|
1051
|
8.3 |
HIGH
Network
|
-
|
-
|
Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.4, the /aggregate/:typename endpoint accepted column and group query parameters that were passed verbatim to goqu.L() — a raw SQL lite…
|
CWE-89
SQL Injection
|
CVE-2026-41422
|
2026-05-8 00:47 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1052
|
5.4 |
MEDIUM
Network
|
-
|
-
|
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a c…
|
CWE-79
Cross-site Scripting
|
CVE-2026-40296
|
2026-05-8 00:47 |
2026-05-7 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1053
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the _extractLLM() function allows attackers to execute arbitrary shell comma…
|
CWE-78
OS Command
|
CVE-2026-42076
|
2026-05-8 00:46 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1054
|
5.2 |
MEDIUM
Local
|
-
|
-
|
Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a prototype pollution vulnerability in the mailbox store module allows attackers to modify the behavior of all Ja…
|
CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
|
CVE-2026-42077
|
2026-05-8 00:46 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1055
|
4.2 |
MEDIUM
Network
|
-
|
-
|
Weblate is a web based localization tool. Prior to version 5.17.1, when a user changes their password, browser sessions are correctly invalidated via "cycle_session_keys()", but DRF API tokens ("wlu_…
|
CWE-613
Insufficient Session Expiration
|
CVE-2026-41519
|
2026-05-8 00:46 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1056
|
- |
|
-
|
-
|
Weblate is a web based localization tool. Prior to version 5.17.1, an authenticated user with project.add permission (default on hosted Weblate SaaS and for any user holding an active billing/trial p…
|
CWE-20
CWE-918
Improper Input Validation
Server-Side Request Forgery (SSRF)
|
CVE-2026-41654
|
2026-05-8 00:46 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1057
|
4.3 |
MEDIUM
Network
|
-
|
-
|
Weblate is a web based localization tool. Prior to version 5.17.1, the screenshots, tasks, and component link API allowed for the enumeration of translations in a project inaccessible to the user. Th…
|
CWE-203
Information Exposure Through Discrepancy
|
CVE-2026-44263
|
2026-05-8 00:46 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1058
|
4.3 |
MEDIUM
Network
|
-
|
-
|
Weblate is a web based localization tool. Prior to version 5.17.1, the Markdown renderer used in user comments and other user-provided content didn't properly sanitize some attributes. This issue has…
|
CWE-80
Basic XSS
|
CVE-2026-44264
|
2026-05-8 00:46 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1059
|
7.7 |
HIGH
Network
|
-
|
-
|
Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but passes the origina…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-41688
|
2026-05-8 00:45 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1060
|
9.6 |
CRITICAL
Network
|
-
|
-
|
Notesnook is a note-taking app focused on user privacy & ease of use. Prior to Notesnook Web/Desktop version 3.3.15 and prior to Notesnook iOS/Android version 3.3.20, a stored XSS vulnerability in th…
|
CWE-79
CWE-94
Cross-site Scripting
Code Injection
|
CVE-2026-42090
|
2026-05-8 00:44 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
