|
431
|
3.0 |
LOW
Network
|
-
|
-
|
In OpenStack Ironic through 35.x, instance_info['ks_template'] is rendered without sandboxing.
New
|
CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine
|
CVE-2026-44916
|
2026-05-9 01:08 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
432
|
- |
|
-
|
-
|
Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.2.0, the /api/auth/login endpoint contains a logic flaw that allows unauthen…
New
|
CWE-208
Information Exposure Through Timing Discrepancy
|
CVE-2026-41161
|
2026-05-9 01:08 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
433
|
8.1 |
HIGH
Network
|
-
|
-
|
Dapr is a portable, event-driven, runtime for building distributed applications across cloud and edge. From versions 1.3.0 to before 1.15.14, 1.16.0-rc.1 to before 1.16.14, and 1.17.0-rc.1 to before …
New
|
CWE-22
CWE-284
Path Traversal
Improper Access Control
|
CVE-2026-41491
|
2026-05-9 01:08 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
434
|
- |
|
-
|
-
|
CROSS implementation contains reference and optimized implementations of the CROSS post-quantum signature algorithm. Prior to commit fc6b7e7, there is a buffer overflow in crypto_sign_open() caused b…
New
|
CWE-121
CWE-122
Stack-based Buffer Overflow
Heap-based Buffer Overflow
|
CVE-2026-41509
|
2026-05-9 01:08 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
435
|
9.9 |
CRITICAL
Network
|
-
|
-
|
ai-scanner is an AI model safety scanner built on NVIDIA garak. From version 1.0.0 to before version 1.4.1, there is a remote code execution vulnerability via JavaScript injection in `BrowserAutomati…
New
|
CWE-94
Code Injection
|
CVE-2026-41512
|
2026-05-9 01:08 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
436
|
- |
|
-
|
-
|
An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, dash_uploader/upload.py in the Upload func…
New
|
-
|
CVE-2026-38361
|
2026-05-9 01:08 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
437
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Password Pusher is an open source application to communicate sensitive information over the web. Prior to versions 1.69.3 and 2.4.2, a security issue in OSS PasswordPusher allowed unauthenticated cre…
New
|
CWE-288
Authentication Bypass Using an Alternate Path or Channel
|
CVE-2026-41308
|
2026-05-9 01:08 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
438
|
- |
|
-
|
-
|
Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, there is a role-based-access control flaw in the LLM connection update flow. An a…
New
|
CWE-284
Improper Access Control
|
CVE-2026-41487
|
2026-05-9 01:08 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
439
|
6.1 |
MEDIUM
Network
|
-
|
-
|
In th30d4y/IP from version 1.0.1 to before version 2.0.1, a DOM-Based Cross-Site Scripting (XSS) vulnerability was identified in an IP Reputation Checker application. Unsanitized user input was direc…
New
|
CWE-79
CWE-80
Cross-site Scripting
Basic XSS
|
CVE-2026-41575
|
2026-05-9 01:08 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
440
|
9.0 |
CRITICAL
Network
|
-
|
-
|
RELATE is a web-based courseware package. Prior to commit 2f68e16, there is a timing attack vulnerability in course/auth.py — check_sign_in_key(). This issue has been patched via commit 2f68e16.
New
|
CWE-208
Information Exposure Through Timing Discrepancy
|
CVE-2026-41588
|
2026-05-9 01:08 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
