|
931
|
4.2 |
MEDIUM
Network
|
-
|
-
|
Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cycle_session_keys()", but DRF API tokens ("wlu_…
New
|
CWE-613
Insufficient Session Expiration
|
CVE-2026-41519
|
2026-05-8 00:46 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
932
|
- |
|
-
|
-
|
Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial p…
New
|
CWE-20
CWE-918
Improper Input Validation
Server-Side Request Forgery (SSRF)
|
CVE-2026-41654
|
2026-05-8 00:46 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
933
|
4.3 |
MEDIUM
Network
|
-
|
-
|
Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user. Th…
New
|
CWE-203
Information Exposure Through Discrepancy
|
CVE-2026-44263
|
2026-05-8 00:46 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
934
|
4.3 |
MEDIUM
Network
|
-
|
-
|
Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has…
New
|
CWE-80
Basic XSS
|
CVE-2026-44264
|
2026-05-8 00:46 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
935
|
7.7 |
HIGH
Network
|
-
|
-
|
Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but passes the origina…
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-41688
|
2026-05-8 00:45 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
936
|
9.6 |
CRITICAL
Network
|
-
|
-
|
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in th…
Update
|
CWE-79
CWE-94
Cross-site Scripting
Code Injection
|
CVE-2026-42090
|
2026-05-8 00:44 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
937
|
8.1 |
HIGH
Network
|
-
|
-
|
Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a path traversal vulnerability in the skill download (fetch) command allows attackers to write files to arbitrary…
Update
|
CWE-22
Path Traversal
|
CVE-2026-42075
|
2026-05-8 00:43 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
938
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Note Mark is an open-source note-taking application. Prior to version 0.19.3, after a note-mark owner soft-deletes a public book, its notes and uploaded assets stay readable at /api/notes/{id}, /api/…
Update
|
CWE-285
Improper Authorization
|
CVE-2026-41572
|
2026-05-8 00:43 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
939
|
6.5 |
MEDIUM
Network
|
-
|
-
|
titra is an open source time tracking project. In version 0.99.52, the globalsettings Meteor publication returns all global settings without any admin or role check. Any authenticated user can subscr…
Update
|
CWE-200
Information Exposure
|
CVE-2026-42092
|
2026-05-8 00:43 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
940
|
4.4 |
MEDIUM
Network
|
-
|
-
|
PlantUML Macro is a macro for rendering UML diagrams from simple textual schemes. Prior to version 2.4.1, the PlantUML Macro is vulnerable to Server-Side Request Forgery (SSRF). The macro allows user…
Update
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-42140
|
2026-05-8 00:43 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
