Recent
Dalfox: Unauthenticated Arbitrary File Read with Out-of-Band Exfiltration via `custom-payload-file` in Dalfox Server Mode
Published 2026-05-27 by GitHub_M
Dalfox: Unauthenticated Remote Code Execution via `found-action` in Dalfox Server Mode
Published 2026-05-27 by GitHub_M
Dalfox: Unauthenticated Arbitrary File Create/Append via `output` Option in Dalfox Server Mode
Published 2026-05-27 by GitHub_M
Dalfox: Unauthenticated Remote DoS via Closed-Channel Write in `ParameterAnalysis` (server mode)
Published 2026-05-27 by GitHub_M
Cinny: Access token disclosure via invalidated emoji pack avatar URL in service worker
Published 2026-05-27 by GitHub_M
Arbitrary Command Injection via Browser Developer Console in TP-Link Archer BE450 and BE7200
Published 2026-05-27 by TPLink
BentoML: Dockerfile command injection via docker.base_image
Published 2026-05-27 by GitHub_M
BentoML: Dockerfile command injection via envs[*].name in bentofile.yaml
Published 2026-05-27 by GitHub_M
Frappe HR: Permission Bypass in HRMS Leave Details API
Published 2026-05-27 by GitHub_M
elFinder: SQL Injection MySQL Volume Driver (elFinderVolumeMySQL)
Published 2026-05-27 by GitHub_M