|
4151
|
7.5 |
HIGH
Network
|
-
|
-
|
The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks.
|
CWE-22
Path Traversal
|
CVE-2026-6381
|
2026-05-19 02:05 |
2026-05-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4152
|
7.1 |
HIGH
Network
|
-
|
-
|
The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used again…
|
CWE-79
Cross-site Scripting
|
CVE-2026-6495
|
2026-05-19 02:05 |
2026-05-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4153
|
8.1 |
HIGH
Network
|
dani-garcia
|
vaultwarden
|
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, refresh tokens are not invalidated when the user's security_stamp is rotated by some security-sensitive operations (pass…
|
CWE-613
Insufficient Session Expiration
|
CVE-2026-43911
|
2026-05-19 01:58 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4154
|
6.1 |
MEDIUM
Network
|
gofiber
|
fiber
|
Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, Cross-Site Scripting vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html…
|
CWE-79
Cross-site Scripting
|
CVE-2026-42554
|
2026-05-19 01:50 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4155
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-39608. Reason: This candidate is a reservation duplicate of CVE-2026-39608. Notes: All CVE users should reference …
|
-
|
CVE-2026-4663
|
2026-05-19 01:16 |
2026-05-12 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4156
|
6.1 |
MEDIUM
Network
|
-
|
-
|
fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. T…
|
CWE-91
Blind XPath Injection
|
CVE-2026-44665
|
2026-05-19 01:16 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4157
|
7.5 |
HIGH
Network
|
-
|
-
|
Snappier is a high performance C# implementation of the Snappy compression algorithm. Prior to 1.3.1, Snappier.SnappyStream enters an uncatchable infinite loop when decompressing a malformed framed-f…
|
CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
|
CVE-2026-44302
|
2026-05-19 01:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4158
|
- |
|
-
|
-
|
efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, efw.file.FileManager.unZip writes zip entries to disk using new File(baseDir, zipEntry.getName()) with no canonical-path check. An entry …
|
CWE-77
Command Injection
|
CVE-2026-44257
|
2026-05-19 01:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4159
|
- |
|
-
|
-
|
DSSRF is a Node.js library that provides a wide range of utilities and advanced SSRF defense checks. Prior to 1.3.0, every IPv6 category bypasses is_url_safe. This vulnerability is fixed in 1.3.0.
|
CWE-791
Incomplete Filtering of Special Elements
|
CVE-2026-44232
|
2026-05-19 01:16 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4160
|
8.6 |
HIGH
Network
|
vm2_project
|
vm2
|
vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, a sandbox escape vulnerability in vm2 v3.10.5 allows any sandboxed code to crash the host Node.js process via a single Promise construct…
|
CWE-248
Uncaught Exception
|
CVE-2026-44001
|
2026-05-19 01:16 |
2026-05-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
