| # | CVSS | Severity | Vector | Vendor | Product | Description | Status | CWE | CVE | Published | Updated | References |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1001 | 7.7 | HIGH | Network | - | - | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel wp-travel allows Blind SQL Injection. This issue affects WP Travel: from n/a t… | New | CWE-89 SQL Injection | CVE-2026-45218 | 2026-05-12 23:03 | 2026-05-12 | GitHub, Exploit DB, Packet Storm |
| 1002 | 4.8 | MEDIUM | Network | weblate | wlc | wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting… | Update | CWE-79 Cross-site Scripting | CVE-2026-42150 | 2026-05-12 23:00 | 2026-05-8 | GitHub, Exploit DB, Packet Storm |
| 1003 | 3.3 | LOW | Network | kimai | kimai | Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to … | Update | CWE-862 Missing Authorization | CVE-2026-41498 | 2026-05-12 22:59 | 2026-05-8 | GitHub, Exploit DB, Packet Storm |
| 1004 | 6.5 | MEDIUM | Network | onyx | onyx | Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/{file_id} endpoint allows any authenticated user to download any other user's uploaded files by provi… | Update | CWE-639 Authorization Bypass Through User-Controlled Key | CVE-2026-42277 | 2026-05-12 22:58 | 2026-05-8 | GitHub, Exploit DB, Packet Storm |
| 1005 | 5.9 | MEDIUM | Network | elabftw | elabftw | eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under… | Update | CWE-302 Authentication Bypass by Assumed-Immutable Data | CVE-2026-28510 | 2026-05-12 22:58 | 2026-05-5 | GitHub, Exploit DB, Packet Storm |
| 1006 | 9.1 | CRITICAL | Network | librenms | librenms | LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's in… | Update | CWE-78 OS Command | CVE-2024-51092 | 2026-05-12 22:50 | 2026-05-8 | GitHub, Exploit DB, Packet Storm |
| 1007 | 7.3 | HIGH | Network | astrbot | astrbot | AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT. | Update | CWE-321 Use of Hard-coded Cryptographic Key | CVE-2025-55449 | 2026-05-12 22:49 | 2026-05-8 | GitHub, Exploit DB, Packet Storm |
| 1008 | 9.1 | CRITICAL | Network | pfsense | pfsense | Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes … | Update | CWE-502 Deserialization of Untrusted Data; CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes | CVE-2025-69690 | 2026-05-12 22:45 | 2026-05-8 | GitHub, Exploit DB, Packet Storm |
| 1009 | 9.8 | CRITICAL | Network | citeum | opencti | OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploi… | Update | CWE-287 Improper Authentication | CVE-2026-27960 | 2026-05-12 22:45 | 2026-05-6 | GitHub, Exploit DB, Packet Storm |
| 1010 | 6.5 | MEDIUM | Network | gofiber | fiber | Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query str… | Update | CWE-436 Interpretation Conflict | CVE-2026-30246 | 2026-05-12 22:44 | 2026-05-5 | GitHub, Exploit DB, Packet Storm |