|
1151
|
5.9 |
MEDIUM
Local
|
golang
|
go
|
The "go tool pack" subcommand (usually used only by the compiler as an internal tool with known-good inputs) does not sanitize output filenames. Extracting a malicious archive file with the "pack" su…
Update
|
CWE-787
Out-of-bounds Write
|
CVE-2026-39817
|
2026-05-13 23:59 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1152
|
10.0 |
CRITICAL
Network
|
peerigon
|
angular-expressions
|
Angular Expressions provides expressions for the Angular.JS web framework as a standalone module. Prior to 1.5.2, an attacker can write a malicious expression using filters that escapes the sandbox t…
New
|
CWE-95
Eval Injection
|
CVE-2026-44643
|
2026-05-13 23:54 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1153
|
9.4 |
CRITICAL
Network
|
-
|
-
|
phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been p…
Update
|
CWE-284
CWE-306
CWE-862
Improper Access Control
Missing Authentication for Critical Function
Missing Authorization
|
CVE-2026-42569
|
2026-05-13 23:54 |
2026-05-10 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1154
|
8.5 |
HIGH
Local
|
-
|
-
|
JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, the upload_wasm MCP tool accepted a filesystem path from the agent and uploaded whatever bytes the path resolved t…
New
|
CWE-20
CWE-22
CWE-59
CWE-73
Improper Input Validation
Path Traversal
Link Following
External Control of File Name or Path
|
CVE-2026-43989
|
2026-05-13 23:54 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1155
|
- |
|
-
|
-
|
Craft CMS is a content management system (CMS). From 5.0.0-RC1 to before 5.9.18, AssetsController::actionShowInFolder() fetches an asset by ID and returns its filename and complete folder hierarchy (…
New
|
CWE-862
Missing Authorization
|
CVE-2026-44012
|
2026-05-13 23:54 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1156
|
9.9 |
CRITICAL
Network
|
openedx
|
openedx
|
Open edX Platform enables the authoring and delivery of online learning at any scale. The sync_provider_data endpoint in SAMLProviderDataViewSet allows authenticated Enterprise Admin users to supply …
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-42858
|
2026-05-13 23:53 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1157
|
8.5 |
HIGH
Network
|
openedx
|
edx-enterprise
|
The Open edx Enterprise Service app provides enterprise features to the Open edX platform. From 7.0.2 to 7.0.4, the sync_provider_data endpoint in SAMLProviderDataViewSet fetches SAML metadata from a…
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-42860
|
2026-05-13 23:50 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1158
|
7.5 |
HIGH
Network
|
-
|
-
|
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature b…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-34645
|
2026-05-13 23:49 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1159
|
7.5 |
HIGH
Network
|
-
|
-
|
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature b…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-34646
|
2026-05-13 23:49 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1160
|
7.4 |
HIGH
Network
|
-
|
-
|
Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security…
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-34647
|
2026-05-13 23:49 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
