|
251
|
- |
|
-
|
-
|
An authenticated ERPNext user with Item record edit permissions can persist arbitrary HTML/JavaScript in the item_name, description, or image fields of an Item and trigger unescaped rendering in the …
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-42839
|
2026-06-5 00:23 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
252
|
- |
|
-
|
-
|
An authenticated user can persist arbitrary HTML/JavaScript in the email_id or mobile_no fields of a Customer record and trigger unescaped rendering in the Point of Sale (POS) interface for every ope…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-42840
|
2026-06-5 00:23 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
253
|
- |
|
-
|
-
|
Fixed a VM panic caused by unbounded recursion in the grpcfuse kernel module when a container created deeply nested directories on a bind-mounted host folder and triggered a dentry invalidation event…
New
|
CWE-674
Uncontrolled Recursion
|
CVE-2026-8936
|
2026-06-5 00:21 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
254
|
7.3 |
HIGH
Network
|
-
|
-
|
Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled.
decode_hv() collapses duplicate object keys into an array reference…
New
|
CWE-843
Type Confusion
|
CVE-2026-9334
|
2026-06-5 00:21 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
255
|
7.5 |
HIGH
Network
|
-
|
-
|
Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws.
To skip a leading 3-byte UTF-8 BOM, decode_json() advances t…
New
|
CWE-755
CWE-763
Improper Handling of Exceptional Conditions
Release of Invalid Pointer or Reference
|
CVE-2026-9516
|
2026-06-5 00:21 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
256
|
3.1 |
LOW
Network
|
-
|
-
|
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.
`django.middleware.cache.UpdateCacheMiddleware` in Django does not add `Authorization` to the `Vary` response header for requ…
New
|
CWE-524
Use of Cache Containing Sensitive Information
|
CVE-2026-35193
|
2026-06-5 00:21 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
257
|
5.3 |
MEDIUM
Network
|
-
|
-
|
daphne before 4.2.2 did not pass maxFramePayloadSize or maxMessagePayloadSize to Autobahn's WebSocketServerFactory. Because Autobahn defaults both values to 0 (unlimited), an unauthenticated remote a…
New
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-44545
|
2026-06-5 00:21 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
258
|
3.7 |
LOW
Network
|
-
|
-
|
daphne before 4.2.2 reconstructs a raw HTTP request from Twisted's parsed headers and feeds it to autobahn for WebSocket handshake processing. Twisted does not treat \x0b, \x0c, \x1c, \x1d, \x1e, or …
New
|
CWE-444
HTTP Request Smuggling
|
CVE-2026-44546
|
2026-06-5 00:21 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
259
|
3.1 |
LOW
Network
|
-
|
-
|
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6.
`django.utils.cache.has_vary_header()` in Django does not strip leading or trailing whitespace from `Vary` response header va…
New
|
CWE-1023
Incomplete Comparison with Missing Factors
|
CVE-2026-48587
|
2026-06-5 00:21 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
260
|
3.1 |
LOW
Network
|
-
|
-
|
An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15.
`django.http.HttpRequest.get_signed_cookie` in Django uses a non-injective salt derivation (concatenating the cookie name and…
New
|
CWE-347
Improper Verification of Cryptographic Signature
|
CVE-2026-6873
|
2026-06-5 00:21 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
