|
141
|
8.2 |
HIGH
Network
|
-
|
-
|
Forem is open source software for building communities. Prior to commit a2ab6d4, a maliciously crafted email address could allow an attacker to bypass domain allowlist or denylist restrictions and ga…
New
|
CWE-287
Improper Authentication
|
CVE-2026-48780
|
2026-06-17 00:46 |
2026-06-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
142
|
9.1 |
CRITICAL
Network
|
-
|
-
|
Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys (e.g. via i18next-http-middleware's missingKeyHandler expos…
New
|
CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
|
CVE-2026-48713
|
2026-06-17 00:46 |
2026-06-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
143
|
9.1 |
CRITICAL
Network
|
-
|
-
|
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request…
New
|
CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
|
CVE-2026-48714
|
2026-06-17 00:46 |
2026-06-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
144
|
7.1 |
HIGH
Local
|
-
|
-
|
A vulnerability in Kedro version 1.2.0 allows an attacker to exploit path traversal by providing a crafted version string. The `_get_versioned_path()` method in `kedro/io/core.py` directly interpolat…
Update
|
CWE-22
Path Traversal
|
CVE-2026-3840
|
2026-06-17 00:42 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
145
|
8.8 |
HIGH
Network
|
-
|
-
|
Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting clie…
Update
|
CWE-415
Double Free
|
CVE-2026-12043
|
2026-06-17 00:42 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
146
|
7.5 |
HIGH
Network
|
-
|
-
|
form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into…
Update
|
CWE-93
CRLF Injection
|
CVE-2026-12143
|
2026-06-17 00:42 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
147
|
7.5 |
HIGH
Network
|
-
|
-
|
IBM Qiskit SDK 0.43.0 through 2.5.0 could allow an attacker to trigger a segmentation fault leading to a denial of service due to uncontrolled recursion in the parser.
Update
|
CWE-674
Uncontrolled Recursion
|
CVE-2026-4870
|
2026-06-17 00:42 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
148
|
- |
|
-
|
-
|
We have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator.
### S…
Update
|
CWE-22
Path Traversal
|
CVE-2026-11769
|
2026-06-17 00:42 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
149
|
- |
|
-
|
-
|
The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent DNS rebinding attacks. Prior to the v0.25.0 release, users ha…
Update
|
CWE-346
Origin Validation Error
|
CVE-2026-11624
|
2026-06-17 00:42 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
150
|
5.5 |
MEDIUM
Local
|
-
|
-
|
Incorrect default permissions in Kiro IDE on macOS and Linux before version 0.11.133 could expose the authentication token cache file to other local users or processes via world-readable permissions …
New
|
CWE-276
Incorrect Default Permissions
|
CVE-2026-11931
|
2026-06-17 00:42 |
2026-06-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
