Data Authenticity | CVE-2026-31835 | 2026-05-12 01:59 | 2026-05-6 |