|
2421
|
7.2 |
HIGH
Network
|
-
|
-
|
OpenKM 6.3.12 contains an unrestricted SQL execution vulnerability that allows authenticated administrative users to execute arbitrary SQL statements against the application database via the Database…
|
CWE-89
SQL Injection
|
CVE-2026-42425
|
2026-05-27 00:16 |
2026-05-27 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2422
|
- |
|
-
|
-
|
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-28496. Reason: This candidate is a duplicate of CVE-2026-28496. Notes: All CVE users should reference CVE-2026-284…
|
-
|
CVE-2026-42347
|
2026-05-27 00:16 |
2026-05-27 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2423
|
4.9 |
MEDIUM
Network
|
-
|
-
|
OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting interface at /admin/Scripting that allows authenticated administrators to read arbitrary files by supplying…
|
CWE-22
Path Traversal
|
CVE-2026-41917
|
2026-05-27 00:16 |
2026-05-27 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2424
|
9.0 |
CRITICAL
Network
|
-
|
-
|
A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload (MPU) endpoints when the `--serve-artifacts` mode is enabled. The authorization logic does not enforce …
|
CWE-862
Missing Authorization
|
CVE-2026-2651
|
2026-05-27 00:16 |
2026-05-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2425
|
5.3 |
MEDIUM
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs…
|
CWE-200
Information Exposure
|
CVE-2026-6826
|
2026-05-26 23:59 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2426
|
5.3 |
MEDIUM
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below is vulnerable to authorization Bypass in the Calendar Event Frontend Dialog which can allow cross-calendar data disclosure. A public calendar block can be used as a pivot…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-8204
|
2026-05-26 23:58 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2427
|
8.8 |
HIGH
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/<pkgHandle>. The do_update() method in concrete/controllers/single_page/da…
|
CWE-352
Origin Validation Error
|
CVE-2026-8417
|
2026-05-26 23:57 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2428
|
8.8 |
HIGH
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/<remoteMPID>. An attacker who controls the remote package ret…
|
CWE-352
CWE-829
Origin Validation Error
Inclusion of Functionality from Untrusted Control Sphere
|
CVE-2026-8426
|
2026-05-26 23:57 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2429
|
8.8 |
HIGH
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker who can cause an authenticate…
|
CWE-352
Origin Validation Error
|
CVE-2026-8421
|
2026-05-26 23:57 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2430
|
8.8 |
HIGH
Network
|
concretecms
|
concrete_cms
|
Concrete CMS 9.5.0 and below emits a CSRF token in the local_available_update.php view ($token->output('do_update')) but the corresponding do_update() method in concrete/controllers/single_page/dashb…
|
CWE-352
CWE-829
Origin Validation Error
Inclusion of Functionality from Untrusted Control Sphere
|
CVE-2026-8428
|
2026-05-26 23:57 |
2026-05-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
