| # | CVSS | Severity | Vector | Description | CWE | CVE | Updated | Published |
|---|---|---|---|---|---|---|---|---|
| 1861 | 9.3 | CRITICAL | Network | Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths. Text returned by a PostgreSQL server (ErrorResponse messages, including object names quoted back inside relat… | CWE-79 (Cross-site Scripting), CWE-116 (Improper Encoding or Escaping of Output) | CVE-2026-12048 | 2026-06-23 05:23 | 2026-06-19 |
| 1862 | 4.3 | MEDIUM | Network | Open redirect in pgAdmin 4's multi-factor authentication flow. The MFA validate and register endpoints honoured the user-supplied 'next' query/form parameter without confirming the target pointed bac… | CWE-601 (Open Redirect) | CVE-2026-12049 | 2026-06-23 05:23 | 2026-06-19 |
| 1863 | 4.3 | MEDIUM | Network | SQL injection in pgAdmin 4's named restore point endpoint (POST /browser/server/restore_point/{gid}/{sid}). The user-supplied 'value' field was interpolated directly into the SQL string with str.form… | CWE-89 (SQL Injection) | CVE-2026-12050 | 2026-06-23 05:23 | 2026-06-19 |
| 1864 | - | - | - | A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables with… | - | CVE-2026-11752 | 2026-06-23 05:21 | 2026-06-19 |
| 1865 | - | - | - | SP LMS (com_splms) < 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server. | CWE-502 (Deserialization of Untrusted Data) | CVE-2026-48909 | 2026-06-23 05:21 | 2026-06-20 |
| 1866 | - | - | - | A vulnerability has been identified in centraldogma-server-mirror-git versions prior to 0.84.0, where the Git mirror SSH client does not verify remote host keys for git+ssh:// connections, allowing a… | CWE-322 (Key Exchange without Entity Authentication) | CVE-2026-11745 | 2026-06-23 05:21 | 2026-06-22 |
| 1867 | - | - | - | A vulnerability has been identified in centraldogma-server versions prior to 0.84.0, where enabling ZooKeeper replication without setting replication.secret causes the server to silently fall back to… | CWE-798 (Use of Hard-coded Credentials) | CVE-2026-11746 | 2026-06-23 05:21 | 2026-06-22 |
| 1868 | - | - | - | A vulnerability has been identified in centraldogma-server-auth-shiro versions prior to 0.84.0, where the SearchFirstActiveDirectoryRealm substitutes the login username into an LDAP search filter wit… | CWE-90 (LDAP Injection) | CVE-2026-11748 | 2026-06-23 05:21 | 2026-06-22 |
| 1869 | 5.3 | MEDIUM | Network | A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a `GOAWAY` frame. This vulnerability affects two supported release lines: **Node.js 22** and **Node.js … | CWE-400 (Uncontrolled Resource Consumption) | CVE-2026-48937 | 2026-06-23 05:20 | 2026-06-19 |
| 1870 | 7.5 | HIGH | Network | The public dashboard query endpoint does not limit request body size before processing, allowing unauthenticated attackers to trigger excessive memory allocation by sending arbitrarily large JSON pay… | CWE-770 (Allocation of Resources Without Limits or Throttling) | CVE-2026-42127 | 2026-06-23 05:19 | 2026-06-23 |
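The str.format pattern behind entry 1863 (CVE-2026-12050), shown beside the parameterised form, as an added example. This is not pgAdmin's code: the function names are hypothetical, an in-memory SQLite database stands in for the PostgreSQL connection, and `executescript` is used on the vulnerable path to mimic a driver that sends multi-statement query text (the 63-byte name limit is an assumption modelled on PostgreSQL's restore point name limit, and is a secondary check, not the fix).

```python
import sqlite3

# Constructed attacker input: closes the string literal, appends a second
# statement, then comments out the remainder of the original query.
PAYLOAD = "before_upgrade'); DROP TABLE restore_points; --"


def build_restore_point_vulnerable(value: str) -> str:
    """Vulnerable pattern: the user-controlled name is interpolated into the
    SQL text with str.format, so quote characters in it rewrite the query."""
    return "INSERT INTO restore_points(name) VALUES ('{0}');".format(value)


def build_restore_point_safe(value: str) -> tuple[str, tuple[str]]:
    """Hardened pattern: the SQL text is a constant and the name travels as a
    bound parameter, so it can never be parsed as SQL.  The length check is an
    assumption (63 bytes, as for PostgreSQL restore point names)."""
    if not value or len(value.encode("utf-8")) > 63:
        raise ValueError("restore point name must be 1..63 bytes")
    return "INSERT INTO restore_points(name) VALUES (?);", (value,)


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE restore_points(name TEXT NOT NULL)")
    return conn


def run_vulnerable(conn: sqlite3.Connection, value: str) -> None:
    # executescript runs every statement in the text, like a simple-query
    # protocol round trip would on PostgreSQL (hypothetical stand-in).
    conn.executescript(build_restore_point_vulnerable(value))


def run_safe(conn: sqlite3.Connection, value: str) -> None:
    sql, params = build_restore_point_safe(value)
    conn.execute(sql, params)


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='restore_points'"
    ).fetchone()
    return row[0] == 1


def stored_names(conn: sqlite3.Connection) -> list[str]:
    return [r[0] for r in conn.execute("SELECT name FROM restore_points ORDER BY name")]


def demo() -> tuple[bool, list[str]]:
    """Returns (table survived on the vulnerable path, names stored on the safe path)."""
    vuln = fresh_db()
    run_vulnerable(vuln, PAYLOAD)
    safe = fresh_db()
    run_safe(safe, PAYLOAD)
    return table_exists(vuln), stored_names(safe)


if __name__ == "__main__":
    survived, names = demo()
    print("vulnerable path: table survived =", survived)
    print("safe path: stored names =", names)
```

On the vulnerable path the injected `DROP TABLE` runs and the table is gone; on the safe path the entire payload is stored as one literal name. Binding parameters is the fix; a length or character whitelist on the name is defence in depth that also gives a cleaner error than the server's.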
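A validator for a user-supplied `next` parameter of the kind entry 1862 (CVE-2026-12049) describes, as an added example that is not pgAdmin's code. It accepts only same-origin targets and rejects the usual bypasses (scheme-relative `//host`, backslash and multi-slash variants, leading control characters, `javascript:` and other schemes, userinfo tricks); `allowed_host` and the function names are assumptions.

```python
from urllib.parse import urlsplit


def is_safe_next(target: str, allowed_host: str) -> bool:
    """True only if redirecting to target keeps the browser on allowed_host."""
    if not target:
        return False
    # Browsers strip leading control characters and treat backslash as a
    # slash, so "\t//evil" and "/\\evil" both become "//evil".  Reject outright.
    if "\\" in target or any(ord(c) < 0x21 for c in target):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: allow only http(s) back to our own
        # host.  hostname drops userinfo and port, so "https://us@evil" fails.
        if parts.scheme not in ("http", "https"):
            return False
        return (parts.hostname or "").lower() == allowed_host.lower()
    # Relative reference: must be an absolute path.  "//" is already handled
    # as netloc above, but "///host" parses with an empty netloc and browsers
    # still collapse it to a host, so require exactly one leading slash.
    return target.startswith("/") and not target.startswith("//")


def safe_redirect_target(next_param: str, allowed_host: str, fallback: str = "/") -> str:
    """Return next_param if it is safe to redirect to, else the fallback."""
    return next_param if is_safe_next(next_param, allowed_host) else fallback


if __name__ == "__main__":
    host = "pgadmin.example"  # assumed deployment host
    for candidate in ["/browser/", "//evil.example/", "/\\evil.example",
                      "///evil.example", "javascript:alert(1)",
                      "https://pgadmin.example/browser/", "\t//evil.example"]:
        print(repr(candidate), "->", safe_redirect_target(candidate, host))
```

The check runs on the raw parameter, before any `urljoin` with the request base; joining first would turn `//evil.example` into a full URL that a naive host comparison might then accept.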
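The username-in-filter pattern of entry 1868 (CVE-2026-11748), with an RFC 4515 filter-value escaper beside it, as an added example. Central Dogma is a Java project; this is not its code, and the example is in Python with hypothetical names so that it runs alongside the other examples on this page. Only the assertion value is escaped; the filter template itself stays fixed.

```python
# Bytes that RFC 4515 requires to be escaped inside a filter assertion value.
_MUST_ESCAPE = frozenset(b"\\*()\x00")

# Hypothetical search-first template: find the user by account name, then bind
# as the returned DN.  The shape matches what the advisory describes.
USER_FILTER_TEMPLATE = "(&(objectClass=user)(sAMAccountName={0}))"


def ldap_escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an RFC 4515 filter.

    Metacharacters, control bytes and non-ASCII bytes are emitted as \\xx hex
    escapes of their UTF-8 encoding, which every compliant server accepts."""
    out = []
    for b in value.encode("utf-8"):
        if b in _MUST_ESCAPE or b < 0x20 or b > 0x7E:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def build_user_filter_vulnerable(username: str) -> str:
    """Vulnerable pattern: the raw login name is substituted into the filter,
    so '*' or ')(...' rewrites the search."""
    return USER_FILTER_TEMPLATE.format(username)


def build_user_filter_safe(username: str) -> str:
    """Hardened pattern: the same template, with the value escaped first."""
    return USER_FILTER_TEMPLATE.format(ldap_escape_filter_value(username))


if __name__ == "__main__":
    # Constructed inputs: a wildcard that matches the first user, and a
    # parenthesis injection that appends a clause of the attacker's choosing.
    for name in ["alice", "*", "*)(memberOf=CN=Admins,DC=example,DC=org"]:
        print("raw :", build_user_filter_vulnerable(name))
        print("safe:", build_user_filter_safe(name))
```

With the raw substitution, a login name of `*` yields `(sAMAccountName=*)`, so a search-first realm resolves "any user" to the first directory entry it returns; after escaping, the same input searches for the literal string `\2a`, which matches nothing.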
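A bounded body reader for an unauthenticated JSON endpoint of the kind entry 1870 (CVE-2026-42127) describes, as an added example that is not the affected project's code. The limit value, the exception type and the function names are assumptions; the stream is any file-like object, so the example runs on an in-memory buffer.

```python
import io
import json

MAX_BODY_BYTES = 64 * 1024  # assumed limit for a dashboard query payload


class BodyTooLarge(ValueError):
    """Raised before any allocation proportional to the client's payload."""


def read_json_vulnerable(stream) -> object:
    """Vulnerable pattern: read the whole body, then parse it.  Memory use is
    whatever the client chose to send."""
    return json.loads(stream.read())


def read_json_bounded(stream, content_length=None, limit: int = MAX_BODY_BYTES) -> object:
    """Hardened pattern: reject on the declared length first, then read at most
    limit + 1 bytes so a lying or chunked client cannot exceed the cap either."""
    if content_length is not None and content_length > limit:
        raise BodyTooLarge(f"declared Content-Length {content_length} > {limit}")
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise BodyTooLarge(f"body exceeds {limit} bytes")
    return json.loads(data)


def bytes_consumed_by(reader, payload: bytes, **kwargs) -> tuple[int, object]:
    """Run reader over a constructed payload; return (bytes read, result or error)."""
    stream = io.BytesIO(payload)
    try:
        result = reader(stream, **kwargs)
    except BodyTooLarge as exc:
        result = exc
    return stream.tell(), result


def oversized_payload(size: int) -> bytes:
    """Constructed attacker payload: a valid JSON document padded past the limit."""
    return b'{"query": "' + b"A" * size + b'"}'


if __name__ == "__main__":
    big = oversized_payload(8 * MAX_BODY_BYTES)
    print("vulnerable read:", bytes_consumed_by(read_json_vulnerable, big)[0], "bytes")
    consumed, result = bytes_consumed_by(read_json_bounded, big)
    print("bounded read   :", consumed, "bytes ->", result)
```

Checking `Content-Length` alone is not enough: a client can omit it (chunked encoding) or understate it, so the read itself must be capped. The `limit + 1` read is what turns "is the body too big?" into a constant-memory question.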