|
1071
|
6.1 |
MEDIUM
Network
|
astro
|
astro
|
Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphert…
|
CWE-323
CWE-79
Reusing a Nonce, Key Pair in Encryption
Cross-site Scripting
|
CVE-2026-45028
|
2026-05-14 22:28 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1072
|
8.8 |
HIGH
Network
|
-
|
-
|
Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor that allows authenticated workflow authors to bypass sandbox restrictions by using object-graph introspec…
|
CWE-693
Protection Mechanism Failure
|
CVE-2026-45227
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1073
|
8.1 |
HIGH
Network
|
-
|
-
|
Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitized user input via Python string interpola…
|
CWE-90
LDAP Injection
|
CVE-2026-44304
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1074
|
- |
|
-
|
-
|
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the elfinder_checkRisk function validates target and targets for path traversal and home containment, but does not validate the dst (dest…
|
CWE-78
OS Command
|
CVE-2026-44258
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1075
|
7.5 |
HIGH
Network
|
-
|
-
|
basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP s…
|
CWE-400
CWE-770
Uncontrolled Resource Consumption
Allocation of Resources Without Limits or Throttling
|
CVE-2026-44240
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1076
|
9.3 |
CRITICAL
Network
|
-
|
-
|
Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged web application, giving it access to the …
|
CWE-22
CWE-284
Path Traversal
Improper Access Control
|
CVE-2026-44225
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1077
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Shelf is a platform for tracking physical assets. From 1.12 to before 1.20.1, a SQL injection vulnerability in the sortBy query parameter on the /assets route allows any authenticated user (any role)…
|
CWE-20
CWE-89
Improper Input Validation
SQL Injection
|
CVE-2026-44204
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1078
|
5.9 |
MEDIUM
Network
|
-
|
-
|
Granian is a Rust HTTP server for Python applications. From 0.2.0 to 2.7.4, Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI respo…
|
CWE-248
CWE-755
Uncaught Exception
Improper Handling of Exceptional Conditions
|
CVE-2026-42545
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1079
|
8.8 |
HIGH
Network
|
-
|
-
|
ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token valid…
|
CWE-269
CWE-306
CWE-352
Improper Privilege Management
Missing Authentication for Critical Function
Origin Validation Error
|
CVE-2026-42289
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1080
|
- |
|
-
|
-
|
Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, an adversary with knowledge of an investigation ID, c…
|
CWE-284
Improper Access Control
|
CVE-2026-42158
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
