| # | CVSS | Severity | Attack vector | Description | CWE | CVE | Added | Published |
|---|---|---|---|---|---|---|---|---|
| 1111 | 8.4 | HIGH | Local | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.7, `POST /api/share/<path>` accepts an authentic… | CWE-863 Incorrect Authorization | CVE-2026-54096 | 2026-06-26 04:58 | 2026-06-26 |
| 1112 | - | - | - | File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, filebrowser builds the download-as-zip / down… | CWE-22 Path Traversal | CVE-2026-54093 | 2026-06-26 04:58 | 2026-06-26 |
| 1113 | - | - | - | Stored Cross-Site Scripting in the exposed AWS API key store of Thinkst Applied Research Canarytokens. Anonymous exploitation requires knowledge of a random identifier. This issue affects Can… | CWE-79 Cross-site Scripting | CVE-2026-13140 | 2026-06-26 04:52 | 2026-06-24 |
| 1114 | 4.3 | MEDIUM | Network | Low-privileged session IDs generated for the web admin console could be reused in the XML-RPC API, whose authentication is normally restricted to admin users. An attacker could leverage this to gain … | CWE-287 Improper Authentication | CVE-2026-34917 | 2026-06-26 04:52 | 2026-06-24 |
| 1115 | 0.0 | NONE | Network | Low-privileged users could use their Full Name as a vector for a stored XSS attack. The name is included in system-generated emails, whose content is stored in the details field of the userlog table.… | CWE-79 Cross-site Scripting | CVE-2026-44956 | 2026-06-26 04:52 | 2026-06-24 |
| 1116 | 0.0 | NONE | Network | A stored XSS can be exploited by leveraging the usernames as an attack vector. When an admin user viewed the audit log details for affected entries, any malicious JavaScript payload embedded in the u… | CWE-79 Cross-site Scripting | CVE-2026-44960 | 2026-06-26 04:52 | 2026-06-24 |
| 1117 | 0.0 | NONE | Network | The XML-RPC API addUser method has a validation bypass introduced in the fix for CVE-2025-55129. As a result, API users could create usernames that enabled impersonation or stored XSS attacks. Proper… | CWE-287 Improper Authentication | CVE-2026-44961 | 2026-06-26 04:52 | 2026-06-24 |
| 1118 | - | - | - | When using the "configparser" module to write configuration files containing multi-line text values with carriage return characters (\r) the resulting file could be injected with unexpected keys and … | CWE-74 Injection | CVE-2026-0864 | 2026-06-26 04:51 | 2026-06-24 |
| 1119 | - | - | - | When using the "tarfile" module with a file opened in "streaming mode" (mode="r\|") the tarfile module did not properly handle EOF, making archive parsing take exponentially longer. | CWE-252 Unchecked Return Value; CWE-606 Unchecked Input for Loop Condition; CWE-770 Allocation of Resources Without Limits or Throttling | CVE-2026-11972 | 2026-06-26 04:51 | 2026-06-24 |
| 1120 | - | - | - | Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Google go-attestation. parseEfiSignatureList() does not advance the buffer past vendor bytes before reading entri… | CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input | CVE-2026-12681 | 2026-06-26 04:51 | 2026-06-24 |