|
4501
|
5.5 |
MEDIUM
Local
|
dayuanjiang
|
next_ai_draw.io
|
Next AI Draw.io is a next.js web application that integrates AI capabilities with draw.io diagrams. Prior to 0.4.15, the embedded HTTP sidecar contains three POST handlers (/api/state, /api/restore, …
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-40608
|
2026-04-28 04:41 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4502
|
8.1 |
HIGH
Network
|
kyverno
|
kyverno
|
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno c…
|
CWE-922
Insecure Storage of Sensitive Information
|
CVE-2026-40868
|
2026-04-28 04:41 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4503
|
9.9 |
CRITICAL
Network
|
microsoft
|
azure_iot_central
|
Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network.
|
CWE-200
Information Exposure
|
CVE-2026-21515
|
2026-04-28 04:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4504
|
6.5 |
MEDIUM
Network
|
frappe
|
frappe_hr
|
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting…
|
CWE-284
Improper Access Control
|
CVE-2026-40888
|
2026-04-28 04:39 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4505
|
6.5 |
MEDIUM
Network
|
frappe
|
frappe_hr
|
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Ver…
|
CWE-284
Improper Access Control
|
CVE-2026-40889
|
2026-04-28 04:39 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4506
|
6.5 |
MEDIUM
Network
|
frappe
|
frappe_hr
|
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.54.0 and 14.38.1, a specially crafted request made to a certain endpoint could result in SQL injection, al…
|
CWE-89
SQL Injection
|
CVE-2026-41320
|
2026-04-28 04:38 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4507
|
6.5 |
MEDIUM
Network
|
pypdf_project
|
pypdf
|
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires…
|
CWE-789
Memory Allocation with Excessive Size Value
|
CVE-2026-41312
|
2026-04-28 04:31 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4508
|
6.5 |
MEDIUM
Network
|
pypdf_project
|
pypdf
|
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to long runtimes. This requires loading a…
|
CWE-834
Excessive Iteration
|
CVE-2026-41313
|
2026-04-28 04:30 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4509
|
6.5 |
MEDIUM
Network
|
pypdf_project
|
pypdf
|
pypdf is a free and open-source pure-python PDF library. An attacker who uses a vulnerability present in versions prior to 6.10.2 can craft a PDF which leads to the RAM being exhausted. This requires…
|
CWE-789
Memory Allocation with Excessive Size Value
|
CVE-2026-41314
|
2026-04-28 04:29 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4510
|
9.1 |
CRITICAL
Network
|
oauth2_proxy_project
|
oauth2_proxy
|
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions 7.5.0 through 7.15.1 may trust a client-supplied `X-Forwarded-Uri` header when `--reverse-proxy` is enabl…
|
CWE-290
Authentication Bypass by Spoofing
|
CVE-2026-40575
|
2026-04-28 04:29 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
