|
2841
|
6.8 |
MEDIUM
Network
|
oauth2_proxy_project
|
oauth2_proxy
|
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Prior to 7.15.2, an authorization bypass exists in OAuth2 Proxy as part of the email_domain enforcement option. An…
|
CWE-863
Incorrect Authorization
|
CVE-2026-40574
|
2026-04-28 04:49 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2842
|
7.5 |
HIGH
Network
|
ransomlook
|
ransomlook
|
RansomLook is a tool to monitor Ransomware groups and markets and extract their victims. Prior to 1.9.0, the API in the affected application improperly filters private location entries in website/web…
|
CWE-200
Information Exposure
|
CVE-2026-40584
|
2026-04-28 04:47 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2843
|
9.0 |
CRITICAL
Network
|
craftycontrol
|
crafty_controller
|
An insecure direct object reference vulnerability in the Users API component of Crafty Controller allows a remote, authenticated attacker to perform user modification actions via improper API permiss…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-5652
|
2026-04-28 04:47 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2844
|
4.8 |
MEDIUM
Network
|
pyload-ng_project
|
pyload-ng
|
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev98, the set_session_cookie_secure before_request handler in src/pyload/webui/app/__init__.py reads the X-Forwa…
|
CWE-346
Origin Validation Error
|
CVE-2026-40594
|
2026-04-28 04:43 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2845
|
5.6 |
MEDIUM
Local
|
home-assistant-ecosystem
|
home_assistant_command-line_interface
|
The Home Assistant Command-line interface (hass-cli) is a command-line tool for Home Assistant. Up to 1.0.0 of home-assitant-cli an unrestricted environment was used to handle Jninja2 templates inste…
|
CWE-94
CWE-1336
Code Injection
Improper Neutralization of Special Elements Used in a Template Engine
|
CVE-2026-40602
|
2026-04-28 04:43 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2846
|
5.5 |
MEDIUM
Local
|
dayuanjiang
|
next_ai_draw.io
|
Next AI Draw.io is a next.js web application that integrates AI capabilities with draw.io diagrams. Prior to 0.4.15, the embedded HTTP sidecar contains three POST handlers (/api/state, /api/restore, …
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-40608
|
2026-04-28 04:41 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2847
|
8.1 |
HIGH
Network
|
kyverno
|
kyverno
|
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno c…
|
CWE-922
Insecure Storage of Sensitive Information
|
CVE-2026-40868
|
2026-04-28 04:41 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2848
|
9.9 |
CRITICAL
Network
|
microsoft
|
azure_iot_central
|
Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network.
|
CWE-200
Information Exposure
|
CVE-2026-21515
|
2026-04-28 04:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2849
|
6.5 |
MEDIUM
Network
|
frappe
|
frappe_hr
|
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.1 and 16.4.1, an authenticated user with default role can access unauthorized information by exploiting…
|
CWE-284
Improper Access Control
|
CVE-2026-40888
|
2026-04-28 04:39 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2850
|
6.5 |
MEDIUM
Network
|
frappe
|
frappe_hr
|
Frappe HR is an open-source human resources management solution (HRMS). Prior to versions 15.58.2 and 16.4.2, authenticated users can access unauthorized files by exploiting certain api endpoint. Ver…
|
CWE-284
Improper Access Control
|
CVE-2026-40889
|
2026-04-28 04:39 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
