CVE tracker
News monitoring: @irnewsagency

Main channel: @orgsecuritygate

Site: SecurityGate.org
CVE-2026-42208 - LiteLLM: SQL injection in Proxy API key verification

CVE ID: CVE-2026-42208
Published: May 8, 2026, 3:38 a.m. | 39 minutes ago
Description: LiteLLM is a proxy server (AI Gateway) to call LLM APIs in OpenAI (or native) format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An unauthenticated attacker could send a specially crafted Authorization header to any LLM API route (for example POST /chat/completions) and reach this query through the proxy's error-handling path. An attacker could read data from the proxy's database and may be able to modify it, leading to unauthorised access to the proxy and the credentials it manages. This issue has been patched in version 1.83.7.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-42272 - Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation

CVE ID: CVE-2026-42272
Published: May 8, 2026, 3:40 a.m. | 37 minutes ago
Description: Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall handles URL-encoded slashes (%2F) in a case-sensitive manner, while percent-encoding is defined to be case-insensitive. As a result, the lowercase equivalent (%2f) is not recognized and therefore not processed as expected when allow_encoded_slashes is set to off (the default setting). This discrepancy can lead to differences in how request paths are interpreted by heimdall and upstream components, which may result in authorization bypass. This issue has been patched in version 0.17.14.
Severity: 0.0 | NA
CVE-2026-42273 - Heimdall: Case-sensitive host matching may lead to policy bypass

CVE ID: CVE-2026-42273
Published: May 8, 2026, 3:42 a.m. | 34 minutes ago
Description: Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host that differs only in letter casing, potentially causing the request to be classified differently than intended. This issue has been patched in version 0.17.14.
Severity: 0.0 | NA
CVE-2026-42274 - Heimdall: Authorization bypass via path normalization mismatch

CVE ID: CVE-2026-42274
Published: May 8, 2026, 3:43 a.m. | 33 minutes ago
Description: Heimdall is a cloud native Identity Aware Proxy and Access Control Decision service. Prior to version 0.17.14, Heimdall performs rule matching on the raw (non-normalized) request path, while downstream components may normalize dot-segments according to RFC 3986, Section 6.2.2.3. This discrepancy can result in heimdall authorizing a request for one path (e.g., /user/../admin, or URL-encoded variants such as /user/%2e%2e/admin or /user/%2e%2e%2fadmin; the latter requires the allow_encoded_slashes option to be set to on or no_decode) while the downstream ultimately processes a different, normalized path (/admin). This issue has been patched in version 0.17.14.
Severity: 0.0 | NA
CVE-2026-8136 - SourceCodester Pharmacy Sales and Inventory System index.php users cross site scripting

CVE ID: CVE-2026-8136
Published: May 8, 2026, 3:45 a.m. | 32 minutes ago
Description: A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. It affects an unknown part of the file /index.php?page=users. Manipulating the Name argument can lead to cross-site scripting. The attack may be launched remotely. An exploit has been published and may be used.
Severity: 0.0 | NA
CVE-2026-42275 - zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write

CVE ID: CVE-2026-42275
Published: May 8, 2026, 3:45 a.m. | 31 minutes ago
Description: zrok is software for sharing web services, files, and network resources. Prior to version 2.0.2, the zrok WebDAV drive backend (davServer.Dir) restricts path traversal through lexical normalization but does not prevent symlink following. When a symbolic link inside the shared DriveRoot points to a location outside that root, remote WebDAV consumers can read files and, on shares without OS-level permission restrictions, write or overwrite files anywhere on the host filesystem accessible to the zrok process. This issue has been patched in version 2.0.2.
Severity: 0.0 | NA
CVE-2024-30167 - Atlona AT-OME-MS42 Remote Command Execution Vulnerability

CVE ID: CVE-2024-30167
Published: May 8, 2026, 6:16 a.m. | 2 hours, 4 minutes ago
Description: /cgi-bin/time.cgi in Atlona AT-OME-MS42 Matrix Switcher 1.1.2 allows remote authenticated users to execute arbitrary commands as root via a POST request that carries a serverName parameter.
Severity: 0.0 | NA
CVE-2024-33288 - PHP Prison Management System SQL Injection

CVE ID: CVE-2024-33288
Published: May 8, 2026, 6:16 a.m. | 2 hours, 4 minutes ago
Description: Prison Management System Using PHP v1.0 was discovered to contain a SQL injection vulnerability via the username on the Admin login page.
Severity: 0.0 | NA
CVE-2024-33722 - SOPlanning SQL Injection

CVE ID: CVE-2024-33722
Published: May 8, 2026, 6:16 a.m. | 2 hours, 4 minutes ago
Description: SOPlanning 1.52.00 is vulnerable to SQL Injection by an authenticated user via projets.php with statut[].
Severity: 0.0 | NA
CVE-2024-33724 - SOPlanning Cross Site Scripting (XSS)

CVE ID: CVE-2024-33724
Published: May 8, 2026, 6:16 a.m. | 2 hours, 4 minutes ago
Description: SOPlanning 1.52.00 is vulnerable to Cross Site Scripting (XSS) via the groupe_id parameter to process/groupe_save.php.
Severity: 0.0 | NA
CVE-2024-45257 - BYOB Command Injection Vulnerability

CVE ID: CVE-2024-45257
Published: May 8, 2026, 6:16 a.m. | 2 hours, 4 minutes ago
Description: A Command Injection issue in the payload build page in BYOB (Build Your Own Botnet) 2.0 allows attackers to execute arbitrary commands on the server via a crafted build parameter. This occurs in the freeze function in core/generators.py.
Severity: 0.0 | NA
CVE-2024-46507 - Yeti-Platform SSTI Code Execution

CVE ID: CVE-2024-46507
Published: May 8, 2026, 6:16 a.m. | 2 hours, 4 minutes ago
Description: An SSTI (server side template injection) vulnerability in the custom template export function in yeti-platform yeti before 2.1.12 allows attackers to execute code on the application server.
Severity: 0.0 | NA
CVE-2024-46508 - Yeti-Platform JWT Token Forgery Vulnerability

CVE ID: CVE-2024-46508
Published: May 8, 2026, 6:16 a.m. | 2 hours, 4 minutes ago
Description: yeti-platform yeti before 2.1.12 allows attackers to generate valid JWT tokens if the secret is not changed (by setting YETI_AUTH_SECRET_KEY to a value other than SECRET).
Severity: 0.0 | NA
CVE-2024-51092 - LibreNMS OS Command Injection Vulnerability

CVE ID: CVE-2024-51092
Published: May 8, 2026, 6:16 a.m. | 2 hours, 4 minutes ago
Description: LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's initRrdDirectory().
Severity: 0.0 | NA
CVE-2024-53326 - LINQPad Deserialization Remote Code Execution

CVE ID: CVE-2024-53326
Published: May 8, 2026, 6:16 a.m. | 2 hours, 4 minutes ago
Description: LINQPad before 5.52.01 Pro edition is vulnerable to Unsafe Deserialization in LINQPad.AutoRefManager::PopulateFromCache(), leading to code execution.
Severity: 0.0 | NA
CVE-2026-44927 - Uriparser Integer Pointer Truncation Vulnerability

CVE ID: CVE-2026-44927
Published: May 8, 2026, 7:13 a.m. | 1 hour, 7 minutes ago
Description: In uriparser before 1.0.2, there is pointer difference truncation to int in various places.
Severity: 2.9 | LOW
CVE-2026-44928 - Apache uriparser Uri Equality Validation Bypass Vulnerability

CVE ID: CVE-2026-44928
Published: May 8, 2026, 7:15 a.m. | 1 hour, 4 minutes ago
Description: In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal.
Severity: 2.9 | LOW
CVE-2023-46453 - GL.iNet SQL Injection Regular Expression Authentication Bypass

CVE ID: CVE-2023-46453
Published: May 8, 2026, 7:16 a.m. | 1 hour, 3 minutes ago
Description: Certain GL.iNet devices with 4.x firmware allow authentication bypass (resulting in administrative control of the device) via a username that is both a valid SQL statement and a valid regular expression. For example, this affects version 4.3.7 on GL-MT3000, GL-AR300M, GL-B1300, GL-AX1800, GL-AR750S, GL-MT2500, GL-AXT1800, GL-X3000, and GL-SFT1200.
Severity: 0.0 | NA
CVE-2025-55449 - AstrBotDevs AstrBot Critical JWT Private Key Hardcoding Vulnerability

CVE ID: CVE-2025-55449
Published: May 8, 2026, 7:16 a.m. | 1 hour, 3 minutes ago
Description: AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT.
Severity: 0.0 | NA
CVE-2025-67886 - Bitrix24 Remote Code Execution via Unrestricted File Upload

CVE ID: CVE-2025-67886
Published: May 8, 2026, 7:16 a.m. | 1 hour, 3 minutes ago
Description: Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website.
Severity: 0.0 | NA
CVE-2025-67887 - Bitrix Remote Code Execution Vulnerability

CVE ID: CVE-2025-67887
Published: May 8, 2026, 7:16 a.m. | 1 hour, 3 minutes ago
Description: 1C-Bitrix through 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website.
Severity: 0.0 | NA