|
2441
|
6.5 |
MEDIUM
Network
|
-
|
-
|
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the fix for CVE-2026-33509 prevents setting storage_folder inside PKGDIR or userdir, but does NOT protect…
|
CWE-706
Use of Incorrectly-Resolved Name or Reference
|
CVE-2026-45306
|
2026-05-30 00:39 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2442
|
8.7 |
HIGH
Network
|
-
|
-
|
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the packages.js template at src/pyload/webui/app/themes/modern/templates/js/packages.js:172 interpolates …
|
CWE-79
Cross-site Scripting
|
CVE-2026-45348
|
2026-05-30 00:39 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2443
|
5.0 |
MEDIUM
Network
|
-
|
-
|
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the PREREQFUNCTION-based private IP check was not applied to HTTPRequest (used by the parse_urls API). An…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-46561
|
2026-05-30 00:39 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2444
|
8.8 |
HIGH
Network
|
-
|
-
|
vllm-project/vllm version 0.14.1 contains a vulnerability where the `trust_remote_code=True` parameter is hardcoded in two model implementation files (`vllm/model_executor/models/nemotron_vl.py` and …
|
CWE-22
Path Traversal
|
CVE-2026-4944
|
2026-05-30 00:39 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2445
|
7.1 |
HIGH
Network
|
-
|
-
|
An SQL injection vulnerability exists in Mautic's API contact filtering mechanism. Due to insufficient recursive sanitization of nested query parameters, an authenticated API user can bypass input fi…
|
CWE-89
SQL Injection
|
CVE-2026-4776
|
2026-05-30 00:39 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2446
|
6.4 |
MEDIUM
Network
|
-
|
-
|
A Server-Side Request Forgery (SSRF) vulnerability exists in Mautic's Focus component. Due to insufficient validation of user-supplied URLs, an authenticated user can trigger outbound HTTP requests f…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-9557
|
2026-05-30 00:39 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2447
|
9.9 |
CRITICAL
Network
|
-
|
-
|
A Server-Side Template Injection (SSTI) vulnerability exists in Mautic's theme engine. The platform renders uploaded Twig templates without a sandbox or strict function restrictions. Authenticated us…
|
CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine
|
CVE-2026-9558
|
2026-05-30 00:39 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2448
|
9.9 |
CRITICAL
Network
|
-
|
-
|
A path traversal vulnerability exists in the campaign import feature of Mautic 7. When extracting uploaded ZIP files during campaign imports, a flaw in the validation logic allows file paths to escap…
|
CWE-22
CWE-73
CWE-98
Path Traversal
External Control of File Name or Path
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
|
CVE-2026-9559
|
2026-05-30 00:39 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2449
|
7.1 |
HIGH
Network
|
-
|
-
|
An authorization bypass vulnerability exists in the Mautic 7 API v2 endpoints (utilizing API Platform). Under certain conditions, roles configured with owner-scope restrictions (such as `viewown` or …
|
CWE-863
Incorrect Authorization
|
CVE-2026-9808
|
2026-05-30 00:39 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2450
|
7.6 |
HIGH
Network
|
-
|
-
|
A stored Cross-Site Scripting (XSS) vulnerability exists in the Projects component of Mautic 7. When displaying project tags and popovers on administrative detail views (such as campaigns, emails, or…
|
CWE-79
Cross-site Scripting
|
CVE-2026-9809
|
2026-05-30 00:39 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
