7.5

CVSS3.1

CVE-2026-7768 - @fastify/accepts-serializer vulnerable to Denial of Service via Unbounded Accept Header Cache Growth

@fastify/accepts-serializer cached serializer-selection results keyed by the request Accept header without a size limit or eviction policy. A remote unauthenticated client could send many distinct but matching Accept header variants to make the cache grow unbounded, eventually exhausting the Node.j…

📅 Published: May 4, 2026, 7:14 p.m. 🔄 Last Modified: May 4, 2026, 7:14 p.m.

9.3

CVSS4.0

CVE-2026-41924 - WDR201A WiFi Extender OS Command Injection via makeRequest.cgi

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the makeRequest.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the set_time or StartSniffer functions. Attackers ca…

📅 Published: May 4, 2026, 7:12 p.m. 🔄 Last Modified: May 4, 2026, 7:12 p.m.

9.3

CVSS4.0

CVE-2026-41923 - WDR201A WiFi Extender OS Command Injection via internet.cgi

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the internet.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the gateway POST parameter. Attackers can exploit unsan…

📅 Published: May 4, 2026, 7:10 p.m. 🔄 Last Modified: May 4, 2026, 7:10 p.m.

9.3

CVSS4.0

CVE-2026-41922 - WDR201A WiFi Extender OS Command Injection via wireless.cgi

WDR201A WiFi Extender (HW V2.1, FW LFMZX28040922V1.02) contains an OS command injection vulnerability in the wireless.cgi binary that allows unauthenticated remote attackers to execute arbitrary shell commands by injecting malicious input into the sz11gChannel or PIN POST parameters. Attackers can e…

📅 Published: May 4, 2026, 7:04 p.m. 🔄 Last Modified: May 4, 2026, 7:04 p.m.

4.8

CVSS4.0

CVE-2026-41686 - Claude SDK for TypeScript has Insecure Default File Permissions in Local Filesystem Memory Tool

Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.91.1, the BetaLocalFilesystemMemoryTool in the Anthropic TypeScript SDK created memory files and directories using the Node.js default modes (0…

📅 Published: May 4, 2026, 6:41 p.m. 🔄 Last Modified: May 4, 2026, 8:30 p.m.

5.3

CVSS4.0

CVE-2026-42237 - n8n: SQL Injection in Snowflake and MySQL Nodes

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the fix for GHSA-f3f2-mcxc-pwjx did not cover the Snowflake node or the legacy MySQL v1 node. Both nodes construct SQL queries by directly interpolating user-controlled table names, column names, and…

📅 Published: May 4, 2026, 6:39 p.m. 🔄 Last Modified: May 4, 2026, 6:39 p.m.

8.7

CVSS4.0

CVE-2026-42236 - n8n: Unauthenticated Denial of Service via MCP Client Registration

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the MCP OAuth client registration endpoint accepted unauthenticated requests and stored client data without adequate resource controls. An unauthenticated remote attacker could exhaust server memory …

📅 Published: May 4, 2026, 6:38 p.m. 🔄 Last Modified: May 4, 2026, 7:59 p.m.

8.8

CVSS4.0

CVE-2026-42235 - n8n: XSS via MCP OAuth client

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an unauthenticated attacker could register a malicious MCP OAuth client with a crafted client_name. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that ac…

📅 Published: May 4, 2026, 6:38 p.m. 🔄 Last Modified: May 4, 2026, 6:38 p.m.

7.1

CVSS4.0

CVE-2026-42234 - n8n: Python Task Runner Sandbox Escape

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container. This issu…

📅 Published: May 4, 2026, 6:36 p.m. 🔄 Last Modified: May 4, 2026, 6:36 p.m.

5.3

CVSS4.0

CVE-2026-42233 - n8n: SQL Injection in Oracle Database Node via Limit Field

n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the Oracle Database node's select operation allowed user-controlled input passed into the Limit field via expressions to be interpolated directly into the SQL query without sanitization or …

📅 Published: May 4, 2026, 6:35 p.m. 🔄 Last Modified: May 4, 2026, 6:35 p.m.