|
581
|
3.4 |
LOW
Network
|
-
|
-
|
draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAut…
New
|
CWE-200
CWE-601
Information Exposure
Open Redirect
|
CVE-2026-42195
|
2026-05-9 07:16 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
582
|
9.1 |
CRITICAL
Network
|
-
|
-
|
Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, the /webhooks/sns endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verif…
New
|
CWE-347
Improper Verification of Cryptographic Signature
|
CVE-2026-42193
|
2026-05-9 07:16 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
583
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Plunk is an open-source email platform built on top of AWS SES. Prior to version 0.9.0, a stored cross-site scripting (XSS) vulnerability exists in the campaign management feature, where the email bo…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-42192
|
2026-05-9 07:16 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
584
|
9.1 |
CRITICAL
Network
|
-
|
-
|
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/{hash} endpoint accepts a 60-character random invite_hash to set a new use…
New
|
CWE-613
Insufficient Session Expiration
|
CVE-2026-41902
|
2026-05-9 07:16 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
585
|
- |
|
-
|
-
|
Emlog is an open source website building system. Prior to version 2.6.11, insecure plugin upload functionality allows attackers to upload and execute arbitrary PHP code, leading to complete server co…
New
|
CWE-434
Unrestricted Upload of File with Dangerous Type
|
CVE-2026-41517
|
2026-05-9 07:16 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
586
|
- |
|
-
|
-
|
Ray is an AI compute engine. From version 2.54.0 to before version 2.55.0, Ray Data registers custom Arrow extension types (ray.data.arrow_tensor, ray.data.arrow_tensor_v2, ray.data.arrow_variable_sh…
New
|
CWE-94
CWE-502
Code Injection
Deserialization of Untrusted Data
|
CVE-2026-41486
|
2026-05-9 07:16 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
587
|
7.5 |
HIGH
Network
|
-
|
-
|
The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).
New
|
-
|
CVE-2026-39836
|
2026-05-9 07:16 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
588
|
5.3 |
MEDIUM
Network
|
-
|
-
|
ReverseProxy can forward queries containing parameters not visible to Rewrite functions. When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitize…
New
|
-
|
CVE-2026-39825
|
2026-05-9 07:16 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
589
|
5.3 |
MEDIUM
Local
|
-
|
-
|
The "go bug" command writes to two files with predictable names in the system temporary directory (for example, "/tmp"). An attacker with access to the temporary directory can create a symlink in one…
New
|
-
|
CVE-2026-39819
|
2026-05-9 07:16 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
590
|
5.9 |
MEDIUM
Local
|
-
|
-
|
The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" su…
New
|
-
|
CVE-2026-39817
|
2026-05-9 07:16 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
