|
1661
|
7.1 |
HIGH
Network
|
-
|
-
|
An Editor can overwrite a dashboard not owned by them to acquire admin on that specific dashboard. The user must have write access to the dashboard to escalate privilege.
|
-
|
CVE-2026-33377
|
2026-05-15 01:21 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1662
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Using the $__timeGroup macro, one can achieve an OOM by overloading the server. This requires a SQL datasource. If the server is set up to auto-restart, the impact is minimal or non-existent, as the …
|
CWE-400
Uncontrolled Resource Consumption
|
CVE-2026-33378
|
2026-05-15 01:21 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1663
|
6.3 |
MEDIUM
Network
|
-
|
-
|
A vulnerability in SQL Expressions allows an authenticated attacker to read arbitrary files from the Grafana server's filesystem. Only instances with the sqlExpressions feature toggle enabled are vul…
|
CWE-552
Files or Directories Accessible to External Parties
|
CVE-2026-33380
|
2026-05-15 01:21 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1664
|
5.9 |
MEDIUM
Network
|
-
|
-
|
When a user's access to mint tokens for a service account is revoked, it is sometimes still possible to do so for a few seconds after the event. The user will eventually lose access to do this.
|
CWE-284
Improper Access Control
|
CVE-2026-33381
|
2026-05-15 01:21 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1665
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Blind SQL Injection.
Th…
|
CWE-89
SQL Injection
|
CVE-2025-11024
|
2026-05-15 01:20 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1666
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Authorization bypass through User-Controlled key vulnerability in Akilli Commerce Software Technologies Ltd. Co. E-Commerce Website allows Session Hijacking.
This issue affects E-Commerce Website: b…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-2347
|
2026-05-15 01:20 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1667
|
8.8 |
HIGH
Network
|
-
|
-
|
Authorization bypass through User-Controlled key vulnerability in APPYAP Technology and Information Inc. Yaay Social Media App allows Accessing Functionality Not Properly Constrained by ACLs.
This i…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2025-12008
|
2026-05-15 01:20 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1668
|
6.8 |
MEDIUM
Network
|
-
|
-
|
Authorization bypass through User-Controlled key vulnerability in Im Park Information Technology, Electronics, Press, Publishing and Advertising, Education Ltd. Co. DijiDemi allows Privilege Abuse.
…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-6008
|
2026-05-15 01:20 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1669
|
8.8 |
HIGH
Network
|
-
|
-
|
Authorization bypass through User-Controlled key vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Ex…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2025-15025
|
2026-05-15 01:20 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1670
|
10.0 |
CRITICAL
Network
|
vm2_project
|
vm2
|
vm2 is an open source vm/sandbox for Node.js. From 3.9.6 to 3.10.5, vm2's bridge exposes mutable proxies for real host-realm intrinsic prototypes and then forwards sandbox writes into the underlying …
|
CWE-94
CWE-1321
Code Injection
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
|
CVE-2026-44005
|
2026-05-15 01:16 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
