|
1301
|
6.1 |
MEDIUM
Network
|
microsoft
|
exchange_server
|
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
|
CWE-79
Cross-site Scripting
|
CVE-2026-42897
|
2026-05-16 04:35 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1302
|
8.3 |
HIGH
Network
|
argoproj
|
argo_workflows
|
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the Sync Service's ConfigMap-backed provid…
|
CWE-862
Missing Authorization
|
CVE-2026-42297
|
2026-05-16 04:26 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1303
|
7.5 |
HIGH
Network
|
getarcane
|
arcane
|
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.18.0, four GET endpoints under /api/templates* in Arcane's Huma backend are registered without…
|
CWE-862
Missing Authorization
|
CVE-2026-42461
|
2026-05-16 04:18 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1304
|
- |
|
-
|
-
|
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs. POST /api/graph/getGraph, POST /api/graph/g…
|
CWE-285
CWE-862
Improper Authorization
Missing Authorization
|
CVE-2026-45371
|
2026-05-16 04:17 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1305
|
7.5 |
HIGH
Network
|
-
|
-
|
hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingComplete…
|
CWE-284
CWE-287
Improper Access Control
Improper Authentication
|
CVE-2026-44478
|
2026-05-16 04:17 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1306
|
4.0 |
MEDIUM
Network
|
lfprojects
|
mcp_registry
|
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the Registry's HTTP-based namespace verification (POST /v0/auth/http, POST /v0.1/a…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-44430
|
2026-05-16 04:16 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1307
|
5.8 |
MEDIUM
Network
|
-
|
-
|
css_parser is a Ruby CSS parser. Prior to 2.1.0 and 1.22.0, the CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker to inject or modify CSS content when s…
|
CWE-295
CWE-829
Improper Certificate Validation
Inclusion of Functionality from Untrusted Control Sphere
|
CVE-2026-44312
|
2026-05-16 04:16 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1308
|
7.3 |
HIGH
Network
|
-
|
-
|
Outline is a service that allows for collaborative documentation. From 0.84.0 to 1.6.1, the Outline comment section permits users to mention other users; however, the backend does not validate or san…
|
CWE-79
Cross-site Scripting
|
CVE-2026-43887
|
2026-05-16 04:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1309
|
- |
|
-
|
-
|
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an unauthenticated user can read APISecret from objects/plugins.json.php and use it to call protected API endpoints…
|
CWE-200
CWE-862
Information Exposure
Missing Authorization
|
CVE-2026-43885
|
2026-05-16 04:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1310
|
5.4 |
MEDIUM
Network
|
-
|
-
|
WWBN AVideo is an open source video platform. In versions up to and including 29.0, an authenticated user can configure their own donation-notification webhook URL to point at internal/loopback/metad…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-43879
|
2026-05-16 04:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
