|
431
|
- |
|
-
|
-
|
Mastodon is a free, open-source social network server based on ActivityPub. Prior to v4.5.9, v4.4.16, and v4.3.22, Mastodon allows restricting new user sign-up based on e-mail domain names, and perfo…
New
|
CWE-841
Improper Enforcement of Behavioral Workflow
|
CVE-2026-41259
|
2026-04-24 23:50 |
2026-04-24 |
|
|
|
|
432
|
- |
|
-
|
-
|
A path traversal condition in Intrado 911 Emergency Gateway could allow an attacker with existing network access the ability to access the EGW management interface without authentication. Successful …
New
|
CWE-35
Path Traversal: '.../...//'
|
CVE-2026-6074
|
2026-04-24 23:50 |
2026-04-24 |
|
|
|
|
433
|
- |
|
-
|
-
|
LeRobot through 0.5.1 contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels wit…
New
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-25874
|
2026-04-24 23:50 |
2026-04-24 |
|
|
|
|
434
|
6.8 |
MEDIUM
Network
|
-
|
-
|
SWUpdate contains an integer underflow vulnerability in the multipart upload parser in mongoose_multipart.c that allows unauthenticated attackers to cause a denial of service by sending a crafted HTT…
New
|
CWE-125, CWE-191
Out-of-bounds Read; Integer Underflow (Wrap or Wraparound)
|
CVE-2026-28525
|
2026-04-24 23:50 |
2026-04-24 |
|
|
|
|
435
|
- |
|
-
|
-
|
A vulnerability in SpiceJet’s booking API allows unauthenticated users to query passenger name records (PNRs) without any access controls. Because PNR identifiers follow a predictable pattern, an att…
New
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-6375
|
2026-04-24 23:50 |
2026-04-24 |
|
|
|
|
436
|
- |
|
-
|
-
|
A weakness in SpiceJet’s public booking retrieval page permits full passenger booking details to be accessed using only a PNR and last name, with no authentication or verification mechanisms. This re…
New
|
CWE-306
Missing Authentication for Critical Function
|
CVE-2026-6376
|
2026-04-24 23:50 |
2026-04-24 |
|
|
|
|
437
|
7.1 |
HIGH
Local
|
-
|
-
|
radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the …
New
|
CWE-22
Path Traversal
|
CVE-2026-6940
|
2026-04-24 23:50 |
2026-04-24 |
|
|
|
|
438
|
6.6 |
MEDIUM
Local
|
-
|
-
|
radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malic…
New
|
CWE-59
Link Following
|
CVE-2026-6941
|
2026-04-24 23:50 |
2026-04-24 |
|
|
|
|
439
|
9.8 |
CRITICAL
Network
|
-
|
-
|
KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authe…
New
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-26210
|
2026-04-24 23:50 |
2026-04-24 |
|
|
|
|
440
|
- |
|
-
|
-
|
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execut…
New
|
CWE-943
Improper Neutralization of Special Elements in Data Query Logic
|
CVE-2026-41274
|
2026-04-24 23:50 |
2026-04-24 |
|
|
|