|
281
|
3.5 |
LOW
Network
|
-
|
-
|
`gh` is GitHub’s official command line tool. From 1.6.0 to before 2.92.0, a security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users vie…
New
|
CWE-150
Improper Neutralization of Escape, Meta, or Control Sequences
|
CVE-2026-45803
|
2026-05-16 04:17 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
282
|
- |
|
-
|
-
|
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs. POST /api/graph/getGraph, POST /api/graph/g…
New
|
CWE-285
CWE-862
Improper Authorization
Missing Authorization
|
CVE-2026-45371
|
2026-05-16 04:17 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
283
|
- |
|
-
|
-
|
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.233, since Tabby does not escape control characters from file paths when dragging and dropping a file into it, code …
New
|
CWE-150
Improper Neutralization of Escape, Meta, or Control Sequences
|
CVE-2026-45038
|
2026-05-16 04:17 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
284
|
6.5 |
MEDIUM
Network
|
-
|
-
|
phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCE_DELETE permission to delete arbitrary directories. Attackers can submit tr…
New
|
CWE-73
External Control of File Name or Path
|
CVE-2026-45008
|
2026-05-16 04:17 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
285
|
- |
|
-
|
-
|
Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, collaborators.list, tables.metadata.list, explorations.list, and form…
New
|
CWE-862
Missing Authorization
|
CVE-2026-44719
|
2026-05-16 04:17 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
286
|
- |
|
-
|
-
|
Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, explorations.get, explorations.replace, and explorations.delete opera…
New
|
CWE-639
CWE-862
Authorization Bypass Through User-Controlled Key
Missing Authorization
|
CVE-2026-44718
|
2026-05-16 04:17 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
287
|
- |
|
-
|
-
|
LibJWT is a C JSON Web Token Library. From 3.0.0 to 3.3.2, libjwt accepts an RSA JWK that does not contain an alg parameter as the verification key for an HS256/HS384/HS512 token. In the OpenSSL back…
New
|
CWE-327
CWE-347
Use of a Broken or Risky Cryptographic Algorithm
Improper Verification of Cryptographic Signature
|
CVE-2026-44699
|
2026-05-16 04:17 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
288
|
7.1 |
HIGH
Local
|
-
|
-
|
Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.jso…
New
|
CWE-22
CWE-73
Path Traversal
External Control of File Name or Path
|
CVE-2026-44641
|
2026-05-16 04:17 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
289
|
7.5 |
HIGH
Network
|
-
|
-
|
hoppscotch is an open source API development ecosystem. The fix for CVE-2026-28215 in version 2026.2.0 addresses the unauthenticated POST /v1/onboarding/config endpoint by checking onboardingComplete…
Update
|
CWE-284
CWE-287
Improper Access Control
Improper Authentication
|
CVE-2026-44478
|
2026-05-16 04:17 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
290
|
4.0 |
MEDIUM
Network
|
lfprojects
|
mcp_registry
|
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.7, the Registry's HTTP-based namespace verification (POST /v0/auth/http, POST /v0.1/a…
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-44430
|
2026-05-16 04:16 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
