| # | CVSS | Severity | Vector | Vendor | Product | Description | Status | CWE | CVE | Updated | Published |
|---|------|----------|--------|--------|---------|-------------|--------|-----|-----|---------|-----------|
| 321 | - | - | - | - | - | Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-enc… | New | CWE-178 Improper Handling of Case Sensitivity; CWE-436 Interpretation Conflict | CVE-2026-42272 | 2026-05-09 01:03 | 2026-05-08 |
| 322 | - | - | - | - | - | Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are cas… | New | CWE-178 Improper Handling of Case Sensitivity; CWE-436 Interpretation Conflict | CVE-2026-42273 | 2026-05-09 01:03 | 2026-05-08 |
| 323 | - | - | - | - | - | Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstre… | New | CWE-35 Path Traversal: '.../...//'; CWE-436 Interpretation Conflict | CVE-2026-42274 | 2026-05-09 01:03 | 2026-05-08 |
| 324 | 7.5 | HIGH | Network | coredns.io | coredns | CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-QUIC (DoQ) server can be driven into unbounded goroutine and memory growth by a remote client that opens many QU… | New | CWE-770 Allocation of Resources Without Limits or Throttling | CVE-2026-32934 | 2026-05-09 01:03 | 2026-05-06 |
| 325 | 7.5 | HIGH | Network | coredns.io | coredns | CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decodi… | New | CWE-400 Uncontrolled Resource Consumption | CVE-2026-32936 | 2026-05-09 01:02 | 2026-05-06 |
| 326 | 3.3 | LOW | Network | - | - | Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to … | New | CWE-862 Missing Authorization | CVE-2026-41498 | 2026-05-09 01:02 | 2026-05-08 |
| 327 | 7.4 | HIGH | Network | - | - | Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, five config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPPars… | New | CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | CVE-2026-42264 | 2026-05-09 01:02 | 2026-05-08 |
| 328 | - | - | - | - | - | Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags… | New | CWE-1236 Improper Neutralization of Formula Elements in a CSV File | CVE-2026-42267 | 2026-05-09 01:02 | 2026-05-08 |
| 329 | 4.1 | MEDIUM | Network | - | - | Kimai is an open-source time tracking application. From version 2.32.0 to before version 2.56.0, users with the role System-Admin (ROLE_SYSTE_ADMIN) and the permission upload_invoice_template can upl… | New | CWE-22 Path Traversal | CVE-2026-44298 | 2026-05-09 01:02 | 2026-05-08 |
| 330 | 7.8 | HIGH | Local | - | - | The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service… | New | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition | CVE-2022-26522 | 2026-05-09 01:02 | 2026-05-08 |