|
471
|
9.1 |
CRITICAL
Network
|
-
|
-
|
API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt p…
New
|
CWE-306
Missing Authentication for Critical Function
|
CVE-2026-31071
|
2026-05-20 23:16 |
2026-05-20 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
472
|
9.8 |
CRITICAL
Network
|
-
|
-
|
The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/…
New
|
CWE-269
Improper Privilege Management
|
CVE-2026-31070
|
2026-05-20 23:16 |
2026-05-20 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
473
|
8.8 |
HIGH
Network
|
-
|
-
|
BillaBear (all versions prior to Jan 2026) contains a SQL Injection vulnerability in the EventRepository. User-controlled input from metric filter names and aggregation properties is directly interpo…
New
|
CWE-89
SQL Injection
|
CVE-2026-31069
|
2026-05-20 23:16 |
2026-05-20 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
474
|
9.8 |
CRITICAL
Network
|
-
|
-
|
scalar/astro v0.1.13 was discovered to contain a Server-Side Request Forgery (SSRF) in the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows unauthenticated attackers…
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-30118
|
2026-05-20 23:16 |
2026-05-20 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
475
|
9.8 |
CRITICAL
Network
|
-
|
-
|
scalar/astro v0.1.13 was discovered to contain an arbitrary file upload vulnerability in the the scalar_url query parameter of the Scalar Proxy endpoint. This vulnerability allows attackers to execut…
New
|
CWE-94
Code Injection
|
CVE-2026-30117
|
2026-05-20 23:16 |
2026-05-20 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
476
|
4.6 |
MEDIUM
Physics
|
-
|
-
|
Ledger Nano X, Flex, and Stax devices contain a denial of service vulnerability in the MCU firmware update process due to missing validation of the reset_handler parameter during firmware flashing. A…
New
|
CWE-1284
Improper Validation of Specified Quantity in Input
|
CVE-2025-15645
|
2026-05-20 23:16 |
2026-05-20 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
477
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Ledger Live with vulnerable versions of ledgerhq/hw-app-eth prior to 6.34.7 contains an integer parsing vulnerability that allows attackers to manipulate EIP-712 typed data messages by exploiting inc…
New
|
CWE-704
Incorrect Type Conversion or Cast
|
CVE-2023-7345
|
2026-05-20 23:16 |
2026-05-20 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
478
|
- |
|
-
|
-
|
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and prior contain a Stored XSS vulnerability. When cloning an issue originating from a Project other than the current on…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-34463
|
2026-05-20 23:06 |
2026-05-20 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
479
|
6.6 |
MEDIUM
Network
|
-
|
-
|
CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied requ…
New
|
CWE-470
Unsafe Reflection
|
CVE-2026-34216
|
2026-05-20 23:06 |
2026-05-20 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
480
|
6.5 |
MEDIUM
Network
|
-
|
-
|
CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, multiple admin controllers expose DataTable endpoints without authorization checks, allowing any authenti…
New
|
CWE-284
CWE-862
Improper Access Control
Missing Authorization
|
CVE-2026-34233
|
2026-05-20 23:06 |
2026-05-20 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
