3.4

CVSS3.1

CVE-2026-44405 -

In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm.

📅 Published: May 5, 2026, 11:50 p.m. 🔄 Last Modified: May 5, 2026, 11:55 p.m.

7.6

CVSS4.0

CVE-2026-40934 - jupyter-server authentication cookies remain valid after password reset due to static cookie secret

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the secret used to sign authentication cookies is persisted to a static file at ~/.local/share/jupyter/runtime/jupyter_cookie_secret and is never rotated when a user changes their password. After a password …

📅 Published: May 5, 2026, 9:31 p.m. 🔄 Last Modified: May 5, 2026, 9:31 p.m.

0.0

CVE-2026-28780 - Apache HTTP Server: buffer overflow in mod_proxy_ajp via ajp_msg_check_header()

Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of Apache HTTP Server. If mod_proxy_ajp connects to a malicious AJP server this AJP server can send a malicious AJP message back to mod_proxy_ajp and cause it to write 4 attacker controlled bytes after the end of a heap based buffer. This i…

📅 Published: May 5, 2026, 9:29 p.m. 🔄 Last Modified: May 5, 2026, 9:29 p.m.

7.6

CVSS4.0

CVE-2026-40110 - jupyter-server CORS origin validation bypass via unanchored regex in allow_origin_pat

Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match() to check incoming origins against the allow_origin_pat configuration value. Because re.match() only anchors at the start of the string and does not requi…

📅 Published: May 5, 2026, 9:29 p.m. 🔄 Last Modified: May 5, 2026, 9:29 p.m.

8.2

CVSS4.0

CVE-2026-40075 - OpenMRS Core arbitrary file read via path traversal in ModuleResourcesServlet

OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the `/openmrs/moduleResources/{moduleid}` endpoint is vulnerable to a path traversal attack. The ModuleResourcesServlet constructs a filesystem path from user-co…

📅 Published: May 5, 2026, 9:25 p.m. 🔄 Last Modified: May 5, 2026, 9:25 p.m.

8.8

CVSS4.0

CVE-2026-39852 - Quarkus authorization bypass via semicolon path normalization inconsistency

Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP pa…

📅 Published: May 5, 2026, 8:58 p.m. 🔄 Last Modified: May 5, 2026, 8:58 p.m.

7.7

CVSS4.0

CVE-2026-40068 - Claude Code arbitrary code execution via git worktree commondir trust dialog bypass

In versions 2.1.63 through 2.1.83 of Claude Code, the folder trust determination logic used the git worktree commondir file without validating its contents. An attacker could craft a malicious repository with a commondir file pointing to a path the victim had previously trusted, causing Claude Code…

📅 Published: May 5, 2026, 8:52 p.m. 🔄 Last Modified: May 5, 2026, 10:30 p.m.

8.7

CVSS4.0

CVE-2026-39849 - Pi-hole FTL remote code execution via newline injection in dns.interface configuration

Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsm…

📅 Published: May 5, 2026, 8:50 p.m. 🔄 Last Modified: May 5, 2026, 8:50 p.m.

4.3

CVSS4.0

CVE-2026-39402 - lxc lxc-user-nic insufficient ownership validation allows cross-tenant OVS port deletion

lxc is a Linux container runtime. In the setuid helper lxc-user-nic, the delete path contains a logic flaw in the find_line() function that allows an unprivileged user to delete OVS-attached network interfaces belonging to other users. When lxc-user-nic delete scans its NIC database to authorize a …

📅 Published: May 5, 2026, 8:45 p.m. 🔄 Last Modified: May 5, 2026, 8:45 p.m.

6.9

CVSS4.0

CVE-2026-39383 - Gotenberg unauthenticated blind SSRF via unfiltered webhook URL

Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force the server to make outbound HTTP POST requests to arbitrary internal or external destinations by supplying a crafted URL in the Gotenberg-Webhook-Url request header. The …

📅 Published: May 5, 2026, 8:39 p.m. 🔄 Last Modified: May 5, 2026, 10:30 p.m.

Total results: 348134
Page 2 of 34,814