|
921
|
9.8 |
CRITICAL
Network
|
-
|
-
|
authentik is an open-source identity provider. Prior to versions 2025.12.6, 2026.2.4, and 2026.5.1, the Source stage can be bypassed by sending an empty POST. This issue has been patched in versions …
|
CWE-287
Improper Authentication
|
CVE-2026-49448
|
2026-06-5 00:49 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
922
|
8.0 |
HIGH
Network
|
-
|
-
|
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, a sandbox escape vulnerability in the alf.io extension script en…
|
CWE-863
Incorrect Authorization
|
CVE-2026-35482
|
2026-06-5 00:49 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
923
|
7.1 |
HIGH
Network
|
-
|
-
|
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.7.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the API keys mana…
|
CWE-862
Missing Authorization
|
CVE-2026-31942
|
2026-06-5 00:48 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
924
|
9.6 |
CRITICAL
Network
|
-
|
-
|
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, the Model Context Protocol (MCP) server integration resolves ${VAR} placeholders aga…
|
CWE-200
Information Exposure
|
CVE-2026-32625
|
2026-06-5 00:48 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
925
|
6.5 |
MEDIUM
Network
|
-
|
-
|
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only `VIEW` access to an MCP server can retrieve the server's decrypted a…
|
CWE-201
Insertion of Sensitive Information Into Sent Data
|
CVE-2026-44653
|
2026-06-5 00:48 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
926
|
- |
|
-
|
-
|
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, a shared-agent editor can delete file records through `DELETE /api/files` that the o…
|
CWE-863
Incorrect Authorization
|
CVE-2026-44654
|
2026-06-5 00:48 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
927
|
- |
|
-
|
-
|
Active IQ Config Advisor version 6.7.3 contains hard-coded credentials that could allow an authenticated attacker with low privileges to perform unauthorized AutoSupport operations.
|
CWE-259
Use of Hard-coded Password
|
CVE-2026-22054
|
2026-06-5 00:48 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
928
|
- |
|
-
|
-
|
Active IQ OneCollect version 2.7.3 contains hard-coded credentials that could allow an authenticated attacker with low privileges to perform unauthorized AutoSupport operations.
|
CWE-259
Use of Hard-coded Password
|
CVE-2026-22055
|
2026-06-5 00:48 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
929
|
- |
|
-
|
-
|
In affected versions of Octopus Server, permissions were not checked correctly resulting in any authenticated user being able to make server level changes using a certain API endpoint despite receivi…
|
CWE-862
Missing Authorization
|
CVE-2026-4881
|
2026-06-5 00:48 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
930
|
7.5 |
HIGH
Network
|
-
|
-
|
React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportio…
|
CWE-400
Uncontrolled Resource Consumption
|
CVE-2026-42342
|
2026-06-5 00:43 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
