|
141
|
6.5 |
MEDIUM
Adjacent
|
-
|
-
|
BrowserStack Runner through 0.9.5 contains a path traversal vulnerability in the _default HTTP handler in lib/server.js that allows unauthenticated network-adjacent attackers to read arbitrary files.…
New
|
CWE-22
Path Traversal
|
CVE-2026-49144
|
2026-06-5 01:10 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
142
|
5.9 |
MEDIUM
Network
|
-
|
-
|
QloApps through 1.7.0, fixed in commit 64e9722, contains a weak cryptographic algorithm vulnerability that allows attackers to compromise user credentials by exploiting the use of MD5 for password ha…
New
|
CWE-916
Use of Password Hash With Insufficient Computational Effort
|
CVE-2026-25861
|
2026-06-5 01:10 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
143
|
3.6 |
LOW
Local
|
-
|
-
|
A vulnerability has been found in mlrun up to 1.12.0-rc3. This impacts the function mlrun.utils.helpers.calculate_dataframe_hash of the file mlrun/utils/helpers.py of the component DataFrame Hash Han…
New
|
CWE-327
CWE-328
Use of a Broken or Risky Cryptographic Algorithm
Use of Weak Hash
|
CVE-2026-10766
|
2026-06-5 01:10 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
144
|
5.3 |
MEDIUM
Network
|
-
|
-
|
OMICARD EDM developed by ITPison has a Insecure Direct Object Reference vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to obtain user's email address.
New
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-10597
|
2026-06-5 01:10 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
145
|
4.3 |
MEDIUM
Network
|
-
|
-
|
A vulnerability was detected in keystonejs keystone up to 20260319. This vulnerability affects unknown code in the library packages/core/src/lib/core/queries/output-field.ts of the component GraphQL …
New
|
CWE-400
CWE-404
Uncontrolled Resource Consumption
Improper Resource Shutdown or Release
|
CVE-2026-10802
|
2026-06-5 01:10 |
2026-06-4 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
146
|
6.4 |
MEDIUM
Local
|
-
|
-
|
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, using ``CookieJar.load()`` with untrusted input may allow arbitrary code execution. Most appli…
New
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-34993
|
2026-06-5 00:49 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
147
|
- |
|
-
|
-
|
authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, the SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on ass…
New
|
CWE-345
Insufficient Verification of Data Authenticity
|
CVE-2026-41577
|
2026-06-5 00:49 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
148
|
- |
|
-
|
-
|
AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.14.0, cookies set with the `cookies` parameter on requests are sent after following a cross-origin r…
New
|
CWE-346
Origin Validation Error
|
CVE-2026-47265
|
2026-06-5 00:49 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
149
|
- |
|
-
|
-
|
authentik is an open-source identity provider. Prior to version 2026.2.3, the WS-Federation provider validates the user-supplied wreply parameter using a raw string prefix check rather than proper UR…
New
|
CWE-601
Open Redirect
|
CVE-2026-41569
|
2026-06-5 00:49 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
150
|
9.3 |
CRITICAL
Network
|
-
|
-
|
authentik is an open-source identity provider. Prior to versions 2025.12.5 and 2026.2.3, due to the implementation of stages in the SFE (Simple Flow Executor) in order to make the interface more comp…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-42849
|
2026-06-5 00:49 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
