|
4051
|
7.8 |
HIGH
Local
|
-
|
-
|
PHPUnit is a testing framework for PHP. In versions 12.5.21 and 13.1.5, PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as -d name=value command-line argu…
|
CWE-88
CWE-93
Argument Injection
CRLF Injection
|
CVE-2026-41570
|
2026-05-9 02:16 |
2026-05-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4052
|
8.8 |
HIGH
Network
|
-
|
-
|
NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js.
|
CWE-78
OS Command
|
CVE-2025-63705
|
2026-05-9 02:16 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4053
|
9.8 |
CRITICAL
Network
|
phpoffice
|
phpspreadsheet
|
PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.2 and earlier, 2.0.0 through 2.1.14, 2.2.0 through 2.4.3, 3.3.0 through 3.10.3, and 4.0.0 through 5.5.0, when t…
|
CWE-502
CWE-918
Deserialization of Untrusted Data
Server-Side Request Forgery (SSRF)
|
CVE-2026-34084
|
2026-05-9 02:10 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4054
|
5.4 |
MEDIUM
Network
|
phpoffice
|
phpspreadsheet
|
PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HT…
|
CWE-79
Cross-site Scripting
|
CVE-2026-35453
|
2026-05-9 02:08 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4055
|
7.5 |
HIGH
Network
|
torproject
|
tor
|
Tor before 0.4.9.7, when circuit queue memory pressure exists, can experience a client crash because of a double close of a circuit, aka TROVE-2026-009.
|
CWE-837
Improper Enforcement of a Single, Unique Action
|
CVE-2026-44601
|
2026-05-9 02:07 |
2026-05-7 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4056
|
7.5 |
HIGH
Network
|
torproject
|
tor
|
Tor before 0.4.9.7 has a NULL pointer dereference when a CERT cell is received out of order, aka TROVE-2026-006.
|
CWE-476
NULL Pointer Dereference
|
CVE-2026-44602
|
2026-05-9 02:06 |
2026-05-7 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4057
|
9.8 |
CRITICAL
Network
|
frappe
|
erpnext
|
ERPNext v15.103.1 and before is vulnerable to Server-Side Template Injection (SSTI). An attacker with permission to create or edit email templates can inject template expressions that are executed on…
|
CWE-94
Code Injection
|
CVE-2026-38431
|
2026-05-9 02:06 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4058
|
8.8 |
HIGH
Network
|
mathjs
|
mathjs
|
Math.js is an extensive math library for JavaScript and Node.js. From version 13.1.0 to before version 15.2.0, arbitrary JavaScript can be executed via the expression parser of mathjs. This issue has…
|
CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
|
CVE-2026-41139
|
2026-05-9 02:06 |
2026-05-7 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4059
|
6.1 |
MEDIUM
Network
|
frappe
|
erpnext
|
ERPNext v15.103.1 and before is vulnerable to Cross Site Scripting (XSS) in the Email Template engine. An attacker with permission to create or edit email templates can inject malicious JavaScript co…
|
CWE-79
Cross-site Scripting
|
CVE-2026-38432
|
2026-05-9 02:05 |
2026-05-6 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4060
|
7.7 |
HIGH
Network
|
istio
|
istio
|
Istio is an open platform to connect, manage, and secure microservices. Prior to versions 1.28.6 and 1.29.2, when a RequestAuthentication resource is created with a jwksUri pointing to an internal se…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-41413
|
2026-05-9 02:03 |
2026-05-7 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
