Security Vulnerabilities
Other issue in the WebRTC component. This vulnerability was fixed in Firefox ESR 140.10.2 and Thunderbird 140.10.2.
CVSS Score
9.8
EPSS Score
0.0
Published
2026-05-07
Use-after-free in the DOM: Networking component. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2, Thunderbird 150.0.2, and Thunderbird 140.10.2.
CVSS Score
7.3
EPSS Score
0.0
Published
2026-05-07
GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.4.0, an unauthenticated remote BGP peer can trigger a fatal panic in GoBGP by sending a specially crafted BGP UPDATE message. When the server receives a message with inconsistent attribute lengths, it improperly handles the internal state transition to a "withdraw" action, leading to a nil pointer dereference in the AdjRib.Update function. This causes the entire GoBGP process to crash, resulting in a complete loss of service availability. This issue has been patched in version 4.5.0.
CVSS Score
7.5
EPSS Score
0.002
Published
2026-05-07
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in misp allows Stored XSS.
This issue affects MISP before 2.5.37.
A stored cross-site scripting vulnerability exists in the template element attribute handling logic. The application accepted arbitrary values for the TemplateElementAttribute type and category fields without validating them against the known MISP attribute type and category definitions. An attacker with permission to create or modify template element attributes could store a crafted type value.
This affects the old templating (not more accessible in 2.5.37) engine from MISP which will be removed in 2.5.38
CVSS Score
6.8
EPSS Score
0.0
Published
2026-05-07
GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. In version 4.3.0, a remote Denial of Service (DoS) vulnerability exists in GoBGP due to a nil pointer dereference. When a malformed BGP UPDATE message contains an unrecognized Path Attribute marked as "Well-known," the daemon fails to interrupt the message handling flow. This results in an illegal memory access and a full process crash (panic). This issue has been patched in version 4.4.0.
CVSS Score
7.5
EPSS Score
0.001
Published
2026-05-07
GoBGP is an open source Border Gateway Protocol (BGP) implementation in the Go Programming Language. Prior to version 4.3.0, a remote Denial of Service (DoS) vulnerability exists in GoBGP where a malformed BGP UPDATE message can trigger a runtime error: index out of range panic. This occurs during the processing of 4-byte AS attributes when the message structure causes an internal slice index shift that is not properly handled. This issue has been patched in version 4.3.0.
CVSS Score
7.5
EPSS Score
0.001
Published
2026-05-07
monetr is a budgeting application for recurring expenses. Prior to version 1.12.5, a server-side request forgery (SSRF) vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs supplied by the caller, with the response body from non-200 upstream responses reflected back in the API error message. This issue has been patched in version 1.12.5.
CVSS Score
8.3
EPSS Score
0.0
Published
2026-05-07
A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.
CVSS Score
7.1
EPSS Score
0.001
Published
2026-05-07
Lack of user input validation in the file upload functionality of Open Notebook v1.8.3 allows the application user to create or modify files on the docker container via path traversal.
CVSS Score
7.0
EPSS Score
0.001
Published
2026-05-07
Lack of user input validation in the file upload functionality of Open Notebook v1.8.3 allows the application user to access local files content from the docker container via path traversal.
CVSS Score
8.2
EPSS Score
0.001
Published
2026-05-07