|
1531
|
8.1 |
HIGH
Network
|
-
|
-
|
HireFlow v1.2 is vulnerable to Incorrect Access Control. The application does not enforce object-level authorization on the /candidate/<id> and /interview/<id> endpoints. The route handlers retrieve …
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-38568
|
2026-05-13 00:05 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1532
|
5.4 |
MEDIUM
Network
|
-
|
-
|
HireFlow v1.2 is vulnerable to Cross Site Scripting (XSS) in candidate_detail.html via the Resume or Feedback Comment fields via POST /candidates/add or POST /feedback/add.
|
CWE-79
Cross-site Scripting
|
CVE-2026-38569
|
2026-05-13 00:05 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1533
|
5.3 |
MEDIUM
Network
|
uriparser_project
|
uriparser
|
In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal.
|
CWE-670
Always-Incorrect Control Flow Implementation
|
CVE-2026-44928
|
2026-05-13 00:00 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1534
|
5.3 |
MEDIUM
Network
|
sync-in
|
sync-in_server
|
Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.2.0, the /api/auth/login endpoint contains a logic flaw that allows unauthen…
|
CWE-208
Information Exposure Through Timing Discrepancy
|
CVE-2026-41161
|
2026-05-13 00:00 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1535
|
5.3 |
MEDIUM
Network
|
angular
|
angular
|
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.21, 20.3.19, 21.2.9, and 22.0.0-next.8, a Se…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-41423
|
2026-05-12 23:58 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1536
|
7.5 |
HIGH
Network
|
-
|
-
|
An issue was discovered in kosma minmea 0.3.0. The minmea_scan functions format specifier copies NMEA field data to a caller-provided buffer without a size parameter. Applications using minmea_scan o…
|
CWE-121
Stack-based Buffer Overflow
|
CVE-2026-29974
|
2026-05-12 23:51 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1537
|
7.5 |
HIGH
Network
|
-
|
-
|
lwjson 1.8.1 contains an improper input validation vulnerability in the streaming JSON parser (lwjson_stream.c). The end-of-string detection logic incorrectly identifies escaped quote characters by o…
|
CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
|
CVE-2026-29975
|
2026-05-12 23:51 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1538
|
9.1 |
CRITICAL
Network
|
-
|
-
|
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, an authenticated user with administrative privileges can achieve Remote Code Execution (RCE) by uploading a specially crafted ZIP file throug…
|
CWE-94
Code Injection
|
CVE-2026-42607
|
2026-05-12 23:51 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1539
|
9.4 |
CRITICAL
Network
|
-
|
-
|
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, the Login::register() method in the Login plugin accepts attacker-controlled groups and access fields from the registration POST data without…
|
CWE-20
CWE-862
Improper Input Validation
Missing Authorization
|
CVE-2026-42613
|
2026-05-12 23:51 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1540
|
- |
|
-
|
-
|
The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0 , there is an unauthenticated page-content overwrite via file upload (GHSA-w4rc-p66m-x6qq). Public form uploads now s…
|
CWE-73
External Control of File Name or Path
|
CVE-2026-42845
|
2026-05-12 23:51 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
