|
631
|
- |
|
-
|
-
|
Mako is a template library written in Python. Prior to 1.3.12, on Windows, a URI using backslash traversal (e.g. \..\..\ secret.txt) bypasses the directory traversal check in Template.__init__ and th…
New
|
CWE-22
Path Traversal
|
CVE-2026-44307
|
2026-05-14 03:15 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
632
|
5.3 |
MEDIUM
Network
|
-
|
-
|
GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. Th…
New
|
CWE-284
CWE-639
Improper Access Control
Authorization Bypass Through User-Controlled Key
|
CVE-2026-44341
|
2026-05-14 03:15 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
633
|
- |
|
-
|
-
|
Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools with…
New
|
CWE-22
Path Traversal
|
CVE-2026-44301
|
2026-05-14 03:14 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
634
|
6.1 |
MEDIUM
Network
|
-
|
-
|
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 2.5.2, Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentio…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-44245
|
2026-05-14 03:14 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
635
|
6.3 |
MEDIUM
Network
|
-
|
-
|
A command
injection vulnerability was discovered in TeamViewer DEX Platform On-Premises
(former 1E DEX Platform On-Premises) prior to version 9.2. Improper input validation allows
authenticated users…
New
|
CWE-20
Improper Input Validation
|
CVE-2026-2695
|
2026-05-14 03:10 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
636
|
7.5 |
HIGH
Network
|
phpoffice
|
phpspreadsheet
|
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\Xml) does not validate the ss:I…
New
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-40863
|
2026-05-14 03:01 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
637
|
8.8 |
HIGH
Network
|
dell
|
automation_platform
|
Dell Automation Platform versions prior to 2.0.0.0, contains a missing authorization vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading …
Update
|
CWE-862
Missing Authorization
|
CVE-2026-32658
|
2026-05-14 03:00 |
2026-05-11 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
638
|
5.7 |
MEDIUM
Network
|
kimai
|
kimai
|
Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM(54+51)) via POST /api/tags…
Update
|
CWE-1236
Improper Neutralization of Formula Elements in a CSV File
|
CVE-2026-42267
|
2026-05-14 02:58 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
639
|
9.1 |
CRITICAL
Network
|
axios
|
axios
|
Axios is a promise based HTTP client for the browser and Node.js. From version 1.0.0 to before version 1.15.2, fFive config properties (auth, baseURL, socketPath, beforeRedirect, and insecureHTTPPars…
Update
|
CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
|
CVE-2026-42264
|
2026-05-14 02:53 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
640
|
5.5 |
MEDIUM
Local
|
samsung
|
android
|
Incorrect default permissions in FactoryCamera prior to SMR May-2026 Release 1 allows local attacker to access unique identifier.
New
|
CWE-276
Incorrect Default Permissions
|
CVE-2026-21015
|
2026-05-14 02:52 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
