|
1151
|
8.4 |
HIGH
Network
|
-
|
-
|
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. From 2.0.0 to before 3.1.5 and 2.3.11, Himmelblau contained an authentication bypass vulnerability in the Device Autho…
|
CWE-863
Incorrect Authorization
|
CVE-2026-45108
|
2026-05-28 05:16 |
2026-05-28 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1152
|
7.5 |
HIGH
Network
|
-
|
-
|
Vanetza is an open-source implementation of the ETSI C-ITS protocol suite. In 26.02 and earlier, a denial-of-service vulnerability was identified in the ASN.1/OER parsing pipeline of Vanetza. When pr…
|
CWE-248
Uncaught Exception
|
CVE-2026-43988
|
2026-05-28 05:16 |
2026-05-27 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1153
|
8.7 |
HIGH
Network
|
-
|
-
|
RELATE is a web-based courseware package. Versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620 have a stored cross-site scripting vulnerability that allows any enrolled student to execut…
|
CWE-79
Cross-site Scripting
|
CVE-2026-42197
|
2026-05-28 05:16 |
2026-05-28 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1154
|
6.3 |
MEDIUM
Network
|
-
|
-
|
FacturaScripts is an open source accounting and invoicing software. In 2025.81 and earlier, an authenticated unrestricted file upload vulnerability exists in FacturaScripts' product image upload func…
|
CWE-94
CWE-434
Code Injection
Unrestricted Upload of File with Dangerous Type
|
CVE-2026-42879
|
2026-05-28 04:49 |
2026-05-28 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1155
|
- |
|
-
|
-
|
MaxKB is an open-source AI assistant for enterprise. Prior to 2.8.1, MaxKB v2.8.0 and prior are vulnerable to a server-side request forgery (SSRF) bypass in the OSS file service URL fetch (chat/api/o…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-42335
|
2026-05-28 04:41 |
2026-05-27 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1156
|
- |
|
-
|
-
|
MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a server-side request forgery (SSRF) bypass in the OSS file service URL fetch functionality due to inconsi…
|
CWE-367
CWE-918
Time-of-check Time-of-use (TOCTOU) Race Condition
Server-Side Request Forgery (SSRF)
|
CVE-2026-42336
|
2026-05-28 04:41 |
2026-05-27 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1157
|
- |
|
-
|
-
|
MaxKB is an open-source AI assistant for enterprise. MaxKB 2.8.0 and prior are vulnerable to a broken access control vulnerability in the OSS file service URL fetch API (chat/api/oss/get_url). The en…
|
CWE-862
Missing Authorization
|
CVE-2026-42337
|
2026-05-28 04:41 |
2026-05-27 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1158
|
7.5 |
HIGH
Network
|
-
|
-
|
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.0, MaxKB's webhook trigger endpoint (/api/trigger/v1/webhook/{trigger_id}) is accessible without authentication. The WebhookAuth clas…
|
CWE-287
CWE-306
Improper Authentication
Missing Authentication for Critical Function
|
CVE-2026-44847
|
2026-05-28 04:41 |
2026-05-27 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1159
|
- |
|
-
|
-
|
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, SSRF via work_flow_template Import. Authenticated users can supply arbitrary URLs in work_flow_template.downloadUrl which are fetc…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-45412
|
2026-05-28 04:41 |
2026-05-27 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1160
|
- |
|
-
|
-
|
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, user passwords are stored using unsalted MD5 hashes, making them trivially crackable via rainbow tables or GPU-accelerated brute f…
|
CWE-328
Use of Weak Hash
|
CVE-2026-45413
|
2026-05-28 04:41 |
2026-05-27 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
