|
131
|
9.8 |
CRITICAL
Network
|
libexpat_project
|
libexpat
|
`xml.parsers.expat` and `xml.etree.ElementTree` use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.\r\n\r\nFully mitigating this…
Update
|
CWE-331
Insufficient Entropy
|
CVE-2026-7210
|
2026-05-16 12:05 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
132
|
8.1 |
HIGH
Network
|
bitwarden
|
server
|
Bitwarden Server prior to v2026.4.1 does not require master-password re-authentication when retrieving or rotating an organization's SCIM API key, allowing an authenticated user with SCIM management …
Update
|
CWE-303
Incorrect Implementation of Authentication Algorithm
|
CVE-2026-43640
|
2026-05-16 12:04 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
133
|
9.1 |
CRITICAL
Network
|
bitwarden
|
server
|
Bitwarden Server prior to v2026.4.0 contains a missing authorization vulnerability that allows a provider service user to add an arbitrary organization to their provider via `POST /providers/{provide…
Update
|
CWE-862
Missing Authorization
|
CVE-2026-43639
|
2026-05-16 12:04 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
134
|
5.4 |
MEDIUM
Network
|
bitwarden
|
server
|
Bitwarden Server prior to v2026.4.1 contains a missing authorization vulnerability that allows any authenticated user to write ciphers into an arbitrary organization via `POST /ciphers/import-organiz…
Update
|
CWE-862
Missing Authorization
|
CVE-2026-43638
|
2026-05-16 11:55 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
135
|
5.6 |
MEDIUM
Network
|
dell
|
elastic_cloud_storage
objectscale
|
Dell ECS versions 3.8.1.0 through 3.8.1.7 and Dell ObjectScale versions prior to 4.3.0.0, contains an authentication bypass by assumed-immutable data vulnerability in Geo replication. An unauthentica…
Update
|
CWE-302
Authentication Bypass by Assumed-Immutable Data
|
CVE-2025-43992
|
2026-05-16 11:52 |
2026-05-11 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
136
|
8.8 |
HIGH
Network
|
google
|
chrome
|
Use after free in GPU in Google Chrome prior to 148.0.7778.168 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)
New
|
CWE-416
Use After Free
|
CVE-2026-8581
|
2026-05-16 11:48 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
137
|
7.6 |
HIGH
Network
|
-
|
-
|
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in Utils::parseUrl() that allows authenticated users to inject JavaScript via malformed URLs in comments. Attackers can craf…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-46367
|
2026-05-16 11:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
138
|
6.9 |
MEDIUM
Network
|
-
|
-
|
phpMyFAQ before 4.1.2 contains a stored cross-site scripting vulnerability in search.twig where result.question and result.answerPreview are rendered with the raw filter, disabling autoescape protect…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-46361
|
2026-05-16 11:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
139
|
- |
|
-
|
-
|
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, there is an authenticated SQL injection issue in the frontend user order hist…
New
|
CWE-89
SQL Injection
|
CVE-2026-45800
|
2026-05-16 11:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
140
|
3.5 |
LOW
Network
|
-
|
-
|
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.9, OCI ownership validation skips label-match check when upstream OCI registry return…
New
|
CWE-636
Not Failing Securely ('Failing Open')
|
CVE-2026-45781
|
2026-05-16 11:16 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
