kpatsakis/CVE-2026-36834 Out-of-bounds array read in LibRaw Create: 2026-06-27 06:52:08 +0000 UTC Push: 2026-06-27 06:52:08 +0000 UTC |

gh1mau/masta-cve-2026-48907 cve-2026-48907 scanner Create: 2026-06-27 04:48:09 +0000 UTC Push: 2026-06-27 04:48:10 +0000 UTC |

MobiusM/CVE-2026-43499 CVE-2026-43499 PoC Create: 2026-06-27 04:09:11 +0000 UTC Push: 2026-06-27 05:04:04 +0000 UTC |

HORKimhab/CVE-2026-46331 CVE-2026-46331 - Draft Create: 2026-06-27 03:54:14 +0000 UTC Push: 2026-06-27 03:54:14 +0000 UTC |

0xBlackash/CVE-2026-8932 CVE-2026-8932 Create: 2026-06-26 22:21:07 +0000 UTC Push: 2026-06-26 22:21:08 +0000 UTC |

reactivezero/CVE-2026-20251 CVE-2026-20251 — Splunk Secure Gateway jsonpickle deserialization RCE (CVSS 8.8) | ReactiveZero Security Research Create: 2026-06-26 21:12:30 +0000 UTC Push: 2026-06-26 21:12:34 +0000 UTC |

sec0x/CVE-2026-43503 Create: 2026-06-26 21:01:39 +0000 UTC Push: 2026-06-26 21:01:57 +0000 UTC |

00lucasm/CVE-2025-58434-Flowiseai-Auth-Bypass-PoC Flowiseai Flowise Auth Bypass Vulnerability Proof of Concept Create: 2026-06-26 20:41:15 +0000 UTC Push: 2026-06-26 21:17:52 +0000 UTC |

0xBlackash/CVE-2026-46331 CVE-2026-46331 Create: 2026-06-26 18:57:23 +0000 UTC Push: 2026-06-26 18:57:24 +0000 UTC |

fevar54/CVE-2026-20253-Splunk-Enterprise-Pre-Auth-RCE- Create: 2026-06-26 18:13:31 +0000 UTC Push: 2026-06-26 18:13:32 +0000 UTC |

xxconi/CVE-2026-12415-or-CVE-2026-12416.py CVE-2026-12415-or-CVE-2026-12416.py Create: 2026-06-26 18:12:20 +0000 UTC Push: 2026-06-26 18:12:42 +0000 UTC |

Polosss/By-Poloss..-..CVE-2026-39938 Cacti <= 1.2.30 Create: 2026-06-26 17:27:57 +0000 UTC Push: 2026-06-26 17:27:58 +0000 UTC |

n0bitaemon/CVE-2026-26980-PoC Ghost CMS Content API Blind SQL Injection Create: 2026-06-26 16:50:28 +0000 UTC Push: 2026-06-26 16:50:28 +0000 UTC |

hacbs-release-tests/collectors-no-cve-6d20b03c Create: 2026-06-26 14:24:42 +0000 UTC Push: 2026-06-26 14:25:22 +0000 UTC |

0xmrma/CVE-2026-46558 Plane’s V2 asset subsystem trusted workspace slugs and asset UUIDs without enforcing the right membership checks, which let one authenticated user read, copy, delete, and overwrite assets in other workspaces. Create: 2026-06-26 12:57:38 +0000 UTC Push: 2026-06-26 12:57:38 +0000 UTC |

0xmrma/CVE-2026-45806 Penpot's remote image import let an authenticated file editor turn a normal media convenience feature into backend-origin SSRF because attacker-controlled URLs crossed into a redirect-following server fetch path without destination filtering. Create: 2026-06-26 12:50:43 +0000 UTC Push: 2026-06-26 12:50:43 +0000 UTC |

0xmrma/CVE-2026-42089 A local package installation helper trusted caller-supplied package names too much. In yeoman-environment, missing generators could be installed without user confirmation, turning attacker-controlled project metadata into a package-install and code-execution path. Create: 2026-06-26 12:47:30 +0000 UTC Push: 2026-06-26 12:47:30 +0000 UTC |

0xmrma/CVE-2026-34207 The SSRF filter checked hostname text, but the actual destination was decided later by DNS. That gap let attacker-controlled Webhook URLs reach loopback, metadata, and private network targets. Create: 2026-06-26 12:45:41 +0000 UTC Push: 2026-06-26 12:45:42 +0000 UTC |

0xmrma/CVE-2026-34213 A low-privileged Docmost user could supply a victim attachmentId to the generic upload endpoint and overwrite another page's stored attachment inside the same workspace. Create: 2026-06-26 12:43:11 +0000 UTC Push: 2026-06-26 12:43:12 +0000 UTC |

0xmrma/CVE-2026-34212 Docmost accepted a javascript: URL inside an attachment node, preserved it through storage and rendering, and turned it back into a clickable anchor in the Docmost origin. Create: 2026-06-26 12:41:41 +0000 UTC Push: 2026-06-26 12:41:42 +0000 UTC |