CVE-2026-44455 - Hono: Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection
CVE ID :CVE-2026-44455
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the programmatic jsx() or createElement() APIs during server-side rendering, specially crafted values may break out of the intended element context and inject unintended HTML. This vulnerability is fixed in 4.12.16.
Severity: 4.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-44455
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the programmatic jsx() or createElement() APIs during server-side rendering, specially crafted values may break out of the intended element context and inject unintended HTML. This vulnerability is fixed in 4.12.16.
Severity: 4.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44456 - Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
CVE ID :CVE-2026-44456
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return 200 instead of 413. This vulnerability is fixed in 4.12.16.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-44456
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return 200 instead of 413. This vulnerability is fixed in 4.12.16.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44457 - Hono: Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
CVE ID :CVE-2026-44457
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users. This vulnerability is fixed in 4.12.18.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-44457
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users. This vulnerability is fixed in 4.12.18.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44458 - Hono: CSS Declaration Injection via Style Object Values in JSX SSR
CVE ID :CVE-2026-44458
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout. This vulnerability is fixed in 4.12.18.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-44458
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout. This vulnerability is fixed in 4.12.18.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44459 - Hono: Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
CVE ID :CVE-2026-44459
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify() — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control. This vulnerability is fixed in 4.12.18.
Severity: 3.8 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-44459
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify() — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control. This vulnerability is fixed in 4.12.18.
Severity: 3.8 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44467 - Claude Desktop: SSH Host Key Verification Bypass Allows Man-in-the-Middle Attack on Remote Sessions
CVE ID :CVE-2026-44467
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. From 1.2581.0 to before 1.4304.0, Claude Desktop's SSH remote development feature verified only whether a hostname existed in ~/.ssh/known_hosts without comparing the server's presented host key against the stored key. This allowed a network-positioned attacker to present an arbitrary SSH host key and have the connection silently accepted, enabling a man-in-the-middle attack on remote development sessions. Successful exploitation required the attacker to be in a network position to intercept SSH traffic (e.g., via ARP spoofing, rogue Wi-Fi, or DNS poisoning) and the target hostname to already have an entry in the victim's known_hosts file. This vulnerability is fixed in 1.4304.0.
Severity: 7.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-44467
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. From 1.2581.0 to before 1.4304.0, Claude Desktop's SSH remote development feature verified only whether a hostname existed in ~/.ssh/known_hosts without comparing the server's presented host key against the stored key. This allowed a network-positioned attacker to present an arbitrary SSH host key and have the connection silently accepted, enabling a man-in-the-middle attack on remote development sessions. Successful exploitation required the attacker to be in a network position to intercept SSH traffic (e.g., via ARP spoofing, rogue Wi-Fi, or DNS poisoning) and the target hostname to already have an entry in the victim's known_hosts file. This vulnerability is fixed in 1.4304.0.
Severity: 7.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44470 - Claude Desktop: Local Privilege Escalation via Directory Junction in CoworkVMService
CVE ID :CVE-2026-44470
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. Prior to 1.3834.0, the CoworkVMService component in Claude Desktop for Windows ran as SYSTEM and did not validate whether the VM bundle directory was a real directory or an NTFS directory junction before creating files within it. A local non-elevated user could replace the user-writable VM bundle directory with a directory junction pointing to an attacker-chosen location, causing the service to create a SYSTEM-owned file in an arbitrary directory. This could be leveraged for local privilege escalation. This vulnerability is fixed in 1.3834.0.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-44470
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. Prior to 1.3834.0, the CoworkVMService component in Claude Desktop for Windows ran as SYSTEM and did not validate whether the VM bundle directory was a real directory or an NTFS directory junction before creating files within it. A local non-elevated user could replace the user-writable VM bundle directory with a directory junction pointing to an attacker-chosen location, causing the service to create a SYSTEM-owned file in an arbitrary directory. This could be leveraged for local privilege escalation. This vulnerability is fixed in 1.3834.0.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44479 - Vercel: Non-interactive mode includes CLI arguments in suggested command output
CVE ID :CVE-2026-44479
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :Vercel’s AI Cloud is a unified platform for building modern applications. From 50.16.0 to 52.0.0, hen the Vercel CLI runs in non-interactive mode (--non-interactive or auto-detected AI agent), commands that cannot complete autonomously emit JSON payloads with suggested follow-up commands. If the user authenticated via --token or -t on the command line, the token value is included verbatim in those suggestions. The plaintext token may be captured in CI/CD logs, agent transcripts, or other automation output. This vulnerability is fixed in 52.0.1.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-44479
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :Vercel’s AI Cloud is a unified platform for building modern applications. From 50.16.0 to 52.0.0, hen the Vercel CLI runs in non-interactive mode (--non-interactive or auto-detected AI agent), commands that cannot complete autonomously emit JSON payloads with suggested follow-up commands. If the user authenticated via --token or -t on the command line, the token value is included verbatim in those suggestions. The plaintext token may be captured in CI/CD logs, agent transcripts, or other automation output. This vulnerability is fixed in 52.0.1.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44572 - Next.js: Middleware / Proxy redirects can be cache-poisoned
CVE ID :CVE-2026-44572
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged. This vulnerability is fixed in 15.5.16 and 16.2.5.
Severity: 3.7 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-44572
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged. This vulnerability is fixed in 15.5.16 and 16.2.5.
Severity: 3.7 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44664 - fast-xml-builder: Comment Value bypass regex
CVE ID :CVE-2026-44664
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skip the values containing three consecutive dashes (e.g., --->...), allowing an attacker to break out of an XML comment and inject arbitrary XML/HTML content. This vulnerability is fixed in 1.1.6.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-44664
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skip the values containing three consecutive dashes (e.g., --->...), allowing an attacker to break out of an XML comment and inject arbitrary XML/HTML content. This vulnerability is fixed in 1.1.6.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44665 - fast-xml-builder: Attribute values with unwanted quotes can bypass malicious or unwanted attributes
CVE ID :CVE-2026-44665
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerability is fixed in 1.1.7.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-44665
Published : May 13, 2026, 4:16 p.m. | 33 minutes ago
Description :fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerability is fixed in 1.1.7.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-45028 - Astro: Server island encrypted parameters vulnerable to cross-component replay
CVE ID :CVE-2026-45028
Published : May 13, 2026, 4:17 p.m. | 32 minutes ago
Description :Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component's encrypted props (p) value as another component's slots (s) value, or vice versa. Since slots contain raw unescaped HTML while props may contain user-controlled values, this could lead to XSS in applications. This occurs when the application uses server islands, two different server island components share the same key name for a prop and a slot, and an attacker has full control over the value of the overlapping prop (requires a dynamically rendered page). This vulnerability is fixed in 6.1.10.
Severity: 2.9 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-45028
Published : May 13, 2026, 4:17 p.m. | 32 minutes ago
Description :Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component's encrypted props (p) value as another component's slots (s) value, or vice versa. Since slots contain raw unescaped HTML while props may contain user-controlled values, this could lead to XSS in applications. This occurs when the application uses server islands, two different server island components share the same key name for a prop and a slot, and an attacker has full control over the value of the overlapping prop (requires a dynamically rendered page). This vulnerability is fixed in 6.1.10.
Severity: 2.9 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-45033 - GitHub Copilot CLI: Nested Bare Repository Can Execute Arbitrary Commands via core.fsmonitor
CVE ID :CVE-2026-45033
Published : May 13, 2026, 4:17 p.m. | 32 minutes ago
Description :GitHub Copilot CLI brings AI-powered coding assistance directly to your command line. Prior to 1.0.43, a security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git's automatic bare repository discovery during directory traversal, an attacker can set core.fsmonitor or other executable config keys to run arbitrary commands without user awareness or approval. The vulnerability arises because git's core.fsmonitor config key (and 15+ similar keys such as core.hookspath, diff.external, merge.tool, etc.) can specify arbitrary shell commands that git will execute as part of normal operations like status, diff, or rev-parse. This vulnerability is fixed in 1.0.43.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-45033
Published : May 13, 2026, 4:17 p.m. | 32 minutes ago
Description :GitHub Copilot CLI brings AI-powered coding assistance directly to your command line. Prior to 1.0.43, a security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git's automatic bare repository discovery during directory traversal, an attacker can set core.fsmonitor or other executable config keys to run arbitrary commands without user awareness or approval. The vulnerability arises because git's core.fsmonitor config key (and 15+ similar keys such as core.hookspath, diff.external, merge.tool, etc.) can specify arbitrary shell commands that git will execute as part of normal operations like status, diff, or rev-parse. This vulnerability is fixed in 1.0.43.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-45740 - protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion
CVE ID :CVE-2026-45740
Published : May 13, 2026, 4:17 p.m. | 32 minutes ago
Description :protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading. This vulnerability is fixed in 7.5.8 and 8.2.0.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-45740
Published : May 13, 2026, 4:17 p.m. | 32 minutes ago
Description :protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading. This vulnerability is fixed in 7.5.8 and 8.2.0.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-6281 - Lenovo Personal Cloud Storage Command Injection Vulnerability
CVE ID :CVE-2026-6281
Published : May 13, 2026, 4:17 p.m. | 32 minutes ago
Description :A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network to execute arbitrary commands on the device.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-6281
Published : May 13, 2026, 4:17 p.m. | 32 minutes ago
Description :A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network to execute arbitrary commands on the device.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-6282 - Lenovo Personal Cloud Storage Path Traversal Vulnerability
CVE ID :CVE-2026-6282
Published : May 13, 2026, 4:17 p.m. | 32 minutes ago
Description :A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user to move or access files belonging to other users on the same device.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-6282
Published : May 13, 2026, 4:17 p.m. | 32 minutes ago
Description :A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user to move or access files belonging to other users on the same device.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-8367 - aria2c Improper Certificate Validation
CVE ID :CVE-2026-8367
Published : May 13, 2026, 4:17 p.m. | 32 minutes ago
Description :aria2c accepts a server certificate with incorrect Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-8367
Published : May 13, 2026, 4:17 p.m. | 32 minutes ago
Description :aria2c accepts a server certificate with incorrect Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-45229 - Quark Drive < 0.8.5 Mass Assignment via POST /update
CVE ID :CVE-2026-45229
Published : May 13, 2026, 7:54 p.m. | 59 minutes ago
Description :Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an arbitrary webui object to the config_data dictionary. Attackers can exploit insufficient deny-list filtering to permanently replace stored login credentials, lock out legitimate administrators, and gain persistent access to all configured tasks, cloud tokens, and notification services.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-45229
Published : May 13, 2026, 7:54 p.m. | 59 minutes ago
Description :Quark Drive before 0.8.5 contains a mass assignment vulnerability in the POST /update endpoint that allows authenticated attackers to overwrite administrator credentials by posting an arbitrary webui object to the config_data dictionary. Attackers can exploit insufficient deny-list filtering to permanently replace stored login credentials, lock out legitimate administrators, and gain persistent access to all configured tasks, cloud tokens, and notification services.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-45228 - Quark Drive < 0.8.5 Stored XSS via System Configuration
CVE ID :CVE-2026-45228
Published : May 13, 2026, 7:54 p.m. | 58 minutes ago
Description :Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders push_config key names using Vue.js's v-html directive without escaping. Authenticated attackers can inject HTML or JavaScript payloads as key names through the POST /update endpoint, which are persisted to disk and executed in the browsers of all authenticated users accessing the System Configuration tab, allowing session cookie exfiltration and arbitrary authenticated actions.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-45228
Published : May 13, 2026, 7:54 p.m. | 58 minutes ago
Description :Quark Drive before 0.8.5 contains a stored cross-site scripting vulnerability in the System Configuration page where the template renders push_config key names using Vue.js's v-html directive without escaping. Authenticated attackers can inject HTML or JavaScript payloads as key names through the POST /update endpoint, which are persisted to disk and executed in the browsers of all authenticated users accessing the System Configuration tab, allowing session cookie exfiltration and arbitrary authenticated actions.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-42602 - azureauthextension Authenticate method does not validate bearer tokens, allowing auth bypass via replay
CVE ID :CVE-2026-42602
Published : May 13, 2026, 8:12 p.m. | 41 minutes ago
Description :azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate to any OpenTelemetry receiver that uses auth: azure_auth. The extension's Authenticate method does not validate incoming bearer tokens as JWTs. Instead, it calls its own configured credential to obtain an access token and compares the client's token to the result with string equality — and the scope for that server-side token request is taken from the client-supplied Host header. As a result, a token minted for any Azure resource the service principal has ever been issued a token for (ARM, Graph, Key Vault, Storage, etc.) will authenticate to the collector if the attacker picks a matching Host. Tokens are replayable for the full issued lifetime (commonly several hours for managed identity tokens).
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-42602
Published : May 13, 2026, 8:12 p.m. | 41 minutes ago
Description :azureauthextension is the Azure Authenticator Extension. From 0.124.0 to 0.150.0, a server-side authentication bypass in azureauthextension allows any party who holds a single valid Azure access token for any scope the collector's configured identity can mint for to authenticate to any OpenTelemetry receiver that uses auth: azure_auth. The extension's Authenticate method does not validate incoming bearer tokens as JWTs. Instead, it calls its own configured credential to obtain an access token and compares the client's token to the result with string equality — and the scope for that server-side token request is taken from the client-supplied Host header. As a result, a token minted for any Azure resource the service principal has ever been issued a token for (ARM, Graph, Key Vault, Storage, etc.) will authenticate to the collector if the attacker picks a matching Host. Tokens are replayable for the full issued lifetime (commonly several hours for managed identity tokens).
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-8328 - FTP PASV SSRF, ftpcp() does not use actual peer address, trusts server-supplied PASV host address
CVE ID :CVE-2026-8328
Published : May 13, 2026, 8:14 p.m. | 38 minutes ago
Description :The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.
Severity: 5.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-8328
Published : May 13, 2026, 8:14 p.m. | 38 minutes ago
Description :The ftpcp() function in Lib/ftplib.py was not updated when CVE-2021-4189 was fixed. While makepasv() was patched to replace server-supplied PASV host addresses with the actual peer address (getpeername()[0]), ftpcp() still calls parse227() directly and passes the raw attacker-controllable IP address and port to target.sendport(). This patch is related to CVE-2021-4189.
Severity: 5.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...