|
451
|
8.1 |
HIGH
Network
|
-
|
-
|
In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted…
New
|
CWE-89
SQL Injection
|
CVE-2026-44331
|
2026-05-6 05:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
452
|
- |
|
-
|
-
|
Gotenberg is an API-based document conversion tool. In versions 8.30.1 and earlier, the default private-IP deny-lists for the --webhook-deny-list and --api-download-from-deny-list flags use a case-se…
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-40280
|
2026-05-6 05:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
453
|
- |
|
-
|
-
|
PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when t…
New
|
CWE-502
CWE-918
Deserialization of Untrusted Data
Server-Side Request Forgery (SSRF)
|
CVE-2026-34084
|
2026-05-6 05:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
454
|
- |
|
-
|
-
|
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the transfer plugin can select the wrong ACL stanza when both a parent zone and a more-specific subzone are configured. The l…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-33489
|
2026-05-6 05:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
455
|
- |
|
-
|
-
|
Vaultwarden is a Bitwarden-compatible server written in Rust. In version 1.35.4 and earlier, the get_org_collections_details endpoint (GET /api/organizations/{org_id}/collections/details) is missing …
New
|
CWE-862
Missing Authorization
|
CVE-2026-33420
|
2026-05-6 05:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
456
|
- |
|
-
|
-
|
SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. In versions 1.7.0 and earlier, the Text2SQL chat interface is vulnerable to prompt injection. The user-provided que…
New
|
CWE-89
SQL Injection
|
CVE-2026-33324
|
2026-05-6 05:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
457
|
- |
|
-
|
-
|
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the DNS-over-HTTPS (DoH) GET path accepts oversized dns= query parameter values and performs URL query parsing, base64 decodi…
New
|
CWE-400
Uncontrolled Resource Consumption
|
CVE-2026-32936
|
2026-05-6 05:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
458
|
- |
|
-
|
-
|
FacturaScripts is an open source accounting and invoicing software. In versions 2025.92 and earlier, the application fails to validate the nick parameter during a POST request to the EditUser control…
New
|
CWE-472
External Control of Assumed-Immutable Web Parameter
|
CVE-2026-32699
|
2026-05-6 05:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
459
|
- |
|
-
|
-
|
Tunnelblick is an open source graphic user interface for OpenVPN on macOS. In versions 3.3beta26 through 9.0beta01, any local user can read arbitrary root-owned files by exploiting a symlink followin…
New
|
CWE-61
UNIX Symbolic Link (Symlink) Following
|
CVE-2026-31893
|
2026-05-6 05:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
460
|
8.1 |
HIGH
Network
|
-
|
-
|
School App developed by Zyosoft has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify a specific parameter to read and modify other users' data.
Update
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-7491
|
2026-05-6 05:16 |
2026-05-2 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
