| # | CVSS | Severity | Attack vector | Vendor | Product | Description | Status | CWE | CVE | Updated | Published |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 481 | 7.5 | HIGH | Network | - | - | The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in … | New | CWE-23 Relative Path Traversal | CVE-2026-8073 | 2026-05-20 06:00 | 2026-05-20 |
| 482 | 6.5 | MEDIUM | Network | - | - | The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not p… | New | CWE-862 Missing Authorization | CVE-2026-8096 | 2026-05-20 06:00 | 2026-05-20 |
| 483 | 7.8 | HIGH | Local | protobufjs_project | protobufjs-cli | protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbts invoked JSDoc by building a shell command string from input file paths and executing it through child_process… | Update | CWE-78 OS Command | CVE-2026-42290 | 2026-05-20 05:56 | 2026-05-14 |
| 484 | 5.3 | MEDIUM | Network | protobufjs_project | protobufjs | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded … | Update | CWE-176 Improper Handling of Unicode Encoding | CVE-2026-44288 | 2026-05-20 05:46 | 2026-05-14 |
| 485 | 8.7 | HIGH | Network | protobufjs_project | protobufjs-cli | protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When ge… | Update | CWE-94 Code Injection | CVE-2026-44295 | 2026-05-20 05:37 | 2026-05-14 |
| 486 | 7.2 | HIGH | Network | dkfz | nnu-net | nnU-Net is a semantic segmentation framework that automatically adapts its pipeline to a dataset. Prior to 2.4.1, the nnU-Net Issue Triage workflow in .github/workflows/issue-triage.yml is vulnerable… | Update | CWE-74 Injection | CVE-2026-44246 | 2026-05-20 05:10 | 2026-05-13 |
| 487 | 6.1 | MEDIUM | Network | beaugunderson | ip-address | ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before… | Update | CWE-79 Cross-site Scripting | CVE-2026-42338 | 2026-05-20 05:04 | 2026-05-13 |
| 488 | 8.8 | HIGH | Network | tabby | tabby | Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, Tabby registers itself as the handler for the tabby:// URL scheme on all platforms. The URL scheme handler supp… | Update | CWE-78 OS Command | CVE-2026-45035 | 2026-05-20 04:41 | 2026-05-16 |
| 489 | 4.3 | MEDIUM | Network | google | chrome | Integer overflow in ANGLE in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: … | Update | CWE-472 External Control of Assumed-Immutable Web Parameter | CVE-2026-8567 | 2026-05-20 04:28 | 2026-05-15 |
| 490 | 7.1 | HIGH | Network | tabby | tabby | Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.232, Tabby's terminal linkifier passes any detected URI directly to the operating system's protocol handler without … | Update | CWE-184 Incomplete Blacklist; CWE-601 Open Redirect | CVE-2026-45037 | 2026-05-20 04:27 | 2026-05-16 |