|
301
|
8.8 |
HIGH
Network
|
zed
|
zed
|
Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash variable expansion chaining (${var@P}), allowing arbitrary command execution under an allowliste…
Update
|
CWE-184
Incomplete Blacklist
|
CVE-2026-44462
|
2026-06-3 10:00 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
302
|
8.6 |
HIGH
Local
|
zed
|
zed
|
Zed is a code editor. Prior to 0.227.1, Zed builds SSH/WSL remote commands as a shell command string that starts with exec env ..., but environment variable keys are inserted without shell quoting or…
Update
|
CWE-78
OS Command
|
CVE-2026-44461
|
2026-06-3 09:58 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
303
|
7.5 |
HIGH
Network
|
jg-rp
|
python_liquid
|
Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search pa…
Update
|
CWE-22
Path Traversal
|
CVE-2026-45017
|
2026-06-3 09:43 |
2026-05-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
304
|
4.3 |
MEDIUM
Network
|
-
|
-
|
The EmergencyWP – Dead Man's switch & legacy deliverance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing or incorr…
New
|
CWE-352
Origin Validation Error
|
CVE-2026-9732
|
2026-06-3 09:16 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
305
|
4.4 |
MEDIUM
Network
|
-
|
-
|
The Passeum Ticketing plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.0. This is due to the `get_shop_url()` method returning the `shop_name`…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-7421
|
2026-06-3 09:16 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
306
|
4.3 |
MEDIUM
Network
|
-
|
-
|
A weakness has been identified in johnhuang316 code-index-mcp up to 2.14.0. Affected is the function is_safe_regex_pattern of the component search_code_advanced. Executing a manipulation of the argum…
New
|
CWE-400
CWE-1333
Uncontrolled Resource Consumption
Inefficient Regular Expression Complexity
|
CVE-2026-10692
|
2026-06-3 09:16 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
307
|
4.3 |
MEDIUM
Network
|
-
|
-
|
A security flaw has been discovered in wonderwhy-er DesktopCommanderMCP up to 0.2.38. This impacts an unknown function of the file src/search-manager.ts of the component start_search. Performing a ma…
New
|
CWE-400
CWE-1333
Uncontrolled Resource Consumption
Inefficient Regular Expression Complexity
|
CVE-2026-10691
|
2026-06-3 09:16 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
308
|
6.5 |
MEDIUM
Network
|
-
|
-
|
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, users with only `VIEW` access to an MCP server can retrieve the server's decrypted a…
New
|
CWE-201
Insertion of Sensitive Information Into Sent Data
|
CVE-2026-44653
|
2026-06-3 08:16 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
309
|
- |
|
-
|
-
|
When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or log…
New
|
-
|
CVE-2026-42507
|
2026-06-3 08:16 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
310
|
- |
|
-
|
-
|
GLPI is a free asset and IT management software package. In versions 11.0.0 through 11.0.6, a technician can store an XSS payload in a ITIL costs. This issue has been fixed in version 11.0.7.
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-40108
|
2026-06-3 08:16 |
2026-06-3 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
