| # | CVSS | Severity | Attack vector | Description | CWE | CVE | Dates |
|---|------|----------|---------------|-------------|-----|-----|-------|
| 1911 | 6.8 | MEDIUM | Adjacent | Attacker can use a specially crafted base64 exchange between Dovecot and client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the c… | CWE-99 (Resource Injection) | CVE-2026-33603 | 2026-05-13 00:08 / 2026-05-12 |
| 1912 | 5.3 | MEDIUM | Network | Attacker can upload a malicious Sieve script over the ManageSieve service (or locally) to bypass configured CPU time limits for Sieve, up to 130 times the configured limit. Attacker can use this to deg… | CWE-400 (Uncontrolled Resource Consumption) | CVE-2026-40016 | 2026-05-13 00:08 / 2026-05-12 |
| 1913 | 3.1 | LOW | Network | Attacker can use the IMAP SETACL command to inject the anyone permission into a user's dovecot-acl file even if imap_acl_allow_anyone=no. This causes folders to be spammed to all users. The impact is lim… | CWE-284 (Improper Access Control) | CVE-2026-40020 | 2026-05-13 00:08 / 2026-05-12 |
| 1914 | 4.3 | MEDIUM | Network | An attacker can cause uncontrolled memory usage with excessive bracing over IMAP. The fix in CVE-2026-27857 was incomplete, only blocking one way of doing this, so there was still another way left op… | CWE-400 (Uncontrolled Resource Consumption) | CVE-2026-42006 | 2026-05-13 00:08 / 2026-05-12 |
| 1915 | 8.1 | HIGH | Network | HireFlow v1.2 does not implement CSRF token validation on any state-changing POST endpoint. All forms (password change at /profile, candidate deletion at /candidates/delete/<id>, feedback submission … | CWE-352 (Origin Validation Error) | CVE-2026-38566 | 2026-05-13 00:06 / 2026-05-12 |
| 1916 | 9.8 | CRITICAL | Network | HireFlow v1.2 is vulnerable to SQL injection in the /login and /search endpoints. User-supplied input is concatenated directly into SQL queries without parameterization. An unauthenticated attacker c… | CWE-89 (SQL Injection) | CVE-2026-38567 | 2026-05-13 00:06 / 2026-05-12 |
| 1917 | 6.1 | MEDIUM | Network | A reflected cross-site scripting (XSS) vulnerability in the dfm-menu_firmware.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in… | CWE-79 (Cross-site Scripting) | CVE-2025-61305 | 2026-05-13 00:05 / 2026-05-12 |
| 1918 | 6.1 | MEDIUM | Network | A reflected cross-site scripting (XSS) vulnerability in the dfm-menu_coveragealerts.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScr… | CWE-79 (Cross-site Scripting) | CVE-2025-61306 | 2026-05-13 00:05 / 2026-05-12 |
| 1919 | 6.1 | MEDIUM | Network | A reflected cross-site scripting (XSS) vulnerability in the acc-menu_papers.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in t… | CWE-79 (Cross-site Scripting) | CVE-2025-61307 | 2026-05-13 00:05 / 2026-05-12 |
| 1920 | 6.1 | MEDIUM | Network | A reflected cross-site scripting (XSS) vulnerability in the dfm-menu_maintenance.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript… | CWE-79 (Cross-site Scripting) | CVE-2025-61308 | 2026-05-13 00:05 / 2026-05-12 |