|
1491
|
- |
|
-
|
-
|
An authenticated administrator who configures or tests LDAP connectivity in Sonatype Nexus Repository Manager versions 3.0.0 through 3.91.1 may be able to initiate unintended server-side connections …
Update
|
CWE-502
CWE-918
Deserialization of Untrusted Data
Server-Side Request Forgery (SSRF)
|
CVE-2026-3048
|
2026-05-14 00:36 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1492
|
- |
|
-
|
-
|
An authenticated user with upload permission to a hosted repository can store content that causes arbitrary JavaScript to execute in the browser of any user who browses that repository directory via …
Update
|
CWE-79
Cross-site Scripting
|
CVE-2026-7308
|
2026-05-14 00:36 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1493
|
- |
|
-
|
-
|
Reflected Cross-Site Scripting (XSS) in the latest demo version of the Cradle eCommerce platform. User-controlled input is insecurely reflected in the HTML output in the endpoint /collection/. Exploi…
Update
|
CWE-79
Cross-site Scripting
|
CVE-2026-3319
|
2026-05-14 00:36 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1494
|
- |
|
-
|
-
|
Reflected Cross-Site Scripting (XSS) in the latest demo version of the Cradle eCommerce platform. User-controlled input is insecurely reflected in the HTML output in the endpoint /product/. Exploitat…
Update
|
CWE-79
Cross-site Scripting
|
CVE-2026-3320
|
2026-05-14 00:36 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1495
|
- |
|
-
|
-
|
Insecure generation of credentials in the local SAT (Technical Support) access functionality of the Ingecon Sun EMS Board. The vulnerability arose because the secret access credentials were not based…
Update
|
CWE-327
Use of a Broken or Risky Cryptographic Algorithm
|
CVE-2026-8072
|
2026-05-14 00:36 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1496
|
7.7 |
HIGH
Network
|
-
|
-
|
In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. …
Update
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-33356
|
2026-05-14 00:36 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1497
|
7.5 |
HIGH
Network
|
-
|
-
|
In Meari client applications embedding "com.meari.sdk" (including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label <= 1.8.x), the integrated call path to openapi-euce.mearic…
Update
|
CWE-862
Missing Authorization
|
CVE-2026-33357
|
2026-05-14 00:36 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1498
|
7.5 |
HIGH
Network
|
-
|
-
|
In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforce…
Update
|
CWE-862
Missing Authorization
|
CVE-2026-33359
|
2026-05-14 00:36 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1499
|
7.5 |
HIGH
Network
|
-
|
-
|
In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (<= 1.8.x), baby monitor ".jpgx3" files use reversi…
Update
|
CWE-326
Inadequate Encryption Strength
|
CVE-2026-33361
|
2026-05-14 00:36 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1500
|
8.6 |
HIGH
Network
|
-
|
-
|
In Meari IoT SDK builds embedded in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and white-label Android apps <= 1.8.x (latest observed), multiple security-critical secrets are hardcoded an…
Update
|
CWE-321
Use of Hard-coded Cryptographic Key
|
CVE-2026-33362
|
2026-05-14 00:36 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
