| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-42072 | NornicDB: Improper Network Binding in NornicDB Bolt Server allows unauthorized remote access | orneryd | NornicDB | Critical | 9.8 | 2026-05-08 15:59:43 | Deep Dive |
| CVE-2026-42030 | MapServer: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in OpenLayers viewer | MapServer | MapServer | Medium | 6.1 | 2026-05-08 15:56:49 | Deep Dive |
| CVE-2026-42028 | novaGallery: Unauthenticated Path Traversal in Album and Cached Image Routes Allows Reading Images Outside Gallery Root | novafacile | novagallery | Medium | 5.3 | 2026-05-08 15:54:48 | Deep Dive |
| CVE-2026-41889 | pgx: SQL Injection via placeholder confusion with dollar quoted string literals | jackc | pgx | - | - | 2026-05-08 15:53:00 | Deep Dive |
| CVE-2026-41887 | Flarum: Path traversal in LESS parser via theme color settings (incomplete fix for CVE-2023-27577) | flarum | framework | Medium | 4.9 | 2026-05-08 15:50:38 | Deep Dive |
| CVE-2026-41886 | locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor | locize | locize | High | 7.5 | 2026-05-08 15:45:23 | Deep Dive |
| CVE-2026-42793 | Atom table exhaustion via attacker-controlled GraphQL SDL names in absinthe | absinthe-graphql | absinthe | - | - | 2026-05-08 15:42:46 | Deep Dive |
| CVE-2026-42794 | Reflected XSS via backslash bypass in GraphiQL js_escape in absinthe_plug | absinthe-graphql | absinthe_plug | - | - | 2026-05-08 15:42:41 | Deep Dive |
| CVE-2026-43967 | Quadratic fragment-name uniqueness check causes denial of service in absinthe | absinthe-graphql | absinthe | - | - | 2026-05-08 15:42:34 | Deep Dive |
| CVE-2026-41885 | Path traversal / URL injection via unsanitised lng/ns/projectId/version in i18next-locize-backend | locize | i18next-locize-backend | Medium | 6.5 | 2026-05-08 15:41:14 | Deep Dive |
| CVE-2026-41693 | i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite | i18next | i18next-fs-backend | High | 8.2 | 2026-05-08 15:38:51 | Deep Dive |
| CVE-2026-41883 | OmniFaces: EL injection via crafted resource name in wildcard CDN mapping | omnifaces | omnifaces | High | 8.1 | 2026-05-08 15:36:34 | Deep Dive |
| CVE-2026-42353 | Path traversal / SSRF in i18next-http-middleware via user-controlled language and namespace parameters | i18next | i18next-http-middleware | High | 8.2 | 2026-05-08 15:29:56 | Deep Dive |
| CVE-2026-41683 | HTTP response splitting and DoS in i18next-http-middleware via unsanitised Content-Language header | i18next | i18next-http-middleware | High | 8.6 | 2026-05-08 15:27:05 | Deep Dive |
| CVE-2026-41690 | Prototype pollution and path traversal in i18next-http-middleware via user-controlled language and namespace parameters | i18next | i18next-http-middleware | High | 8.6 | 2026-05-08 15:24:12 | Deep Dive |
| CVE-2026-41591 | Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping | marko-js | marko | Medium | 6.4 | 2026-05-08 15:22:51 | Deep Dive |
| CVE-2026-41070 | openvpn-auth-oauth2 returns FUNC_SUCCESS on client-deny, allowing unauthenticated VPN access | jkroepke | openvpn-auth-oauth2 | Critical | 10.0 | 2026-05-08 15:14:46 | Deep Dive |
| CVE-2026-44499 | ZEBRA: Permanent Block Discovery Halt via Gossip Queue Saturation and Syncer Poisoning | ZcashFoundation | zebra | - | - | 2026-05-08 15:11:25 | Deep Dive |
| CVE-2026-44500 | ZEBRA: Allocation Amplification in Inbound Network Deserializers | ZcashFoundation | zebra | Medium | 5.3 | 2026-05-08 15:10:22 | Deep Dive |
| CVE-2026-44498 | ZEBRA: Block Validator Undercounts Coinbase and P2SH Sigops | ZcashFoundation | zebra | - | - | 2026-05-08 15:09:10 | Deep Dive |