| # | CVSS | Severity | Vector | Description | CWE | CVE | Dates |
|---|---|---|---|---|---|---|---|
| 611 | - | - | - | Budibase is an open-source low-code platform. Prior to 3.39.0, an anonymous attacker who knows or can enumerate a workspace id (app_...) and an S3-source datasource id (ds_...) can call this endpoint… | CWE-862 Missing Authorization | CVE-2026-50137 | 2026-06-30 03:51 / 2026-06-27 |
| 612 | 7.8 | HIGH | Local | Notepad++ is a free and open-source source code editor. In v8.9.6.1, isInTrustedDirectory() does not canonicalize the path before checking. It uses a prefix-based check (PathIsPrefix() or equivalent)… | CWE-42 Path Equivalence: 'filename.' (Trailing Dot) | CVE-2026-52884 | 2026-06-30 03:51 / 2026-06-27 |
| 613 | - | - | - | Notepad++ is a free and open-source source code editor. Prior to 8.9.6.4, NppCommands.cpp checks the HMAC of the on-disk shortcuts.xml at the moment a user command fires (time of check). However, the… | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition | CVE-2026-52885 | 2026-06-30 03:51 / 2026-06-27 |
| 614 | 10.0 | CRITICAL | Network | Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB… | CWE-89 SQL Injection; CWE-943 Improper Neutralization of Special Elements in Data Query Logic | CVE-2026-54350 | 2026-06-30 03:51 / 2026-06-27 |
| 615 | 6.5 | MEDIUM | Network | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint (GET /api/v1/{tenant}/executions/{executionId}/file/preview) contains … | CWE-863 Incorrect Authorization | CVE-2026-53577 | 2026-06-30 03:51 / 2026-06-27 |
| 616 | 8.7 | HIGH | Network | Kestra is an open-source, event-driven orchestration platform. Prior to 1.3.24, a vulnerability exists in the BasicAuth authentication component of the Kestra OSS workflow orchestration platform. … | CWE-916 Use of Password Hash With Insufficient Computational Effort | CVE-2026-55069 | 2026-06-30 03:51 / 2026-06-27 |
| 617 | 8.2 | HIGH | Network | Budibase is an open-source low-code platform. Prior to 3.39.9, the webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution paramete… | CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes | CVE-2026-54351 | 2026-06-30 03:51 / 2026-06-27 |
| 618 | 9.6 | CRITICAL | Network | Budibase is an open-source low-code platform. Prior to 3.39.9, `POST /api/pwa/process-zip` at packages/server/src/api/routes/static.ts:24 accepts a builder-uploaded .zip, extracts it with extract-zip… | CWE-22 Path Traversal; CWE-59 Link Following | CVE-2026-54352 | 2026-06-30 03:51 / 2026-06-27 |
| 619 | 8.5 | HIGH | Network | Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow vali… | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition; CWE-918 Server-Side Request Forgery (SSRF) | CVE-2026-54353 | 2026-06-30 03:51 / 2026-06-27 |
| 620 | 7.7 | HIGH | Network | Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.43 and 1.3.19, several Kestra API endpoints accept a kestra:// URI from the client and pass it through StorageInterface.par… | CWE-22 Path Traversal | CVE-2026-45807 | 2026-06-30 03:51 / 2026-06-27 |