|
301
|
9.8 |
CRITICAL
Network
|
-
|
-
|
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, every MCP write tool (send_tokens, execute_contract, instantiate_contract, upload_wasm, ibc_transfer, etc.) accept…
New
|
CWE-200, CWE-312, CWE-522, CWE-532
Information Exposure; Cleartext Storage of Sensitive Information; Insufficiently Protected Credentials; Inclusion of Sensitive Information in Log Files
|
CVE-2026-43992
|
2026-05-13 02:16 |
2026-05-13 |
|
302
|
8.4 |
HIGH
Local
|
-
|
-
|
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, substring-based blocklist in plugin-shell's command-safety check could be bypassed by adversarial argument constru…
New
|
CWE-78, CWE-184
OS Command; Incomplete Blacklist
|
CVE-2026-43991
|
2026-05-13 02:16 |
2026-05-13 |
|
303
|
8.4 |
HIGH
Local
|
-
|
-
|
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, plugin-shell's run_command wrapped every agent-supplied command in 'sh -c' / 'cmd /C' and passed the full argument…
New
|
CWE-77, CWE-78
Command Injection; OS Command
|
CVE-2026-43990
|
2026-05-13 02:16 |
2026-05-13 |
|
304
|
8.5 |
HIGH
Local
|
-
|
-
|
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the upload_wasm MCP tool accepted a filesystem path from the agent and uploaded whatever bytes the path resolved t…
New
|
CWE-20, CWE-22, CWE-59, CWE-73
Improper Input Validation; Path Traversal; Link Following; External Control of File Name or Path
|
CVE-2026-43989
|
2026-05-13 02:16 |
2026-05-13 |
|
305
|
6.2 |
MEDIUM
Local
|
-
|
-
|
jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachab…
New
|
CWE-674
Uncontrolled Recursion
|
CVE-2026-43896
|
2026-05-13 02:16 |
2026-05-12 |
|
306
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/libraries/:id/download endpoint validates that the requesting user has access to the library specified in t…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-42883
|
2026-05-13 02:16 |
2026-05-12 |
|
307
|
8.5 |
HIGH
Network
|
-
|
-
|
Open edX Platform enables the authoring and delivery of online learning at any scale. The sync_provider_data endpoint in SAMLProviderDataViewSet allows authenticated Enterprise Admin users to supply …
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-42858
|
2026-05-13 02:16 |
2026-05-12 |
|
308
|
- |
|
-
|
-
|
Zulip is an open-source team collaboration tool. Prior to 12.0, with message_edit_history_visibility_policy set to "moves", /api/v1/messages/{id}/history still returns historical content values, allo…
New
|
CWE-284
Improper Access Control
|
CVE-2026-40300
|
2026-05-13 02:16 |
2026-05-13 |
|
309
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Missing Authorization vulnerability in WPMU DEV Hustle allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Hustle: through 7.8.10.1.
New
|
CWE-862
Missing Authorization
|
CVE-2026-25431
|
2026-05-13 02:16 |
2026-05-13 |
|
310
|
- |
|
-
|
-
|
Null pointer dereference for some Intel(R) QAT software drivers for Windows before version 2.6.0 within Ring 3: User Applications may allow a denial of service. Unprivileged software adversary with a…
New
|
CWE-476
NULL Pointer Dereference
|
CVE-2026-20914
|
2026-05-13 02:16 |
2026-05-13 |