CVE-2026-8367 - aria2c Improper Certificate Validation
Published: Wed, 13 May 2026 16:17:04 +0000
CVE ID :CVE-2026-8367
Published : May 13, 2026, 4:17 p.m. | 50 minutes ago
Description :aria2c accepts a server certificate with incorrect Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-6282 - Lenovo Personal Cloud Storage Path Traversal Vulnerability
Published: Wed, 13 May 2026 16:17:01 +0000
CVE ID :CVE-2026-6282
Published : May 13, 2026, 4:17 p.m. | 50 minutes ago
Description :A potential improper file path validation vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user to move or access files belonging to other users on the same device.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-6281 - Lenovo Personal Cloud Storage Command Injection Vulnerability
Published: Wed, 13 May 2026 16:17:01 +0000
CVE ID :CVE-2026-6281
Published : May 13, 2026, 4:17 p.m. | 50 minutes ago
Description :A potential vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow a remote authenticated user on the local network to execute arbitrary commands on the device.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-45740 - protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion
Published: Wed, 13 May 2026 16:17:00 +0000
CVE ID :CVE-2026-45740
Published : May 13, 2026, 4:17 p.m. | 50 minutes ago
Description :protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON() and Namespace.addJSON(). A crafted JSON descriptor with deeply nested namespace definitions could cause the JavaScript call stack to be exhausted during descriptor loading. This vulnerability is fixed in 7.5.8 and 8.2.0.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-45033 - GitHub Copilot CLI: Nested Bare Repository Can Execute Arbitrary Commands via core.fsmonitor
Published: Wed, 13 May 2026 16:17:00 +0000
CVE ID :CVE-2026-45033
Published : May 13, 2026, 4:17 p.m. | 50 minutes ago
Description :GitHub Copilot CLI brings AI-powered coding assistance directly to your command line. Prior to 1.0.43, a security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git's automatic bare repository discovery during directory traversal, an attacker can set core.fsmonitor or other executable config keys to run arbitrary commands without user awareness or approval. The vulnerability arises because git's core.fsmonitor config key (and 15+ similar keys such as core.hookspath, diff.external, merge.tool, etc.) can specify arbitrary shell commands that git will execute as part of normal operations like status, diff, or rev-parse. This vulnerability is fixed in 1.0.43.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-45028 - Astro: Server island encrypted parameters vulnerable to cross-component replay
Published: Wed, 13 May 2026 16:17:00 +0000
CVE ID :CVE-2026-45028
Published : May 13, 2026, 4:17 p.m. | 50 minutes ago
Description :Astro is a web framework. Astro versions prior to 6.1.10 used AES-GCM encryption to protect the confidentiality and integrity of server island props and slots parameters, but did not bind the ciphertext to its intended component or parameter type. An attacker could replay one component's encrypted props (p) value as another component's slots (s) value, or vice versa. Since slots contain raw unescaped HTML while props may contain user-controlled values, this could lead to XSS in applications. This occurs when the application uses server islands, two different server island components share the same key name for a prop and a slot, and an attacker has full control over the value of the overlapping prop (requires a dynamically rendered page). This vulnerability is fixed in 6.1.10.
Severity: 2.9 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44665 - fast-xml-builder: Attribute values with unwanted quotes can bypass malicious or unwanted attributes
Published: Wed, 13 May 2026 16:16:59 +0000
CVE ID :CVE-2026-44665
Published : May 13, 2026, 4:16 p.m. | 50 minutes ago
Description :fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerability is fixed in 1.1.7.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44664 - fast-xml-builder: Comment Value bypass regex
Published: Wed, 13 May 2026 16:16:58 +0000
CVE ID :CVE-2026-44664
Published : May 13, 2026, 4:16 p.m. | 50 minutes ago
Description :fast-xml-builder builds XML from JSON. In 1.1.5, the fix for CVE-2026-41650 in fast-xml-parser sanitizes -- sequences in XML comment content using .replace(/--/g, '- -'). This skip the values containing three consecutive dashes (e.g., --->...), allowing an attacker to break out of an XML comment and inject arbitrary XML/HTML content. This vulnerability is fixed in 1.1.6.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44572 - Next.js: Middleware / Proxy redirects can be cache-poisoned
Published: Wed, 13 May 2026 16:16:58 +0000
CVE ID :CVE-2026-44572
Published : May 13, 2026, 4:16 p.m. | 50 minutes ago
Description :Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, an external client could send a x-nextjs-data header on a normal request to a path handled by middleware that returns a redirect. When that happened, the middleware/proxy could treat the request as a data request and replace the standard Location redirect header with the internal x-nextjs-redirect header. Browsers do not follow x-nextjs-redirect, so the response became an unusable redirect for normal clients. If the application was deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request could poison the cached redirect response for the affected path. Subsequent visitors could then receive a cached redirect response without a Location header, causing a denial of service for that redirect path until the cache entry expired or was purged. This vulnerability is fixed in 15.5.16 and 16.2.5.
Severity: 3.7 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44479 - Vercel: Non-interactive mode includes CLI arguments in suggested command output
Published: Wed, 13 May 2026 16:16:58 +0000
CVE ID :CVE-2026-44479
Published : May 13, 2026, 4:16 p.m. | 50 minutes ago
Description :Vercel’s AI Cloud is a unified platform for building modern applications. From 50.16.0 to 52.0.0, hen the Vercel CLI runs in non-interactive mode (--non-interactive or auto-detected AI agent), commands that cannot complete autonomously emit JSON payloads with suggested follow-up commands. If the user authenticated via --token or -t on the command line, the token value is included verbatim in those suggestions. The plaintext token may be captured in CI/CD logs, agent transcripts, or other automation output. This vulnerability is fixed in 52.0.1.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44470 - Claude Desktop: Local Privilege Escalation via Directory Junction in CoworkVMService
Published: Wed, 13 May 2026 16:16:58 +0000
CVE ID :CVE-2026-44470
Published : May 13, 2026, 4:16 p.m. | 50 minutes ago
Description :The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. Prior to 1.3834.0, the CoworkVMService component in Claude Desktop for Windows ran as SYSTEM and did not validate whether the VM bundle directory was a real directory or an NTFS directory junction before creating files within it. A local non-elevated user could replace the user-writable VM bundle directory with a directory junction pointing to an attacker-chosen location, causing the service to create a SYSTEM-owned file in an arbitrary directory. This could be leveraged for local privilege escalation. This vulnerability is fixed in 1.3834.0.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44467 - Claude Desktop: SSH Host Key Verification Bypass Allows Man-in-the-Middle Attack on Remote Sessions
Published: Wed, 13 May 2026 16:16:58 +0000
CVE ID :CVE-2026-44467
Published : May 13, 2026, 4:16 p.m. | 50 minutes ago
Description :The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side. From 1.2581.0 to before 1.4304.0, Claude Desktop's SSH remote development feature verified only whether a hostname existed in ~/.ssh/known_hosts without comparing the server's presented host key against the stored key. This allowed a network-positioned attacker to present an arbitrary SSH host key and have the connection silently accepted, enabling a man-in-the-middle attack on remote development sessions. Successful exploitation required the attacker to be in a network position to intercept SSH traffic (e.g., via ARP spoofing, rogue Wi-Fi, or DNS poisoning) and the target hostname to already have an entry in the victim's known_hosts file. This vulnerability is fixed in 1.4304.0.
Severity: 7.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44459 - Hono: Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
Published: Wed, 13 May 2026 16:16:57 +0000
CVE ID :CVE-2026-44459
Published : May 13, 2026, 4:16 p.m. | 50 minutes ago
Description :Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, improper validation of the JWT NumericDate claims exp, nbf, and iat in hono/utils/jwt allows tokens with non-spec-compliant claim values to silently bypass time-based checks. This issue is not exploitable by an anonymous attacker; it only manifests when a malformed claim value reaches verify() — typically when the application itself issues such tokens, or when the signing key is otherwise under attacker control. This vulnerability is fixed in 4.12.18.
Severity: 3.8 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44458 - Hono: CSS Declaration Injection via Style Object Values in JSX SSR
Published: Wed, 13 May 2026 16:16:57 +0000
CVE ID :CVE-2026-44458
Published : May 13, 2026, 4:16 p.m. | 50 minutes ago
Description :Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout. This vulnerability is fixed in 4.12.18.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44457 - Hono: Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
Published: Wed, 13 May 2026 16:16:57 +0000
CVE ID :CVE-2026-44457
Published : May 13, 2026, 4:16 p.m. | 50 minutes ago
Description :Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, Cache Middleware does not skip caching for responses that declare per-user variance via Vary: Authorization or Vary: Cookie. As a result, a response cached for one authenticated user may be served to subsequent requests from different users. This vulnerability is fixed in 4.12.18.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44456 - Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
Published: Wed, 13 May 2026 16:16:57 +0000
CVE ID :CVE-2026-44456
Published : May 13, 2026, 4:16 p.m. | 50 minutes ago
Description :Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, bodyLimit() does not reliably enforce maxSize for requests without a usable Content-Length (e.g. Transfer-Encoding: chunked). Oversized requests can reach handlers and return 200 instead of 413. This vulnerability is fixed in 4.12.16.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44455 - Hono: Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection
Published: Wed, 13 May 2026 16:16:57 +0000
CVE ID :CVE-2026-44455
Published : May 13, 2026, 4:16 p.m. | 50 minutes ago
Description :Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the programmatic jsx() or createElement() APIs during server-side rendering, specially crafted values may break out of the intended element context and inject unintended HTML. This vulnerability is fixed in 4.12.16.
Severity: 4.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44432 - urllib3: Decompression-bomb safeguards bypassed in parts of the streaming API
Published: Wed, 13 May 2026 16:16:57 +0000
CVE ID :CVE-2026-44432
Published : May 13, 2026, 4:16 p.m. | 50 minutes ago
Description :urllib3 is an HTTP client library for Python. From 2.6.0 to before 2.7.0, urllib3 could decompress the whole response instead of the requested portion (1) during the second HTTPResponse.read(amt=N) call when the response was decompressed using the official Brotli library or (2) when HTTPResponse.drain_conn() was called after the response had been read and decompressed partially (compression algorithm did not matter here). These issues could cause urllib3 to fully decode a small amount of highly compressed data in a single operation. This could result in excessive resource consumption (high CPU usage and massive memory allocation for the decompressed data) on the client side. This vulnerability is fixed in 2.7.0.
Severity: 8.9 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44431 - urllib3: Sensitive headers forwarded across origins in proxied low-level redirects
Published: Wed, 13 May 2026 16:16:57 +0000
CVE ID :CVE-2026-44431
Published : May 13, 2026, 4:16 p.m. | 50 minutes ago
Description :urllib3 is an HTTP client library for Python. From 1.23 to before 2.7.0, cross-origin redirects followed from the low-level API via ProxyManager.connection_from_url().urlopen(..., assert_same_host=False) still forward these sensitive headers. This vulnerability is fixed in 2.7.0.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44295 - protobufjs-cli: Code injection in pbjs static output from crafted schema names
Published: Wed, 13 May 2026 16:16:56 +0000
CVE ID :CVE-2026-44295
Published : May 13, 2026, 4:16 p.m. | 50 minutes ago
Description :protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When generating static JavaScript from a crafted schema or JSON descriptor, certain namespace, enum, service, or derived full names could be written into the generated output without sufficient sanitization. This vulnerability is fixed in 1.2.1 and 2.0.2.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44294 - protobufjs: Denial of service from crafted field names in generated code
Published: Wed, 13 May 2026 16:16:56 +0000
CVE ID :CVE-2026-44294
Published : May 13, 2026, 4:16 p.m. | 50 minutes ago
Description :protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript property accessors from schema-controlled field and oneof names. Certain control characters in field names were not escaped before being embedded into generated function bodies. A crafted schema or JSON descriptor could therefore cause generated encode, decode, verify, or conversion functions to fail during compilation. This vulnerability is fixed in 7.5.6 and 8.0.2.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44293 - protobufjs: Code injection through bytes field defaults in generated toObject code
Published: Wed, 13 May 2026 16:16:56 +0000
CVE ID :CVE-2026-44293
Published : May 13, 2026, 4:16 p.m. | 50 minutes ago
Description :protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated JavaScript for toObject conversion could include an unsafe expression derived from a schema-controlled bytes field default value. A crafted descriptor with a non-string default value for a bytes field could cause attacker-controlled code to be emitted into the generated conversion function. This vulnerability is fixed in 7.5.6 and 8.0.2.
Severity: 7.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44292 - protobufjs: Prototype injection in generated message constructors
Published: Wed, 13 May 2026 16:16:56 +0000
CVE ID :CVE-2026-44292
Published : May 13, 2026, 4:16 p.m. | 50 minutes ago
Description :protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs generated message constructors copied enumerable properties from a provided properties object without filtering the __proto__ key. If an application constructed a message from an attacker-controlled plain object, an own enumerable __proto__ property could alter the prototype of that individual message instance. This vulnerability is fixed in 7.5.6 and 8.0.2.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44291 - protobufjs: Code generation gadget after prototype pollution
Published: Wed, 13 May 2026 16:16:55 +0000
CVE ID :CVE-2026-44291
Published : May 13, 2026, 4:16 p.m. | 50 minutes ago
Description :protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs used plain objects with inherited prototypes for internal type lookup tables used by generated encode and decode functions. If Object.prototype had already been polluted, those lookup tables could resolve attacker-controlled inherited properties as valid protobuf type information. This could cause attacker-controlled strings to be emitted into generated JavaScript code. This vulnerability is fixed in 7.5.6 and 8.0.2.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44290 - protobufjs: Process-wide denial of service through unsafe option paths
Published: Wed, 13 May 2026 16:16:55 +0000
CVE ID :CVE-2026-44290
Published : May 13, 2026, 4:16 p.m. | 50 minutes ago
Description :protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs allowed certain schema option paths to traverse through inherited object properties while applying options. A crafted protobuf schema or JSON descriptor could cause option handling to write to properties on global JavaScript constructors, corrupting process-wide built-in functionality. This vulnerability is fixed in 7.5.6 and 8.0.2.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
