| 1791 | 5.4 | MEDIUM Network | - | - | Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admin API file upload endpoint allowed uploaded files to… | CWE-434 Unrestricted Upload of File with Dangerous Type | CVE-2026-53948 | 2026-06-26 01:07 | 2026-06-25 |
| 1792 | 5.3 | MEDIUM Network | - | - | Ghost is a Node.js content management system. From 5.46.1 until 6.21.2, the validation applied to filters on the public API endpoints could be partially bypassed, making it possible to reveal private… | CWE-200 Information Exposure, CWE-693 Protection Mechanism Failure | CVE-2026-53949 | 2026-06-26 01:07 | 2026-06-25 |
| 1793 | 7.5 | HIGH Network | - | - | @tryghost/activitypub is Ghost’s social/federation client app. Prior to 3.1.0, the ActivityPub client in Ghost was vulnerable to JavaScript injection on posts shared by a maliciously customised Activ… | CWE-79 Cross-site Scripting | CVE-2026-53950 | 2026-06-26 01:07 | 2026-06-25 |
| 1794 | 5.7 | MEDIUM Network | - | - | Jellyfin is an open source self-hosted media server. Prior to 10.11.9, a potential XSS attack exists in Jellyfin which can allow a non-privileged user to execute arbitrary JavaScript in the context o… | CWE-79 Cross-site Scripting | CVE-2026-49220 | 2026-06-26 01:06 | 2026-06-25 |
| 1795 | 9.6 | CRITICAL Network | - | - | Ghost is a Node.js content management system. From until 6.37.0, when Ghost is behind a shared caching layer that results in cached content being shared between different visitors, an unauthenticate… | CWE-524 Use of Cache Containing Sensitive Information | CVE-2026-53943 | 2026-06-26 01:06 | 2026-06-25 |
| 1796 | 4.3 | MEDIUM Network | - | - | An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default. | CWE-400 Uncontrolled Resource Consumption | CVE-2026-42005 | 2026-06-26 01:00 | 2026-06-25 |
| 1797 | 7.5 | HIGH Network | - | - | A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning. | CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data | CVE-2026-33612 | 2026-06-26 01:00 | 2026-06-25 |
| 1798 | 3.7 | LOW Network | - | - | An attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the Prometheus endpoint. The pr… | CWE-116 Improper Encoding or Escaping of Output | CVE-2026-40011 | 2026-06-26 01:00 | 2026-06-25 |
| 1799 | 3.7 | LOW Network | - | - | An attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame. | CWE-705 Incorrect Control Flow Scoping | CVE-2026-40208 | 2026-06-26 00:59 | 2026-06-25 |
| 1800 | 5.3 | MEDIUM Network | - | - | An attacker might be able to cause outgoing TCP connections to backend to be stuck until a timeout occurs instead of being released immediately, by sending IXFR queries. This could be used to cause a… | CWE-772 Missing Release of Resource after Effective Lifetime | CVE-2026-40209 | 2026-06-26 00:59 | 2026-06-25 |