|
2471
|
6.1 |
MEDIUM
Network
|
-
|
-
|
fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. T…
|
CWE-91
Blind XPath Injection
|
CVE-2026-44665
|
2026-05-19 01:16 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2472
|
7.5 |
HIGH
Network
|
-
|
-
|
Snappier is a high performance C# implementation of the Snappy compression algorithm. Prior to 1.3.1, Snappier.SnappyStream enters an uncatchable infinite loop when decompressing a malformed framed-f…
|
CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
|
CVE-2026-44302
|
2026-05-19 01:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2473
|
- |
|
-
|
-
|
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry …
|
CWE-77
Command Injection
|
CVE-2026-44257
|
2026-05-19 01:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2474
|
- |
|
-
|
-
|
DSSRF is a Node.js library that provides a wide range of utilities and advanced SSRF defense checks. Prior to 1.3.0, every IPv6 category bypasses is_url_safe. This vulnerability is fixed in 1.3.0.
|
CWE-791
Incomplete Filtering of Special Elements
|
CVE-2026-44232
|
2026-05-19 01:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2475
|
8.6 |
HIGH
Network
|
vm2_project
|
vm2
|
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise construct…
|
CWE-248
Uncaught Exception
|
CVE-2026-44001
|
2026-05-19 01:16 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2476
|
7.5 |
HIGH
Network
|
-
|
-
|
Granian is a Rust HTTP server for Python applications. From 1.2.0 to 2.7.4, Granian aborts a worker process when an unauthenticated client sends a WebSocket upgrade request whose Sec-WebSocket-Protoc…
|
CWE-20
CWE-248
CWE-400
Improper Input Validation
Uncaught Exception
Uncontrolled Resource Consumption
|
CVE-2026-42544
|
2026-05-19 01:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2477
|
10.0 |
CRITICAL
Network
|
-
|
-
|
ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard …
|
CWE-94
Code Injection
|
CVE-2026-42288
|
2026-05-19 01:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2478
|
- |
|
-
|
-
|
Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, a remote attacker can create a map node with a malici…
|
CWE-79
Cross-site Scripting
|
CVE-2026-42157
|
2026-05-19 01:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2479
|
5.0 |
MEDIUM
Network
|
-
|
-
|
mosparo is the modern solution to protect your online forms from spam. Prior to 1.4.13, the automatic rule package source URL feature allows a project member with the editor role to store an attacker…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-41195
|
2026-05-19 01:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2480
|
7.5 |
HIGH
Network
|
-
|
-
|
An issue in prestashop upsshipping all versions through at least 2.4.0 allows a remote attacker to obtain sensitive information via the /modules/upsshipping/logs/, and /modules/upsshipping/lib/UPSBas…
|
CWE-200
Information Exposure
|
CVE-2026-39079
|
2026-05-19 01:16 |
2026-05-19 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
