|
131
|
8.1 |
HIGH
Adjacent
|
-
|
-
|
BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attac…
New
|
CWE-122
Heap-based Buffer Overflow
|
CVE-2026-29004
|
2026-05-6 23:16 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
132
|
4.7 |
MEDIUM
Network
|
-
|
-
|
Vulnerability in the Oracle Macoron Tool product of Oracle Open Source Projects. The supported versions that is affected is v0.22.0. Easily exploitable vulnerability allows unauthenticated attacker w…
New
|
-
|
CVE-2026-35253
|
2026-05-6 22:26 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
133
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplyin…
New
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-41950
|
2026-05-6 22:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
134
|
- |
|
-
|
-
|
Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline charac…
New
|
CWE-93
CRLF Injection
|
CVE-2026-39849
|
2026-05-6 22:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
135
|
- |
|
-
|
-
|
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a Time-of-Check-to-Time-of-Use (TOCTOU) race condition exists during addon installation.…
New
|
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
|
CVE-2026-34596
|
2026-05-6 22:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
136
|
- |
|
-
|
-
|
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, SbieIniServer::HashPassword converts a SHA-1 digest to hexadecimal incorrectly. The high…
New
|
CWE-328
Use of Weak Hash
|
CVE-2026-34527
|
2026-05-6 22:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
137
|
- |
|
-
|
-
|
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, an INI injection vulnerability allows any standard local user to bypass configuration re…
New
|
CWE-93
CRLF Injection
|
CVE-2026-34458
|
2026-05-6 22:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
138
|
- |
|
-
|
-
|
CoreDNS is a DNS server that chains plugins. In versions prior to 1.14.3, the tsig plugin can be bypassed on non-plain-DNS transports (DoT, DoH, DoH3, DoQ, and gRPC) because it trusts the transport w…
New
|
CWE-303
Incorrect Implementation of Authentication Algorithm
|
CVE-2026-33190
|
2026-05-6 22:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
139
|
- |
|
-
|
-
|
Vaultwarden is a Bitwarden-compatible server written in Rust. In versions 1.35.4 and earlier, the WebAuthn authentication flow in `validate_webauthn_login()` updates persistent credential metadata (1…
New
|
CWE-345
Insufficient Verification of Data Authenticity
|
CVE-2026-31835
|
2026-05-6 22:16 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
140
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper …
New
|
CWE-91
Blind XPath Injection
|
CVE-2026-27693
|
2026-05-6 22:16 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
