|
1191
|
5.3 |
MEDIUM
Network
|
thecodingmachine
|
gotenberg
|
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, FilterOutboundURL resolves the hostname, checks the resolved IPs against the private-address deny-list, and returns only th…
|
CWE-367
CWE-918
Time-of-check Time-of-use (TOCTOU) Race Condition
Server-Side Request Forgery (SSRF)
|
CVE-2026-42592
|
2026-05-18 22:02 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1192
|
9.8 |
CRITICAL
Network
|
thecodingmachine
|
gotenberg
|
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.31.0, Gotenberg's /forms/pdfengines/metadata/write HTTP endpoint accepts a JSON metadata object and passes its keys directly to E…
|
CWE-78
OS Command
|
CVE-2026-42589
|
2026-05-18 22:01 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1193
|
5.3 |
MEDIUM
Network
|
thecodingmachine
|
gotenberg
|
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, and chromium/convert/…
|
CWE-22
CWE-73
Path Traversal
External Control of File Name or Path
|
CVE-2026-42593
|
2026-05-18 22:01 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1194
|
8.6 |
HIGH
Network
|
thecodingmachine
|
gotenberg
|
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, Gotenberg's Chromium URL-to-PDF endpoint (/forms/chromium/convert/url) has no default protection against HTTP/HTTPS-based S…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-42595
|
2026-05-18 22:01 |
2026-05-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1195
|
5.3 |
MEDIUM
Network
|
mongodb
|
mongodb
|
When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the local server log message generated may not have all user data redacted.
This is…
|
CWE-532
Inclusion of Sensitive Information in Log Files
|
CVE-2026-8200
|
2026-05-18 22:01 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1196
|
6.5 |
MEDIUM
Network
|
mongodb
|
mongodb
|
Using a densely populated chars mask and a large input string in the MongoDB aggregation operators $trim, $ltrim, and $rtrim, an authenticated user with aggregation permissions can pin CPU utilizatio…
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-8202
|
2026-05-18 21:55 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1197
|
6.5 |
MEDIUM
Network
|
mongodb
|
mongodb
|
After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the se…
|
CWE-416
Use After Free
|
CVE-2026-8336
|
2026-05-18 21:54 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1198
|
7.5 |
HIGH
Network
|
netty
|
netty
|
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final, when decoding header blocks, the non-Huffman branch of io.netty.handler.codec.http3.QpackDecoder#decodeHuf…
|
CWE-770
CWE-789
Allocation of Resources Without Limits or Throttling
Memory Allocation with Excessive Size Value
|
CVE-2026-42582
|
2026-05-18 21:54 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1199
|
7.5 |
HIGH
Network
|
netty
|
netty
|
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explici…
|
CWE-113
HTTP Response Splitting
|
CVE-2026-42578
|
2026-05-18 21:54 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1200
|
7.5 |
HIGH
Network
|
netty
|
netty
|
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks…
|
CWE-444
HTTP Request Smuggling
|
CVE-2026-42585
|
2026-05-18 21:24 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
