|
1901
|
8.1 |
HIGH
Network
|
-
|
-
|
Lemur manages TLS certificate creation. Prior to 1.9.0, Lemur's LDAP authentication module (lemur/auth/ldap.py) constructs LDAP search filters using unsanitized user input via Python string interpola…
|
CWE-90
LDAP Injection
|
CVE-2026-44304
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1902
|
- |
|
-
|
-
|
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the elfinder_checkRisk function validates target and targets for path traversal and home containment, but does not validate the dst (dest…
|
CWE-78
OS Command
|
CVE-2026-44258
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1903
|
7.5 |
HIGH
Network
|
-
|
-
|
basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP s…
|
CWE-400
CWE-770
Uncontrolled Resource Consumption
Allocation of Resources Without Limits or Throttling
|
CVE-2026-44240
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1904
|
9.3 |
CRITICAL
Network
|
-
|
-
|
Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged web application, giving it access to the …
|
CWE-22
CWE-284
Path Traversal
Improper Access Control
|
CVE-2026-44225
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1905
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Shelf is a platform for tracking physical assets. From 1.12 to before 1.20.1, a SQL injection vulnerability in the sortBy query parameter on the /assets route allows any authenticated user (any role)…
|
CWE-20
CWE-89
Improper Input Validation
SQL Injection
|
CVE-2026-44204
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1906
|
5.9 |
MEDIUM
Network
|
-
|
-
|
Granian is a Rust HTTP server for Python applications. From 0.2.0 to 2.7.4, Granian aborts a worker process if a WSGI application returns an invalid HTTP response header name or value. The WSGI respo…
|
CWE-248
CWE-755
Uncaught Exception
Improper Handling of Exceptional Conditions
|
CVE-2026-42545
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1907
|
8.8 |
HIGH
Network
|
-
|
-
|
ChurchCRM is an open-source church management system. Prior to 7.3.2, UserEditor.php processes user account creation and permission updates entirely through $_POST parameters with no CSRF token valid…
|
CWE-269
CWE-306
CWE-352
Improper Privilege Management
Missing Authentication for Critical Function
Origin Validation Error
|
CVE-2026-42289
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1908
|
- |
|
-
|
-
|
Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Prior to 1.2.3, an adversary with knowledge of an investigation ID, c…
|
CWE-284
Improper Access Control
|
CVE-2026-42158
|
2026-05-14 22:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1909
|
6.8 |
MEDIUM
Physics
|
-
|
-
|
Hiseeu C90 v5.7.15 is vulnerable to Insecure Permissions. The UART bootloader is accessible when battery is disconnected (hidden/debug mode).
|
CWE-276
Incorrect Default Permissions
|
CVE-2026-36742
|
2026-05-14 22:16 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1910
|
7.2 |
HIGH
Network
|
-
|
-
|
U-SPEED AC1200 Gigabit Wi-Fi Router (Model: T18-21K) V1.0 is vulnerable to Command Injection. The Network Time Protocol (NTP) configuration interface does not properly sanitize user-supplied input. A…
|
CWE-77
Command Injection
|
CVE-2026-36741
|
2026-05-14 22:16 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
