|
1891
|
- |
|
-
|
-
|
Kirby is an open-source content management system. Prior to versions 4.9.0 and 5.4.0, user avatar creation, replacement and deletion are not gated by user update permissions. This issue has been patc…
|
CWE-862
Missing Authorization
|
CVE-2026-42174
|
2026-05-13 00:37 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1892
|
6.7 |
MEDIUM
Network
|
-
|
-
|
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.67.0, Scoold allows the admins configuration value to be modified through /api/config/set/admins with a forged Bearer to…
|
CWE-306
Missing Authentication for Critical Function
|
CVE-2026-42176
|
2026-05-13 00:33 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1893
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Lemmy is a link aggregator and forum for the fediverse. Prior to version 0.19.18, Lemmy fetches metadata for user-supplied post URLs and, under the default StoreLinkPreviews image mode, downloads the…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-42181
|
2026-05-13 00:31 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1894
|
8.6 |
HIGH
Network
|
-
|
-
|
18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object…
|
CWE-22
CWE-1321
Path Traversal
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
|
CVE-2026-41690
|
2026-05-13 00:29 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1895
|
8.2 |
HIGH
Network
|
-
|
-
|
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled ln…
|
CWE-22
CWE-918
Path Traversal
Server-Side Request Forgery (SSRF)
|
CVE-2026-42353
|
2026-05-13 00:29 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1896
|
8.6 |
HIGH
Network
|
-
|
-
|
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled languag…
|
CWE-79
CWE-113
Cross-site Scripting
HTTP Response Splitting
|
CVE-2026-41683
|
2026-05-13 00:29 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1897
|
8.2 |
HIGH
Network
|
-
|
-
|
i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options…
|
CWE-22
CWE-73
Path Traversal
External Control of File Name or Path
|
CVE-2026-41693
|
2026-05-13 00:29 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1898
|
6.5 |
MEDIUM
Network
|
-
|
-
|
i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, proje…
|
CWE-22
CWE-74
Path Traversal
Injection
|
CVE-2026-41885
|
2026-05-13 00:29 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1899
|
7.3 |
HIGH
Network
|
-
|
-
|
D-Link DCS-932L v2.18.01 is vulnerable to Command Injection in the function sub_42EF14 of the file /bin/alphapd. The manipulation of the argument LightSensorControl leads to command injection.
|
CWE-77
Command Injection
|
CVE-2026-36983
|
2026-05-13 00:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1900
|
4.3 |
MEDIUM
Network
|
-
|
-
|
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/filesystem/pathexists endpoint uses String.startsWith() to validate that a resolved file path is within a …
|
CWE-22
Path Traversal
|
CVE-2026-42885
|
2026-05-13 00:13 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
