| 471 | 8.2 | HIGH Network | - | - | Open-WebSearch is a multi-engine MCP server, CLI, and local daemon for agent web search and content retrieval. Prior to 2.1.7, isPublicHttpUrl / assertPublicHttpUrl in src/utils/urlSafety.ts do not r… | New | CWE-918 Server-Side Request Forgery (SSRF) | CVE-2026-42260 | 2026-05-13 00:16 | 2026-05-13 |
| 472 | 7.3 | HIGH Network | - | - | D-Link DCS-932L v2.18.01 is vulnerable to Command Injection in the function sub_42EF14 of the file /bin/alphapd. The manipulation of the argument LightSensorControl leads to command injection. | New | CWE-77 Command Injection | CVE-2026-36983 | 2026-05-13 00:16 | 2026-05-12 |
| 473 | - | | - | - | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in elixir-ecto postgrex ('Elixir.Postgrex.Notifications' module) allows SQL Injection. The channel … | New | CWE-89 SQL Injection | CVE-2026-32687 | 2026-05-13 00:16 | 2026-05-13 |
| 474 | 6.8 | MEDIUM Network | - | - | Wireshark MCP is an MCP Server that turns tshark into a structured analysis interface, then layers in optional Wireshark suite utilities. In 1.1.5 and earlier, wireshark-mcp exposes a wireshark_expor… | New | CWE-22 Path Traversal | CVE-2026-43901 | 2026-05-13 00:15 | 2026-05-12 |
| 475 | 4.3 | MEDIUM Network | - | - | Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/filesystem/pathexists endpoint uses String.startsWith() to validate that a resolved file path is within a … | New | CWE-22 Path Traversal | CVE-2026-42885 | 2026-05-13 00:13 | 2026-05-12 |
| 476 | - | | - | - | Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the podcast creation endpoint at server/controllers/PodcastController.js accepts a user-controlled file path without suf… | New | CWE-22 Path Traversal | CVE-2026-42888 | 2026-05-13 00:13 | 2026-05-12 |
| 477 | 6.4 | MEDIUM Network | - | - | WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/notifySubscribers.json.php takes the raw message POST parameter and passes it into sendSiteEmail(), which s… | New | CWE-79 Cross-site Scripting | CVE-2026-43876 | 2026-05-13 00:13 | 2026-05-12 |
| 478 | 5.4 | MEDIUM Network | - | - | WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metad… | New | CWE-918 Server-Side Request Forgery (SSRF) | CVE-2026-43879 | 2026-05-13 00:13 | 2026-05-12 |
| 479 | 4.3 | MEDIUM Network | - | - | WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and jo… | New | CWE-93 CRLF Injection | CVE-2026-43882 | 2026-05-13 00:13 | 2026-05-12 |
| 480 | - | | - | - | WWBN AVideo is an open source video platform. In versions up to and including 29.0, an unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints… | New | CWE-200 Information Exposure; CWE-862 Missing Authorization | CVE-2026-43885 | 2026-05-13 00:13 | 2026-05-12 |