|
201
|
6.5 |
MEDIUM
Network
|
-
|
-
|
BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) was not sanitizing user's input in public chat. This allowed for a malicio…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-27737
|
2026-05-20 00:04 |
2026-05-19 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
202
|
- |
|
-
|
-
|
FreePBX is an open source IP PBX. In versions below 16.0.71 and 17.0.6, the backup module does not properly sanitize data during restore operations, potentially leading to compromise if the backup co…
New
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-26978
|
2026-05-20 00:04 |
2026-05-19 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
203
|
- |
|
-
|
-
|
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.0 and 2.28.1 allow a low-privileged authenticated user assigned the "add_profile_threshold" permission to create a global …
New
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-33052
|
2026-05-20 00:04 |
2026-05-19 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
204
|
7.5 |
HIGH
Network
|
-
|
-
|
AutoGPT is a workflow automation platform for creating, deploying, and managing continuous artificial intelligence agents. Versions 0.4.2 through 0.6.51 are vulnerable to an unauthenticated Denial of…
New
|
CWE-400
CWE-459
CWE-770
Uncontrolled Resource Consumption
Incomplete Cleanup
Allocation of Resources Without Limits or Throttling
|
CVE-2026-33232
|
2026-05-20 00:04 |
2026-05-19 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
205
|
8.2 |
HIGH
Local
|
-
|
-
|
Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions prior to 3.5.7 contain a path traversal vulnerability in the importer which allows o…
New
|
CWE-24
Path Traversal: '../filedir'
|
CVE-2026-22810
|
2026-05-20 00:03 |
2026-05-19 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
206
|
9.8 |
CRITICAL
Network
|
-
|
-
|
WebdriverIO is a test automation framework for unit, e2e and component testing using WebDriver, WebDriver BiDi and Appium. Versions below 9.24.0 contain a command injection vulnerability leading to r…
New
|
CWE-78
OS Command
|
CVE-2026-25244
|
2026-05-20 00:03 |
2026-05-19 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
207
|
7.0 |
HIGH
Local
|
-
|
-
|
In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` creates temporary directories with world-writable permissions (0o777), and the `_…
New
|
CWE-378
Creation of Temporary File With Insecure Permissions
|
CVE-2026-4137
|
2026-05-20 00:03 |
2026-05-19 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
208
|
- |
|
-
|
-
|
GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, an authenticated user with forms READ permission can export the structure of unauthorized forms. This issue…
New
|
CWE-862
Missing Authorization
|
CVE-2026-32312
|
2026-05-20 00:03 |
2026-05-19 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
209
|
7.3 |
HIGH
Local
|
-
|
-
|
Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation or upgrade. The installer…
New
|
CWE-269
CWE-345
CWE-427
Improper Privilege Management
Insufficient Verification of Data Authenticity
Uncontrolled Search Path Element
|
CVE-2026-32323
|
2026-05-20 00:03 |
2026-05-19 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
210
|
9.6 |
CRITICAL
Network
|
-
|
-
|
In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints. This vulnerability allows a remote attacker to exploit cross-origin requests fr…
New
|
CWE-346
Origin Validation Error
|
CVE-2026-2611
|
2026-05-20 00:03 |
2026-05-19 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
