| 931 | 5.3 | MEDIUM, Network | - | - | Mojolicious::Plugin::Statsd versions through 0.04 for Perl allowed metric injections. The metric names and set values were not checked for newlines, colons or pipes. Metrics generated from untrusted… (Update) | CWE-93 (CRLF Injection) | CVE-2026-46740 | 2026-05-29 01:16 | 2026-05-27 |
| 932 | 7.7 | HIGH, Network | - | - | Budibase is an open-source low-code platform. Prior to 3.38.3, removeSecrets at packages/server/src/sdk/workspace/datasources/datasources.ts masks only datasource config fields whose schema type is D… (Update) | CWE-200 (Information Exposure) | CVE-2026-46427 | 2026-05-29 01:16 | 2026-05-28 |
| 933 | 4.2 | MEDIUM, Network | - | - | Budibase is an open-source low-code platform. Prior to 3.38.2, the public API role unassignment endpoint (POST /api/public/v1/roles/unassign) updates user documents in CouchDB but does not invalidate… (Update) | CWE-269 (Improper Privilege Management) | CVE-2026-46424 | 2026-05-29 01:16 | 2026-05-28 |
| 934 | 5.4 | MEDIUM, Network | - | - | Budibase is an open-source low-code platform. Prior to 3.38.1, the row action trigger endpoint (POST /api/tables/:sourceId/actions/:actionId/trigger) fails to validate that the user-supplied rowId is… (Update) | CWE-863 (Incorrect Authorization) | CVE-2026-45718 | 2026-05-29 01:16 | 2026-05-28 |
| 935 | 5.4 | MEDIUM, Network | - | - | WeGIA is a web manager for charitable institutions. Prior to 3.7.3, an Open Redirect vulnerability was identified in the /WeGIA/controle/control.php endpoint of the WeGIA application, specifically th… (Update) | CWE-601 (Open Redirect) | CVE-2026-45335 | 2026-05-29 01:16 | 2026-05-28 |
| 936 | 7.5 | HIGH, Network | - | - | Dalfox is a powerful open-source XSS scanner and utility focused on automation. Prior to 2.13.0, ParameterAnalysis in pkg/scanning/parameterAnalysis.go runs two sequential worker stages that both wri… (Update) | CWE-362, CWE-404 (Race Condition; Improper Resource Shutdown or Release) | CVE-2026-45090 | 2026-05-29 01:16 | 2026-05-28 |
| 937 | 7.7 | HIGH, Network | - | - | Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint (POST /api/plugin) validates the submitted URL with a single substring check: url.includes(".tar.gz"). A… (Update) | CWE-918 (Server-Side Request Forgery (SSRF)) | CVE-2026-45061 | 2026-05-29 01:16 | 2026-05-28 |
| 938 | 5.9 | MEDIUM, Network | - | - | view_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. From 3.0.0 to 4.9.0, the system test entrypoint canonicalizes a user-controlled file … (Update) | CWE-187 (Partial String Comparison) | CVE-2026-44837 | 2026-05-29 01:16 | 2026-05-27 |
| 939 | - | | - | - | mapfish-print is a component of MapFish for printing templated cartographic maps. From 3.23.0 to before 3.28.28, 3.30.30, 3.31.22, 3.33.14, and 4.0.3, the attacker can execute arbitrary code in Dyna… (New) | CWE-94 (Code Injection) | CVE-2026-44672 | 2026-05-29 01:16 | 2026-05-29 |
| 940 | 7.4 | HIGH, Network | - | - | FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 3.12.0, /api/totp_setup.php is callable from a session that has only passed the passwo… (Update) | CWE-200, CWE-287, CWE-306 (Information Exposure; Improper Authentication; Missing Authentication for Critical Function) | CVE-2026-44460 | 2026-05-29 01:16 | 2026-05-28 |