| # | CVSS | Severity | Vector | Vendor | Product | Description | Status | CWE | CVE | Updated | Published |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 811 | 8.8 | HIGH | Network | jenkins | official_owasp_zap | Jenkins OWASP ZAP Plugin 1.0.7 and earlier performs build operations on the Jenkins controller rather than the assigned agent, allowing attackers with Item/Configure permission to execute arbitrary c… | New | CWE-610 (Externally Controlled Reference to a Resource in Another Sphere) | CVE-2026-57301 | 2026-06-27 04:06 | 2026-06-24 |
| 812 | 4.3 | MEDIUM | Network | jenkins | fitnesse | Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to t… | New | CWE-256 (Plaintext Storage of a Password) | CVE-2026-57302 | 2026-06-27 04:05 | 2026-06-24 |
| 813 | 4.2 | MEDIUM | Network | jenkins | zowe_zdevops | A cross-site request forgery (CSRF) vulnerability in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified… | New | CWE-352 (Origin Validation Error) | CVE-2026-57306 | 2026-06-27 04:05 | 2026-06-24 |
| 814 | 4.2 | MEDIUM | Network | jenkins | zowe_zdevops | A missing permission check in Jenkins Zowe zDevOps Plugin 1.1.3.50.ve350c9b_450b_1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-spe… | New | CWE-862 (Missing Authorization) | CVE-2026-57307 | 2026-06-27 04:05 | 2026-06-24 |
| 815 | 7.5 | HIGH | Network | shell-quote_project | shell-quote | shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a resu… | New | CWE-407 (Inefficient Algorithmic Complexity) | CVE-2026-13311 | 2026-06-27 04:03 | 2026-06-25 |
| 816 | 2.6 | LOW | Network | nokogiri | nokogiri | Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-… | New | CWE-178 (Improper Handling of Case Sensitivity), CWE-184 (Incomplete Blacklist), CWE-611 (XXE) | CVE-2026-57234 | 2026-06-27 04:03 | 2026-06-26 |
| 817 | 8.1 | HIGH | Network | librechat | librechat | LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the GET /api/auth/2fa/enable endpoint can be called by an authenticated user (or attacker with a stolen… | New | CWE-306 (Missing Authentication for Critical Function) | CVE-2026-54036 | 2026-06-27 04:02 | 2026-06-26 |
| 818 | 8.8 | HIGH | Network | dokku | dokku | Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filen… | New | CWE-95 (Eval Injection) | CVE-2026-45406 | 2026-06-27 04:01 | 2026-06-27 |
| 819 | 5.5 | MEDIUM | Local | freebsd | freebsd | When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The … | New | CWE-269 (Improper Privilege Management) | CVE-2026-45256 | 2026-06-27 03:58 | 2026-06-27 |
| 820 | 7.5 | HIGH | Network | apache | apache-airflow-providers-ftp | The Apache Airflow FTP provider's `FTPSHook.get_conn()` created an `ftplib.FTP_TLS` connection but never called `prot_p()`, so although the control channel was TLS-protected the data channel was tran… | New | CWE-319 (Cleartext Transmission of Sensitive Information) | CVE-2026-49486 | 2026-06-27 03:58 | 2026-06-26 |