|
1781
|
7.5 |
HIGH
Network
|
fohrloop
|
dash-uploader
|
An issue in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, dash_uploader/upload.py in the Upload func…
|
NVD-CWE-noinfo
CWE-400
CWE-670
Uncontrolled Resource Consumption
Always-Incorrect Control Flow Implementation
|
CVE-2026-38361
|
2026-05-13 05:55 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1782
|
7.2 |
HIGH
Network
|
dolibarr
|
dolibarr_erp\/crm
|
Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contains an authenticated remote code execution vulnerabilit…
|
CWE-74
Injection
|
CVE-2025-67486
|
2026-05-13 05:54 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1783
|
9.9 |
CRITICAL
Network
|
pfsense
|
pfsense
|
Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally all…
|
CWE-284
CWE-915
Improper Access Control
Improperly Controlled Modification of Dynamically-Determined Object Attributes
|
CVE-2025-69691
|
2026-05-13 05:39 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1784
|
7.5 |
HIGH
Network
|
vmware
|
spring_cloud_config
|
When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects.
Spring C…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-40981
|
2026-05-13 05:34 |
2026-05-7 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1785
|
6.1 |
MEDIUM
Network
|
naturalintelligence
|
fast-xml-parser
|
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the …
|
CWE-91
Blind XPath Injection
|
CVE-2026-41650
|
2026-05-13 05:30 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1786
|
9.8 |
CRITICAL
Network
|
snipeitapp
|
snipe-it
|
Insecure Permissions vulnerability in grokability snipe-it v.8.4.0 and before and fixed after 2026-03-10 commit 676a9958 allows a remote attacker to execute arbitrary code via the app/Http/Controller…
|
CWE-284
Improper Access Control
|
CVE-2026-37709
|
2026-05-13 05:29 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1787
|
6.3 |
MEDIUM
Network
|
router-for-me
|
cliproxyapi
|
A vulnerability has been found in router-for-me CLIProxyAPI 6.9.29. Affected by this issue is some unknown functionality of the file internal/api/handlers/management/api_tools.go of the component API…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-8081
|
2026-05-13 05:27 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1788
|
7.8 |
HIGH
Local
|
dail8859
|
notepad_next
|
Notepad Next is a cross-platform, reimplementation of Notepad++. Prior to version 0.14, NotepadNext's detectLanguageFromExtension() function interpolates a file's extension directly into a Lua script…
|
CWE-94
Code Injection
|
CVE-2026-42214
|
2026-05-13 05:24 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1789
|
7.5 |
HIGH
Network
|
golang
|
go
|
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
|
CWE-415
Double Free
|
CVE-2026-33811
|
2026-05-13 05:23 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1790
|
4.7 |
MEDIUM
Network
|
google
|
chrome
|
Use after free in Views in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security…
|
CWE-416
Use After Free
|
CVE-2026-7910
|
2026-05-13 05:16 |
2026-05-7 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
