|
91
|
7.8 |
HIGH
Local
|
-
|
-
|
External Control of File Name or Path in the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11 may allow an authenticated user to conduct an escalation of privilege via loca…
New
|
CWE-73
External Control of File Name or Path
|
CVE-2026-30905
|
2026-05-15 03:15 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
92
|
7.8 |
HIGH
Local
|
-
|
-
|
Untrusted search path in the installer for Zoom Rooms for Windows before version 7.0.0 may allow an authenticated user to enable an escalation of privilege via local access.
New
|
CWE-426
Untrusted Search Path
|
CVE-2026-30906
|
2026-05-15 03:15 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
93
|
5.4 |
MEDIUM
Network
|
-
|
-
|
podinfo through 6.11.2 contains a reflected cross-site scripting vulnerability in the /echo and /api/echo endpoints where the echoHandler writes request body content directly to the response without …
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-43644
|
2026-05-15 03:15 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
94
|
3.7 |
LOW
Network
|
vercel
|
next.js
|
Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments t…
New
|
CWE-328
Use of Weak Hash
|
CVE-2026-44582
|
2026-05-15 03:15 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
95
|
7.6 |
HIGH
Network
|
-
|
-
|
Valtimo is an open-source business process automation platform. From 12.4.0 to 12.33.0 and 13.26.0, the LoggingRestClientCustomizer in the web module automatically intercepts all outgoing HTTP calls …
New
|
CWE-532
Inclusion of Sensitive Information in Log Files
|
CVE-2026-44516
|
2026-05-15 03:14 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
96
|
9.1 |
CRITICAL
Network
|
-
|
-
|
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interface, which is processed by a shell scrip…
New
|
CWE-88
Argument Injection
|
CVE-2026-45158
|
2026-05-15 03:14 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
97
|
9.1 |
CRITICAL
Network
|
-
|
-
|
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, the XMLRPC method opnsense.restore_config_section fails to sanitize user supplied input leading to Remote Code Execution. T…
New
|
CWE-88
Argument Injection
|
CVE-2026-44193
|
2026-05-15 03:13 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
98
|
- |
|
-
|
-
|
The RedirectHandler middleware in microsoft/kiota-java (com.microsoft.kiota:microsoft-kiota-http-okHttp v1.9.0) and other Kiota libraries fails to strip sensitive HTTP headers when following 3xx redi…
New
|
CWE-601
Open Redirect
|
CVE-2026-44503
|
2026-05-15 03:13 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
99
|
- |
|
-
|
-
|
Aegra is a drop-in replacement for LangSmith Deployments. Prior to 0.9.7, with multiple authenticated users on a shared instance are vulnerable to a cross-tenant IDOR. Any authenticated attacker, giv…
New
|
CWE-285
CWE-639
Improper Authorization
Authorization Bypass Through User-Controlled Key
|
CVE-2026-44504
|
2026-05-15 03:13 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
100
|
5.8 |
MEDIUM
Network
|
-
|
-
|
css_parser is a Ruby CSS parser. Prior to 2.1.0 and 1.22.0, the CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker to inject or modify CSS content when s…
New
|
CWE-295
CWE-829
Improper Certificate Validation
Inclusion of Functionality from Untrusted Control Sphere
|
CVE-2026-44312
|
2026-05-15 03:13 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
