|
2261
|
2.4 |
LOW
Network
|
-
|
-
|
Zen is a firefox-based browser. Prior to 1.19.12b, RSS feed URLs entered by the user are validated to http: or https: in promptForFeedUrl, but item links inside the feed are not subject to the same r…
|
CWE-20
Improper Input Validation
|
CVE-2026-44658
|
2026-05-14 00:37 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2262
|
4.7 |
MEDIUM
Network
|
-
|
-
|
Zen is a firefox-based browser. Prior to 1.19.12b, the ZEN Browser incorrectly truncates long hostnames in the address bar and shows only the attacker-controlled prefix of the subdomain, hiding the a…
|
CWE-451
User Interface (UI) Misrepresentation of Critical Information
|
CVE-2026-44659
|
2026-05-14 00:37 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2263
|
- |
|
-
|
-
|
An authenticated administrator who configures or tests LDAP connectivity in Sonatype Nexus Repository Manager versions 3.0.0 through 3.91.1 may be able to initiate unintended server-side connections …
|
CWE-502
CWE-918
Deserialization of Untrusted Data
Server-Side Request Forgery (SSRF)
|
CVE-2026-3048
|
2026-05-14 00:36 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2264
|
- |
|
-
|
-
|
An authenticated user with upload permission to a hosted repository can store content that causes arbitrary JavaScript to execute in the browser of any user who browses that repository directory via …
|
CWE-79
Cross-site Scripting
|
CVE-2026-7308
|
2026-05-14 00:36 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2265
|
- |
|
-
|
-
|
Reflected Cross-Site Scripting (XSS) in the latest demo version of the Cradle eCommerce platform. User-controlled input is insecurely reflected in the HTML output in the endpoint /collection/. Exploi…
|
CWE-79
Cross-site Scripting
|
CVE-2026-3319
|
2026-05-14 00:36 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2266
|
- |
|
-
|
-
|
Reflected Cross-Site Scripting (XSS) in the latest demo version of the Cradle eCommerce platform. User-controlled input is insecurely reflected in the HTML output in the endpoint /product/. Exploitat…
|
CWE-79
Cross-site Scripting
|
CVE-2026-3320
|
2026-05-14 00:36 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2267
|
- |
|
-
|
-
|
Insecure generation of credentials in the local SAT (Technical Support) access functionality of the Ingecon Sun EMS Board. The vulnerability arose because the secret access credentials were not based…
|
CWE-327
Use of a Broken or Risky Cryptographic Algorithm
|
CVE-2026-8072
|
2026-05-14 00:36 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2268
|
7.7 |
HIGH
Network
|
-
|
-
|
In Meari IoT Cloud MQTT Broker deployments running EMQX 4.x, any authenticated low-privilege account can subscribe to global wildcard topics and receive telemetry from devices the user does not own. …
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-33356
|
2026-05-14 00:36 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2269
|
7.5 |
HIGH
Network
|
-
|
-
|
In Meari client applications embedding "com.meari.sdk" (including CloudEdge 5.5.0 build 220, Arenti 1.8.1 build 220, and related white-label <= 1.8.x), the integrated call path to openapi-euce.mearic…
|
CWE-862
Missing Authorization
|
CVE-2026-33357
|
2026-05-14 00:36 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2270
|
7.5 |
HIGH
Network
|
-
|
-
|
In Meari IoT Cloud alert image storage on Alibaba OSS (latest observed; storage service version not disclosed), motion snapshots are retrievable without authentication, signed URLs, or expiry enforce…
|
CWE-862
Missing Authorization
|
CVE-2026-33359
|
2026-05-14 00:36 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
