|
3201
|
3.7 |
LOW
Network
|
-
|
-
|
A flaw was found in gnutls. The PKCS#7 padding check, performed during decryption, was not constant-time. This timing side-channel could allow a remote attacker to potentially leak sensitive informat…
|
CWE-208
Information Exposure Through Timing Discrepancy
|
CVE-2026-5419
|
2026-06-3 02:16 |
2026-06-2 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3202
|
4.2 |
MEDIUM
Network
|
pyjwt_project
|
pyjwt
|
PyJWT is a JSON Web Token implementation in Python. Prior to 2.13.0, PyJWKClient passes its uri argument directly to urllib.request.urlopen() which uses Python stdlib's default OpenerDirector registe…
|
CWE-441
CWE-918
Confused Deputy
Server-Side Request Forgery (SSRF)
|
CVE-2026-48522
|
2026-06-3 02:16 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3203
|
8.5 |
HIGH
Network
|
oracle
|
financials_common_modules
|
Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable v…
|
NVD-CWE-noinfo
CWE-284
Improper Access Control
|
CVE-2026-46820
|
2026-06-3 02:16 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3204
|
4.3 |
MEDIUM
Network
|
apache
|
airflow
|
The Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` in Apache Airflow fetched audit-log rows directly by numeric ID after only the generic Audit Log permission check, while the colle…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-46764
|
2026-06-3 02:16 |
2026-06-1 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3205
|
8.8 |
HIGH
Network
|
-
|
-
|
Microsoft UFO open-source framework for intelligent automation across devices and platforms. In 3.0.1-4-ge2626659, Microsoft UFO's WebSocket control plane trusts client-supplied identity and role fie…
|
CWE-290
CWE-639
CWE-862
Authentication Bypass by Spoofing
Authorization Bypass Through User-Controlled Key
Missing Authorization
|
CVE-2026-46414
|
2026-06-3 02:16 |
2026-05-28 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3206
|
9.9 |
CRITICAL
Network
|
-
|
-
|
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authenticated user can create, up…
|
CWE-78
CWE-269
CWE-862
OS Command
Improper Privilege Management
Missing Authorization
|
CVE-2026-45632
|
2026-06-3 02:16 |
2026-05-30 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3207
|
6.1 |
MEDIUM
Network
|
authlib
|
authlib
|
Authlib is a Python library which builds OAuth and OpenID Connect servers. Prior to 1.6.12 and 1.7.1, an unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authoriza…
|
CWE-601
CWE-863
Open Redirect
Incorrect Authorization
|
CVE-2026-44681
|
2026-06-3 02:16 |
2026-05-28 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3208
|
6.5 |
MEDIUM
Network
|
apache
|
airflow
|
A bug in Apache Airflow's Variable response masker caused nested-key redaction (triggered by secret-suffixed key names like `password`, `token`, `secret`, `api_key`) to be bypassed when the JSON valu…
|
CWE-200
Information Exposure
|
CVE-2026-42358
|
2026-06-3 02:16 |
2026-06-1 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3209
|
5.9 |
MEDIUM
Network
|
apache
|
airflow
|
Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server behind an HTTPS-terminating reverse proxy (e.g. nginx / Envoy …
|
CWE-614
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
|
CVE-2026-41017
|
2026-06-3 02:16 |
2026-06-1 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3210
|
- |
|
-
|
-
|
NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/pages/forum/get_quotes.php` only checks whether the caller is logged in, then reads a post by attacker-controlle…
|
CWE-285
Improper Authorization
|
CVE-2026-33398
|
2026-06-3 02:16 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
