|
2571
|
8.8 |
HIGH
Network
|
apache
|
nifi
|
The optional extension component TinkerpopClientService is missing the Restricted annotation with the Execute Code Required Permission in Apache NiFi 2.0.0-M1 through 2.8.0. The TinkerpopClientServic…
|
CWE-862
Missing Authorization
|
CVE-2026-39816
|
2026-05-9 11:16 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2572
|
- |
|
-
|
-
|
UltraDAG is a minimal DAG-BFT blockchain in Rust. Prior to commit fb6ef59, the UltraDAG StateEngine implementation of SmartTransferTx contains a critical logic flaw in its policy enforcement pipeline…
|
CWE-284
CWE-639
Improper Access Control
Authorization Bypass Through User-Controlled Key
|
CVE-2026-42278
|
2026-05-9 09:16 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2573
|
8.1 |
HIGH
Network
|
praison
|
praisonai
praisonaiagents
|
PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine si…
|
CWE-89
SQL Injection
|
CVE-2026-41496
|
2026-05-9 09:16 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2574
|
9.8 |
CRITICAL
Network
|
gitpython_project
|
gitpython
|
GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)…
|
CWE-88
Argument Injection
|
CVE-2026-42284
|
2026-05-9 08:16 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2575
|
- |
|
-
|
-
|
Saltcorn is an extensible, open source, no-code database application builder. Prior to versions 1.4.6, 1.5.6, and 1.6.0-beta.5, Saltcorn validates the post-login dest parameter with a string check th…
|
CWE-601
Open Redirect
|
CVE-2026-42259
|
2026-05-9 08:16 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2576
|
9.8 |
CRITICAL
Network
|
-
|
-
|
ChestnutCMS v1.5.10 has a SQL injection vulnerability. The content parameter of the cms_content tag can be manipulated in the admin backend and injected into a SQL query when the template is rendered.
|
CWE-94
Code Injection
|
CVE-2026-36458
|
2026-05-9 08:16 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2577
|
- |
|
-
|
-
|
Uncontrolled Resource Consumption vulnerability in ericmj decimal allows unauthenticated remote Denial of Service.
The decimal library does not bound the exponent on parsed input. Storing a decimal …
|
CWE-400
Uncontrolled Resource Consumption
|
CVE-2026-32686
|
2026-05-9 08:16 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2578
|
9.8 |
CRITICAL
Network
|
-
|
-
|
The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes an HTTP API on TCP port 2345 that allows full unauthenticated remote control of the device. The API supports bot…
|
CWE-285
Improper Authorization
|
CVE-2026-30496
|
2026-05-9 08:16 |
2026-05-7 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2579
|
8.8 |
HIGH
Adjacent
|
-
|
-
|
The Optoma CinemaX P2 projector (firmware TVOS-04.24.010.04.01, Android 8.0.0) exposes Android Debug Bridge (ADB) on TCP port 5555 over the network without requiring authentication. The device is con…
|
CWE-285
Improper Authorization
|
CVE-2026-30495
|
2026-05-9 08:16 |
2026-05-7 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2580
|
6.1 |
MEDIUM
Network
|
-
|
-
|
Sidekiq-cron thru 2.3.1, an open-source scheduling add-on for Sidekiq, is vulnerable to a cross-site scripting (xss) vulnerability via crafted URL being rended from cron.erb.
|
CWE-79
Cross-site Scripting
|
CVE-2025-67202
|
2026-05-9 08:16 |
2026-05-8 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
