|
351
|
9.4 |
CRITICAL
Network
|
-
|
-
|
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, the default deny-lists used by Gotenberg's downloadFrom feature and webhook feature are bypassable. Because the filter is r…
Update
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-42596
|
2026-05-16 02:16 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
352
|
8.2 |
HIGH
Network
|
-
|
-
|
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, The ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary…
Update
|
CWE-184
Incomplete Blacklist
|
CVE-2026-42590
|
2026-05-16 02:16 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
353
|
9.1 |
CRITICAL
Network
|
-
|
-
|
OpenMRS is an open source electronic medical record system platform. From 2.7.0 to before 2.7.9 and 2.8.6, the ConceptReferenceRangeUtility.evaluateCriteria() method in OpenMRS Core evaluates databas…
New
|
CWE-94
Code Injection
|
CVE-2026-41258
|
2026-05-16 02:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
354
|
- |
|
-
|
-
|
Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors (custom error pages) middleware. Whe…
New
|
CWE-201
Insertion of Sensitive Information Into Sent Data
|
CVE-2026-41181
|
2026-05-16 02:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
355
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is proce…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-23695
|
2026-05-16 02:16 |
2026-05-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
356
|
6.5 |
MEDIUM
Network
|
shellhub
|
shellhub
|
ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated u…
Update
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-44423
|
2026-05-16 02:16 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
357
|
7.5 |
HIGH
Network
|
zitadel
|
zitadel
|
ZITADEL is an open source identity management platform. From 2.71.11 to before 3.4.10 and 4.15.0, a vulnerability was discovered in Zitadel's LDAP identity provider implementation, which fails to pro…
New
|
CWE-90
LDAP Injection
|
CVE-2026-44671
|
2026-05-16 02:15 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
358
|
6.5 |
MEDIUM
Network
|
frappe
|
erpnext
|
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.102.0 and 16.11.0, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyo…
Update
|
CWE-862
Missing Authorization
|
CVE-2026-44448
|
2026-05-16 01:20 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
359
|
9.1 |
CRITICAL
Network
|
opnsense
|
opnsense
|
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interface, which is processed by a shell scrip…
Update
|
CWE-88
Argument Injection
|
CVE-2026-45158
|
2026-05-16 01:19 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
360
|
4.3 |
MEDIUM
Network
|
-
|
-
|
Insufficient policy enforcement in Payments in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. (Chromium sec…
New
|
CWE-284
Improper Access Control
|
CVE-2026-8566
|
2026-05-16 01:16 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
