| # | CVSS | Severity | Attack vector | Description | Status | CWE | CVE | Timestamp | Date |
|---|------|----------|---------------|-------------|--------|-----|-----|-----------|------|
| 11 | 8.8 | HIGH | Network | phpMyFAQ before 4.1.3 contains an insecure direct object reference vulnerability in the admin API user password endpoint that allows authenticated administrators to change any user's password without… | New | CWE-266 Incorrect Privilege Assignment | CVE-2026-35671 | 2026-05-29 03:56 | 2026-05-29 |
| 12 | 7.5 | HIGH | Network | phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers c… | New | CWE-1188 Insecure Default Initialization of Resource | CVE-2026-35672 | 2026-05-29 03:56 | 2026-05-29 |
| 13 | 8.2 | HIGH | Network | phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verificatio… | New | CWE-307 Improper Restriction of Excessive Authentication Attempts | CVE-2026-35675 | 2026-05-29 03:56 | 2026-05-29 |
| 14 | 8.2 | HIGH | Network | phpMyFAQ before 4.1.3 contains an unauthenticated password reset vulnerability in the user password update API endpoint that allows attackers to change account passwords without token validation. Att… | New | CWE-640 Weak Password Recovery Mechanism for Forgotten Password | CVE-2026-35676 | 2026-05-29 03:56 | 2026-05-29 |
| 15 | 6.5 | MEDIUM | Network | EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning e… | New | CWE-639 Authorization Bypass Through User-Controlled Key | CVE-2026-41141 | 2026-05-29 03:56 | 2026-05-29 |
| 16 | 4.3 | MEDIUM | Network | EspoCRM is an open source customer relationship management application. Prior to 9.3.5, a business logic flaw (Broken Access Control) in EspoCRM 9.3.3 allows low-privileged users to pin arbitrary not… | New | CWE-284 Improper Access Control; CWE-639 Authorization Bypass Through User-Controlled Key; CWE-862 Missing Authorization | CVE-2026-41160 | 2026-05-29 03:56 | 2026-05-29 |
| 17 | - | - | - | Kuma is a modern Envoy-based service mesh that can run on every cloud across both Kubernetes and VMs. Prior to 2.7.25, 2.9.15, 2.11.13, 2.12.10, and 2.13.5, the default kuma-cp config leaks the admin… | New | CWE-346 Origin Validation Error; CWE-942 Permissive Cross-domain Policy with Untrusted Domains | CVE-2026-45021 | 2026-05-29 03:56 | 2026-05-29 |
| 18 | - | - | - | Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, the WebSocket upgrader for the /exec and /attach endpoints uses CheckOrigin: func(r *http.Request) bool { return true }, accepti… | New | CWE-346 Origin Validation Error | CVE-2026-44985 | 2026-05-29 03:55 | 2026-05-27 |
| 19 | 8.6 | HIGH | Network | Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, in a default dozzle deploy (the documented quickstart, no DOZZLE_AUTH_PROVIDER set), POST /api/notifications/test-webhook is re… | New | CWE-918 Server-Side Request Forgery (SSRF) | CVE-2026-45298 | 2026-05-29 03:55 | 2026-05-27 |
| 20 | - | - | - | Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search pa… | New | CWE-22 Path Traversal | CVE-2026-45017 | 2026-05-29 03:55 | 2026-05-29 |