|
2671
|
8.1 |
HIGH
Network
|
fit2cloud
|
sqlbot
|
SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. Prior to 1.8.0, SQLBot contains a Cross-Workspace IDOR (Insecure Direct Object Reference) and Authorization Bypass …
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-42463
|
2026-05-16 02:34 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2672
|
9.1 |
CRITICAL
Network
|
opnsense
|
opnsense
|
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, the XMLRPC method opnsense.restore_config_section fails to sanitize user supplied input leading to Remote Code Execution. T…
|
CWE-88
Argument Injection
|
CVE-2026-44193
|
2026-05-16 02:30 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2673
|
4.7 |
MEDIUM
Network
|
lfprojects
|
mcp_registry
|
The MCP Registry provides MCP clients with a list of MCP servers, like an app store for MCP servers. Prior to 1.7.6, the client-side and server-side GitHub OIDC flow is bound only to a global audienc…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-44428
|
2026-05-16 02:23 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2674
|
9.1 |
CRITICAL
Network
|
opnsense
|
opnsense
|
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, an authenticated Remote Code Execution (RCE) vulnerability in the OPNsense core allows a user with user-management privileg…
|
CWE-78
OS Command
|
CVE-2026-44194
|
2026-05-16 02:19 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2675
|
6.5 |
MEDIUM
Network
|
shellhub
|
shellhub
|
ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated u…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-44423
|
2026-05-16 02:16 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2676
|
7.5 |
HIGH
Network
|
zitadel
|
zitadel
|
ZITADEL is an open source identity management platform. From 2.71.11 to before 3.4.10 and 4.15.0, a vulnerability was discovered in Zitadel's LDAP identity provider implementation, which fails to pro…
|
CWE-90
LDAP Injection
|
CVE-2026-44671
|
2026-05-16 02:15 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2677
|
6.5 |
MEDIUM
Network
|
frappe
|
erpnext
|
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.102.0 and 16.11.0, certain endpoints failed to enforce proper authorization checks, allowing users to modify data beyo…
|
CWE-862
Missing Authorization
|
CVE-2026-44448
|
2026-05-16 01:20 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2678
|
9.1 |
CRITICAL
Network
|
opnsense
|
opnsense
|
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.8, unsanitized user input is passed to the DHCP configuration of the configured interface, which is processed by a shell scrip…
|
CWE-88
Argument Injection
|
CVE-2026-45158
|
2026-05-16 01:19 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2679
|
6.5 |
MEDIUM
Network
|
opnsense
|
opnsense
|
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.7, a logic flaw in the OPNsense lockout_handler allows an unauthenticated attacker to continuously reset the authentication fa…
|
CWE-307
mproper Restriction of Excessive Authentication Attempts
|
CVE-2026-44195
|
2026-05-16 01:06 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2680
|
9.8 |
CRITICAL
Network
|
apache
|
tomcat
|
Improper Input Validation vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0…
|
CWE-20
Improper Input Validation
|
CVE-2026-41293
|
2026-05-16 00:57 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
