CVE-2026-48152
Budibase is an open-source low-code platform. Prior to 3.39.0, the single-datasource GET and PUT routes are guarded by generic TABLE READ, not by Builder/Admin permission or datasource-specific ownership/resource checks. The built-in Basic app user role maps to the WRITE permission set, which...
CVE-2026-44641
Microsoft APM is an open-source, community-driven dependency manager for AI agents. Prior to 0.8.12, Microsoft APM normalizes marketplace plugins by copying plugin components referenced in plugin.json into .apm/. The manifest fields agents, skills, commands, and hooks are attacker-controlled, but...
CVE-2026-8915
Out-of-bounds write vulnerability in Samsung Open Source Escargot allows Overflow Buffers. This issue affects Escargot: 36f5fb58366a67b713c02f6fd985e924fcc09e31...
CVE-2026-46496
HAX CMS is affected by a stored XSS in the '<video-player>' component. Versions prior to 26.0.0 fail to sanitize input in the source/source-data attributes, allowing javascript: URIs that execute attacker-controlled JavaScript in victims’ browsers. This can lead to token exposure (e.g., JWTs) and other sensitive...
CVE-2026-46496 HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft
HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the '<video-player>' component. The component allows javascript: URIs in the source attribute, which are executed when the page is...
CVE-2023-50360
creationtimestamp | type | source
---|---|---
2026-06-05 18:08:09+00:00 | seen | https://bsky.app/profile/hugovalters.bsky.social/post/3mnkq7kahtd2r...
CVE-2026-11334
creationtimestamp | type | source
---|---|---
2026-06-05 17:33:20+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnkobc5r4e2j
2026-06-06 23:05:28+00:00 | seen | https://bsky.app/profile/hugovalters.bsky.social/post/3mnnrc4tsfi2s...
CVE-2026-11333
creationtimestamp | type | source
---|---|---
2026-06-05 17:23:18+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnknpel66t2e...
CVE-2026-11362
creationtimestamp | type | source
---|---|---
2026-06-05 17:08:17+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnkmuinxhj25
2026-06-06 03:47:05+00:00 | seen | https://bsky.app/profile/infosec.skyfleet.blue/post/3mnlqkntccr25...
CVE-2026-9270
creationtimestamp | type | source
---|---|---
2026-06-05 17:03:59+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnkmmt2ikd2g
2026-06-06 03:42:00+00:00 | seen | https://bsky.app/profile/infosec.skyfleet.blue/post/3mnlqbomqr22m...
CVE-2026-25860
creationtimestamp | type | source
---|---|---
2026-06-05 17:00:04+00:00 | seen | https://t.me/GithubRedTeam/87464
2026-06-05 19:00:11+00:00 | published-proof-of-concept | Telegram/vT4GraR1tGy8kb2p0gDblUF32yKb9Lm75V4SoCKaucAr0
2026-06-05 21:00:04+00:00 | published-proof-of-concept | ...
CVE-2026-48101
creationtimestamp | type | source
---|---|---
2026-06-05 16:56:53+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnkma4igba2f...
MINI-GGXR-58VM-GM39
Bulletin has no description...
GHSA-JJRM-HR5F-673X Source controller: Improper path handling allows traversal
Impact An actor with the ability to influence the contents of a bucket referenced by a Bucket resource can cause source-controller to write fetched object data to paths outside the per-reconciliation working directory. The corruption surface is bounded by source-controller's own and downstream Fl...
GHSA-WVQJ-9WV4-7FF5 NocoDB: Path Traversal via SQLite Source Filename
Summary An authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. Details The SQLite client and the base/integration create services accepted a caller-supplied filename and passed it to...
CVE-2026-6208
creationtimestamp | type | source
---|---|---
2026-06-05 15:27:21+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnkh7wk2k72m...
JLSEC-2026-569
OpenCV is an Open Source Computer Vision Library. Versions 4.10.0 and 4.11.0 have an uninitialized pointer variable on stack that may lead to arbitrary heap buffer write when reading crafted JPEG images. Version 4.12.0 fixes the vulnerability...