| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-42456 | AnythingLLM: Cross-User TTS Audio Disclosure via Chat ID (IDOR) | Mintplex-Labs | anything-llm | Medium | 4.3 | 2026-05-08 23:01:30 | Deep Dive |
| CVE-2026-42354 | Sentry: Improper authentication on SAML SSO process allows user identity linking | getsentry | sentry | Critical | 9.1 | 2026-05-08 22:58:34 | Deep Dive |
| CVE-2026-42454 | Termix: OS Command Injection in Docker Container Management Endpoints | Termix-SSH | Termix | Critical | 9.9 | 2026-05-08 22:56:18 | Deep Dive |
| CVE-2026-42453 | Termix: Command injection in extractArchive/compressFiles via double-quote escaping bypass | Termix-SSH | Termix | - | - | 2026-05-08 22:55:30 | Deep Dive |
| CVE-2026-42452 | Termix: Pending-TOTP temporary token can regenerate backup codes and neutralize TOTP | Termix-SSH | Termix | High | 8.1 | 2026-05-08 22:54:12 | Deep Dive |
| CVE-2026-42451 | Grimmory: Stored XSS via Malicious EPUB Enables Session Token Theft | grimmory-tools | grimmory | Medium | 6.3 | 2026-05-08 22:51:22 | Deep Dive |
| CVE-2026-41682 | pupnp: Port truncation via atoi() cast in parse_uri() allows SSRF port confusion | pupnp | pupnp | - | - | 2026-05-08 22:47:37 | Deep Dive |
| CVE-2026-45130 | Vim: Heap Buffer Overflow in spell file loading | vim | vim | Medium | 6.6 | 2026-05-08 22:42:35 | Deep Dive |
| CVE-2026-44656 | Vim: OS Command Injection via 'path' completion | vim | vim | - | - | 2026-05-08 22:40:50 | Deep Dive |
| CVE-2026-42307 | Vim: OS Command Injection in netrw | vim | vim | Medium | 4.4 | 2026-05-08 22:38:54 | Deep Dive |
| CVE-2026-42350 | Kargo: Open Redirect in UI OIDC Login Flow via redirectTo Query Parameter | akuity | kargo | - | - | 2026-05-08 22:35:30 | Deep Dive |
| CVE-2026-42352 | pygeoapi 0.23.x: Unauthenticated SSRF via OGC API - Processes Subscriber | geopython | pygeoapi | High | 8.6 | 2026-05-08 22:31:50 | Deep Dive |
| CVE-2026-42351 | pygeoapi: Path Traversal in STAC FileSystemProvider | geopython | pygeoapi | High | 7.5 | 2026-05-08 22:31:18 | Deep Dive |
| CVE-2026-42556 | Postiz stored XSS in public preview page | gitroomhq | postiz-app | High | 8.9 | 2026-05-08 22:28:33 | Deep Dive |
| CVE-2026-42346 | Postiz: TOCTOU DNS rebinding bypasses all SSRF URL validation paths | gitroomhq | postiz-app | Medium | 6.5 | 2026-05-08 22:26:51 | Deep Dive |
| CVE-2026-42298 | Postiz: Arbitrary Code Execution and Token Exfiltration in pr-docker-build.yml via untrusted Dockerfile.dev | gitroomhq | postiz-app | Critical | 10.0 | 2026-05-08 22:24:10 | Deep Dive |
| CVE-2026-42339 | New API: SSRF Filter Bypass via 0.0.0.0 | QuantumNous | new-api | - | - | 2026-05-08 22:21:54 | Deep Dive |
| CVE-2026-41432 | New API: Stripe Webhook Signature Bypass via Empty Secret Enables Unlimited Quota Fraud | QuantumNous | new-api | High | 7.1 | 2026-05-08 22:21:32 | Deep Dive |
| CVE-2026-44286 | FastGPT: SSRF Vulnerability in Laf Workflow Node via Missing Internal Address Validation | labring | FastGPT | - | - | 2026-05-08 22:17:18 | Deep Dive |
| CVE-2026-44284 | FastGPT: Stored MCP tool URL SSRF in FastGPT workflow execution | labring | FastGPT | Medium | 6.3 | 2026-05-08 22:12:40 | Deep Dive |