|
1011
|
7.5 |
HIGH
Network
|
python
|
urllib3
|
urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) c…
|
CWE-409
Improper Handling of Highly Compressed Data (Data Amplification)
|
CVE-2026-44432
|
2026-05-14 22:49 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1012
|
5.9 |
MEDIUM
Network
|
haxx
|
curl
|
A vulnerability exists where a connection requiring TLS incorrectly reuses an
existing unencrypted connection from the same connection pool. If an initial
transfer is made in clear-text (via IMAP, SM…
|
CWE-295
CWE-319
Improper Certificate Validation
Cleartext Transmission of Sensitive Information
|
CVE-2026-4873
|
2026-05-14 22:45 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1013
|
5.4 |
MEDIUM
Network
|
vercel
|
next.js
|
Next.js is a React framework for building full-stack web applications. From 14.2.0 to before 15.5.16 and 16.2.5, applications using React Server Components can be vulnerable to cache poisoning when s…
|
CWE-436
Interpretation Conflict
|
CVE-2026-44576
|
2026-05-14 22:44 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1014
|
5.9 |
MEDIUM
Network
|
haxx
|
curl
|
curl might erroneously pass on credentials for a first proxy to a second
proxy.
This can happen when the following conditions are true:
1. curl is setup to use specific different proxies for differ…
|
CWE-522
Insufficiently Protected Credentials
|
CVE-2026-6253
|
2026-05-14 22:40 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1015
|
6.1 |
MEDIUM
Network
|
astro
|
astro
|
Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphert…
|
CWE-323
CWE-79
Reusing a Nonce, Key Pair in Encryption
Cross-site Scripting
|
CVE-2026-45028
|
2026-05-14 22:28 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1016
|
8.8 |
HIGH
Network
|
-
|
-
|
Heym before 0.0.21 contains a sandbox escape vulnerability in the custom Python tool executor that allows authenticated workflow authors to bypass sandbox restrictions by using object-graph introspec…
|
CWE-693
Protection Mechanism Failure
|
CVE-2026-45227
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1017
|
8.1 |
HIGH
Network
|
-
|
-
|
Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitized user input via Python string interpola…
|
CWE-90
LDAP Injection
|
CVE-2026-44304
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1018
|
- |
|
-
|
-
|
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the elfinder_checkRisk function validates target and targets for path traversal and home containment, but does not validate the dst (dest…
|
CWE-78
OS Command
|
CVE-2026-44258
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1019
|
7.5 |
HIGH
Network
|
-
|
-
|
basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP s…
|
CWE-400
CWE-770
Uncontrolled Resource Consumption
Allocation of Resources Without Limits or Throttling
|
CVE-2026-44240
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1020
|
9.3 |
CRITICAL
Network
|
-
|
-
|
Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged web application, giving it access to the …
|
CWE-22
CWE-284
Path Traversal
Improper Access Control
|
CVE-2026-44225
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
