|
1901
|
- |
|
-
|
-
|
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the podcast creation endpoint at server/controllers/PodcastController.js accepts a user-controlled file path without suf…
|
CWE-22
Path Traversal
|
CVE-2026-42888
|
2026-05-13 00:13 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1902
|
5.3 |
MEDIUM
Network
|
uriparser_project
|
uriparser
|
In uriparser before 1.0.2, there is pointer difference truncation to int in various places.
|
CWE-197
Numeric Truncation Error
|
CVE-2026-44927
|
2026-05-13 00:12 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1903
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Directory Traversal vulnerability in fohrloop dash-uploader v.0.1.0 through v.0.7.0a2 allows a remote attacker to execute arbitrary code via the dash_uploader/httprequesthandler.py, aseHttpRequestHan…
|
CWE-22
Path Traversal
|
CVE-2026-38360
|
2026-05-13 00:10 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1904
|
7.4 |
HIGH
Local
|
-
|
-
|
Akamai Guardicore Platform Agent (GPA) and Zero Trust Client on Linux and macOS allow TOCTOU-based local privilege escalation. The GPA service creates an IPC socket in the world-writable /tmp directo…
|
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
|
CVE-2026-34354
|
2026-05-13 00:10 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1905
|
7.2 |
HIGH
Network
|
-
|
-
|
Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI.
|
CWE-22
Path Traversal
|
CVE-2026-41951
|
2026-05-13 00:10 |
2026-05-11 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1906
|
3.3 |
LOW
Local
|
-
|
-
|
The automatic folder creation feature of Lhaz and Lhaz+ provided by Chitora soft contains a path traversal vulnerability. When the affected product is configured with the automatic folder creation fe…
|
CWE-22
Path Traversal
|
CVE-2026-41530
|
2026-05-13 00:10 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1907
|
7.4 |
HIGH
Network
|
-
|
-
|
"Kura Sushi Official App" provided by EPG, Inc. is vulnerable to improper certificate validation. A man-in-the-middle attack may allow eavesdropping on, or altering, the communication on push notific…
|
CWE-295
Improper Certificate Validation
|
CVE-2026-41872
|
2026-05-13 00:10 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1908
|
- |
|
-
|
-
|
Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited…
|
CWE-1392
Use of Default Credentials
|
CVE-2026-7428
|
2026-05-13 00:09 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1909
|
5.3 |
MEDIUM
Network
|
-
|
-
|
webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix r…
|
CWE-749
Exposed Dangerous Method or Function
|
CVE-2026-6402
|
2026-05-13 00:08 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1910
|
7.4 |
HIGH
Network
|
-
|
-
|
When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP …
|
CWE-235
Improper Handling of Extra Parameters
|
CVE-2026-27851
|
2026-05-13 00:08 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
