|
1921
|
8.8 |
HIGH
Network
|
pi-hole
|
ftldns
|
Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline charac…
|
CWE-93
CRLF Injection
|
CVE-2026-39849
|
2026-05-13 01:27 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1922
|
8.8 |
HIGH
Network
|
anthropic
|
claude_code
|
In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious reposi…
|
CWE-20
CWE-77
NVD-CWE-noinfo
Improper Input Validation
Command Injection
|
CVE-2026-40068
|
2026-05-13 01:21 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1923
|
6.5 |
MEDIUM
Network
|
langgenius
|
dify
|
Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplyin…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-41950
|
2026-05-13 01:20 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1924
|
7.5 |
HIGH
Network
|
openmrs
|
openmrs
|
OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the `/openmrs/moduleResources/{moduleid}` endpoint is vulnera…
|
CWE-22
Path Traversal
|
CVE-2026-40075
|
2026-05-13 01:18 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1925
|
6.5 |
MEDIUM
Network
|
getgrav
|
grav
|
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged user (EX: Content Editor with only pages.update permissions) can bypass the existing Twig sandbox restrictions by utilizing …
|
CWE-863
Incorrect Authorization
|
CVE-2026-42610
|
2026-05-13 01:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1926
|
8.9 |
HIGH
Network
|
getgrav
|
grav
|
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged (with the ability to create a page) user can cause XSS with the injection of svg element. The XSS can further be escalated t…
|
CWE-79
Cross-site Scripting
|
CVE-2026-42611
|
2026-05-13 01:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1927
|
5.4 |
MEDIUM
Network
|
getgrav
|
grav
|
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a stored Cross-Site Scripting (XSS) vulnerability in getgrav/grav allows publisher-level accounts to execute arbitrary JavaScript. The issue …
|
CWE-79
Cross-site Scripting
|
CVE-2026-42612
|
2026-05-13 01:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1928
|
4.8 |
MEDIUM
Network
|
getgrav
|
grav
|
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with page editing permissions can inject an executable JavaScript event-handler attribute into rendered image HTML thro…
|
CWE-79
Cross-site Scripting
|
CVE-2026-42841
|
2026-05-13 01:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1929
|
6.5 |
MEDIUM
Local
|
linuxcontainers
|
lxc
|
lxc is a Linux container runtime. In the setuid helper lxc-user-nic, the delete path contains a logic flaw in the find_line() function that allows an unprivileged user to delete OVS-attached network …
|
CWE-863
Incorrect Authorization
|
CVE-2026-39402
|
2026-05-13 01:12 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1930
|
5.3 |
MEDIUM
Network
|
torchbox
|
wagtail
|
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, the Documents and Images API incorrectly listed items in private collections. A user with access t…
|
CWE-280
Improper Handling of Insufficient Permissions or Privileges
|
CVE-2026-44201
|
2026-05-13 00:59 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
