|
1921
|
7.6 |
HIGH
Network
|
-
|
-
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 BEAR woo-bulk-editor allows Blind SQL Injection.This issue affects BEAR: from n/a thro…
|
CWE-89
SQL Injection
|
CVE-2026-45213
|
2026-05-12 23:03 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1922
|
8.5 |
HIGH
Network
|
-
|
-
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Blind SQL Injection.This issue affects Xp…
|
CWE-89
SQL Injection
|
CVE-2026-45214
|
2026-05-12 23:03 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1923
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal WP EasyPay wp-easy-pay allows Retrieve Embedded Sensitive Data.This issue affects WP EasyPay: from n/a through <= 4.3.0.
|
CWE-201
Insertion of Sensitive Information Into Sent Data
|
CVE-2026-45215
|
2026-05-12 23:03 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1924
|
7.7 |
HIGH
Network
|
-
|
-
|
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Travel WP Travel wp-travel allows Blind SQL Injection.This issue affects WP Travel: from n/a t…
|
CWE-89
SQL Injection
|
CVE-2026-45218
|
2026-05-12 23:03 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1925
|
4.8 |
MEDIUM
Network
|
weblate
|
wlc
|
wlc is a Weblate command-line client using Weblate's REST API. Prior to version 2.0.0, the HTML output format in wlc embeds API response data into HTML without escaping, allowing cross-site scripting…
|
CWE-79
Cross-site Scripting
|
CVE-2026-42150
|
2026-05-12 23:00 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1926
|
3.3 |
LOW
Network
|
kimai
|
kimai
|
Kimai is an open-source time tracking application. Prior to version 2.54.0, the Team API endpoints use #[IsGranted('edit_team')] instead of #[IsGranted('edit', 'team')], causing Symfony TeamVoter to …
|
CWE-862
Missing Authorization
|
CVE-2026-41498
|
2026-05-12 22:59 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1927
|
6.5 |
MEDIUM
Network
|
onyx
|
onyx
|
Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/{file_id} endpoint allows any authenticated user to download any other user's uploaded files by provi…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-42277
|
2026-05-12 22:58 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1928
|
5.9 |
MEDIUM
Network
|
elabftw
|
elabftw
|
eLabFTW is an open source electronic lab notebook. In elabftw versions through 5.4.1, the login flow did not reliably preserve the multi-factor authentication state across authentication steps. Under…
|
CWE-302
Authentication Bypass by Assumed-Immutable Data
|
CVE-2026-28510
|
2026-05-12 22:58 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1929
|
9.1 |
CRITICAL
Network
|
librenms
|
librenms
|
LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's in…
|
CWE-78
OS Command
|
CVE-2024-51092
|
2026-05-12 22:50 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1930
|
7.3 |
HIGH
Network
|
astrbot
|
astrbot
|
AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT.
|
CWE-321
Use of Hard-coded Cryptographic Key
|
CVE-2025-55449
|
2026-05-12 22:49 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
