|
641
|
5.5 |
MEDIUM
Local
|
samsung
|
android
|
Incorrect privilege assignment in LocationManager prior to SMR May-2026 Release 1 allows local attackers to access sensitive information.
New
|
NVD-CWE-Other
|
CVE-2026-21016
|
2026-05-14 02:51 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
642
|
9.8 |
CRITICAL
Network
|
nhost
|
nhost\/auth
|
Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.49.1, Nhost automatically links an incoming OAuth identity to an existing Nhost account when the email addresses match. T…
Update
|
CWE-287
NVD-CWE-noinfo
Improper Authentication
|
CVE-2026-41574
|
2026-05-14 02:46 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
643
|
8.0 |
HIGH
Adjacent
|
-
|
-
|
Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr's global CORS policy refl…
New
|
CWE-346
CWE-942
Origin Validation Error
Permissive Cross-domain Policy with Untrusted Domains
|
CVE-2026-44184
|
2026-05-14 02:32 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
644
|
6.7 |
MEDIUM
Local
|
samsung
|
android
|
Out-of-bounds write in SveService prior to SMR May-2026 Release 1 allows local privileged attackers to execute arbitrary code.
New
|
CWE-787
Out-of-bounds Write
|
CVE-2026-21018
|
2026-05-14 02:31 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
645
|
- |
|
-
|
-
|
Network-AI is a TypeScript/Node.js multi-agent orchestrator. Prior to 5.1.3, the MCP HTTP transport accepts JSON-RPC tools/call requests with no authentication, session, origin, or token check, and d…
Update
|
CWE-306
Missing Authentication for Critical Function
|
CVE-2026-42856
|
2026-05-14 02:31 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
646
|
4.3 |
MEDIUM
Network
|
-
|
-
|
@workos/authkit-session is a toolkit for building WorkOS AuthKit framework integrations. Prior to 0.5.1, an open redirect vulnerability exists in AuthService.handleCallback due to insufficient valida…
New
|
CWE-601
Open Redirect
|
CVE-2026-42565
|
2026-05-14 02:31 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
647
|
8.2 |
HIGH
Network
|
-
|
-
|
jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/[filename]. The filename route parameter is jo…
New
|
CWE-22
CWE-200
Path Traversal
Information Exposure
|
CVE-2026-42564
|
2026-05-14 02:31 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
648
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.…
New
|
CWE-290
CWE-348
Authentication Bypass by Spoofing
Use of Less Trusted Source
|
CVE-2026-44183
|
2026-05-14 02:31 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
649
|
7.8 |
HIGH
Local
|
samsung
|
android
|
Improper export of android application components in OmaCP prior to SMR May-2026 Release 1 allows local attackers to trigger privileged functions.
New
|
NVD-CWE-Other
|
CVE-2026-21020
|
2026-05-14 02:30 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
650
|
6.8 |
MEDIUM
Physics
|
samsung
|
android
|
Improper input validation in Routines prior to SMR May-2026 Release 1 allows physical attackers to launch privileged activity.
New
|
NVD-CWE-noinfo
|
CVE-2026-21021
|
2026-05-14 02:29 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
