|
1551
|
6.4 |
MEDIUM
Network
|
-
|
-
|
Marko is a declarative, HTML-based language for building web apps. Prior to marko version 5.38.36 and prior to @marko/runtime-tags 6.0.164, when dynamic text is interpolated into a <script> or <style…
|
CWE-79
Cross-site Scripting
|
CVE-2026-41591
|
2026-05-9 01:16 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1552
|
10.0 |
CRITICAL
Network
|
-
|
-
|
openvpn-auth-oauth2 is a plugin/management interface client for OpenVPN server to handle an OIDC based single sign-on (SSO) auth flows. From version 1.26.3 to before version 1.27.3, when openvpn-auth…
|
CWE-287
Improper Authentication
|
CVE-2026-41070
|
2026-05-9 01:16 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1553
|
6.3 |
MEDIUM
Network
|
-
|
-
|
In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API does not enforce project ownership at any layer. The project_id column in the database is never populated (NULL for every ARQ), da…
|
CWE-282
Improper Ownership Management
|
CVE-2026-40214
|
2026-05-9 01:16 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1554
|
7.4 |
HIGH
Network
|
-
|
-
|
OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as the default policy for multiple API endpoints. This unconditionally authorizes any request carrying a valid Keystone token regardless…
|
CWE-863
Incorrect Authorization
|
CVE-2026-40213
|
2026-05-9 01:16 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1555
|
8.6 |
HIGH
Network
|
-
|
-
|
Inngest is a platform for running event-driven and scheduled background functions with queueing, retries, and step orchestration. Versions 3.22.0 through 3.53.1 contain a vulnerability that allows un…
|
CWE-200
CWE-497
Information Exposure
Exposure of Sensitive System Information to an Unauthorized Control Sphere
|
CVE-2026-42047
|
2026-05-9 01:08 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1556
|
7.3 |
HIGH
Network
|
-
|
-
|
This vulnerability, in the MAXHUB Pivot client application versions
prior to v1.36.2, may allow an attacker to obtain encrypted tenant email
addresses and related metadata from any tenant. Due to t…
|
CWE-327
Use of a Broken or Risky Cryptographic Algorithm
|
CVE-2026-6411
|
2026-05-9 01:08 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1557
|
8.8 |
HIGH
Network
|
-
|
-
|
OpenLearnX is an open-source, decentralized learning and assessment platform. Prior to version 2.0.3, a remote code execution (RCE) vulnerability was identified in the OpenLearnX code execution envir…
|
CWE-78
CWE-94
CWE-250
CWE-284
CWE-693
OS Command
Code Injection
Execution with Unnecessary Privileges
Improper Access Control
Protection Mechanism Failure
|
CVE-2026-41900
|
2026-05-9 01:08 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1558
|
8.7 |
HIGH
Network
|
-
|
-
|
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization b…
|
CWE-22
CWE-61
Path Traversal
UNIX Symbolic Link (Symlink) Following
|
CVE-2026-42275
|
2026-05-9 01:08 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1559
|
6.1 |
MEDIUM
Network
|
-
|
-
|
In Thruk Monitoring through 2.46.3, the login field of the login form is vulnerable to reflected XSS. This vulnerability can be exploited by unauthenticated remote attackers to target users of the mo…
|
CWE-79
Cross-site Scripting
|
CVE-2022-23961
|
2026-05-9 01:08 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1560
|
- |
|
-
|
-
|
yeti-platform yeti before 2.1.12 allows attackers to generate valid JWT tokens is the secret is not changed (by setting YETI_AUTH_SECRET_KEY to a value other than SECRET).
|
-
|
CVE-2024-46508
|
2026-05-9 01:08 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
