|
1941
|
5.3 |
MEDIUM
Network
|
angular
|
angular
|
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, a Se…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-41423
|
2026-05-12 23:58 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1942
|
7.5 |
HIGH
Network
|
-
|
-
|
An issue was discovered in kosma minmea 0.3.0. The minmea_scan functions format specifier copies NMEA field data to a caller-provided buffer without a size parameter. Applications using minmea_scan o…
|
CWE-121
Stack-based Buffer Overflow
|
CVE-2026-29974
|
2026-05-12 23:51 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1943
|
7.5 |
HIGH
Network
|
-
|
-
|
lwjson 1.8.1 contains an improper input validation vulnerability in the streaming JSON parser (lwjson_stream.c). The end-of-string detection logic incorrectly identifies escaped quote characters by o…
|
CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
|
CVE-2026-29975
|
2026-05-12 23:51 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1944
|
9.1 |
CRITICAL
Network
|
-
|
-
|
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file throug…
|
CWE-94
Code Injection
|
CVE-2026-42607
|
2026-05-12 23:51 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1945
|
9.4 |
CRITICAL
Network
|
-
|
-
|
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register() method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without…
|
CWE-20
CWE-862
Improper Input Validation
Missing Authorization
|
CVE-2026-42613
|
2026-05-12 23:51 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1946
|
- |
|
-
|
-
|
The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0 , there is an unauthenticated page-content overwrite via file upload (GHSA-w4rc-p66m-x6qq). Public form uploads now s…
|
CWE-73
External Control of File Name or Path
|
CVE-2026-42845
|
2026-05-12 23:51 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1947
|
4.3 |
MEDIUM
Network
|
-
|
-
|
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the GET /api/collections and GET /api/collections/:id endpoints return collections from all libraries without checking w…
|
CWE-863
Incorrect Authorization
|
CVE-2026-42884
|
2026-05-12 23:50 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1948
|
4.9 |
MEDIUM
Network
|
-
|
-
|
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.32.2, the POST /api/backups/upload endpoint decompresses the details entry from an uploaded .audiobookshelf ZIP file entirely …
|
CWE-409
Improper Handling of Highly Compressed Data (Data Amplification)
|
CVE-2026-42886
|
2026-05-12 23:50 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1949
|
4.5 |
MEDIUM
Network
|
-
|
-
|
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.33.0, a stored cross-site scripting (XSS) vulnerability exists in the Login Page due to improper sanitization of the authLogin…
|
CWE-79
Cross-site Scripting
|
CVE-2026-42887
|
2026-05-12 23:50 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1950
|
7.2 |
HIGH
Network
|
-
|
-
|
WWBN AVideo is an open source video platform. In versions up to and including 29.0, the server-side mitigation for the YPTSocket autoEvalCodeOnHTML eval sink (from CVE-2026-40911) only strips the pay…
|
CWE-94
Code Injection
|
CVE-2026-43874
|
2026-05-12 23:50 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
