Vulnerability Summary for the Week of April 6, 2026

High Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info
nyariv–SandboxJS SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = …), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process. This vulnerability is fixed in 0.8.36. 2026-04-06 10 CVE-2026-34208 https://github.com/nyariv/SandboxJS/security/advisories/GHSA-2gg9-6p7w-6cpj
 
Davidtavarez–CF Image Hosting Script CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download and decode the application database by accessing the imgdb.db file in the upload/data directory. Attackers can extract delete IDs stored in plaintext from the deserialized database and use them to delete all pictures via the d parameter. 2026-04-12 9.8 CVE-2019-25709 ExploitDB-46094
Official Product Homepage
Product Reference
VulnCheck Advisory: CF Image Hosting Script 1.6.5 Unauthorized Database Access
 
Beijing Topsec Network Security Technology Co., Ltd.–Tianxin Internet Behavior Management System Tianxin Internet Behavior Management System contains a command injection vulnerability in the Reporter component endpoint that allows unauthenticated attackers to execute arbitrary commands by supplying a crafted objClass parameter containing shell metacharacters and output redirection. Attackers can exploit this vulnerability to write malicious PHP files into the web root and achieve remote code execution with the privileges of the web server process. This vulnerability has been fixed in version NACFirmware_4.0.0.7_20210716.180815_topsec_0_basic.bin. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-01 (UTC). 2026-04-07 9.8 CVE-2021-4473 https://www.cnvd.org.cn/flaw/show/CNVD-2021-41972
https://www.cnvd.org.cn/patchInfo/show/280166
https://cn-sec.com/archives/4631959.html
https://avd.aliyun.com/detail?id=AVD-2021-890232
https://www.vulncheck.com/advisories/tianxin-internet-behavior-management-system-command-injection-via-toquery-php
 
Contemporary Controls–BASControl20 An attacker could use data obtained by sniffing the network traffic to forge packets in order to make arbitrary requests to Contemporary Controls BASC 20T. 2026-04-09 9.8 CVE-2025-13926 https://www.ccontrols.com/support/contacttech.htm
https://www.cisa.gov/news-events/ics-advisories/icsa-26-099-01
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-099-01.json
 
SaturdayDrive–Ninja Forms – File Uploads The Ninja Forms – File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘NF_FU_AJAX_Controllers_Uploads::handle_upload’ function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible. Note: The vulnerability was partially patched in version 3.3.25 and fully patched in version 3.3.27. 2026-04-07 9.8 CVE-2026-0740 https://www.wordfence.com/threat-intel/vulnerabilities/id/0b606ded-ab50-486a-9337-97ee9f452f12?source=cve
https://ninjaforms.com/extensions/file-uploads/
 
IBM–Verify Identity Access Container IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to escalate their privileges to root due to execution with more privileges than required. 2026-04-08 9.3 CVE-2026-1346 https://www.ibm.com/support/pages/node/7268253
 
davidfcarr–Quick Playground The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server. 2026-04-09 9.8 CVE-2026-1830 https://www.wordfence.com/threat-intel/vulnerabilities/id/308cd28a-a477-4bc6-a392-ad5a9eca1cb5?source=cve
https://plugins.trac.wordpress.org/browser/quick-playground/trunk/api.php#L39
https://plugins.trac.wordpress.org/browser/quick-playground/trunk/expro-api.php#L419
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3500839%40quick-playground&new=3500839%40quick-playground&sfp_email=&sfph_mail=
 
LibRaw–LibRaw A heap-based buffer overflow vulnerability exists in the x3f_thumb_loader functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. 2026-04-07 9.8 CVE-2026-20889 https://talosintelligence.com/vulnerability_reports/TALOS-2026-2358
 
LibRaw–LibRaw A heap-based buffer overflow vulnerability exists in the HuffTable::initval functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. 2026-04-07 9.8 CVE-2026-20911 https://talosintelligence.com/vulnerability_reports/TALOS-2026-2330
 
LibRaw–LibRaw A heap-based buffer overflow vulnerability exists in the lossless_jpeg_load_raw functionality of LibRaw Commit 0b56545 and Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. 2026-04-07 9.8 CVE-2026-21413 https://talosintelligence.com/vulnerability_reports/TALOS-2026-2331
 
Weaver Network Co., Ltd.–E-cology Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-03-31 (UTC). 2026-04-07 9.8 CVE-2026-22679 https://www.weaver.com.cn/cs/securityDownload.html#
https://h4cker.zip/post/d5d211/
https://ti.qianxin.com/vulnerability/notice-detail/1760
https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-rce-via-dubboapi-debug-endpoint
 
prosolution–ProSolution WP Client The ProSolution WP Client plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘proSol_fileUploadProcess’ function in all versions up to, and including, 1.9.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible. 2026-04-08 9.8 CVE-2026-2942 https://www.wordfence.com/threat-intel/vulnerabilities/id/3852aef6-42e7-4b71-a1ba-dd41284fd07b?source=cve
https://plugins.trac.wordpress.org/browser/prosolution-wp-client/trunk/public/class-prosolwpclient-public.php?rev=3331282#L993
https://plugins.trac.wordpress.org/changeset/3484577/prosolution-wp-client
 
Rukovoditel–Rukovoditel CRM A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response without proper sanitization, output encoding, or content-type restrictions. The vulnerable code is: if (isset($_GET['zd_echo'])) exit($_GET['zd_echo']); An unauthenticated attacker can exploit this issue by crafting a malicious URL containing JavaScript payloads. When a victim visits the link, the payload executes in the context of the application within the victim's browser, potentially leading to session hijacking, credential theft, phishing, or account takeover. The issue is fixed in version 3.7, which introduces proper input validation and output encoding to prevent script injection. 2026-04-11 9.3 CVE-2026-31845 https://forum.rukovoditel.net/viewtopic.php?p=22499#p22499
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter – which only passes through Security::remove_XSS() (an HTML-only filter) – is concatenated directly into shell commands such as exec("mv $source $target"). By default, Chamilo allows all authenticated users to create courses (allow_users_to_create_courses = true). Any user who is a teacher in a course (including self-created courses) can move documents, making this vulnerability exploitable by any authenticated user. The attacker must first place a directory with shell metacharacters in its name on the filesystem (achievable via Course Backup Import), then move a document into that directory to trigger arbitrary command execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 9.1 CVE-2026-32892 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-59cv-qh65-vvrr
https://github.com/chamilo/chamilo-lms/commit/3597b19b73d73d681e4fb503285e9bbfe71714bf
https://github.com/chamilo/chamilo-lms/commit/62671e5e268f235cddfba704edee90f35c234df1
 
wpeverest–Everest Forms Contact Form, Payment Form, Quiz, Survey & Custom Form Builder The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP’s native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe unserialize() call processes the stored data without class restrictions. 2026-04-08 9.8 CVE-2026-3296 https://www.wordfence.com/threat-intel/vulnerabilities/id/2693ae37-790d-4b18-a9ec-054c8c27b8bc?source=cve
https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/admin/views/html-admin-page-entries-view.php#L133
https://plugins.trac.wordpress.org/browser/everest-forms/trunk/includes/admin/views/html-admin-page-entries-view.php#L133
https://plugins.trac.wordpress.org/browser/everest-forms/tags/3.4.3/includes/evf-core-functions.php#L5594
https://plugins.trac.wordpress.org/changeset/3489938/everest-forms/tags/3.4.4/readme.txt?old=3464753&old_path=everest-forms%2Ftags%2F3.4.3%2Freadme.txt
https://plugins.trac.wordpress.org/changeset?old_path=/everest-forms/tags/3.4.3&new_path=/everest-forms/tags/3.4.4
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a user’s email can compute the reset token and change the victim’s password without authentication. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 9.4 CVE-2026-33707 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-f27g-66gq-g7v2
https://github.com/chamilo/chamilo-lms/commit/078d7e5b77679fa7ccfcd6783bd5cc683db0bda8
https://github.com/chamilo/chamilo-lms/commit/750a45312a0d5c3ad60dbfbd0d959ca40be4a18c
 
Juniper Networks–JSI LWC A Use of Default Password vulnerability in the Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows an unauthenticated, network-based attacker to take full control of the device. vLWC software images ship with an initial password for a high privileged account. A change of this password is not enforced during the provisioning of the software, which can make full access to the system by unauthorized actors possible. This issue affects all versions of vLWC before 3.0.94. 2026-04-09 9.8 CVE-2026-33784 https://kb.juniper.net/JSA107871
 
Canonical–lxd Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attacker with can_edit permission on a VM instance in a restricted project can inject an AppArmor rule and a QEMU chardev configuration that bridges the LXD Unix socket into the guest VM, enabling privilege escalation to LXD cluster administrator and subsequently to host root. 2026-04-09 9.1 CVE-2026-34177 VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf
lxd: Prevent use of raw.apparmor and raw.qemu.conf when low level options are blocked
 
Canonical–lxd In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticated remote attacker with instance-creation permission in a restricted project can craft a backup archive where backup.yaml carries restricted settings such as security.privileged=true or raw.lxc directives, bypassing all project restriction enforcement and allowing full host compromise. 2026-04-09 9.1 CVE-2026-34178 Importing a crafted backup leads to project restriction bypass
Import: Create backup config from index
 
Canonical–lxd In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privileges to cluster admin. 2026-04-09 9.1 CVE-2026-34179 Update of type field in restricted TLS certificate allows privilege escalation to cluster admin
Improve validation on certificate edit
 
Nextendweb–Smart Slider 3 Pro for WordPress Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system that allows unauthenticated attackers to execute arbitrary code and commands. Attackers can trigger pre-authentication remote shell execution via HTTP headers, establish authenticated backdoors accepting arbitrary PHP code or OS commands, create hidden administrator accounts, exfiltrate credentials and access keys, and maintain persistence through multiple injection points including must-use plugins and core file modifications. 2026-04-09 9.8 CVE-2026-34424 https://smartslider.helpscoutdocs.com/article/2144-wordpress-security-advisory-smart-slider-3-pro-3-5-1-35-compromise
https://smartslider.helpscoutdocs.com/article/2143-joomla-security-advisory-smart-slider-3-pro-3-5-1-35-compromise
https://patchstack.com/database/wordpress/plugin/nextend-smart-slider3-pro/vulnerability/wordpress-smart-slider-3-plugin-3-5-1-35-backdoor-vulnerability
https://patchstack.com/articles/critical-supply-chain-compromise-in-smart-slider-3-pro-full-malware-analysis/
https://mysites.guru/blog/smart-slider-3-pro-supply-chain-compromise/
 
usebruno–bruno Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted. Upgrade to 3.2.1. 2026-04-06 9.8 CVE-2026-34841 https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g
https://github.com/axios/axios/issues/10604
https://github.com/usebruno/bruno/pull/7632
https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat
 
R-Project–RGui RGui 3.5.0 contains a local buffer overflow vulnerability in the GUI preferences dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can craft malicious input in the Language for menus and messages field to trigger a stack-based buffer overflow, execute a ROP chain for VirtualAlloc allocation, and achieve arbitrary code execution. 2026-04-12 8.4 CVE-2018-25258 ExploitDB-46107
Official Product Homepage
Product Reference
VulnCheck Advisory: RGui 3.5.0 Local Buffer Overflow SEH DEP Bypass
 
Html5Videoplayer–HTML5 Video Player HTML5 Video Player 1.2.5 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying an oversized key code string. Attackers can craft a malicious payload exceeding 997 bytes and paste it into the KEY CODE field in the Help Register dialog to trigger code execution and spawn a calculator process. 2026-04-12 8.4 CVE-2019-25689 ExploitDB-46279
Official Product Homepage
VulnCheck Advisory: HTML5 Video Player 1.2.5 Local Buffer Overflow Non-SEH
 
Faleemi–Faleemi Desktop Software Faleemi Desktop Software 1.8 contains a local buffer overflow vulnerability in the System Setup dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can inject a crafted payload into the Save Path for Snapshot and Record file field to trigger a buffer overflow and execute arbitrary code via ROP chain gadgets. 2026-04-12 8.4 CVE-2019-25691 ExploitDB-46269
Official Product Homepage
VulnCheck Advisory: Faleemi Desktop Software 1.8 Local Buffer Overflow SEH DEP Bypass
 
r-project–R R 3.4.4 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by injecting malicious input into the GUI Preferences language field. Attackers can craft a payload with a 292-byte offset and JMP ESP instruction to execute commands like calc.exe when the payload is pasted into the Language for menus and messages field. 2026-04-12 8.4 CVE-2019-25695 ExploitDB-46265
Official Product Homepage
VulnCheck Advisory: R 3.4.4 Local Buffer Overflow Windows XP SP3
 
VictorAlagwu–CMSsite CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Attackers can send GET requests to category.php with malicious cat_id values to extract sensitive database information including usernames and credentials. 2026-04-12 8.2 CVE-2019-25697 ExploitDB-46259
Product Reference
VulnCheck Advisory: CMSsite 1.0 SQL Injection via category.php
 
Divxtodvd–Easy Video to iPod Converter Easy Video to iPod Converter 1.6.20 contains a local buffer overflow vulnerability in the user registration field that allows local attackers to overwrite the structured exception handler. Attackers can input a crafted payload exceeding 996 bytes in the username field to trigger SEH overwrite and execute arbitrary code with user privileges. 2026-04-12 8.4 CVE-2019-25701 ExploitDB-46255
Official Product Homepage
Product Reference
VulnCheck Advisory: Easy Video to iPod Converter 1.6.20 Local Buffer Overflow SEH
 
Sourceforge–Echo Mirage Echo Mirage 3.1 contains a stack buffer overflow vulnerability that allows local attackers to crash the application or execute arbitrary code by supplying an oversized string in the Rules action field. Attackers can create a malicious text file with a crafted payload exceeding buffer boundaries and paste it into the action field through the Rules dialog to trigger the overflow and overwrite the return address. 2026-04-12 8.4 CVE-2019-25705 ExploitDB-46216
Official Product Homepage
Product Reference
VulnCheck Advisory: Echo Mirage 3.1 Stack Buffer Overflow via Rules Action Field
 
Dolibarr–Dolibarr ERP-CRM Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques. 2026-04-12 8.2 CVE-2019-25710 ExploitDB-46095
Official Product Homepage
Product Reference
VulnCheck Advisory: Dolibarr ERP-CRM 8.0.4 SQL Injection via rowid Parameter
 
Synology–Synology SSL VPN Client A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access or influence the user’s PIN code due to insecure storage. This may lead to unauthorized VPN configuration and potential interception of subsequent VPN traffic when combined with user interaction. 2026-04-10 8.1 CVE-2021-47961 Synology-SA-26:05 Synology SSL VPN Client
 
Adivaha–WordPress adivaha Travel Plugin WordPress adivaha Travel Plugin 2.3 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the ‘pid’ GET parameter. Attackers can send requests to the /mobile-app/v3/ endpoint with crafted ‘pid’ values using XOR-based payloads to extract sensitive database information or cause denial of service. 2026-04-09 8.2 CVE-2023-54359 ExploitDB-51655
Official Product Homepage
Product Reference
VulnCheck Advisory: WordPress adivaha Travel Plugin 2.3 SQL Injection via pid
 
Juniper Networks–Apstra A Key Exchange without Entity Authentication vulnerability in the SSH implementation of Juniper Networks Apstra allows an unauthenticated, MITM attacker to impersonate managed devices. Due to insufficient SSH host key validation an attacker can perform a machine-in-the-middle attack on the SSH connections from Apstra to managed devices, enabling an attacker to impersonate a managed device and capture user credentials. This issue affects all versions of Apstra before 6.1.1. 2026-04-09 8.7 CVE-2025-13914 https://kb.juniper.net/JSA107862
 
Qualcomm, Inc.–Snapdragon Memory corruption when decoding corrupted satellite data files with invalid signature offsets. 2026-04-06 8.8 CVE-2025-47392 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
CactusThemes–VideoPro Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro allows PHP Local File Inclusion. This issue affects VideoPro: from n/a through 2.3.8.1. 2026-04-10 8.1 CVE-2025-58913 https://patchstack.com/database/wordpress/theme/videopro/vulnerability/wordpress-videopro-theme-2-3-8-1-local-file-inclusion-vulnerability?_s_id=cve
 
Hitachi–JP1/IT Desktop Management 2 – Manager Remote Code Execution Vulnerability in JP1/IT Desktop Management 2 – Manager on Windows, JP1/IT Desktop Management 2 – Operations Director on Windows, Job Management Partner 1/IT Desktop Management 2 – Manager on Windows, JP1/IT Desktop Management – Manager on Windows, Job Management Partner 1/IT Desktop Management – Manager on Windows, JP1/NETM/DM Manager on Windows, JP1/NETM/DM Client on Windows, Job Management Partner 1/Software Distribution Manager on Windows, Job Management Partner 1/Software Distribution Client on Windows. This issue affects JP1/IT Desktop Management 2 – Manager: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; JP1/IT Desktop Management 2 – Operations Director: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; Job Management Partner 1/IT Desktop Management 2 – Manager: from 10-50 through 10-50-11; JP1/IT Desktop Management – Manager: from 09-50 through 10-10-16; Job Management Partner 1/IT Desktop Management – Manager: from 09-50 through 10-10-16; JP1/NETM/DM Manager: from 09-00 through 10-20-02; JP1/NETM/DM Client: from 09-00 through 10-20-02; Job Management Partner 1/Software Distribution Manager: from 09-00 through 09-51-13; Job Management Partner 1/Software Distribution Client: from 09-00 through 09-51-13. 2026-04-07 8.8 CVE-2025-65115 https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-118/index.html
 
IBM–Verify Identity Access Container IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to execute malicious scripts from outside of its control sphere. 2026-04-07 8.5 CVE-2026-1342 https://www.ibm.com/support/pages/node/7268253
 
LibRaw–LibRaw An integer overflow vulnerability exists in the deflate_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability. 2026-04-07 8.1 CVE-2026-20884 https://talosintelligence.com/vulnerability_reports/TALOS-2026-2364
 
Windmill Labs–Windmill CE (Community Edition) Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities, the API does not enforce the Operator restriction on workspace endpoints, allowing an Operator to create and update scripts, flows, apps, and raw_apps. Since Operators can also execute scripts via the jobs API, this allows direct privilege escalation to remote code execution within the Windmill deployment. This vulnerability has existed since the introduction of the Operator role in version 1.56.0. 2026-04-07 8.8 CVE-2026-22683 https://chocapikk.com/posts/2026/windfall-nextcloud-flow-windmill-rce/
https://github.com/Chocapikk/Windfall
https://github.com/windmill-labs/windmill/releases/tag/v1.615.0
https://github.com/windmill-labs/windmill/commit/c621a74804f4f6e8318819c01e3a23a17698588b
https://www.windmill.dev/
https://apps.nextcloud.com/apps/flow/releases
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file deletion. User input from $_REQUEST['test'] is concatenated directly into a filesystem path without canonicalization or traversal checks. This vulnerability is fixed in 1.11.38. 2026-04-10 8.3 CVE-2026-31939 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-8q8c-v75x-q2hx
https://github.com/chamilo/chamilo-lms/commit/4dddcc19d36119da27b7c49eb84a035800abae78
https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38
 
danbilabs–Advanced Members for ACF The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the create_crop function in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability was partially patched in version 1.2.5. 2026-04-08 8.8 CVE-2026-3243 https://www.wordfence.com/threat-intel/vulnerabilities/id/22b63369-c6ea-42e9-bea3-d15837da7732?source=cve
https://plugins.trac.wordpress.org/browser/advanced-members/tags/1.2.4/core/modules/class-avatar.php#L57
https://plugins.trac.wordpress.org/browser/advanced-members/tags/1.2.4/core/modules/class-avatar.php#L266
https://plugins.trac.wordpress.org/browser/advanced-members/trunk/core/modules/class-avatar.php#L710
https://plugins.trac.wordpress.org/changeset/3479725/
https://plugins.trac.wordpress.org/changeset/3492372/
 
Elastic–Logstash Improper Limitation of a Pathname to a Restricted Directory (CWE-22) in Logstash can lead to arbitrary file write and potentially remote code execution via Relative Path Traversal (CAPEC-139). The archive extraction utilities used by Logstash do not properly validate file paths within compressed archives. An attacker who can serve a specially crafted archive to Logstash through a compromised or attacker-controlled update endpoint can write arbitrary files to the host filesystem with the privileges of the Logstash process. In certain configurations where automatic pipeline reloading is enabled, this can be escalated to remote code execution. 2026-04-08 8.1 CVE-2026-33466 https://discuss.elastic.co/t/logstash-8-19-14-9-2-8-9-3-3-security-update-esa-2026-29/385816
 
homarr-labs–homarr Homarr is an open-source dashboard. Prior to 1.57.0, a DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in Homarr’s /auth/login page. The application improperly trusts a URL parameter (callbackUrl), which is passed to redirect and router.push. An attacker can craft a malicious link that, when opened by an authenticated user, performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. This vulnerability is fixed in 1.57.0. 2026-04-06 8.8 CVE-2026-33510 https://github.com/homarr-labs/homarr/security/advisories/GHSA-79pg-554g-rw82
 
IBM–Langflow Desktop IBM Langflow Desktop 1.6.0 through 1.8.2 could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component. 2026-04-08 8.8 CVE-2026-3357 https://www.ibm.com/support/pages/node/7268428
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unauthenticated) requests /platform-config/list. This vulnerability is fixed in 2.0.0-RC.3. 2026-04-10 8.8 CVE-2026-33618 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hp4w-jmwc-pg7w
https://github.com/chamilo/chamilo-lms/commit/f2c382c94a3f153a4d7e5ce5686c5a219fd09b3b
 
lexiforest–curl_cffi curl_cffi is a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi's TLS impersonation feature can make these requests appear as legitimate browser traffic, which may bypass certain network controls. This vulnerability is fixed in 0.15.0. 2026-04-06 8.6 CVE-2026-33752 https://github.com/lexiforest/curl_cffi/security/advisories/GHSA-qw2m-4pqf-rmpp
 
Juniper Networks–Junos OS A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS on MX Series allows a local, authenticated user with low privileges to execute specific commands which will lead to a complete compromise of managed devices. Any user logged in, without requiring specific privileges, can issue ‘request csds’ CLI operational commands. These commands are only meant to be executed by high privileged or users designated for Juniper Device Manager (JDM) / Connected Security Distributed Services (CSDS) operations as they will impact all aspects of the devices managed via the respective MX. This issue affects Junos OS on MX Series: * 24.4 releases before 24.4R2-S3, * 25.2 releases before 25.2R2. This issue does not affect Junos OS releases before 24.4. 2026-04-09 8.8 CVE-2026-33785 https://kb.juniper.net/JSA107872
 
podman-desktop–podman-desktop Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any network attacker to remotely trigger denial-of-service conditions and extract sensitive information. By abusing missing connection limits and timeouts, an attacker can exhaust file descriptors and kernel memory, leading to application crash or full host freeze. Additionally, verbose error responses disclose internal paths and system details (including usernames on Windows), aiding further exploitation. The issue requires no authentication or user interaction and is exploitable over the network. This vulnerability is fixed in 1.26.2. 2026-04-07 8.2 CVE-2026-34045 https://github.com/podman-desktop/podman-desktop/security/advisories/GHSA-2q88-39rh-gxvv
 
OpenClaw–OpenClaw OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:sessionKey/kill route that allows any bearer-authenticated user to invoke admin-level session termination functions without proper scope validation. Attackers can exploit this by sending authenticated requests to kill arbitrary subagent sessions via the killSubagentRunAdmin function, bypassing ownership and operator scope restrictions. 2026-04-09 8.1 CVE-2026-34512 GitHub Security Advisory (GHSA-9p93-7j67-5pc2)
Patch Commit
VulnCheck Advisory: OpenClaw < 2026.3.25 – Improper Access Control in /sessions/:sessionKey/kill Endpoint
 
opnsense–core OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense’s LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be used to bypass that group membership restriction and authenticate as any LDAP user whose password is known, regardless of group membership. This vulnerability is fixed in 26.1.6. 2026-04-09 8.2 CVE-2026-34578 https://github.com/opnsense/core/security/advisories/GHSA-jpm7-f59c-mp54
https://github.com/opnsense/core/commit/016f66cb4620cd48183fa97843f343bb71813c6e
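The OPNsense entry turns on one missing call: the username goes into an LDAP search filter without ldap_escape(). The block below is an added example, not OPNsense code, written in Python so the page's examples share one language. It implements the RFC 4515 filter escaping that PHP's ldap_escape() performs in filter mode, and a small filter parser and evaluator over a constructed in-memory directory, so the enumeration oracle is visible: with an unescaped username a wildcard such as a* matches real accounts, while the escaped form matches nothing. The filter shape (user lookup AND-ed with a group restriction) and the directory entries are assumptions for illustration; the page does not show the exact filter OPNsense builds, so the group-bypass variant is not reproduced here.

```python
import re

# Constructed sample directory standing in for the LDAP server; entries are hypothetical.
DIRECTORY = [
    {"uid": "alice", "memberOf": ["cn=vpn-users,ou=groups,dc=example,dc=org"]},
    {"uid": "bob",   "memberOf": ["cn=staff,ou=groups,dc=example,dc=org"]},
    {"uid": "admin", "memberOf": ["cn=admins,ou=groups,dc=example,dc=org"]},
]


def ldap_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter, as PHP's
    ldap_escape($v, '', LDAP_ESCAPE_FILTER) does: each metacharacter becomes \\XX."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_filter(username, escape):
    """Assumed filter shape: user lookup AND-ed with a group restriction."""
    return "(&(uid=%s)(memberOf=cn=vpn-users,ou=groups,dc=example,dc=org))" % (
        ldap_escape(username) if escape else username)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _match_value(pattern, actual):
    """Evaluate one assertion value; only an unescaped '*' acts as a wildcard."""
    regex = "^" + ".*".join(re.escape(_unescape(p)) for p in pattern.split("*")) + "$"
    return re.match(regex, actual) is not None


def parse(text, pos=0):
    """Parse a subset of RFC 4515 (&, |, !, attr=value) into nested tuples.
    Returns (node, position after the closing paren)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    if text[pos] in "&|!":
        op, pos, kids = text[pos], pos + 1, []
        while text[pos] == "(":
            node, pos = parse(text, pos)
            kids.append(node)
        if text[pos] != ")":
            raise ValueError("unbalanced filter at %d" % pos)
        return (op, kids), pos + 1
    end = text.index(")", pos)
    attr, _, val = text[pos:end].partition("=")
    return ("=", attr, val), end + 1


def evaluate(node, entry):
    op = node[0]
    if op == "&":
        return all(evaluate(k, entry) for k in node[1])
    if op == "|":
        return any(evaluate(k, entry) for k in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    _, attr, val = node
    actual = entry.get(attr, [])
    actual = actual if isinstance(actual, list) else [actual]
    return any(_match_value(val, a) for a in actual)


def search(filter_text, directory=DIRECTORY):
    """Parse the whole filter (trailing data is an error, as a real server would
    report) and return the uids of matching entries."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return [e["uid"] for e in directory if evaluate(node, e)]
```

Whether the login form then reports "user not found" or "wrong password" is the oracle: a non-empty result for a*, ali*, and so on lets an unauthenticated client walk the directory one prefix at a time, which is exactly what escaping removes.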
 
Adobe–Acrobat Reader Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. 2026-04-11 8.6 CVE-2026-34621 https://helpx.adobe.com/security/products/acrobat/apsb26-43.html
 
MontFerret–ferret Ferret is a declarative system for working with web data. Prior to 2.0.0-alpha.4, a path traversal vulnerability in Ferret’s IO::FS::WRITE standard library function allows a malicious website to write arbitrary files to the filesystem of the machine running Ferret. When an operator scrapes a website that returns filenames containing ../ sequences, and uses those filenames to construct output paths (a standard scraping pattern), the attacker controls both the destination path and the file content. This can lead to remote code execution via cron jobs, SSH authorized_keys, shell profiles, or web shells. This vulnerability is fixed in 2.0.0-alpha.4. 2026-04-06 8.1 CVE-2026-34783 https://github.com/MontFerret/ferret/security/advisories/GHSA-j6v5-g24h-vg4j
https://github.com/MontFerret/ferret/commit/160ebad6bd50f153453e120f6d909f5b83322917
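The Ferret entry is the scraping version of a very old bug: a filename taken from the remote site is joined onto the output directory. The block below is an added example, not Ferret code (Ferret is written in Go; Python is used so the page's examples share one language). It shows the vulnerable join beside a hardened one that decodes, rejects absolute paths and any ".." component, and then proves the symlink-resolved result still sits under the output root. The output directory and filenames are constructed for illustration.

```python
import os
from urllib.parse import unquote


def naive_output_path(out_dir, scraped_name):
    """The vulnerable pattern: join the scraped filename straight onto the output
    directory. normpath() collapses the '..' components, so the result can land
    anywhere the process can write (cron.d, authorized_keys, a web root)."""
    return os.path.normpath(os.path.join(out_dir, scraped_name))


def safe_output_path(out_dir, scraped_name):
    """Accept only a relative path made of ordinary components, then confirm the
    final, symlink-resolved location is still under out_dir."""
    rel = unquote(scraped_name).replace("\\", "/")       # "..%2F" arrives encoded too
    if rel[:1] == "/" or (len(rel) > 1 and rel[1] == ":"):
        raise ValueError("absolute path rejected: %r" % scraped_name)
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if not parts:
        raise ValueError("empty filename: %r" % scraped_name)
    for p in parts:
        if p == ".." or "\0" in p:
            raise ValueError("rejected component %r in %r" % (p, scraped_name))
    root = os.path.realpath(out_dir)
    candidate = os.path.realpath(os.path.join(root, *parts))
    # Belt and braces: even if a symlink inside out_dir points elsewhere, refuse it.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes %s: %r" % (root, scraped_name))
    return candidate
```

The realpath comparison is what catches the case the component filter cannot: a subdirectory of the output tree that is itself a symlink to somewhere sensitive.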
 
David Lingren–Media Library Assistant Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in David Lingren Media Library Assistant allows SQL Injection. This issue affects Media Library Assistant: from n/a through 3.34. 2026-04-06 8.5 CVE-2026-34885 https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-34-sql-injection-vulnerability?_s_id=cve
 
adianti–Adianti Framework Adianti Framework 5.5.0 and 5.6.0 contains an SQL injection vulnerability that allows authenticated users to manipulate database queries by injecting SQL code through the name field in SystemProfileForm. Attackers can submit crafted SQL statements in the profile edit endpoint to modify user credentials and gain administrative access. 2026-04-12 7.1 CVE-2018-25257 ExploitDB-46217
VulnCheck Advisory: Adianti Framework 5.5.0 and 5.6.0 SQL Injection via Profile
 
Resourcespace–ResourceSpace ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to extract sensitive database information including schema names, user credentials, and other confidential data. 2026-04-12 7.1 CVE-2019-25693 ExploitDB-46274
Official Product Homepage
Product Reference
VulnCheck Advisory: ResourceSpace 8.6 SQL Injection via collection_edit.php
 
Newsbull–Newsbull Haber Script Newsbull Haber Script 1.0.0 contains multiple SQL injection vulnerabilities in the search parameter that allow authenticated attackers to extract database information through time-based, blind, and boolean-based injection techniques. Attackers can inject malicious SQL code through the search parameter in endpoints like /admin/comment/records, /admin/category/records, /admin/news/records, and /admin/menu/childs to manipulate database queries and retrieve sensitive data. 2026-04-12 7.1 CVE-2019-25699 ExploitDB-46266
Official Product Homepage
Product Reference
VulnCheck Advisory: Newsbull Haber Script 1.0.0 Authenticated SQL Injection via search parameter
 
Impresscms–ImpressCMS ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the ‘bid’ parameter. Attackers can send POST requests to the admin.php endpoint with malicious ‘bid’ values containing SQL commands to extract sensitive database information. 2026-04-12 7.1 CVE-2019-25703 ExploitDB-46239
Official Product Homepage
Product Reference
VulnCheck Advisory: ImpressCMS 1.3.11 SQL Injection via bid Parameter
 
Across–DR-810 Across DR-810 contains an unauthenticated file disclosure vulnerability that allows remote attackers to download the rom-0 backup file containing sensitive information by sending a simple GET request. Attackers can access the rom-0 endpoint without authentication to retrieve and decompress the backup file, exposing router passwords and other sensitive configuration data. 2026-04-12 7.5 CVE-2019-25706 ExploitDB-46132
Official Product Homepage
VulnCheck Advisory: Across DR-810 ROM-0 Unauthenticated File Disclosure
 
Ebrigade–eBrigade ERP eBrigade ERP 4.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ‘id’ parameter. Attackers can send GET requests to pdf.php with crafted SQL payloads in the ‘id’ parameter to extract sensitive database information including table names and schema details. 2026-04-12 7.1 CVE-2019-25707 ExploitDB-46117
Official Product Homepage
Product Reference
VulnCheck Advisory: eBrigade ERP 4.5 SQL Injection via pdf.php
 
MyT–Project Management MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Attackers can submit crafted POST requests to the /charge/admin endpoint with error-based, time-based blind, or stacked query payloads to extract sensitive database information or manipulate data. 2026-04-12 7.1 CVE-2019-25713 ExploitDB-46084
Official Product Homepage
Product Reference
VulnCheck Advisory: MyT-PM 1.5.1 SQL Injection via Charge[group_total] Parameter
 
Twitch–Twitch Studio Twitch Studio version 0.114.8 and prior contain a privilege escalation vulnerability in its privileged helper tool that allows local attackers to execute arbitrary code as root by exploiting an unprotected XPC service. Attackers can invoke the installFromPath:toPath:withReply: method to overwrite system files and privileged binaries, achieving full system compromise. Twitch Studio was discontinued in May 2024. 2026-04-06 7.8 CVE-2024-14032 https://www.iru.com/blog/twitch-privileged-helper
https://help.twitch.tv/s/topic/0TO3a000000kZfYGAU/twitch-studio
https://help.twitch.tv/s/article/recommended-software-for-broadcasting
https://www.vulncheck.com/advisories/twitch-studio-launcherhelper-xpc-missing-authorization-to-root-file-write
 
WAGO–CC100 (0751-9x01) An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are permitted, OpenVPN may allow the execution of arbitrary shell commands, enabling the attacker to run arbitrary commands on the device. 2026-04-09 7.2 CVE-2024-1490 https://certvde.com/de/advisories/VDE-2024-008
https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2024-008.json
 
GitLab–GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service by sending repeated GraphQL queries. 2026-04-08 7.5 CVE-2025-12664 HackerOne Bug Bounty Report #3377091
https://gitlab.com/gitlab-org/gitlab/-/work_items/579376
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
 
Red Hat–Red Hat Enterprise Linux 10 A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH (Secure Shell) connections, and manipulation of trusted host information, posing a significant risk to the confidentiality, integrity, and availability of SSH communications via an insecure default configuration on Windows systems where the library automatically loads configuration files from the C:\etc directory, which can be created and modified by unprivileged local users. 2026-04-07 7.8 CVE-2025-14821 https://access.redhat.com/security/cve/CVE-2025-14821
RHBZ#2423148
https://www.libssh.org/2026/02/10/libssh-0-12-0-and-0-11-4-security-releases/
 
Qualcomm, Inc.–Snapdragon Memory corruption when buffer copy operation fails due to integer overflow during attestation report generation. 2026-04-06 7.8 CVE-2025-47389 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.–Snapdragon Memory corruption while preprocessing IOCTL request in JPEG driver. 2026-04-06 7.8 CVE-2025-47390 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.–Snapdragon Memory corruption while processing a frame request from user. 2026-04-06 7.8 CVE-2025-47391 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.–Snapdragon Cryptographic issue while copying data to a destination buffer without validating its size. 2026-04-06 7.1 CVE-2025-47400 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Case Themes–Case Theme User Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Case Themes Case Theme User allows PHP Local File Inclusion. This issue affects Case Theme User: from n/a before 1.0.4. 2026-04-10 7.5 CVE-2025-5804 https://patchstack.com/database/wordpress/plugin/case-theme-user/vulnerability/wordpress-case-theme-user-1-0-4-local-file-inclusion-vulnerability?_s_id=cve
 
Zootemplate–Cerato Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Zootemplate Cerato allows Reflected XSS. This issue affects Cerato: from n/a through 2.2.18. 2026-04-10 7.1 CVE-2025-58920 https://patchstack.com/database/wordpress/theme/cerato/vulnerability/wordpress-cerato-theme-2-2-18-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
 
GitLab–GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.10 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an unauthenticated user to cause denial of service due to improper input validation of JSON payloads. 2026-04-08 7.5 CVE-2026-1092 HackerOne Bug Bounty Report #3487030
https://gitlab.com/gitlab-org/gitlab/-/work_items/586479
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
 
IBM–Verify Identity Access Container IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 allows an attacker to contact internal authentication endpoints which are protected by the Reverse Proxy. 2026-04-08 7.2 CVE-2026-1343 https://www.ibm.com/support/pages/node/7268253
 
Red Hat–Red Hat Enterprise Linux 10 A flaw was found in gnutls. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted ClientHello message with an invalid Pre-Shared Key (PSK) binder value during the TLS handshake. This can lead to a NULL pointer dereference, causing the server to crash and resulting in a remote Denial of Service (DoS) condition. 2026-04-09 7.5 CVE-2026-1584 https://access.redhat.com/security/cve/CVE-2026-1584
RHBZ#2435258
 
Qualcomm, Inc.–Snapdragon Transient DOS when processing nonstandard FILS Discovery Frames with out-of-range action sizes during initial scans. 2026-04-06 7.6 CVE-2026-21367 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.–Snapdragon Memory Corruption when retrieving output buffer with insufficient size validation. 2026-04-06 7.8 CVE-2026-21371 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.–Snapdragon Memory Corruption when sending IOCTL requests with invalid buffer sizes during memcpy operations. 2026-04-06 7.8 CVE-2026-21372 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.–Snapdragon Memory Corruption when accessing an output buffer without validating its size during IOCTL processing. 2026-04-06 7.8 CVE-2026-21373 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.–Snapdragon Memory Corruption when processing auxiliary sensor input/output control commands with insufficient buffer size validation. 2026-04-06 7.8 CVE-2026-21374 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.–Snapdragon Memory Corruption when accessing an output buffer without validating its size during IOCTL processing. 2026-04-06 7.8 CVE-2026-21375 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.–Snapdragon Memory Corruption when accessing an output buffer without validating its size during IOCTL processing in a camera sensor driver. 2026-04-06 7.8 CVE-2026-21376 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.–Snapdragon Memory Corruption when accessing an output buffer without validating its size during IOCTL processing in a camera sensor driver. 2026-04-06 7.8 CVE-2026-21378 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.–Snapdragon Memory Corruption when using deprecated DMABUF IOCTL calls to manage video memory. 2026-04-06 7.8 CVE-2026-21380 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.–Snapdragon Transient DOS when receiving a service data frame with excessive length during device matching over a neighborhood awareness network protocol connection. 2026-04-06 7.6 CVE-2026-21381 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Qualcomm, Inc.–Snapdragon Memory Corruption when handling power management requests with improperly sized input/output buffers. 2026-04-06 7.8 CVE-2026-21382 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Juniper Networks–Junos OS A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their privileges to root, which will lead to a complete compromise of the system. If, after one user has performed a specific ‘file link …’ CLI operation, another user commits (unrelated) configuration changes, the first user can log in as root. This issue affects Junos OS: * all versions before 23.2R2-S7, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S3, * 24.4 versions before 24.4R2-S2, * 25.2 versions before 25.2R2. This issue does not affect versions 25.4R1 or later. 2026-04-09 7.3 CVE-2026-21916 https://kb.juniper.net/JSA107807
 
Dolibarr–Dolibarr ERP/CRM Dolibarr ERP/CRM versions prior to 23.0.2 contain an authenticated remote code execution vulnerability in the dol_eval_standard() function that fails to apply forbidden string checks in whitelist mode and does not detect PHP dynamic callable syntax. Attackers with administrator privileges can inject malicious payloads through computed extrafields or other evaluation paths using PHP dynamic callable syntax to bypass validation and achieve arbitrary command execution via eval(). 2026-04-07 7.2 CVE-2026-22666 https://jivasecurity.com/writeups/dolibarr-remote-code-execution-cve-2026-22666
https://github.com/Dolibarr/dolibarr/security/advisories/GHSA-vmvw-qq8w-wqhg
https://github.com/Dolibarr/dolibarr/commit/6f425521b3e6f9f27eca05228e02093dbaa40dea
https://github.com/Dolibarr/dolibarr/releases/tag/23.0.2
https://www.vulncheck.com/advisories/dolibarr-erp-crm-authenticated-rce-via-dol-eval-standard
 
HKUDS–OpenHarness OpenHarness prior to commit 166fcfe contains an improper access control vulnerability in built-in file tools due to inconsistent parameter handling in permission enforcement, allowing attackers who can influence agent tool execution to read arbitrary local files outside the intended repository scope. Attackers can exploit the path parameter not being passed to the PermissionChecker in read_file, write_file, edit_file, and notebook_edit tools to bypass deny rules and access sensitive files such as configuration files, credentials, and SSH material, or create and overwrite files in restricted host paths in full_auto mode. 2026-04-07 7.1 CVE-2026-22682 https://github.com/HKUDS/OpenHarness/pull/32
https://github.com/HKUDS/OpenHarness/commit/166fcfefb7614dbac51bd061f56542725b0298e9
https://www.vulncheck.com/advisories/openharness-improper-access-control-via-file-tools
 
VMware–Spring Cloud Gateway When configuring SSL bundles in Spring Cloud Gateway by using the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead. Note: The 4.2.x branch is no longer under open source support. If you are using Spring Cloud Gateway 4.2.0 and are not an enterprise customer, you can upgrade to any Spring Cloud Gateway 4.2.x release newer than 4.2.0 available on Maven Central https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-gateway/ . Ideally, if you are not an enterprise customer, you should upgrade to 5.0.2 or 5.1.1, which are the current supported open source releases. 2026-04-10 7.5 CVE-2026-22750 https://spring.io/security/cve-2026-22750
 
Dell–Elastic Cloud Storage Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale, versions prior to 4.1.0.3 and version 4.2.0.0, contain an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to secret exposure. The attacker may be able to use the exposed secret to access the vulnerable system with privileges of the compromised account. 2026-04-08 7.8 CVE-2026-28261 https://www.dell.com/support/kbdoc/en-us/000449325/dsa-2026-143-security-update-for-dell-objectscale-prior-to-4-1-0-3-and-4-2-0-0-insertion-of-sensitive-information-into-log-file-vulnerability
 
CouchCMS–CouchCMS CouchCMS contains a privilege escalation vulnerability that allows authenticated Admin-level users to create SuperAdmin accounts by tampering with the f_k_levels_list parameter in user creation requests. Attackers can modify the parameter value from 4 to 10 in the HTTP request body to bypass authorization validation and gain full application control, circumventing restrictions on SuperAdmin account creation and privilege assignment. 2026-04-10 7.2 CVE-2026-29002 https://gist.github.com/thepiyushkumarshukla/477e2d2bbbe8cc3ec0d640c50f0cf9e1
https://www.couchcms.com/
https://www.vulncheck.com/advisories/couchcms-privilege-escalation-via-f-k-levels-list-parameter
 
glpi-project–glpi GLPI is a free asset and IT management software package. From 10.0.0 to before 10.0.24 and 11.0.6, an authenticated user can perform a SQL injection via the logs export feature. This vulnerability is fixed in 10.0.24 and 11.0.6. 2026-04-06 7.2 CVE-2026-29047 https://github.com/glpi-project/glpi/security/advisories/GHSA-3m49-qf92-vccr
 
open-telemetry–opentelemetry-go OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0. 2026-04-07 7.5 CVE-2026-29181 https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475
 
Tinyproxy Project–Tinyproxy Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against “chunked”, even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unauthenticated remote attacker can cause Tinyproxy to misinterpret the request as having no body. In this state, Tinyproxy sets content_length.client to -1, skips pull_client_data_chunked(), forwards request headers upstream, and transitions into relay_connection() raw TCP forwarding while unread body data remains buffered. This leads to inconsistent request state between Tinyproxy and backend servers. RFC-compliant backends (e.g., Node.js, Nginx) will continue waiting for chunked body data, causing connections to hang indefinitely. This behavior enables application-level denial of service through backend worker exhaustion. Additionally, in deployments where Tinyproxy is used for request-body inspection, filtering, or security enforcement, the unread body may be forwarded without proper inspection, resulting in potential security control bypass. 2026-04-07 7.5 CVE-2026-31842 Upstream issue report and reproduction details
Tinyproxy upstream project
RFC 7230: transfer-coding names are case-insensitive
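The Tinyproxy entry is unusually precise about the mechanism, so it is worth seeing the two header checks side by side. The block below is an added example, not Tinyproxy code (Tinyproxy is C; Python is used so the page's examples share one language). It parses a constructed request carrying Transfer-Encoding: Chunked, shows that an exact string compare leaves the whole chunked body unread while an RFC 7230 compare (case-insensitive, last coding in a comma-separated list) consumes it, and includes a chunk decoder that raises when the terminating zero-length chunk never arrives, which is the state an RFC-compliant backend sits in when the proxy has swallowed the body. The request bytes are constructed for the example.

```python
# Constructed sample request: the capitalised coding name from the report, plus a body.
SAMPLE = (b"POST /upload HTTP/1.1\r\nHost: backend\r\nTransfer-Encoding: Chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\n\r\n")


def has_chunked_body_buggy(headers):
    """The check the report describes: an exact, case-sensitive string compare."""
    return headers.get("Transfer-Encoding") == "chunked"


def has_chunked_body(headers):
    """RFC 7230 section 3.3.1: transfer-coding names are case-insensitive, the field
    is a comma-separated list, and 'chunked' must be the final coding."""
    value = headers.get("Transfer-Encoding")
    if value is None:
        return False
    codings = [c.strip().lower() for c in value.split(",") if c.strip()]
    return bool(codings) and codings[-1] == "chunked"


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request_line, headers, body_bytes).
    Header names are canonicalised; header values are left untouched."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().title()] = val.strip()
    return lines[0], headers, body


def classify(raw, chunked_check):
    """Return ('chunked', body) when the parser will read a chunked body,
    ('content-length', body) for a fixed-length body, or ('no-body', leftover)
    when it treats the request as bodiless and leaves the bytes unread: the
    desynchronisation condition. Transfer-Encoding wins over Content-Length
    (RFC 7230 section 3.3.3)."""
    _, headers, body = parse_request(raw)
    if chunked_check(headers):
        return "chunked", body
    if "Content-Length" in headers:
        return "content-length", body[: int(headers["Content-Length"])]
    return "no-body", body


def decode_chunked(body):
    """Decode a complete chunked body; raise if the zero-length terminator is missing,
    which is what a backend waits for indefinitely when the proxy never forwards it."""
    out, pos = bytearray(), 0
    while True:
        line_end = body.find(b"\r\n", pos)
        if line_end < 0:
            raise ValueError("incomplete chunked body: no terminating chunk")
        size = int(body[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2
```

The same classify() run against captured traffic from a proxy under test is a quick desync smoke test: any request where the proxy and the backend disagree on the "no-body" verdict is a candidate for request smuggling or the worker-exhaustion hang described above.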
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 7.5 CVE-2026-31940 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4gp7-cfjh-77gv
https://github.com/chamilo/chamilo-lms/commit/ce0192c62e48c9d9474d915c541b3274844afbf9
https://github.com/chamilo/chamilo-lms/commit/e337b7cc74a0276a0b4f91f9282204d20cac1869
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the Social Wall feature. The endpoint read_url_with_open_graph accepts a URL from the user via the social_wall_new_msg_main POST parameter and performs two server-side HTTP requests to that URL without validating whether the target is an internal or external resource. This allows an authenticated attacker to force the server to make arbitrary HTTP requests to internal services, scan internal ports, and access cloud instance metadata. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 7.7 CVE-2026-31941 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-q74c-mx8x-489h
https://github.com/chamilo/chamilo-lms/commit/e3790c5f0ff3b4dc547c2099fadf5c438c1bb265
https://github.com/chamilo/chamilo-lms/commit/ea6b7b7e90580c9b01dc4bcafe4ad737061e0ead
 
chartbrew–chartbrew Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req, “updateAny”, “chart”) without awaiting the returned promise, and it does not verify that the supplied project_id belongs to req.params.team_id or to the caller’s team. As a result, an authenticated attacker with valid template-generation permissions in their own team can request the template model for a project belonging to another team and receive victim project data. This vulnerability is fixed in 4.9.0. 2026-04-10 7.7 CVE-2026-32252 https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mw4f-cf22-qpcj
https://github.com/chartbrew/chartbrew/commit/bf5919043d3587fcbe76123aaabd9a0a9d1033f1
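The Chartbrew entry names two independent defects: an authorization check whose returned promise is never awaited, and no comparison between the project's team and the team in the route. The block below is an added example, not Chartbrew code; it reproduces the same pattern with Python's asyncio rather than Node, since the page's examples share one language (an un-awaited coroutine object, like an un-awaited Promise, is always truthy, so "if not allowed" never fires). The tenancy tables, user names and the check_access stub are constructed for illustration.

```python
import asyncio

# Constructed sample tenancy data; team, project and user names are hypothetical.
PROJECT_TEAM = {"proj-1": "team-A", "proj-2": "team-B"}
USER_TEAM = {"mallory": "team-A"}


async def check_access(user, action, resource):
    """Stand-in for an async permission lookup: users known to USER_TEAM hold the
    template-generation permission in their own team, nobody else holds anything."""
    await asyncio.sleep(0)
    return user in USER_TEAM


async def handler_missing_await(user, team_id, project_id):
    """The pattern from the advisory. The coroutine is created but never awaited,
    so the 'if' tests a coroutine object (always truthy), and the project's team is
    never compared with team_id or with the caller's team."""
    allowed = check_access(user, "updateAny", "chart")   # BUG: missing await
    if not allowed:
        return 403
    allowed.close()   # only here to avoid a 'never awaited' warning in the demo
    return {"project": project_id, "team": PROJECT_TEAM[project_id]}


async def handler_fixed(user, team_id, project_id):
    """Await the check, then bind the project to the route's team and the caller."""
    if not await check_access(user, "updateAny", "chart"):
        return 403
    if PROJECT_TEAM.get(project_id) != team_id or USER_TEAM.get(user) != team_id:
        return 403
    return {"project": project_id, "team": team_id}


def run(coro):
    """Drive a handler to completion synchronously (for tests and the demo)."""
    return asyncio.run(coro)
```

Linters catch the first defect mechanically (flake8-bugbear's un-awaited-coroutine rule, or no-floating-promises in typescript-eslint for the Node original); the second only falls out of a test that requests another tenant's object with an otherwise valid account, which is the test worth adding to any multi-tenant route.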
 
Red Hat–mirror registry for Red Hat OpenShift A flaw was found in Red Hat Quay’s container image upload process. An authenticated user with push access to any repository on the registry can interfere with image uploads in progress by other users, including those in repositories they do not have access to. This could allow the attacker to read, modify, or cancel another user’s in-progress image upload. 2026-04-08 7.1 CVE-2026-32589 https://access.redhat.com/security/cve/CVE-2026-32589
RHBZ#2446963
 
Red Hat–mirror registry for Red Hat OpenShift A flaw was found in Red Hat Quay’s handling of resumable container image layer uploads. The upload process stores intermediate data in the database using a format that, if tampered with, could allow an attacker to execute arbitrary code on the Quay server. 2026-04-08 7.1 CVE-2026-32590 https://access.redhat.com/security/cve/CVE-2026-32590
RHBZ#2446964
 
NI–LabVIEW There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVLIB file in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .lvlib file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions. 2026-04-07 7.8 CVE-2026-32860 https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-project-library-file-parsing-memory-corruption-vulnerability-in-ni-labview.html

NI–LabVIEW There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVCLASS file in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .lvclass file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions. 2026-04-07 7.8 CVE-2026-32861 https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/lv-class-file-parsing-memory-corruption-vulnerability-in-ni-labview.html

NI–LabVIEW There is a memory corruption vulnerability due to an out-of-bounds write in ResFileFactory::InitResourceMgr() in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions. 2026-04-07 7.8 CVE-2026-32862 https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html

NI–LabVIEW There is a memory corruption vulnerability due to an out-of-bounds read in sentry_transaction_context_set_operation() in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions. 2026-04-07 7.8 CVE-2026-32863 https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html

NI–LabVIEW There is a memory corruption vulnerability due to an out-of-bounds read in mgcore_SH_25_3!aligned_free() in NI LabVIEW. This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions. 2026-04-07 7.8 CVE-2026-32864 https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/2026/memory-corruption-vulnerabilities-in-ni-labview.html
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student’s grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 7.1 CVE-2026-32894 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98
https://github.com/chamilo/chamilo-lms/commit/3b03306d1a0301a81b9284e86893b27f518ab151
https://github.com/chamilo/chamilo-lms/commit/740f5a6e192a52a3adde3c3241c86401b1d2c519
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations belonging to any other course by manipulating the editeval GET parameter. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 7.1 CVE-2026-32930 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-9h22-wrg7-82q6
https://github.com/chamilo/chamilo-lms/commit/63e1e6d3d717bd537c7c61719416da35aaa658dd
https://github.com/chamilo/chamilo-lms/commit/f03f681df939db0429edc8414fb3ce4e4b80d79d
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its original .php extension and is placed in a web-accessible directory, enabling Remote Code Execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 7.5 CVE-2026-32931 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-863j-h6pf-3xhx
https://github.com/chamilo/chamilo-lms/commit/8cbe660de267f2b6ed625433bdfcf38dee8752b4
https://github.com/chamilo/chamilo-lms/commit/d5ef5153df3d1b2de112cbeb190cdd10bea457f3
 
aces–Loris LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, a SQL injection has been identified in some code sections for the MRI feedback popup window of the imaging browser. Attackers can use SQL injection to access/alter data on the server. This vulnerability is fixed in 27.0.3 and 28.0.1. 2026-04-08 7.5 CVE-2026-33350 https://github.com/aces/Loris/security/advisories/GHSA-9r29-6jgc-3ggh
 
Elastic–Kibana Incorrect Authorization (CWE-863) in Kibana can lead to information disclosure via Privilege Abuse (CAPEC-122). A user with limited Fleet privileges can exploit an internal API endpoint to retrieve sensitive configuration data, including private keys and authentication tokens, that should only be accessible to users with higher-level settings privileges. The endpoint composes its response by fetching full configuration objects and returning them directly, bypassing the authorization checks enforced by the dedicated settings APIs. 2026-04-08 7.7 CVE-2026-33461 https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-24/385812
 
distribution–distribution Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled realm URL. This vulnerability is fixed in 3.1.0. 2026-04-06 7.5 CVE-2026-33540 https://github.com/distribution/distribution/security/advisories/GHSA-3p65-76g6-3w7r
 
themeum–Tutor LMS eLearning and online course solution The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner’s profile (`$order_data->user_id`) without verifying the requester’s identity or ownership. Because the Tutor nonce (`_tutor_nonce`) is exposed on public frontend pages, this makes it possible for unauthenticated attackers to overwrite the billing profile (name, email, phone, address) of any user who has an incomplete manual order, by sending a crafted POST request with a guessed or enumerated `order_id`. 2026-04-10 7.5 CVE-2026-3360 https://www.wordfence.com/threat-intel/vulnerabilities/id/7f365519-dd0a-4f39-880d-7216ce2f7d1e?source=cve
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Tutor.php#L563
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L108
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L1059
https://plugins.trac.wordpress.org/browser/tutor/trunk/ecommerce/CheckoutController.php#L1059
https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/ecommerce/CheckoutController.php
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly from $_REQUEST and uses it to load and modify another user’s Learning Path progress – including score, status, completion, and time – without verifying that the requesting user matches the target user ID. Any authenticated user enrolled in a course can overwrite another user’s Learning Path progress by simply changing the uid parameter in the request. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 7.1 CVE-2026-33702 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654
https://github.com/chamilo/chamilo-lms/commit/6331d051b4468deb5830c01d1e047c5e5cf2c74f
https://github.com/chamilo/chamilo-lms/commit/bf3f6c6949b5c882b48a9914baa19910417e4551
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes the file content. While .php extensions are filtered to .phps, the .pht extension passes through unmodified. On Apache configurations where .pht is handled as PHP, this leads to Remote Code Execution. This vulnerability is fixed in 1.11.38. 2026-04-10 7.1 CVE-2026-33704 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-phfx-pwwg-945v
https://github.com/chamilo/chamilo-lms/commit/9748f1ffbdb8b6dc84c0e0591c9d3c1d92e21c00
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the update_user_from_username endpoint. A student (status=5) can change their status to Teacher/CourseManager (status=1), gaining course creation and management privileges. This vulnerability is fixed in 1.11.38. 2026-04-10 7.1 CVE-2026-33706 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3gqc-xr75-pcpw
https://github.com/chamilo/chamilo-lms/commit/0acf8a196307c66c049f97f5ff76cf21c4a08127
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always returns exactly 10000 (min == max), making the formula effectively md5(timestamp + user_id*5 - 10000). An attacker who knows a username and approximate key creation time can brute-force the API key. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 7.5 CVE-2026-33710 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rpmg-j327-mr39
https://github.com/chamilo/chamilo-lms/commit/4448701bb8ec557e94ef02d19c72cbe9c49c2d09
https://github.com/chamilo/chamilo-lms/commit/e7400dd840586ae134b286d0a2374f3d269a9a9d
 
saleor–saleor Saleor is an e-commerce platform. From 2.0.0 to before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118, Saleor supports query batching by submitting multiple GraphQL operations in a single HTTP request as a JSON array but wasn’t enforcing any upper limit on the number of operations. This allowed an unauthenticated attacker to send a single HTTP request containing many operations (bypassing the per-query complexity limit) to exhaust resources. This vulnerability is fixed in 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118. 2026-04-08 7.5 CVE-2026-33756 https://github.com/saleor/saleor/security/advisories/GHSA-24jw-f244-qfpp
https://github.com/saleor/saleor/commit/7be352fa8c35875d6e66d36493ca7c14c101bd64
https://github.com/saleor/saleor/commit/cdb66da97abb7c86939e384914cd8d9194f378e8
https://github.com/saleor/saleor/commit/d6a94e95bd77f3f733fa66afd1b1ac72e863ca2a
https://github.com/saleor/saleor/commit/e42aa4d6e588982e78942b033af051c8ec8f43fa
https://github.com/saleor/saleor/commit/f0371bdd4cafcc841f1a9e7049cead6133bf7464
 
Juniper Networks–CTP OS A Weak Password Requirements vulnerability in the password management function of Juniper Networks CTP OS might allow an unauthenticated, network-based attacker to exploit weak passwords of local accounts and potentially take full control of the device. The password management menu enables the administrator to set password complexity requirements, but these settings are not saved. The issue can be verified with the menu option “Show password requirements”. Failure to enforce the intended requirements can lead to weak passwords being used, which significantly increases the likelihood that an attacker can guess these and subsequently attain unauthorized access. This issue affects CTP OS versions 9.2R1 and 9.2R2. 2026-04-09 7.4 CVE-2026-33771 https://kb.juniper.net/JSA107864
 
Juniper Networks–Junos OS An Improper Validation of Syntactic Correctness of Input vulnerability in the IPsec library used by kmd and iked of Juniper Networks Junos OS on SRX Series and MX Series allows an unauthenticated, network-based attacker to cause a complete Denial-of-Service (DoS). If an affected device receives a specifically malformed first ISAKMP packet from the initiator, the kmd/iked process will crash and restart, which momentarily prevents new security associations (SAs) from being established. Repeated exploitation of this vulnerability causes a complete inability to establish new VPN connections. This issue affects Junos OS on SRX Series and MX Series: * all versions before 22.4R3-S9, * 23.2 versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S7, * 24.2 versions before 24.2R2-S4, * 24.4 versions before 24.4R2-S3, * 25.2 versions before 25.2R1-S2, 25.2R2. 2026-04-09 7.5 CVE-2026-33778 https://kb.juniper.net/JSA107868
 
Juniper Networks–Junos OS Evolved A Missing Authentication for Critical Function vulnerability in the Flexible PIC Concentrators (FPCs) of Juniper Networks Junos OS Evolved on PTX Series allows a local, authenticated attacker with low privileges to gain direct access to FPCs installed in the device. A local user with low privileges can gain direct access to the installed FPCs as a high privileged user, which can potentially lead to a full compromise of the affected component. This issue affects Junos OS Evolved on PTX10004, PTX10008, PTX100016, with JNP10K-LC1201 or JNP10K-LC1202: * All versions before 21.2R3-S8-EVO, * 21.4-EVO versions before 21.4R3-S7-EVO, * 22.2-EVO versions before 22.2R3-S4-EVO, * 22.3-EVO versions before 22.3R3-S3-EVO, * 22.4-EVO versions before 22.4R3-S2-EVO, * 23.2-EVO versions before 23.2R2-EVO. 2026-04-09 7.8 CVE-2026-33788 https://kb.juniper.net/JSA107806
 
Juniper Networks–Junos OS An Improper Check for Unusual or Exceptional Conditions vulnerability in the flow daemon (flowd) of Juniper Networks Junos OS on SRX Series allows an attacker sending a specific, malformed ICMPv6 packet to cause the srxpfe process to crash and restart. Continued receipt and processing of these packets will repeatedly crash the srxpfe process and sustain the Denial of Service (DoS) condition. During NAT64 translation, receipt of a specific, malformed ICMPv6 packet destined to the device will cause the srxpfe process to crash and restart. This issue cannot be triggered using IPv4 nor other IPv6 traffic. This issue affects Junos OS on SRX Series: * all versions before 21.2R3-S10, * all versions of 21.3, * from 21.4 before 21.4R3-S12, * all versions of 22.1, * from 22.2 before 22.2R3-S8, * all versions of 22.4, * from 22.4 before 22.4R3-S9, * from 23.2 before 23.2R2-S6, * from 23.4 before 23.4R2-S7, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2-S3, * from 25.2 before 25.2R1-S2, 25.2R2. 2026-04-09 7.5 CVE-2026-33790 https://kb.juniper.net/JSA107874
 
Juniper Networks–Junos OS An Execution with Unnecessary Privileges vulnerability in the User Interface (UI) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker to gain root privileges, thus compromising the system. When a configuration that allows unsigned Python op scripts is present on the device, a non-root user is able to execute malicious op scripts as a root-equivalent user, leading to privilege escalation. This issue affects Junos OS: * All versions before 22.4R3-S7, * from 23.2 before 23.2R2-S4, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R1-S2, 24.2R2, * from 24.4 before 24.4R1-S2, 24.4R2; Junos OS Evolved: * All versions before 22.4R3-S7-EVO, * from 23.2 before 23.2R2-S4-EVO, * from 23.4 before 23.4R2-S6-EVO, * from 24.2 before 24.2R2-EVO, * from 24.4 before 24.4R1-S1-EVO, 24.4R2-EVO. 2026-04-09 7.8 CVE-2026-33793 https://kb.juniper.net/JSA103142
 
Juniper Networks–Junos OS An Improper Input Validation vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker, sending a specific genuine BGP packet in an already established BGP session, to reset only that session, causing a Denial of Service (DoS). An attacker repeatedly sending the packet will sustain the Denial of Service (DoS). This issue affects Junos OS: * 25.2 versions before 25.2R2. This issue does not affect Junos OS versions before 25.2R1. This issue affects Junos OS Evolved: * 25.2-EVO versions before 25.2R2-EVO. This issue does not affect Junos OS Evolved versions before 25.2R1-EVO. eBGP and iBGP are affected. IPv4 and IPv6 are affected. 2026-04-09 7.4 CVE-2026-33797 https://kb.juniper.net/JSA107850
 
shamimmoeen–WCAPF Ajax Product Filter for WooCommerce WCAPF – WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the ‘post-author’ parameter in all versions up to, and including, 4.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-04-08 7.5 CVE-2026-3396 https://www.wordfence.com/threat-intel/vulnerabilities/id/ee0a762e-9159-4dab-a7be-9cbe332effb1?source=cve
https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L739
https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L689
https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L81
https://plugins.trac.wordpress.org/browser/wc-ajax-product-filter/trunk/includes/class-wcapf-product-filter.php#L65
https://plugins.trac.wordpress.org/changeset/3484080/
 
@fedify–fedify Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1. 2026-04-06 7.5 CVE-2026-34148 https://github.com/fedify-dev/fedify/security/advisories/GHSA-gm9m-gwc4-hwgp
https://github.com/fedify-dev/fedify/releases/tag/1.10.5
https://github.com/fedify-dev/fedify/releases/tag/1.9.6
https://github.com/fedify-dev/fedify/releases/tag/2.0.8
https://github.com/fedify-dev/fedify/releases/tag/2.1.1
 
AcademySoftwareFoundation–openexr OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a misaligned memory write vulnerability exists in LossyDctDecoder_execute() in src/lib/OpenEXRCore/internal_dwa_decoder.h:749. When decoding a DWA or DWAB-compressed EXR file containing a FLOAT-type channel, the decoder performs an in-place HALF→FLOAT conversion by casting an unaligned uint8_t * row pointer to float * and writing through it. Because the row buffer may not be 4-byte aligned, this constitutes undefined behavior under the C standard and crashes immediately on architectures that enforce alignment (ARM, RISC-V, etc.). On x86 it is silently tolerated at runtime but remains exploitable via compiler optimizations that assume aligned access. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. 2026-04-06 7.1 CVE-2026-34379 https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-w88v-vqhq-5p24
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9
 
aces–Loris LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, a bug in the static file router can allow an attacker to traverse outside of the intended directory, allowing unintended files to be downloaded through the static, css, and js endpoints. This vulnerability is fixed in 27.0.3 and 28.0.1. 2026-04-08 7.5 CVE-2026-34392 https://github.com/aces/Loris/security/advisories/GHSA-rfj5-58hv-wc5f
 
go-vikunja–vikunja Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. This vulnerability is fixed in 2.3.0. 2026-04-10 7.4 CVE-2026-34727 https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8jvc-mcx6-r4cg
 
HDFGroup–hdf5 HDF5 is software for managing data. In 1.14.1-2 and earlier, a heap-use-after-free was found in the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger a heap use-after-free. The freed object is referenced in a memmove call from H5T__conv_struct. The original object was allocated by H5D__typeinfo_init_phase3 and freed by H5D__typeinfo_term. 2026-04-09 7.8 CVE-2026-34734 https://github.com/HDFGroup/hdf5/security/advisories/GHSA-w7v2-9cmr-pwwj
 
Analytify–Under Construction, Coming Soon & Maintenance Mode Cross-Site Request Forgery (CSRF) vulnerability in Analytify Under Construction, Coming Soon & Maintenance Mode allows Cross Site Request Forgery. This issue affects Under Construction, Coming Soon & Maintenance Mode: from n/a through 2.1.1. 2026-04-07 7.5 CVE-2026-34896 https://patchstack.com/database/wordpress/plugin/under-construction-maintenance-mode/vulnerability/wordpress-under-construction-coming-soon-maintenance-mode-plugin-2-1-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Analytify–Simple Social Media Share Buttons Cross-Site Request Forgery (CSRF) vulnerability in Analytify Simple Social Media Share Buttons allows Cross Site Request Forgery. This issue affects Simple Social Media Share Buttons: from n/a through 6.2.0. 2026-04-07 7.5 CVE-2026-34904 https://patchstack.com/database/wordpress/plugin/simple-social-buttons/vulnerability/wordpress-simple-social-media-share-buttons-plugin-6-2-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve
 
Medium Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source Info Patch Info
Dynalon–MDwiki MDwiki contains a cross-site scripting vulnerability that allows remote attackers to execute arbitrary JavaScript by injecting malicious code through the location hash parameter. Attackers can craft URLs with JavaScript payloads in the hash fragment that are parsed and rendered without sanitization, causing the injected scripts to execute in the victim’s browser context. 2026-04-12 6.1 CVE-2017-20239 ExploitDB-46097
VulnCheck Advisory: MDwiki Cross-Site Scripting via Location Hash Parameter
 
NSauditor–SpotFTP Password Recover SpotFTP Password Recover 2.4.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized buffer in the Name field during registration. Attackers can generate a 256-byte payload, paste it into the Name input field, and trigger a crash when submitting the registration code. 2026-04-12 6.2 CVE-2019-25711 ExploitDB-46088
VulnCheck Advisory: SpotFTP Password Recover 2.4.2 Denial of Service via Name Field
 
NSauditor–BlueAuditor BlueAuditor 1.7.2.0 contains a buffer overflow vulnerability in the registration key field that allows local attackers to crash the application by submitting an oversized key value. Attackers can trigger a denial of service by entering a 256-byte buffer of repeated characters in the Key registration field, causing the application to crash during registration processing. 2026-04-12 6.2 CVE-2019-25712 ExploitDB-46087
VulnCheck Advisory: BlueAuditor 1.7.2.0 Buffer Overflow Denial of Service via Registration Key
 
Synology–Synology SSL VPN Client A files or directories accessible to external parties vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access files within the installation directory via a local HTTP server bound to the loopback interface. By leveraging user interaction with a crafted web page, attackers may retrieve sensitive files such as configuration files, certificates, and logs, leading to information disclosure. 2026-04-10 6.5 CVE-2021-47960 Synology-SA-26:05 Synology SSL VPN Client
 
Adivaha–WordPress adivaha Travel Plugin WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at the /mobile-app/v3/ endpoint to execute arbitrary code in victims’ browsers and steal session tokens or credentials. 2026-04-09 6.1 CVE-2023-54358 ExploitDB-51663
Official Product Homepage
Product Reference
VulnCheck Advisory: WordPress adivaha Travel Plugin 2.3 Reflected XSS via isMobile
 
Jlexart–Joomla JLex Review Joomla JLex Review 6.0.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the review_id URL parameter. Attackers can craft malicious links containing JavaScript payloads that execute in victims’ browsers when clicked, enabling session hijacking or credential theft. 2026-04-09 6.1 CVE-2023-54360 ExploitDB-51645
Official Product Homepage
Product Reference
VulnCheck Advisory: Joomla JLex Review 6.0.1 Reflected XSS via review_id Parameter
 
Thethinkery–Joomla iProperty Real Estate Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filter_keyword parameter. Attackers can craft URLs containing JavaScript payloads in the filter_keyword GET parameter of the all-properties-with-map endpoint to execute arbitrary code in victim browsers and steal session tokens or credentials. 2026-04-09 6.1 CVE-2023-54361 ExploitDB-51640
Official Product Homepage
Product Reference
VulnCheck Advisory: Joomla iProperty Real Estate 4.1.1 Reflected XSS via filter_keyword
 
Virtuemart–Cart Joomla VirtueMart Shopping-Cart 4.0.12 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft malicious URLs containing script payloads in the keyword parameter of the product-variants endpoint to execute arbitrary JavaScript in victim browsers and steal session tokens or credentials. 2026-04-09 6.1 CVE-2023-54362 ExploitDB-51631
Official Product Homepage
Product Reference
VulnCheck Advisory: Joomla VirtueMart Shopping-Cart 4.0.12 Reflected XSS via keyword
 
Solidres–Joomla Solidres Joomla Solidres 2.13.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating multiple GET parameters including show, reviews, type_id, distance, facilities, categories, prices, location, and Itemid. Attackers can craft malicious URLs containing JavaScript payloads in these parameters to steal session tokens, login credentials, or manipulate site content when victims visit the crafted links. 2026-04-09 6.1 CVE-2023-54363 ExploitDB-51638
Official Product Homepage
Product Reference
VulnCheck Advisory: Joomla Solidres 2.13.3 Reflected XSS via Multiple Parameters
 
Hikashop–Joomla HikaShop Joomla HikaShop 4.7.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating GET parameters in the product filter endpoint. Attackers can craft malicious URLs containing XSS payloads in the from_option, from_ctrl, from_task, or from_itemid parameters to steal session tokens or login credentials when victims visit the link. 2026-04-09 6.1 CVE-2023-54364 ExploitDB-51629
Official Product Homepage
Product Reference
VulnCheck Advisory: Joomla HikaShop 4.7.4 Reflected XSS via Product Filter
 
IBM–Concert IBM Concert 1.0.0 through 2.2.0 creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack. 2026-04-07 6.2 CVE-2025-13044 https://www.ibm.com/support/pages/node/7268620
 
elemntor–Elementor Website Builder more than just a page builder The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters in all versions up to, and including, 3.35.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-08 6.4 CVE-2025-14732 https://www.wordfence.com/threat-intel/vulnerabilities/id/20232d70-72b2-47b7-ac7e-ad07892864ef?source=cve
https://plugins.trac.wordpress.org/browser/elementor/trunk/modules/wp-rest/classes/elementor-post-meta.php#L67
https://plugins.trac.wordpress.org/changeset?old_path=/elementor/tags/3.35.5&new_path=/elementor/tags/3.35.6
 
Juniper Networks–Junos OS A Missing Authentication for Critical Function vulnerability in command processing of Juniper Networks Junos OS allows a privileged local attacker to gain access to line cards running Junos OS Evolved as root. This issue affects systems running Junos OS using Linux-based line cards. Affected line cards include: * MPC7, MPC8, MPC9, MPC10, MPC11 * LC2101, LC2103 * LC480, LC4800, LC9600 * MX304 (built-in FPC) * MX-SPC3 * SRX5K-SPC3 * EX9200-40XS * FPC3-PTX-U2, FPC3-PTX-U3 * FPC3-SFF-PTX * LC1101, LC1102, LC1104, LC1105 This issue affects Junos OS: * all versions before 22.4R3-S8, * from 23.2 before 23.2R2-S6, * from 23.4 before 23.4R2-S6, * from 24.2 before 24.2R2-S3, * from 24.4 before 24.4R2, * from 25.2 before 25.2R2. 2026-04-08 6.7 CVE-2025-30650 https://github.com/orangecertcc/security-research/security/advisories/GHSA-fwhc-gh5m-v8fq
https://kb.juniper.net/JSA107863
 
Qualcomm, Inc.–Snapdragon Memory Corruption when accessing freed memory due to concurrent fence deregistration and signal handling. 2026-04-06 6.5 CVE-2025-47374 https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2026-bulletin.html
 
Siklu–EtherHaul 8010 Siklu EtherHaul 8010 siklu-uimage-nxp-enc-10_6_2-18707-ea552dc00b devices have a static root password. 2026-04-08 6.4 CVE-2025-57175 https://semaja2.net/2025/04/30/siklu-eh-firmware-decryption/
 
Red Hat–Red Hat Ansible Automation Platform 2 A container privilege escalation flaw was found in certain Ansible Automation Platform images. This issue arises from the /etc/passwd file being created with group-writable permissions during the build process. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This vulnerability allows an attacker to add a new user with any arbitrary UID, including UID 0, gaining full root privileges within the container. 2026-04-08 6.4 CVE-2025-57847 https://access.redhat.com/security/cve/CVE-2025-57847
RHBZ#2391092
 
Red Hat–Multicluster Engine for Kubernetes A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. 2026-04-08 6.4 CVE-2025-57851 https://access.redhat.com/security/cve/CVE-2025-57851
RHBZ#2391104
 
Red Hat–Red Hat Web Terminal A container privilege escalation flaw was found in certain Web Terminal images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. 2026-04-08 6.4 CVE-2025-57853 https://access.redhat.com/security/cve/CVE-2025-57853
RHBZ#2391106
 
Red Hat–Red Hat OpenShift Update Service A container privilege escalation flaw was found in certain OpenShift Update Service (OSUS) images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. 2026-04-08 6.4 CVE-2025-57854 https://access.redhat.com/security/cve/CVE-2025-57854
RHBZ#2391107
 
Red Hat–Red Hat Process Automation 7 A container privilege escalation flaw was found in certain Red Hat Process Automation Manager images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. 2026-04-08 6.4 CVE-2025-58713 https://access.redhat.com/security/cve/CVE-2025-58713
RHBZ#2394419
 
Juniper Networks–Junos OS Evolved A Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability in the advanced forwarding toolkit (evo-aftmand/evo-pfemand) of Juniper Networks Junos OS Evolved on PTX Series or QFX5000 Series allows an unauthenticated, adjacent attacker to cause a Denial of Service (DoS). An attacker sending crafted multicast packets will cause line cards running evo-aftmand/evo-pfemand to crash and restart or non-line card devices to crash and restart. Continued receipt and processing of these packets will sustain the Denial of Service (DoS) condition. This issue affects Junos OS Evolved PTX Series: * All versions before 22.4R3-S8-EVO, * from 23.2 before 23.2R2-S5-EVO, * from 23.4 before 23.4R2-EVO, * from 24.2 before 24.2R2-EVO, * from 24.4 before 24.4R2-EVO. This issue affects Junos OS Evolved on QFX5000 Series: * 22.2-EVO version before 22.2R3-S7-EVO, * 22.4-EVO version before 22.4R3-S7-EVO, * 23.2-EVO versions before 23.2R2-S4-EVO, * 23.4-EVO versions before 23.4R2-S5-EVO, * 24.2-EVO versions before 24.2R2-S1-EVO, * 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO. This issue does not affect Junos OS Evolved on QFX5000 Series versions before: 21.2R2-S1-EVO, 21.2R3-EVO, 21.3R2-EVO, 21.4R1-EVO, and 22.1R1-EVO. 2026-04-09 6.5 CVE-2025-59969 https://kb.juniper.net/JSA103159
 
GitLab–GitLab GitLab has remediated an issue in GitLab EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to cause denial of service to the GitLab instance due to improper input validation in GraphQL queries. 2026-04-08 6.5 CVE-2026-1101 HackerOne Bug Bounty Report #3460228
https://gitlab.com/gitlab-org/gitlab/-/work_items/586488
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
 
usystemsgmbh–Webling The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and missing capabilities checks in the ‘webling_admin_save_form’ and ‘webling_admin_save_memberlist’ functions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject Webling forms and memberlists with arbitrary web scripts that will execute whenever an administrator views the related form or memberlist area of the WordPress admin. 2026-04-10 6.4 CVE-2026-1263 https://www.wordfence.com/threat-intel/vulnerabilities/id/bd8fbe0d-0709-4fa2-9294-393ddcd05b22?source=cve
https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/lists/Form_List.php#L122
https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/lists/Memberlist_List.php#L115
https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/actions/save_form.php#L2
https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/actions/save_memberlist.php#L2
https://plugins.trac.wordpress.org/changeset?old_path=%2Fwebling/tags/3.9.0&new_path=%2Fwebling/tags/3.9.1
 
magicplugins–Magic Conversation For Gravity Forms The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘magic-conversation’ shortcode in all versions up to, and including, 3.0.97 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-08 6.4 CVE-2026-1396 https://www.wordfence.com/threat-intel/vulnerabilities/id/bc425c4a-cb4e-4f50-b85b-8c4c7778c073?source=cve
https://plugins.trac.wordpress.org/browser/magic-conversation-for-gravity-forms/trunk/main.php#L1627
https://plugins.trac.wordpress.org/browser/magic-conversation-for-gravity-forms/tags/3.0.96/main.php#L1627
https://plugins.trac.wordpress.org/changeset/3482359/magic-conversation-for-gravity-forms/trunk/main.php
 
realmag777–BEAR Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_redraw_table_row() function. This makes it possible for unauthenticated attackers to update WooCommerce product data including prices, descriptions, and other product fields via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link. 2026-04-08 6.5 CVE-2026-1672 https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b5faa-1a29-4fa7-9146-d782adce0b1f?source=cve
https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/index.php#L782
https://plugins.trac.wordpress.org/changeset/3457263/
https://plugins.trac.wordpress.org/changeset/3465138/
 
wpeverest–User Registration & Membership Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to SQL Injection via the ‘membership_ids[]’ parameter in all versions up to, and including, 5.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. 2026-04-08 6.5 CVE-2026-1865 https://www.wordfence.com/threat-intel/vulnerabilities/id/07c79459-66b8-4c93-a1cd-6e3ede95643f?source=cve
https://plugins.trac.wordpress.org/changeset/3469042/user-registration
 
n/a–Intel(R) Pentium(R) Processor Silver Series, Intel(R) Celeron(R) Processor J Series, Intel(R) Celeron(R) Processor N Series Use of Default Cryptographic Key in the hardware for some Intel(R) Pentium(R) Processor Silver Series, Intel(R) Celeron(R) Processor J Series, Intel(R) Celeron(R) Processor N Series may allow an escalation of privilege. Hardware reverse engineer adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via physical access when attack requirements are present with special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (high), integrity (high) and availability (none) impacts. 2026-04-08 6.6 CVE-2026-20709 https://intel.com/content/www/us/en/security-center/advisory/intel-sa-00609.html
 
Juniper Networks–Junos Space An Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Juniper Networks Junos Space allows an attacker to inject script tags in the list filter field that, when visited by another user, enables the attacker to execute commands with the target’s permissions, including an administrator. This issue affects all versions of Junos Space before 24.1R5 Patch V3. 2026-04-09 6.1 CVE-2026-21904 https://kb.juniper.net/JSA106003
 
Juniper Networks–JSI LWC A Permissive List of Allowed Input vulnerability in the CLI of Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows a local, high privileged attacker to escalate their privileges to root. The CLI menu accepts input without carefully validating it, which allows for shell command injection. These shell commands are executed with root permissions and can be used to gain complete control of the system. This issue affects all JSI vLWC versions before 3.0.94. 2026-04-09 6.7 CVE-2026-21915 https://kb.juniper.net/JSA106016
 
Juniper Networks–Junos OS An Incorrect Synchronization vulnerability in the management daemon (mgd) of Juniper Networks Junos OS and Junos OS Evolved allows a network-based attacker with low privileges to cause a complete Denial-of-Service (DoS) of the management plane. When NETCONF sessions are quickly established and disconnected, a locking issue causes mgd processes to hang in an unusable state. When the maximum number of mgd processes has been reached, no new logins are possible. This leads to the inability to manage the device and requires a power-cycle to recover. This issue can be monitored by checking for mgd processes in lockf state in the output of ‘show system processes extensive’: user@host> show system processes extensive | match mgd <pid> root       20   0 501M 4640K lockf   1 0:01 0.00% mgd If the system still can be accessed (either via the CLI or as root, which might still be possible as last resort as this won’t invoke mgd), mgd processes in this state can be killed with ‘request system process terminate <PID>’ from the CLI or with ‘kill -9 <PID>’ from the shell. This issue affects: Junos OS: * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R2-S1, * 24.4 versions before 24.4R1-S3, 24.4R2; This issue does not affect Junos OS versions before 23.4R1; Junos OS Evolved: * 23.4 versions before 23.4R2-S5-EVO, * 24.2 versions before 24.2R2-S1-EVO, * 24.4 versions before 24.4R1-S3-EVO, 24.4R2-EVO. This issue does not affect Junos OS Evolved versions before 23.4R1-EVO; 2026-04-09 6.5 CVE-2026-21919 https://kb.juniper.net/JSA106019
 
addfunc–AddFunc Head & Footer Code The AddFunc Head & Footer Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `aFhfc_head_code`, `aFhfc_body_code`, and `aFhfc_footer_code` post meta values in all versions up to, and including, 2.3. This is due to the plugin outputting these meta values without any sanitization or escaping. While the plugin restricts its own metabox and save handler to administrators via `current_user_can(‘manage_options’)`, it does not use `register_meta()` with an `auth_callback` to protect these meta keys. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts via the WordPress Custom Fields interface that execute when an administrator previews or views the post. 2026-04-10 6.4 CVE-2026-2305 https://www.wordfence.com/threat-intel/vulnerabilities/id/2f2d1a67-1d9b-4b73-988e-085eaa7474c6?source=cve
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L63
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L74
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L85
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L63
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L74
https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L85
https://plugins.trac.wordpress.org/changeset?old_path=%2Faddfunc-head-footer-code/tags/2.3&new_path=%2Faddfunc-head-footer-code/tags/2.4
 
blubrry–PowerPress Podcasting plugin by Blubrry The Blubrry PowerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘powerpress’ and ‘podcast’ shortcodes in versions up to, and including, 11.15.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-08 6.4 CVE-2026-2988 https://www.wordfence.com/threat-intel/vulnerabilities/id/de25459d-9e19-4e3e-982f-0b34fa89dc30?source=cve
https://plugins.trac.wordpress.org/changeset/3473781/powerpress
 
fernandobt–List category posts The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘catlist’ shortcode in all versions up to, and including, 0.94.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-09 6.4 CVE-2026-3005 https://www.wordfence.com/threat-intel/vulnerabilities/id/1a93ff8a-364f-4ec4-9c32-208c7a3e1fc1?source=cve
https://plugins.trac.wordpress.org/browser/list-category-posts/trunk/include/lcp-thumbnail.php#L95
https://plugins.trac.wordpress.org/changeset/3482733/
 
uniquecodergmailcom–Pinterest Site Verification plugin using Meta Tag The Pinterest Site Verification plugin using Meta Tag plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘post_var’ parameter in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-08 6.4 CVE-2026-3142 https://www.wordfence.com/threat-intel/vulnerabilities/id/7ccb7534-b588-4bdd-9627-0e38c0ee5e8a?source=cve
https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L160
https://plugins.trac.wordpress.org/browser/pinterest-site-verification/trunk/PinterestMetaTagSiteVerification.php#L160
https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L172
https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L180
https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L92
https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L132
https://plugins.trac.wordpress.org/browser/pinterest-site-verification/tags/1.8/PinterestMetaTagSiteVerification.php#L214
 
wpchill–Strong Testimonials The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s testimonial_view shortcode in all versions up to, and including, 3.2.21 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-08 6.4 CVE-2026-3239 https://www.wordfence.com/threat-intel/vulnerabilities/id/88d769cd-bea8-42e4-80a8-a77c0699b50c?source=cve
https://plugins.trac.wordpress.org/changeset/3470120/strong-testimonials
 
posimyththemes–The Plus Addons for Elementor Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Progress Bar shortcode in all versions up to, and including, 6.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-08 6.4 CVE-2026-3311 https://www.wordfence.com/threat-intel/vulnerabilities/id/6367c5fc-f664-4105-a1b7-a93fb0a2392b?source=cve
https://plugins.trac.wordpress.org/changeset/3473275/the-plus-addons-for-elementor-page-builder
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the REST API stats endpoint allows any authenticated user (including low-privilege students with ROLE_USER) to read any other user’s learning progress, certificates, and gradebook scores for any course, without enrollment or supervisory relationship. This vulnerability is fixed in 2.0.0-RC.3. 2026-04-10 6.5 CVE-2026-33141 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-j2pr-2r5w-jrpj
https://github.com/chamilo/chamilo-lms/commit/792ba05953470ca971617fe2674ed14c1479fa80
 
pi-hole–web Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, a reflected DOM-based XSS vulnerability in taillog.js allows an unauthenticated attacker to inject arbitrary HTML into the Pi-hole admin interface by crafting a malicious URL. The file query parameter is interpolated into an innerHTML assignment without escaping. Because the Content-Security-Policy is missing the form-action directive, injected <form> elements can exfiltrate credentials to an external origin. This vulnerability is fixed in 6.5. 2026-04-06 6.1 CVE-2026-33403 https://github.com/pi-hole/web/security/advisories/GHSA-7xqw-r9pr-qv59
 
Elastic–Kibana Server-Side Request Forgery (CWE-918) in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data. 2026-04-08 6.8 CVE-2026-33458 https://discuss.elastic.co/t/kibana-9-3-3-security-update-esa-2026-28/385815
 
Elastic–Kibana Uncontrolled Resource Consumption (CWE-400) in Kibana can lead to denial of service via Excessive Allocation (CAPEC-130). An authenticated user with access to the automatic import feature can submit specially crafted requests with excessively large input values. When multiple such requests are sent concurrently, the backend services become unstable, resulting in service disruption and deployment unavailability for all users. 2026-04-08 6.5 CVE-2026-33459 https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-26/385814
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38. 2026-04-10 6.5 CVE-2026-33708 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-qwch-82q9-q999
https://github.com/chamilo/chamilo-lms/commit/4a119f93abbfba6fe833580f2463c8d4afa500c2
 
pi-hole–pi-hole Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability that allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue. However, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. This vulnerability is fixed in 6.4.1. 2026-04-06 6.4 CVE-2026-33727 https://github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can enumerate all platform users and access personal information (email, phone, roles) via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3. 2026-04-10 6.5 CVE-2026-33736 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-fp2p-fj6c-x3x9
https://github.com/chamilo/chamilo-lms/commit/1739371ce1c562c007c7f5d53e6d65b7a4ff4109
 
trailofbits–rfc3161-client rfc3161-client is a Python library implementing the Time-Stamp Protocol (TSP) described in RFC 3161. Prior to 1.0.6, an Authorization Bypass vulnerability in rfc3161-client’s signature verification allows any attacker to impersonate a trusted TimeStamping Authority (TSA). By exploiting a logic flaw in how the library extracts the leaf certificate from an unordered PKCS#7 bag of certificates, an attacker can append a spoofed certificate matching the target common_name and Extended Key Usage (EKU) requirements. This tricks the library into verifying these authorization rules against the forged certificate while validating the cryptographic signature against an actual trusted TSA (such as FreeTSA), thereby bypassing the intended TSA authorization pinning entirely. This vulnerability is fixed in 1.0.6. 2026-04-08 6.2 CVE-2026-33753 https://github.com/trailofbits/rfc3161-client/security/advisories/GHSA-3xxc-pwj6-jgrj
 
Juniper Networks–Junos OS An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass the configured firewall filter and access the control-plane of the device. On MX platforms with MPC10, MPC11, LC4800 or LC9600 line cards, and MX304, firewall filters applied on a loopback interface lo0.n (where n is a non-0 number) don’t get executed when lo0.n is in the global VRF / default routing-instance. An affected configuration would be: user@host# show configuration interfaces lo0 | display set set interfaces lo0 unit 1 family inet filter input <filter-name> where a firewall filter is applied to a non-0 loopback interface, but that loopback interface is not referred to in any routing-instance (RI) configuration, which implies that it’s used in the default RI. The issue can be observed with the CLI command: user@device> show firewall counter filter <filter_name> not showing any matches. This issue affects Junos OS on MX Series: * all versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S7, * 24.2 versions before 24.2R2, * 24.4 versions before 24.4R2. 2026-04-09 6.5 CVE-2026-33774 https://kb.juniper.net/JSA107865
 
Juniper Networks–Junos OS A Missing Release of Memory after Effective Lifetime vulnerability in the BroadBand Edge subscriber management daemon (bbe-smgd) of Juniper Networks Junos OS on MX Series allows an adjacent, unauthenticated attacker to cause a Denial of Service (DoS). If the authentication packet-type option is configured and a received packet does not match that packet type, the memory leak occurs. When all memory available to bbe-smgd has been consumed, no new subscribers will be able to login. The memory utilization of bbe-smgd can be monitored with the following show command: user@host> show system processes extensive | match bbe-smgd The below log message can be observed when this limit has been reached: bbesmgd[<PID>]: %DAEMON-3-SMD_DPROF_RSMON_ERROR: Resource unavailability, Reason: Daemon Heap Memory exhaustion This issue affects Junos OS on MX Series: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S5, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2, * 25.2 versions before 25.2R2. 2026-04-09 6.5 CVE-2026-33775 https://kb.juniper.net/JSA107821
 
Juniper Networks–Junos OS An Improper Following of a Certificate’s Chain of Trust vulnerability in J-Web of Juniper Networks Junos OS on SRX Series allows a PITM to intercept the communication of the device and get access to confidential information and potentially modify it. When an SRX device is provisioned to connect to Security Director (SD) cloud, it doesn’t perform sufficient verification of the received server certificate. This allows a PITM to intercept the communication between the SRX and SD cloud and access credentials and other sensitive information. This issue affects Junos OS: * all versions before 22.4R3-S9, * 23.2 versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S7, * 24.2 versions before 24.2R2-S3, * 24.4 versions before 24.4R2-S2, * 25.2 versions before 25.2R1-S2, 25.2R2. 2026-04-09 6.5 CVE-2026-33779 https://kb.juniper.net/JSA107823
 
Juniper Networks–Junos OS A Missing Release of Memory after Effective Lifetime vulnerability in the Layer 2 Address Learning Daemon (l2ald) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker to cause a memory leak ultimately leading to a Denial of Service (DoS). In an EVPN-MPLS scenario, routes learned from remote multi-homed Provider Edge (PE) devices are programmed as ESI routes. Due to a logic issue in the l2ald memory management, memory allocated for these routes is not released when there is churn for these routes. As a result, memory leaks in the l2ald process which will ultimately lead to a crash and restart of l2ald. Use the following command to monitor the memory consumption by l2ald: user@device> show system process extensive | match "PID|l2ald" This issue affects: Junos OS: * all versions before 22.4R3-S5, * 23.2 versions before 23.2R2-S3, * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R2; Junos OS Evolved: * all versions before 22.4R3-S5-EVO, * 23.2 versions before 23.2R2-S3-EVO, * 23.4 versions before 23.4R2-S4-EVO, * 24.2 versions before 24.2R2-EVO. 2026-04-09 6.5 CVE-2026-33780 https://kb.juniper.net/JSA107819
 
Juniper Networks–Junos OS An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX and QFX Series devices allows an unauthenticated, adjacent attacker to cause a complete Denial of Service (DoS). On EX4k and QFX5k platforms configured as service-provider edge devices, if L2PT is enabled on the UNI and VSTP is enabled on the NNI in VXLAN scenarios, receiving VSTP BPDUs on the UNI leads to packet buffer allocation failures, so the device no longer passes traffic until it is manually recovered with a restart. This issue affects Junos OS: * 24.4 releases before 24.4R2, * 25.2 releases before 25.2R1-S1, 25.2R2. This issue does not affect Junos OS releases before 24.4R1. 2026-04-09 6.5 CVE-2026-33781 https://kb.juniper.net/JSA107869
 
Juniper Networks–Junos OS A Missing Release of Memory after Effective Lifetime vulnerability in the DHCP daemon (jdhcpd) of Juniper Networks Junos OS on MX Series, allows an adjacent, unauthenticated attacker to cause a memory leak, that will eventually cause a complete Denial-of-Service (DoS). In a DHCPv6 over PPPoE, or DHCPv6 over VLAN with Active lease query or Bulk lease query scenario, every subscriber logout will leak a small amount of memory. When all available memory has been exhausted, jdhcpd will crash and restart which causes a complete service impact until the process has recovered. The memory usage of jdhcpd can be monitored with: user@host> show system processes extensive | match jdhcpd This issue affects Junos OS: * all versions before 22.4R3-S1, * 23.2 versions before 23.2R2, * 23.4 versions before 23.4R2. 2026-04-09 6.5 CVE-2026-33782 https://kb.juniper.net/JSA107820
 
Juniper Networks–Junos OS Evolved A Function Call With Incorrect Argument Type vulnerability in the sensor interface of Juniper Networks Junos OS Evolved on PTX Series allows a network-based, authenticated attacker with low privileges to cause a complete Denial of Service (DoS). If colored SRTE policy tunnels are provisioned via PCEP, and gRPC is used to monitor traffic in these tunnels, evo-aftmand crashes and doesn’t restart which leads to a complete and persistent service impact. The system has to be manually restarted to recover. The issue is seen only when the Originator ASN field in PCEP contains a value larger than 65,535 (32-bit ASN). The issue is not reproducible when SRTE policy tunnels are statically configured. This issue affects Junos OS Evolved on PTX Series: * all versions before 22.4R3-S9-EVO, * 23.2 versions before 23.2R2-S6-EVO, * 23.4 versions before 23.4R2-S7-EVO, * 24.2 versions before 24.2R2-S4-EVO, * 24.4 versions before 24.4R2-S2-EVO, * 25.2 versions before 25.2R1-S2-EVO, 25.2R2-EVO. 2026-04-09 6.5 CVE-2026-33783 https://kb.juniper.net/JSA107870
 
Juniper Networks–Junos OS An OS Command Injection vulnerability in the CLI processing of Juniper Networks Junos OS and Junos OS Evolved allows a local, high-privileged attacker executing specific, crafted CLI commands to inject arbitrary shell commands as root, leading to a complete compromise of the system. Certain ‘set system’ commands, when executed with crafted arguments, are not properly sanitized, allowing for arbitrary shell injection. These shell commands are executed as root, potentially allowing for complete control of the vulnerable system. This issue affects: Junos OS: * all versions before 22.4R3-S8, * from 23.2 before 23.2R2-S5, * from 23.4 before 23.4R2-S7, * from 24.2 before 24.2R2-S2, * from 24.4 before 24.4R2, * from 25.2 before 25.2R2; Junos OS Evolved: * all versions before 22.4R3-S8-EVO, * from 23.2 before 23.2R2-S5-EVO, * from 23.4 before 23.4R2-S7-EVO, * from 24.2 before 24.2R2-S2-EVO, * from 24.4 before 24.4R2-EVO, * from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO. 2026-04-09 6.7 CVE-2026-33791 https://kb.juniper.net/JSA107875
 
danny-avila–LibreChat LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the execute_code sandbox when persisting code-generated artifacts. On deployments using the default local file strategy, a malicious artifact filename containing traversal sequences (for example, ../../../../../app/client/dist/poc.txt) is concatenated into the server-side destination path and written with fs.writeFileSync() without sanitization. This gives any user who can trigger execute_code an arbitrary file write primitive as the LibreChat server user. This vulnerability is fixed in 0.8.4. 2026-04-07 6.3 CVE-2026-34371 https://github.com/danny-avila/LibreChat/security/advisories/GHSA-qrm5-r67f-6692
 
AcademySoftwareFoundation–openexr OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.4.0 to before 3.4.9, a missing bounds check on the dataWindow attribute in EXR file headers allows an attacker to trigger a signed integer overflow in generic_unpack(). By setting dataWindow.min.x to a large negative value, OpenEXRCore computes an enormous image width, which is later used in a signed integer multiplication that overflows, causing the process to terminate with SIGILL via UBSan. This vulnerability is fixed in 3.4.9. 2026-04-06 6.5 CVE-2026-34378 https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-v76p-4qvv-vh4g
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9
 
vllm-project–vllm vLLM is an inference and serving engine for large language models (LLMs). From 0.7.0 to before 0.19.0, the VideoMediaIO.load_base64() method at vllm/multimodal/media/video.py splits video/jpeg data URLs by comma to extract individual JPEG frames, but does not enforce a frame count limit. The num_frames parameter (default: 32), which is enforced by the load_bytes() code path, is completely bypassed in the video/jpeg base64 path. An attacker can send a single API request containing thousands of comma-separated base64-encoded JPEG frames, causing the server to decode all frames into memory and crash with OOM. This vulnerability is fixed in 0.19.0. 2026-04-06 6.5 CVE-2026-34755 https://github.com/vllm-project/vllm/security/advisories/GHSA-pq5c-rjhq-qp7p
 
vllm-project–vllm vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of an upper bound validation on the n parameter in the ChatCompletionRequest and CompletionRequest Pydantic models, an unauthenticated attacker can send a single HTTP request with an astronomically large n value. This completely blocks the Python asyncio event loop and causes immediate Out-Of-Memory crashes by allocating millions of request object copies in the heap before the request even reaches the scheduling queue. This vulnerability is fixed in 0.19.0. 2026-04-06 6.5 CVE-2026-34756 https://github.com/vllm-project/vllm/security/advisories/GHSA-3mwp-wvh9-7528
https://github.com/vllm-project/vllm/pull/37952
https://github.com/vllm-project/vllm/commit/b111f8a61f100fdca08706f41f29ef3548de7380
 
electron–electron Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, when a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the opener’s browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive webPreferences (via setWindowOpenHandler’s overrideBrowserWindowOptions), content loaded by the second renderer inherits those permissions. Apps are only affected if they open multiple top-level windows with differing trust levels and use setWindowOpenHandler to grant child windows elevated webPreferences such as a privileged preload script. Apps that do not elevate child window privileges, or that use a single top-level window, are not affected. Apps that additionally grant nodeIntegration: true or sandbox: false to child windows (contrary to the security recommendations) may be exposed to arbitrary code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5. 2026-04-07 6 CVE-2026-34765 https://github.com/electron/electron/security/advisories/GHSA-f3pv-wv63-48x8
 
burlingtonbytes–WP Blockade Visual Page Builder The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an admin_post action hook ‘wp-blockade-shortcode-render’ that maps to the render_shortcode_preview() function. This function lacks any capability check (current_user_can()) and nonce verification, allowing any authenticated user to execute arbitrary WordPress shortcodes. The function takes a user-supplied ‘shortcode’ parameter from $_GET, passes it through stripslashes(), and directly executes it via do_shortcode(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes, which could lead to information disclosure, privilege escalation, or other impacts depending on what shortcodes are registered on the site (e.g., shortcodes from other plugins that display sensitive data, perform actions, or include files). 2026-04-08 6.5 CVE-2026-3480 https://www.wordfence.com/threat-intel/vulnerabilities/id/3f159aac-092b-4655-9d97-a496ac01738c?source=cve
https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L393
https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L393
https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L361
https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L361
https://plugins.trac.wordpress.org/browser/wp-blockade/trunk/wp-blockade.php#L112
https://plugins.trac.wordpress.org/browser/wp-blockade/tags/0.9.14/wp-blockade.php#L112
 
David Lingren–Media Library Assistant Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in David Lingren Media Library Assistant allows Stored XSS. This issue affects Media Library Assistant: from n/a through 3.34. 2026-04-06 6.5 CVE-2026-34897 https://patchstack.com/database/wordpress/plugin/media-library-assistant/vulnerability/wordpress-media-library-assistant-plugin-3-34-cross-site-scripting-xss-vulnerability?_s_id=cve
 
Red Hat–mirror registry for Red Hat OpenShift A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation. 2026-04-08 5.3 CVE-2025-14243 https://access.redhat.com/security/cve/CVE-2025-14243
RHBZ#2419829
 
inisev–BackupBliss Backup & Migration with Free Cloud Storage The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the ‘initializeOfflineAjax’ function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin’s JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion. 2026-04-07 5.3 CVE-2025-14944 https://www.wordfence.com/threat-intel/vulnerabilities/id/a2a41a15-0743-48cc-8c92-7cb839fa5847?source=cve
https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/offline.php#L29
https://plugins.trac.wordpress.org/browser/backup-backup/trunk/includes/ajax_offline.php#L112
https://plugins.trac.wordpress.org/changeset?old=3386897&old_path=backup-backup%2Ftags%2F2.0.0%2Fincludes%2Foffline.php&new=3449635&new_path=backup-backup%2Ftags%2F2.1.0%2Fincludes%2Foffline.php
 
johanaarstein–AM LottiePlayer The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded SVG files in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 2026-04-08 5.4 CVE-2025-1794 https://www.wordfence.com/threat-intel/vulnerabilities/id/ef2f1ad1-1e2e-4b56-b16c-d87956b142ad?source=cve
https://plugins.trac.wordpress.org/browser/am-lottieplayer/tags/3.5.0/includes/upload-thumbnail.php
 
Hitachi–JP1/IT Desktop Management 2 – Manager Buffer Overflow Vulnerability in JP1/IT Desktop Management 2 – Manager on Windows, JP1/IT Desktop Management 2 – Operations Director on Windows, Job Management Partner 1/IT Desktop Management 2 – Manager on Windows, JP1/IT Desktop Management – Manager on Windows, Job Management Partner 1/IT Desktop Management – Manager on Windows, JP1/NETM/DM Manager on Windows, JP1/NETM/DM Client on Windows, Job Management Partner 1/Software Distribution Manager on Windows, Job Management Partner 1/Software Distribution Client on Windows. This issue affects JP1/IT Desktop Management 2 – Manager: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; JP1/IT Desktop Management 2 – Operations Director: from 13-50 before 13-50-02, from 13-11 before 13-11-04, from 13-10 before 13-10-07, from 13-01 before 13-01-07, from 13-00 before 13-00-05, from 12-60 before 12-60-12, from 10-50 through 12-50-11; Job Management Partner 1/IT Desktop Management 2 – Manager: from 10-50 through 10-50-11; JP1/IT Desktop Management – Manager: from 09-50 through 10-10-16; Job Management Partner 1/IT Desktop Management – Manager: from 09-50 through 10-10-16; JP1/NETM/DM Manager: from 09-00 through 10-20-02; JP1/NETM/DM Client: from 09-00 through 10-20-02; Job Management Partner 1/Software Distribution Manager: from 09-00 through 09-51-13; Job Management Partner 1/Software Distribution Client: from 09-00 through 09-51-13. 2026-04-07 5.5 CVE-2025-65116 https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2026-118/index.html
 
vsourz1td–Advanced Contact form 7 DB The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the ‘vsz_cf7_save_setting_callback’ function. This makes it possible for unauthenticated attackers to delete form entries via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. 2026-04-08 5.4 CVE-2026-0811 https://www.wordfence.com/threat-intel/vulnerabilities/id/88097744-d2f5-4ae5-aa71-0f4a0decd911?source=cve
https://plugins.trac.wordpress.org/browser/advanced-cf7-db/tags/2.0.9/admin/class-advanced-cf7-db-admin.php#L885
https://plugins.trac.wordpress.org/changeset/3497481/advanced-cf7-db
 
GitLab–GitLab GitLab has remediated an issue in GitLab EE affecting all versions from 18.0.0 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that in Code Quality reports could have allowed an authenticated user to leak IP addresses of users viewing the report via specially crafted content. 2026-04-08 5.7 CVE-2026-1516 HackerOne Bug Bounty Report #3514461
https://gitlab.com/gitlab-org/gitlab/-/work_items/587893
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
 
wpmudev–Hustle Email Marketing, Lead Generation, Optins, Popups The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘hustle_module_converted’ AJAX action in all versions up to, and including, 7.8.10.2. This makes it possible for unauthenticated attackers to forge conversion tracking events for any Hustle module, including draft modules that are never displayed to users, thereby manipulating marketing analytics and conversion statistics. 2026-04-07 5.3 CVE-2026-2263 https://www.wordfence.com/threat-intel/vulnerabilities/id/2305462c-0a00-4423-8dc2-e32628c4864d?source=cve
https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L32
https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L1047
https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front.php#L311
https://plugins.trac.wordpress.org/changeset?old_path=/wordpress-popup/tags/7.8.10.2&new_path=/wordpress-popup/tags/7.8.11
 
OCS Inventory–OCS Inventory NG Server OCS Inventory NG Server version 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft requests with malicious User-Agent values that are stored without sanitization and rendered with insufficient encoding in the web console, leading to arbitrary JavaScript execution in the browsers of authenticated users viewing the statistics dashboard. 2026-04-06 5.4 CVE-2026-22675 https://github.com/OCSInventory-NG/OCSInventory-Server/pull/483
https://github.com/OCSInventory-NG/OCSInventory-Server/commit/78faf2ca8b897141ba4d337d75692ab8e405bd4e
https://www.vulncheck.com/advisories/ocs-inventory-ng-server-stored-xss-via-user-agent
 
Volcengine–OpenViking OpenViking versions prior to 0.3.3 contain a missing authorization vulnerability in the task polling endpoints that allows unauthorized attackers to enumerate or retrieve background task metadata created by other users. Attackers can access the /api/v1/tasks and /api/v1/tasks/{task_id} routes without authentication to expose task type, task status, resource identifiers, archive URIs, result payloads, and error information, potentially causing cross-tenant interference in multi-tenant deployments. 2026-04-07 5.3 CVE-2026-22680 https://github.com/volcengine/OpenViking/releases/tag/v0.3.3
https://github.com/volcengine/OpenViking/pull/1182
https://github.com/volcengine/OpenViking/commit/8c1c3f3608364ee0bb0e45f73478771a68aebdf5
https://www.vulncheck.com/advisories/openviking-missing-authorization-via-task-polling
 
HDFGroup–hdf5 HDF5 is software for managing data. In 1.14.1-2 and earlier, an attacker who can control an h5 file parsed by HDF5 can trigger a write-based heap buffer overflow condition in the H5T__ref_mem_setnull method. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems. 2026-04-10 5.5 CVE-2026-29043 https://github.com/HDFGroup/hdf5/security/advisories/GHSA-qm2m-5g5w-2277
 
smub–Charitable Donation Plugin for WordPress Fundraising with Recurring Donations & More The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook events. This makes it possible for unauthenticated attackers to forge payment_intent.succeeded webhook payloads and mark pending donations as completed without a real payment. 2026-04-07 5.3 CVE-2026-3177 https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b2645-7b57-4884-99c5-e37dbd4a9600?source=cve
https://plugins.trac.wordpress.org/changeset/3485023/charitable
 
Red Hat–mirror registry for Red Hat OpenShift A flaw was found in Red Hat Quay’s Proxy Cache configuration feature. When an organization administrator configures an upstream registry for proxy caching, Quay makes a network connection to the specified registry hostname without verifying that it points to a legitimate external service. An attacker with organization administrator privileges could supply a crafted hostname to force the Quay server to make requests to internal network services, cloud infrastructure endpoints, or other resources that should not be accessible from the Quay application. 2026-04-08 5.2 CVE-2026-32591 https://access.redhat.com/security/cve/CVE-2026-32591
RHBZ#2446965
 
opensourcepos–opensourcepos Open Source Point of Sale is a web based point-of-sale application written in PHP using CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customer_name column is configured with escape: false in the bootstrap-table column configuration, causing customer names to be rendered as raw HTML. An attacker with customer management permissions can inject arbitrary JavaScript into a customer’s first_name or last_name field, which executes in the browser of any user viewing the Daily Sales page. This vulnerability is fixed in 3.4.3. 2026-04-07 5.4 CVE-2026-32712 https://github.com/opensourcepos/opensourcepos/security/advisories/GHSA-hcfr-9hfv-mcwp
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher’s browser. The pagination code merges all $_GET parameters via array_merge() and outputs the result via http_build_query() directly into HTML href attributes without htmlspecialchars() encoding. This vulnerability is fixed in 2.0.0-RC.3. 2026-04-10 5.4 CVE-2026-32893 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-37jh-g64j-88mc
https://github.com/chamilo/chamilo-lms/commit/72bc403f89b1ebb73a139f8f6cf0478857592276
 
Microsoft–Microsoft Edge for Android User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. 2026-04-10 5.4 CVE-2026-33119 Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability
 
pi-hole–web Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, configuration values from the /api/config endpoint are placed directly into HTML value="" attributes without escaping in settings-advanced.js, enabling HTML attribute injection. A double quote in any config value breaks out of the attribute context. JavaScript execution is blocked by the server’s CSP (script-src 'self'), but injected attributes can alter element styling for UI redressing. The primary attack vector is importing a malicious teleporter backup, which bypasses per-field server-side validation. This vulnerability is fixed in 6.5. 2026-04-06 5.4 CVE-2026-33406 https://github.com/pi-hole/web/security/advisories/GHSA-9rfm-c5g6-538p
 
themeum–Tutor LMS eLearning and online course solution The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber’s dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability. 2026-04-11 5.4 CVE-2026-3358 https://www.wordfence.com/threat-intel/vulnerabilities/id/0c173356-7228-4253-bb28-2c2e11af76fd?source=cve
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2066
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L134
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2053
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2989
https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7&new_path=%2Ftutor/tags/3.9.8
https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/classes/Course.php
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure. This vulnerability is fixed in 1.11.38. 2026-04-10 5.3 CVE-2026-33705 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-5wjg-8x28-px57
https://github.com/chamilo/chamilo-lms/commit/4efb5ee8ed849ca147ca1fe7472ef7b98db17bff
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 5.3 CVE-2026-33737 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-c4ww-qgf2-v89j
https://github.com/chamilo/chamilo-lms/commit/22b1cb1c609b643765c88654155aba27070c927e
https://github.com/chamilo/chamilo-lms/commit/af6b7002af7c15825e98fc522e2ead0d00cacaa3
 
Juniper Networks–Junos OS An Incorrect Initialization of Resource vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX Series and QFX Series devices allows an unauthenticated, network-based attacker to cause an integrity impact to downstream networks. When the same family inet or inet6 filter is applied on an IRB interface and on a physical interface as an egress filter on EX4100, EX4400, EX4650 and QFX5120 devices, only one of the two filters will be applied, which can lead to traffic being sent out one of these interfaces when it should have been blocked. This issue affects Junos OS on EX Series and QFX Series: * 23.4 version 23.4R2-S6, * 24.2 version 24.2R2-S3. No other Junos OS versions are affected. 2026-04-09 5.8 CVE-2026-33773 https://kb.juniper.net/JSA107815
 
Juniper Networks–Junos OS A Missing Authorization vulnerability in the CLI of Juniper Networks Junos OS and Junos OS Evolved allows a local user with low privileges to read sensitive information. A local user with low privileges can execute the CLI command ‘show mgd’ with specific arguments which will expose sensitive information. This issue affects Junos OS: * all versions before 22.4R3-S8, * 23.2 versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S6, * 24.2 versions before 24.2R2-S4, * 24.4 versions before 24.4R2-S1, * 25.2 version before 25.2R1-S2, 25.2R2; Junos OS Evolved: * all versions before 23.2R2-S6-EVO, * 23.4 version before 23.4R2-S6-EVO, * 24.2 version before 24.2R2-S4-EVO, * 24.4 versions before 24.4R2-S1-EVO, * 25.2 versions before 25.2R2-EVO. 2026-04-09 5.5 CVE-2026-33776 https://kb.juniper.net/JSA107866
 
Juniper Networks–Junos OS An Improper Check for Unusual or Exceptional Conditions vulnerability in the chassis control daemon (chassisd) of Juniper Networks Junos OS on SRX1600, SRX2300 and SRX4300 allows a local attacker with low privileges to cause a complete Denial of Service (DoS). When a specific ‘show chassis’ CLI command is executed, chassisd crashes and restarts which causes a momentary impact to all traffic until all modules are online again. This issue affects Junos OS on SRX1600, SRX2300 and SRX4300: * 24.4 versions before 24.4R1-S3, 24.4R2. This issue does not affect Junos OS versions before 24.4R1. 2026-04-09 5.5 CVE-2026-33786 https://kb.juniper.net/JSA107810
 
Juniper Networks–Junos OS An Improper Check for Unusual or Exceptional Conditions vulnerability in the chassis control daemon (chassisd) of Juniper Networks Junos OS on SRX1500, SRX4100, SRX4200 and SRX4600 allows a local attacker with low privileges to cause a complete Denial of Service (DoS). When a specific ‘show chassis’ CLI command is executed, chassisd crashes and restarts which causes a momentary impact to all traffic until all modules are online again. This issue affects Junos OS on SRX1500, SRX4100, SRX4200 and SRX4600: * 23.2 versions before 23.2R2-S6, * 23.4 versions before 23.4R2-S7, * 24.2 versions before 24.2R2-S2, * 24.4 versions before 24.4R2, * 25.2 versions before 25.2R1-S1, 25.2R2. 2026-04-09 5.5 CVE-2026-33787 https://kb.juniper.net/JSA107873
 
AcademySoftwareFoundation–openexr OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, a signed integer overflow exists in undo_pxr24_impl() in src/lib/OpenEXRCore/internal_pxr24.c at line 377. The expression (uint64_t)(w * 3) computes w * 3 as a signed 32-bit integer before casting to uint64_t. When w is large, this multiplication constitutes undefined behavior under the C standard. On tested builds (clang/gcc without sanitizers), two’s-complement wraparound commonly occurs, and for specific values of w the wrapped result is a small positive integer, which may allow the subsequent bounds check to pass incorrectly. If the check is bypassed, the decoding loop proceeds to write pixel data through dout, potentially extending far beyond the allocated output buffer. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. 2026-04-06 5.9 CVE-2026-34380 https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-q3v8-hw4m-59w5
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9
 
vllm-project–vllm vLLM is an inference and serving engine for large language models (LLMs). From 0.16.0 to before 0.19.0, a server-side request forgery (SSRF) vulnerability in download_bytes_from_url allows any actor who can control batch input JSON to make the vLLM batch runner issue arbitrary HTTP/HTTPS requests from the server, without any URL validation or domain restrictions. This can be used to target internal services (e.g. cloud metadata endpoints or internal HTTP APIs) reachable from the vLLM host. This vulnerability is fixed in 0.19.0. 2026-04-06 5.4 CVE-2026-34753 https://github.com/vllm-project/vllm/security/advisories/GHSA-pf3h-qjgv-vcpr
 
pnggroup–libpng LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57. 2026-04-09 5.1 CVE-2026-34757 https://github.com/pnggroup/libpng/security/advisories/GHSA-6fr7-g8h7-v645
https://github.com/pnggroup/libpng/issues/836
https://github.com/pnggroup/libpng/issues/837
https://github.com/pnggroup/libpng/commit/398cbe3df03f4e11bb031e07f416dfdde3684e8a
https://github.com/pnggroup/libpng/commit/55d20aaa322c9274491cda82c5cd4f99b48c6bcc
 
projectzealous01–PZ Frontend Manager The PZ Frontend Manager plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.6. The pzfm_user_request_action_callback() function, registered via the wp_ajax_pzfm_user_request_action action hook, lacks both capability checks and nonce verification. This function handles user activation, deactivation, and deletion operations. When the ‘dataType’ parameter is set to ‘delete’, the function calls wp_delete_user() on all provided user IDs without verifying that the current user has the appropriate permissions. Notably, the similar pzfm_remove_item_callback() function does check pzfm_can_delete_user() before performing deletions, indicating this was an oversight. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary WordPress users (including administrators) by sending a crafted request to the AJAX endpoint. 2026-04-08 5.3 CVE-2026-3477 https://www.wordfence.com/threat-intel/vulnerabilities/id/90d8e345-b549-493b-a84b-abe56ab42a04?source=cve
https://plugins.trac.wordpress.org/browser/pz-frontend-manager/trunk/admin/includes/ajax-hooks.php#L331
https://plugins.trac.wordpress.org/browser/pz-frontend-manager/tags/1.0.6/admin/includes/ajax-hooks.php#L331
https://plugins.trac.wordpress.org/browser/pz-frontend-manager/trunk/admin/includes/ajax-hooks.php#L292
https://plugins.trac.wordpress.org/browser/pz-frontend-manager/tags/1.0.6/admin/includes/ajax-hooks.php#L292
https://plugins.trac.wordpress.org/browser/pz-frontend-manager/trunk/admin/includes/ajax-hooks.php#L290
https://plugins.trac.wordpress.org/browser/pz-frontend-manager/tags/1.0.6/admin/includes/ajax-hooks.php#L290
 
Eniture technology–LTL Freight Quotes Worldwide Express Edition Missing Authorization vulnerability in Eniture technology LTL Freight Quotes – Worldwide Express Edition allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LTL Freight Quotes – Worldwide Express Edition: from n/a through 5.2.1. 2026-04-07 5.3 CVE-2026-34899 https://patchstack.com/database/wordpress/plugin/ltl-freight-quotes-worldwide-express-edition/vulnerability/wordpress-ltl-freight-quotes-worldwide-express-edition-plugin-5-2-1-broken-access-control-vulnerability?_s_id=cve
 
OceanWP–Ocean Extra Missing Authorization vulnerability in OceanWP Ocean Extra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ocean Extra: from n/a through 2.5.3. 2026-04-07 5.4 CVE-2026-34903 https://patchstack.com/database/wordpress/plugin/ocean-extra/vulnerability/wordpress-ocean-extra-plugin-2-5-3-broken-access-control-vulnerability?_s_id=cve
 
Heatmiser–Heatmiser Wifi Thermostat Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting the networkSetup.htm endpoint with parameters usnm, usps, and cfps to modify the admin username and password without user consent. 2026-04-12 4.3 CVE-2019-25708 ExploitDB-46100
VulnCheck Advisory: Heatmiser Wifi Thermostat 1.7 Cross-Site Request Forgery
 
GitLab–GitLab GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users’ email addresses via certain GraphQL queries. 2026-04-08 4.3 CVE-2025-9484 GitLab Issue #565363
HackerOne Bug Bounty Report #3303810
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
 
vsourz1td–Advanced Contact form 7 DB The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ‘vsz_cf7_export_to_excel’ function in all versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export form submissions to an Excel file. 2026-04-08 4.3 CVE-2026-0814 https://www.wordfence.com/threat-intel/vulnerabilities/id/5e3de1a4-a534-475b-9138-2337755b0288?source=cve
https://plugins.trac.wordpress.org/browser/advanced-cf7-db/tags/2.0.9/admin/class-advanced-cf7-db-admin.php#L1507
https://plugins.trac.wordpress.org/changeset/3497481/advanced-cf7-db
 
realmag777–BEAR Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_delete_tax_term() function. This makes it possible for unauthenticated attackers to delete WooCommerce taxonomy terms (categories, tags, etc.) via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link. 2026-04-08 4.3 CVE-2026-1673 https://www.wordfence.com/threat-intel/vulnerabilities/id/1e4e8960-b0c1-4dbb-ba97-e45b88fb06c0?source=cve
https://plugins.trac.wordpress.org/browser/woo-bulk-editor/trunk/index.php#L1474
https://plugins.trac.wordpress.org/changeset/3457263/
https://plugins.trac.wordpress.org/changeset/3465138/
 
GitLab–GitLab GitLab has remediated an issue in GitLab EE affecting all versions from 11.3 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with developer-role permissions to modify protected environment settings due to improper authorization checks in the API. 2026-04-08 4.3 CVE-2026-1752 HackerOne Bug Bounty Report #3533545
https://gitlab.com/gitlab-org/gitlab/-/work_items/588413
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
 
arubadev–Aruba HiSpeed Cache The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing nonce verification on the `ahsc_ajax_reset_options()` function. This makes it possible for unauthenticated attackers to reset all plugin settings to their default values via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2026-04-10 4.3 CVE-2026-1924 https://www.wordfence.com/threat-intel/vulnerabilities/id/d2230151-fde2-43d6-8bff-0d2ffd559ab3?source=cve
https://plugins.trac.wordpress.org/browser/aruba-hispeed-cache/tags/3.0.4/aruba-hispeed-cache.php#L632
https://plugins.trac.wordpress.org/browser/aruba-hispeed-cache/tags/3.0.4/aruba-hispeed-cache.php#L631
https://plugins.trac.wordpress.org/changeset?old_path=%2Faruba-hispeed-cache/tags/3.0.4&new_path=%2Faruba-hispeed-cache/tags/3.0.5
 
GitLab–GitLab GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to access confidential issues assigned to other users via CSV export due to insufficient authorization checks. 2026-04-08 4.3 CVE-2026-2104 HackerOne Bug Bounty Report #3541476
https://gitlab.com/gitlab-org/gitlab/-/work_items/589021
https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
 
idealwebdesignlk–Whole Enquiry Cart for WooCommerce The Whole Enquiry Cart for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘woowhole_success_msg’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. 2026-04-08 4.4 CVE-2026-2838 https://www.wordfence.com/threat-intel/vulnerabilities/id/ddc14a98-1df8-480b-bae3-5ec057b498af?source=cve
https://plugins.trac.wordpress.org/browser/whole-cart-enquiry/trunk/admin.php#L53
 
homarr-labs–homarr Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpoint (/api/trpc/user.register) is vulnerable to a race condition that allows an attacker to create multiple user accounts from a single-use invite token. The registration flow performs three sequential database operations without a transaction: CHECK, CREATE, and DELETE. Because these operations are not atomic, concurrent requests can all pass the validation step (1) before any of them reaches the deletion step (3). This allows multiple accounts to be registered using a single invite token that was intended to be single-use. This vulnerability is fixed in 1.57.0. 2026-04-06 4.2 CVE-2026-32602 https://github.com/homarr-labs/homarr/security/advisories/GHSA-vfw3-53q9-2hp8
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Open Redirect vulnerability in the session course edit page allows an attacker to redirect an authenticated administrator to an arbitrary external URL after saving coach assignment changes. The redirect also leaks the id_session parameter to the attacker’s server. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. 2026-04-10 4.7 CVE-2026-32932 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-q2cp-3qj3-wx8q
https://github.com/chamilo/chamilo-lms/commit/b005b3d3e76cf6eafc03e15ac445ceff089551c0
https://github.com/chamilo/chamilo-lms/commit/fbd8d7eb37d05ec974293f05b6ffaaf9102ebd2b
 
Microsoft–Microsoft Edge (Chromium-based) Microsoft Edge (Chromium-based) Spoofing Vulnerability 2026-04-10 4.3 CVE-2026-33118 Microsoft Edge (Chromium-based) Spoofing Vulnerability
 
Elastic–Kibana Incorrect Authorization (CWE-863) in Kibana can lead to cross-space information disclosure via Privilege Abuse (CAPEC-122). A user with Fleet agent management privileges in one Kibana space can retrieve Fleet Server policy details from other spaces through an internal enrollment endpoint. The endpoint bypasses space-scoped access controls by using an unscoped internal client, returning operational identifiers, policy names, management state, and infrastructure linkage details from spaces the user is not authorized to access. 2026-04-08 4.3 CVE-2026-33460 https://discuss.elastic.co/t/kibana-8-19-14-9-2-8-9-3-3-security-update-esa-2026-25/385813
 
themeum–Tutor LMS eLearning and online course solution The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler’s `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs. 2026-04-11 4.3 CVE-2026-3371 https://www.wordfence.com/threat-intel/vulnerabilities/id/f9cf0430-8577-449a-aefe-d7bf606fe2de?source=cve
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1687
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1755
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L252
https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7&new_path=%2Ftutor/tags/3.9.8
 


Low Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source Info Patch Info
Mattermost–Mattermost Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610 2026-04-09 3.7 CVE-2026-21388 MMSA-2026-00610
 
Dell–PowerProtect Agent Dell PowerProtect Agent Service, version(s) prior to 20.1, contain(s) an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. 2026-04-08 3.3 CVE-2026-28264 https://www.dell.com/support/kbdoc/en-us/000447277/dsa-2026-158-security-update-dell-powerprotect-data-manager-for-multiple-security-vulnerabilities
 
pi-hole–web Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js (Network page) and charts.js/index.js (Dashboard chart tooltips). While upstream validation in dnsmasq and FTL blocks HTML characters via normal DHCP/DNS paths, the web UI performs no output escaping – an inconsistency with other fields in the same file that are properly escaped. This vulnerability is fixed in 6.5. 2026-04-06 3.4 CVE-2026-33404 https://github.com/pi-hole/web/security/advisories/GHSA-px6w-85wp-ww9v
 
pi-hole–web Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, the formatInfo() function in queries.js renders data.upstream, data.client.ip, and data.ede.text into HTML without escaping when a user expands a query row in the Query Log, enabling stored HTML injection. JavaScript execution is blocked by the server's CSP (script-src 'self'). The same fields are properly escaped in the table view (rowCallback), confirming the omission was an oversight. This vulnerability is fixed in 6.5. 2026-04-06 3.1 CVE-2026-33405 https://github.com/pi-hole/web/security/advisories/GHSA-jx8x-mj2r-62vq
 
OpenStack–Keystone An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user’s S3 permissions, effectively bypassing the role restrictions imposed on the application credential. Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected. 2026-04-10 3.5 CVE-2026-33551 https://bugs.launchpad.net/keystone/+bug/2142138
https://security.openstack.org/ossa/OSSA-2026-005.html
 
harttle–liquidjs LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limiter, but the actual output from str.split(pattern).join(replacement) can be quadratically larger when the pattern occurs many times in the input string. This allows an attacker who controls template content to bypass the memoryLimit DoS protection with approximately 2,500x amplification, potentially causing out-of-memory conditions. This vulnerability is fixed in 10.25.3. 2026-04-08 3.7 CVE-2026-34166 https://github.com/harttle/liquidjs/security/advisories/GHSA-mmg9-6m6j-jqqx
https://github.com/harttle/liquidjs/commit/abc058be0f33d6372cd2216f4945183167abeb25
https://github.com/harttle/liquidjs/releases/tag/v10.25.3
 
electron–electron Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From 33.0.0-alpha.1 to before 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the release() callback provided on a paint event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main process, which may lead to a crash or memory corruption. Apps are only affected if they use offscreen rendering with webPreferences.offscreen: { useSharedTexture: true }. Apps that do not enable shared-texture offscreen rendering are not affected. To mitigate this issue, ensure texture.release() is called promptly after the texture has been consumed, before the texture object becomes unreachable. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5. 2026-04-06 2.3 CVE-2026-34764 https://github.com/electron/electron/security/advisories/GHSA-8x5q-pvf5-64mp
 
electron–electron Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process. Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5. 2026-04-07 2.8 CVE-2026-34781 https://github.com/electron/electron/security/advisories/GHSA-f37v-82c4-4x64
 


Severity Not Yet Assigned

Primary
Vendor — Product
Description Published CVSS Score Source Info Patch Info
chamilo–chamilo-lms Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1, anyone can trigger a malicious redirect through the use of the redirect parameter to /login. This vulnerability is fixed in 2.0-beta.2. 2026-04-10 not yet calculated CVE-2025-66447 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-m82x-prv3-rwwv
https://github.com/chamilo/chamilo-lms/commit/73ae6293adaa6098374bc22625342dbae5cbc446
 
n/a–Stakeholder-Specific Vulnerability Categorization (SSVC) QD 20230821 is vulnerable to Server-side request forgery (SSRF) via a crafted request 2026-04-08 not yet calculated CVE-2023-46945 https://qd-today.github.io/qd/
https://gist.github.com/kurokoleung/5b36b2013a54adadcce79967d3e4f056
 
n/a–Koha 23.05.10 Koha Library before 23.05.10 fails to sanitize user-controllable filenames prior to unzipping, leading to remote code execution. The line “qx/unzip $filename -d $dirname/;” in upload-cover-image.pl is vulnerable to command injection via shell metacharacters because input data can be controlled by an attacker and is directly included in a system command, i.e., an attack can occur via malicious filenames after uploading a .zip file and clicking Process Images. 2026-04-07 not yet calculated CVE-2024-36057 https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md
https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md
https://github.com/hacklantic/Research/tree/main/CVE-2024-36057
https://koha-community.org/koha-22-05-22-released/
 
n/a–Koha 23.05.10 The Send Basket functionality in Koha Library before 23.05.10 is susceptible to Time-Based SQL Injection because it fails to sanitize the POST parameter bib_list in /cgi-bin/koha/opac-sendbasket.pl, allowing library users to read arbitrary data from the database. 2026-04-07 not yet calculated CVE-2024-36058 https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_10.md
https://gitlab.com/koha-community/Koha/-/blob/23.05.x/misc/release_notes/release_notes_23_05_11.md
https://koha-community.org/koha-22-05-22-released/
https://github.com/hacklantic/Research/tree/main/CVE-2024-36058
 
Unknown–YML for Yandex Market The YML for Yandex Market WordPress plugin before 5.0.26 is vulnerable to Remote Code Execution via the feed generation process. 2026-04-10 not yet calculated CVE-2025-14545 https://wpscan.com/vulnerability/9bb1a4ca-976c-461d-82de-8a3b04a56fbc/
 
Canonical–Ubuntu In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user’s plaintext Wi-Fi password, in the attached logs. 2026-04-09 not yet calculated CVE-2025-14551 noble backport – stop logging network config and identity data
Stop logging identity data and network secrets
 
Mitsubishi Electric Corporation–GENESIS64 Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric AnalytiX versions 10.97.3 and prior, Mitsubishi Electric GENESIS versions 11.02 and prior, Mitsubishi Electric MC Works64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions AnalytiX versions 10.97.3 and prior, and Mitsubishi Electric Iconics Digital Solutions GENESIS versions 11.02 and prior allows a local attacker to disclose the SQL Server credentials stored in plaintext within the local SQLite file by exploiting this vulnerability, when the local caching feature using SQLite is enabled and SQL authentication is used for the SQL Server authentication. As a result, the unauthorized attacker could access the SQL Server and disclose, tamper with, or destroy data on the server, and potentially cause a denial-of-service (DoS) condition on the system. 2026-04-08 not yet calculated CVE-2025-14815 https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-023_en.pdf
https://jvn.jp/vu/JVNVU90646130/
https://www.cisa.gov/news-events/ics-advisories/icsa-26-097-01
 
Mitsubishi Electric Corporation–GENESIS64 Cleartext Storage of Sensitive Information in GUI vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric AnalytiX versions 10.97.3 and prior, Mitsubishi Electric GENESIS versions 11.02 and prior, Mitsubishi Electric MC Works64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions AnalytiX versions 10.97.3 and prior, and Mitsubishi Electric Iconics Digital Solutions GENESIS versions 11.02 and prior allows a local attacker to disclose the SQL Server credentials displayed in plain text in the GUI of the Hyper Historian Splitter feature by exploiting this vulnerability, when SQL authentication is used for the SQL Server authentication. As a result, the unauthorized attacker could access the SQL Server and disclose, tamper with, or destroy data on the server, and potentially cause a denial-of-service (DoS) condition on the system. 2026-04-08 not yet calculated CVE-2025-14816 https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-023_en.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-26-097-01
https://jvn.jp/vu/JVNVU90646130/
 
Semtech–LR1110 An improper access control vulnerability exists in Semtech LoRa LR11xxx transceivers running early versions of firmware where the memory write command accessible via the physical SPI interface fails to enforce write protection on the program call stack. An attacker with physical access to the SPI interface can overwrite stack memory to hijack program control flow and achieve limited arbitrary code execution. However, the impact is limited to the active attack session: the device’s secure boot mechanism prevents persistent firmware modification, the crypto engine isolates cryptographic keys from direct firmware access, and all modifications are lost upon device reboot or loss of physical access. 2026-04-07 not yet calculated CVE-2025-14857 https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001
 
Semtech–LR1110 The Semtech LR11xx LoRa transceivers running early versions of firmware contain an information disclosure vulnerability in their firmware validation functionality. When a host issues a firmware validity check command via the SPI interface, the device decrypts the provided encrypted firmware package block-by-block to validate its integrity. However, the last decrypted firmware block remains uncleared in memory after the validation process completes. An attacker with access to the SPI interface can subsequently issue memory read commands to retrieve the decrypted firmware contents from this residual memory, effectively bypassing the firmware encryption protection mechanism. The attack requires physical access to the device's SPI interface. 2026-04-07 not yet calculated CVE-2025-14858 https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001
 
Semtech–LR1110 The Semtech LR11xx LoRa transceivers implement secure boot functionality using digital signatures to authenticate firmware. However, the implementation uses a non-standard cryptographic hashing algorithm that is vulnerable to second preimage attacks. An attacker with physical access to the device can exploit this weakness to generate a malicious firmware image with a hash collision, bypassing the secure boot verification mechanism and installing arbitrary unauthorized firmware on the device. 2026-04-07 not yet calculated CVE-2025-14859 https://www.semtech.com/company/security/security-bulletins/sem-psa-2026-001
 
Canonical–Ubuntu In Ubuntu, ubuntu-desktop-provision version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, ubuntu-desktop-provision could include the user’s password hash in the attached logs. 2026-04-09 not yet calculated CVE-2025-15480 feat: don’t log identity data (noble backport)
feat: don’t log identity data
 
Unknown–Popup Box The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend. 2026-04-07 not yet calculated CVE-2025-15611 https://wpscan.com/vulnerability/089ea763-2421-4089-a220-251421f7f226/
 
Ping Identity–PingIDM An insufficient granularity of access control vulnerability exists in PingIDM (formerly ForgeRock Identity Management) where administrators cannot properly configure access rules for Remote Connector Servers (RCS) running in client mode. This means attackers can spoof a client-mode RCS (if one exists) to intercept and/or modify an identity’s security-relevant properties, such as passwords and account recovery information. This issue is exploitable only when an RCS is configured to run in client mode. 2026-04-07 not yet calculated CVE-2025-20628 https://backstage.forgerock.com/knowledge/advisories/article/a14305629?rev=_newest
https://backstage.pingidentity.com/downloads/browse/idm/featured
 
Nokia–MantaRay NM Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Symptom Collector application. 2026-04-07 not yet calculated CVE-2025-24817 https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24817/
 
Nokia–MantaRay NM Nokia MantaRay NM is vulnerable to an OS command injection vulnerability due to improper neutralization of special elements used in an OS command in Log Search application. 2026-04-07 not yet calculated CVE-2025-24818 https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24818/
 
Nokia–MantaRay NM Nokia MantaRay NM is vulnerable to a Relative Path Traversal vulnerability due to improper validation of input parameter on the file system in Software Manager application. 2026-04-07 not yet calculated CVE-2025-24819 https://www.nokia.com/we-are-nokia/security/product-security-advisory/cve-2025-24819/
 
Checkmk GmbH–Checkmk Local privilege escalation in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows a site user to escalate their privileges to root, by manipulating files in the site context that are processed when the `omd` administrative command is run by root. 2026-04-07 not yet calculated CVE-2025-39666 https://checkmk.com/werk/18891
 
n/a–OwnTone – open source (audio) media server owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking. 2026-04-10 not yet calculated CVE-2025-44560 https://github.com/owntone/owntone-server/issues/1873
https://gist.github.com/wenwenyuyu/517851c3fe38c4f97b2d1940597da2d3
 
D-Link[.]com — D-Link DI-8300 D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the ip parameter in the ip_position_asp function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-04-08 not yet calculated CVE-2025-45057 https://www.dlink.com/en/security-bulletin/
https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-8300
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8300 D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the fx parameter in the jingx_asp function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-04-08 not yet calculated CVE-2025-45058 https://www.dlink.com/en/security-bulletin/
https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-8300
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8300 D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the fn parameter in the tgfile_htm function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-04-08 not yet calculated CVE-2025-45059 https://www.dlink.com/en/security-bulletin/
https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DI-8300
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
www[.]rrweb[.]io/ — rrwebplayer A cross-site scripting (XSS) vulnerability in rrweb-snapshot before v2.0.0-alpha.18 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. 2026-04-09 not yet calculated CVE-2025-45806 https://github.com/rrweb-io/rrweb
https://github.com/rrweb-io/rrweb/tree/master/packages/rrweb-snapshot
https://github.com/rrweb-io/rrweb/issues/1817
 
Google–Android In importWrappedKey of KMKeymasterApplet.java, there is a possible way to access keys that should be restricted due to improper input validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. 2026-04-06 not yet calculated CVE-2025-48651 https://source.android.com/docs/security/bulletin/2026/2026-04-01
 
n/a–n/a Jizhicms v2.5.4 is vulnerable to Server-Side Request Forgery (SSRF) in User Evaluation, Message, and Comment modules. 2026-04-09 not yet calculated CVE-2025-50228 https://github.com/Cherry-toto/jizhicms
https://www.jizhicms.cn
https://github.com/Cherry-toto/jizhicms/issues/104
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper validation of user input in the qj.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50644 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A vulnerability has been discovered in D-Link DI-8003 16.07.26A1, which can lead to a buffer overflow when the s parameter in the pppoe_list_opt.asp endpoint is manipulated. By sending a crafted request with an excessively large value for the s parameter, an attacker can trigger a buffer overflow condition. 2026-04-08 not yet calculated CVE-2025-50645 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to insufficient input validation on the name parameter in the /qos_type_asp.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50646 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1, specifically in the handling of the wans parameter in the qos.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50647 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to inadequate input validation in the /tggl.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50648 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper input validation in the vlan_name parameter in the /shut_set.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50649 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to inadequate validation of input size in the routes_static parameter in the /router.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50650 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 An issue exists in D-Link DI-8003 16.07.26A1 related to improper handling of the id parameter in the /saveparm_usb.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50652 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name and mem parameters in the /time_group.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50653 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper validation of the id parameter in the /thd_member.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50654 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /thd_group.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50655 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the pid parameter in the /trace.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50657 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the custom_error parameter in the /user.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50659 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /url_member.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50660 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of multiple parameters in the /url_rule.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request with parameters name, en, ips, u, time, act, rpri, and log. 2026-04-08 not yet calculated CVE-2025-50661 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /url_group.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50662 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the name parameter in the /usb_paswd.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50663 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in the /user_group.asp endpoint. The attacker can exploit this vulnerability by sending a crafted HTTP GET request with parameters name, mem, pri, and attr. 2026-04-08 not yet calculated CVE-2025-50664 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of input parameters in the /web_keyword.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request via the name, en, time, mem_gb2312, and mem_utf8 parameters. 2026-04-08 not yet calculated CVE-2025-50665 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of multiple parameters in the /web_post.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request in parameters such as name, en, user_id, log, and time. 2026-04-08 not yet calculated CVE-2025-50666 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the iface parameter in the /wan_line_detection.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50667 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the s parameter in the /web_list_opt.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50668 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 and DI-8003G 19.12.10A1 due to improper handling of the wan_ping parameter in the /wan_ping.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50669 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in the /xwgl_bwr.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request in the name, qq, and time parameters. 2026-04-08 not yet calculated CVE-2025-50670 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in the /xwgl_ref.asp endpoint. An attacker can exploit this vulnerability by sending a crafted HTTP GET request with excessively long strings in parameters name, en, user_id, shibie_name, time, act, log, and rpri. 2026-04-08 not yet calculated CVE-2025-50671 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of parameters in the /yyxz_dlink.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50672 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 A buffer overflow vulnerability exists in D-Link DI-8003 16.07.26A1 due to improper handling of the http_lanport parameter in the /webgl.asp endpoint. 2026-04-08 not yet calculated CVE-2025-50673 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
Tendacn[.]com — AC6 WiFi Router Tenda AC6 15.03.05.16_multi is vulnerable to Buffer Overflow in the formSetCfm function via the funcname, funcpara1, and funcpara2 parameters. 2026-04-08 not yet calculated CVE-2025-52221 https://github.com/faqiadegege/IoTVuln/blob/main/tendaAc6_formSetCfm_funcname_overflow/detail.md
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
D-Link[.]com — D-Link DI-8003 D-Link DI-8003 v16.07.26A1, DI-8500 v16.07.26A1; DI-8003G v17.12.21A1, DI-8200G v17.12.20A1, DI-8200 v16.07.26A1, DI-8400 v16.07.26A1, DI-8004w v16.07.26A1, DI-8100 v16.07.26A1, and DI-8100G v17.12.20A1 were discovered to contain a buffer overflow via the rd_en, rd_auth, rd_acct, http_hadmin, http_hadminpwd, rd_key, and rd_ip parameters in the radius_asp function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. 2026-04-08 not yet calculated CVE-2025-52222 https://www.dlink.com/en/security-bulletin/
https://github.com/xiaotea/iot-vulnerability-collection/blob/main/README.md
 
Semiconductor[.]Samsung[.]com — Mobile Processor & Wearable Processor Exynos An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Incorrect Handling of the NL80211 vendor command leads to a buffer overflow via a certain ioctl message, issue 1 of 2. 2026-04-07 not yet calculated CVE-2025-52908 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52908/
 
Semiconductor[.]Samsung[.]com — Mobile Processor & Wearable Processor Exynos An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Incorrect Handling of the NL80211 vendor command leads to a buffer overflow via a certain ioctl message, issue 2 of 2. 2026-04-07 not yet calculated CVE-2025-52909 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-52909/
 
Semiconductor[.]Samsung[.]com — Mobile Processor & Wearable Processor Exynos An issue was discovered in NAS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Incorrect Handling of a DL NAS Transport packet leads to a Denial of Service. 2026-04-06 not yet calculated CVE-2025-54324 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54324/
 
Semiconductor[.]Samsung[.]com — Mobile Processor & Wearable Processor Exynos An issue was discovered in SMS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. A Stack-based Buffer Overflow occurs while parsing SMS RP-DATA messages. 2026-04-06 not yet calculated CVE-2025-54328 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54328/
 
Semiconductor[.]Samsung[.]com — Mobile Processor & Wearable Processor Exynos An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Improper synchronization on a global variable leads to a double free. An attacker can trigger a race condition by invoking an ioctl function concurrently from multiple threads. 2026-04-06 not yet calculated CVE-2025-54601 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54601/
 
Semiconductor[.]Samsung[.]com — Mobile Processor & Wearable Processor Exynos An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930, and W1000. Improper synchronization on a global variable leads to a use-after-free. An attacker can trigger a race condition by invoking an ioctl function concurrently from multiple threads. 2026-04-06 not yet calculated CVE-2025-54602 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54602/
 
n/a–GenieACS In GenieACS 1.2.13, an unauthenticated access vulnerability exists in the NBI API endpoint. 2026-04-07 not yet calculated CVE-2025-56015 https://github.com/genieacs/genieacs/
https://github.com/e1st/CVE-2025-56015
 
Apache Software Foundation–Apache Airflow When a user logged out, the JWT token the user had authenticated with was not invalidated, which could lead to reuse of that token if it was intercepted. Airflow 3.2 implements a mechanism that invalidates the token at logout. Users who are concerned about the logout scenario and the possibility of intercepted tokens should upgrade to Airflow 3.2+. Users are recommended to upgrade to version 3.2.0, which fixes this issue. 2026-04-09 not yet calculated CVE-2025-57735 https://github.com/apache/airflow/pull/61339
https://github.com/apache/airflow/pull/56633
https://lists.apache.org/thread/ovn8mpd8zkc604hojt7x3wsw3kc60x98
 
Semiconductor[.]Samsung[.]com — Mobile Processor & Wearable Processor Exynos An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem (Exynos 980, 850, 990, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 1680, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400, and Modem 5410). The absence of proper input validation leads to a Denial of Service. 2026-04-06 not yet calculated CVE-2025-57834 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54328/
 
Semiconductor[.]Samsung[.]com — Mobile Processor & Wearable Processor Exynos An issue was discovered in RRC in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Improper memory initialization results in an illegal memory access, causing a system crash via a malformed RRCReconfiguration message. 2026-04-06 not yet calculated CVE-2025-57835 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-57835/
 
Semiconductor[.]Samsung[.]com — Mobile Processor & Wearable Processor Exynos An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Incorrect handling of LTE MAC packets containing many MAC Control Elements (CEs) leads to baseband crashes. 2026-04-06 not yet calculated CVE-2025-58349 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58349/
 
Semiconductor[.]Samsung[.]com — Mobile Processor & Wearable Processor Exynos An issue was discovered in USIM in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Improper handling of SIM card proactive commands leads to a Denial of Service. 2026-04-06 not yet calculated CVE-2025-59440 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-59440/
 
n/a–n/a An open redirect in Ascertia SigningHub User v10.0 allows attackers to redirect users to a malicious site via a crafted URL. 2026-04-06 not yet calculated CVE-2025-61166 https://linkedin.com/in/thakur-nikhil
https://medium.com/@rajput.thakur/malicious-open-redirection-cve-2025-61166-bf5d708cd241
 
Apache Software Foundation–Apache DolphinScheduler An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler. This vulnerability may allow unauthorized actors to access sensitive information, including database credentials. This issue affects Apache DolphinScheduler versions 3.1.*. Users are recommended to upgrade to: * version ≥ 3.2.0 if using 3.1.x As a temporary workaround, users who cannot upgrade immediately may restrict the exposed management endpoints by setting the following environment variable:
```
MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,metrics,prometheus
```
Alternatively, add the following configuration to the application.yaml file:
```
management:
  endpoints:
    web:
      exposure:
        include: health,metrics,prometheus
```
This issue has been reported as CVE-2023-48796: https://cveprocess.apache.org/cve5/CVE-2023-48796 2026-04-09 not yet calculated CVE-2025-62188 https://lists.apache.org/thread/ffrmkcwgr2lcz0f5nnnyswhpn3fytsvo
https://www.cve.org/CVERecord?id=CVE-2023-48796
 
axios–axios Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0. 2026-04-09 not yet calculated CVE-2025-62718 https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5
https://github.com/axios/axios/pull/10661
https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df
https://datatracker.ietf.org/doc/html/rfc1034#section-3.1
https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2
https://github.com/axios/axios/releases/tag/v1.15.0
 
Semiconductor[.]Samsung[.]com — Mobile Processor & Wearable Processor Exynos An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. An out-of-bounds write occurs due to a mismatch between the TP-UDHI and UDL values when processing an SMS TP-UD packet. 2026-04-07 not yet calculated CVE-2025-62818 https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-62818/
 
n/a–LimeSurvey A Reflected Cross-Site Scripting (XSS) vulnerability affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of the gid parameter in the getInstance() function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged-in user. 2026-04-09 not yet calculated CVE-2025-63238 https://github.com/LimeSurvey/LimeSurvey/commit/80769a677dc82ddb1fcced4af19bd959d583208d
https://gist.github.com/masquerad3r/f913ab479e8de2ad71987ef98a088fb5
 
n/a–n/a An issue in JXL 9 Inch Car Android Double Din Player Android v12.0 allows attackers to force the infotainment system into accepting falsified GPS signals as legitimate, resulting in the device reporting an incorrect or static location. 2026-04-07 not yet calculated CVE-2025-69515 http://jxl.com
https://github.com/thorat-shubham/JXL_Infotainment_CVE-2025-69515/blob/main/README.md
 
n/a–n/a An issue was discovered in Kiamo before 8.4 allowing authenticated administrative attackers to execute arbitrary PHP code on the server. 2026-04-09 not yet calculated CVE-2025-70364 http://kiamo.com
https://github.com/hackvens/blog.hackvens.fr/blob/main/_posts/advisories/2025-12-23-CVE-2025-70364-Kiamo.md
 
Kiamo[.]com — Kiamo A stored cross-site scripting (XSS) vulnerability exists in Kiamo before 8.4 due to improper output encoding of user-supplied input in administrative interfaces. An authenticated administrative user can inject arbitrary JavaScript code that is executed in the browser of users viewing the affected pages. 2026-04-09 not yet calculated CVE-2025-70365 http://kiamo.com
https://github.com/hackvens/blog.hackvens.fr/blob/main/_posts/advisories/2025-12-23-CVE-2025-70365-Kiamo.md
 
n/a–Limesurvey Cross Site Scripting vulnerability in Limesurvey v.6.15.20+251021 allows a remote attacker to execute arbitrary code via the Box[title] and box[url] parameters. 2026-04-09 not yet calculated CVE-2025-70797 https://gist.github.com/masquerad3r/772ddbfbd9fd95754f4873bcb202146d
https://github.com/LimeSurvey/LimeSurvey/pull/4356
 
n/a–n/a Cross Site Request Forgery vulnerability in phpBB phpBB3 v.3.3.15 allows a local attacker to execute arbitrary code via the login function and the authentication mechanism. 2026-04-09 not yet calculated CVE-2025-70810 https://github.com/ariefibis
https://www.linkedin.com/in/mohammed-a-6a2548112/
https://gist.github.com/ariefibis/80e306765c23d6fac1584dbb76822e30
 
n/a–n/a Cross Site Request Forgery vulnerability in phpBB phpBB3 v.3.3.15 allows a local attacker to execute arbitrary code via the Admin Control Panel icon management functionality. 2026-04-09 not yet calculated CVE-2025-70811 https://github.com/ariefibis
https://www.linkedin.com/in/mohammed-a-6a2548112/
https://github.com/ariefibis/PHPBB/security/advisories/GHSA-56pv-xg3w-6822
 
n/a–Yaffa yaffa v2.0.0 is vulnerable to Cross Site Scripting (XSS). An attacker can inject malicious JavaScript into the “Add Account Group” function on the account-group page, allowing execution of arbitrary script in the context of users who view the affected page. 2026-04-07 not yet calculated CVE-2025-70844 https://github.com/kantorge/yaffa
https://github.com/J4cky1028/vulnerability-research/tree/main/CVE-2025-70844
 
n/a–n/a Dual DHCP DNS Server 8.01 improperly accepts and caches UDP DNS responses without validating that the response originates from a legitimate configured upstream DNS server. The implementation matches responses primarily by TXID and inserts results into the cache, enabling a remote attacker to inject forged responses and poison the DNS cache, potentially redirecting victims to attacker-controlled destinations. 2026-04-07 not yet calculated CVE-2025-71058 https://sourceforge.net/projects/dhcp-dns-server/
https://github.com/FPokerFace/Security-Advisory/tree/main/CVE-2025-71058
 
Google–Android In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. 2026-04-06 not yet calculated CVE-2026-0049 https://source.android.com/docs/security/bulletin/2026/2026-04-01
 
Pegasystems–Pega Robot Studio An arbitrary file-write vulnerability in Pega Browser Extension (PBE) affects Pega Robotic Automation version 22.1 or R25 users who are running automations that work with Google Chrome or Microsoft Edge. A bad actor could create a website that includes malicious code. The vulnerability could occur if a Robot Runtime user navigates to the malicious website. 2026-04-07 not yet calculated CVE-2026-1078 https://support.pega.com/support-doc/pega-security-advisory-a26-vulnerability-remediation-note
 
Pegasystems–Pega Browser Extension (PBE) A native messaging host vulnerability in Pega Browser Extension (PBE) affects users of all versions of Pega Robotic Automation who have installed Pega Browser Extension. A bad actor could create a website that contains malicious code that targets PBE. The vulnerability could occur if a user navigates to this website. The malicious website could then present an unexpected message box. 2026-04-07 not yet calculated CVE-2026-1079 https://support.pega.com/support-doc/pega-security-advisory-a26-vulnerability-remediation-note
 
parisneo–parisneo/lollms In parisneo/lollms version 2.1.0, the application’s session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0. 2026-04-07 not yet calculated CVE-2026-1114 https://huntr.com/bounties/608b2a3b-2225-438e-9e61-ffbfdec2ed89
https://github.com/parisneo/lollms/commit/a3b2b82b84d537a9da63e63a370a6a8ad55fed34
 
parisneo–parisneo/lollms A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned to the `DBPost` model without sanitization. This allows attackers to inject and store malicious JavaScript, which is executed in the browsers of users viewing the Home Feed, including administrators. This can lead to account takeover, session hijacking, and wormable attacks. The issue is resolved in version 2.2.0. 2026-04-10 not yet calculated CVE-2026-1115 https://huntr.com/bounties/099aa4fe-7165-4337-889c-3fb4f1aa71aa
https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a
 
parisneo–parisneo/lollms A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the `content` field when deserializing user-provided data. This allows an attacker to inject malicious HTML or JavaScript payloads, which can be executed in the context of another user’s browser. Exploitation of this vulnerability can lead to account takeover, session hijacking, or wormable attacks. 2026-04-12 not yet calculated CVE-2026-1116 https://huntr.com/bounties/d3d076a7-2a51-4e07-8d0e-91e28e76788e
https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a
 
parisneo–parisneo/lollms An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password. 2026-04-08 not yet calculated CVE-2026-1163 https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b
 
Python Software Foundation–CPython The HTTP client did not reject CR/LF bytes in proxy tunnel headers or the host. 2026-04-10 not yet calculated CVE-2026-1502 https://github.com/python/cpython/pull/146212
https://github.com/python/cpython/issues/146211
https://mail.python.org/archives/list/security-announce@python.org/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3/
https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69
 
huggingface–huggingface/transformers A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3. 2026-04-07 not yet calculated CVE-2026-1839 https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485
https://github.com/huggingface/transformers/commit/03c8082ba4594c9b8d6fe190ca9bed0e5f8ca396
 
Unknown–Link Whisper Free The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates. 2026-04-07 not yet calculated CVE-2026-1900 https://wpscan.com/vulnerability/dc10b627-7981-4c53-bc9d-e87418f3fcfc/
 
MediaTek, Inc.–MediaTek chipset In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01106496; Issue ID: MSV-4467. 2026-04-07 not yet calculated CVE-2026-20431 https://corp.mediatek.com/product-security-bulletin/April-2026
 
MediaTek, Inc.–MediaTek chipset In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01406170; Issue ID: MSV-4461. 2026-04-07 not yet calculated CVE-2026-20432 https://corp.mediatek.com/product-security-bulletin/April-2026
 
MediaTek, Inc.–MediaTek chipset In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01088681; Issue ID: MSV-4460. 2026-04-07 not yet calculated CVE-2026-20433 https://corp.mediatek.com/product-security-bulletin/April-2026
 
MediaTek, Inc.–MediaTek chipset In sec boot, there is a possible out of bounds write due to an integer overflow. This could lead to local denial of service, if an attacker has physical access to the device, with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09963054; Issue ID: MSV-3899. 2026-04-07 not yet calculated CVE-2026-20446 https://corp.mediatek.com/product-security-bulletin/April-2026
 
Rocket.Chat–Rocket.Chat An open redirect vulnerability in Rocket.Chat versions prior to 8.4.0 allows users to be redirected to arbitrary URLs by manipulating parameters within a SAML endpoint. 2026-04-10 not yet calculated CVE-2026-22560 https://hackerone.com/reports/3418031
https://github.com/RocketChat/Rocket.Chat/pull/38994
 
The Wikimedia Foundation–Mediawiki – Wikilove Extension Improper neutralization of alternate XSS syntax vulnerability in The Wikimedia Foundation Mediawiki – Wikilove Extension allows Cross-Site Scripting (XSS). The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45. 2026-04-07 not yet calculated CVE-2026-22711 https://phabricator.wikimedia.org/T416502
https://gerrit.wikimedia.org/r/q/Iab86209478a044504f5a6aea0d8c3d14f21c48b3
 
OpenPLC_V3–OpenPLC_V3 OpenPLC_V3 is vulnerable to an Initialization of a Resource with an Insecure Default vulnerability which could allow an attacker to gain access to the system by bypassing authentication via an API. 2026-04-09 not yet calculated CVE-2026-28205 https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10
 
OpenSSL–OpenSSL Issue summary: Applications using AES-CFB128 encryption or decryption on systems with AVX-512 and VAES support can trigger an out-of-bounds read of up to 15 bytes when processing partial cipher blocks. Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not written to output. The vulnerable code path is only reached when processing partial blocks (when a previous call left an incomplete block and the current call provides fewer bytes than needed to complete it). Additionally, the input buffer must be positioned at a page boundary with the following page unmapped. CFB mode is not used in TLS/DTLS protocols, which use CBC, GCM, CCM, or ChaCha20-Poly1305 instead. For these reasons the issue was assessed as Low severity according to our Security Policy. Only x86-64 systems with AVX-512 and VAES instruction support are affected. Other architectures and systems without VAES support use different code paths that are not affected. OpenSSL FIPS module in 3.6 version is affected by this issue. 2026-04-07 not yet calculated CVE-2026-28386 OpenSSL Advisory
3.6.2 git commit
 
OpenSSL–OpenSSL Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side. Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0)/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage. By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as ‘unusable’ any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable. The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records. No FIPS modules are affected by this issue; the problem code is outside the FIPS module boundary. 2026-04-07 not yet calculated CVE-2026-28387 OpenSSL Advisory
3.6.2 git commit
3.5.6 git commit
3.4.5 git commit
3.3.7 git commit
3.0.20 git commit
 
OpenSSL–OpenSSL Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed, a NULL pointer dereference might happen if the required CRL Number extension is missing. Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application. When CRL processing and delta CRL processing are enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference. Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. 2026-04-07 not yet calculated CVE-2026-28388 OpenSSL Advisory
3.6.2 git commit
3.5.6 git commit
3.4.5 git commit
3.3.7 git commit
3.0.20 git commit
 
OpenSSL–OpenSSL Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo, a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur, resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. 2026-04-07 not yet calculated CVE-2026-28389 OpenSSL Advisory
3.6.2 git commit
3.5.6 git commit
3.4.5 git commit
3.3.7 git commit
3.0.20 git commit
 
OpenSSL–OpenSSL Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo, a NULL pointer dereference can happen. Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur, resulting in Denial of Service. When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of the RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing. Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. 2026-04-07 not yet calculated CVE-2026-28390 OpenSSL Advisory
3.6.2 git commit
3.5.6 git commit
3.4.5 git commit
3.3.7 git commit
3.0.20 git commit
 
Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)–Emocheck Emocheck insecurely loads Dynamic Link Libraries (DLLs). If a crafted DLL file is placed in the same directory, arbitrary code may be executed with the privileges of the user invoking EmoCheck. 2026-04-10 not yet calculated CVE-2026-28704 https://www.jpcert.or.jp/press/2026/PR20260410.html
https://github.com/JPCERTCC/EmoCheck/
https://jvn.jp/en/jp/JVN00263243/
 
Erlang–OTP Incorrect Authorization vulnerability in Erlang OTP (inets modules) allows unauthenticated access to CGI scripts protected by directory rules when served via script_alias. When script_alias maps a URL prefix to a directory outside DocumentRoot, mod_auth evaluates directory-based access controls against the DocumentRoot-relative path while mod_cgi executes the script at the ScriptAlias-resolved path. This path mismatch allows unauthenticated access to CGI scripts that directory rules were meant to protect. This vulnerability is associated with program files lib/inets/src/http_server/mod_alias.erl, lib/inets/src/http_server/mod_auth.erl, and lib/inets/src/http_server/mod_cgi.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to inets from 5.10 until 9.6.2, 9.3.2.4 and 9.1.0.6. 2026-04-07 not yet calculated CVE-2026-28808 https://github.com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f
https://cna.erlef.org/cves/CVE-2026-28808.html
https://osv.dev/vulnerability/EEF-CVE-2026-28808
https://www.erlang.org/doc/system/versions.html#order-of-versions
https://github.com/erlang/otp/commit/8fc71ac6af4fbcc54103bec2983ef22e82942688
https://github.com/erlang/otp/commit/9dfa0c51eac97866078e808dec2183cb7871ff7c
 
Erlang–OTP Generation of Predictable Numbers or Identifiers vulnerability in Erlang/OTP kernel (inet_res, inet_db modules) allows DNS Cache Poisoning. The built-in DNS resolver (inet_res) uses a sequential, process-global 16-bit transaction ID for UDP queries and does not implement source port randomization. Response validation relies almost entirely on this ID, making DNS cache poisoning practical for an attacker who can observe one query or predict the next ID. This conflicts with RFC 5452 recommendations for mitigating forged DNS answers. inet_res is intended for use in trusted network environments and with trusted recursive resolvers. Earlier documentation did not clearly state this deployment assumption, which could lead users to deploy the resolver in environments where spoofed DNS responses are possible. This vulnerability is associated with program files lib/kernel/src/inet_db.erl and lib/kernel/src/inet_res.erl. This issue affects OTP from OTP 17.0 until OTP 28.4.2, 27.3.4.10 and 26.2.5.19 corresponding to kernel from 3.0 until 10.6.2, 10.2.7.4 and 9.2.4.11. 2026-04-07 not yet calculated CVE-2026-28810 https://github.com/erlang/otp/security/advisories/GHSA-v884-5jg5-whj8
https://cna.erlef.org/cves/CVE-2026-28810.html
https://osv.dev/vulnerability/EEF-CVE-2026-28810
https://www.erlang.org/doc/system/versions.html#order-of-versions
https://github.com/erlang/otp/commit/36f23c9d2cc54afe83671dd7343596d7972839a5
https://github.com/erlang/otp/commit/dd15e8eb03548c5e55e9915f0e91389ec6bad9fd
https://github.com/erlang/otp/commit/b057a9d995017b1be50d6dc02edd52382f3231b8
 
Apache Software Foundation–Apache Tomcat Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue. 2026-04-09 not yet calculated CVE-2026-29129 https://lists.apache.org/thread/r4h1t6f8xhxsxfm6c2z5cprolsosho3f
 
Apache Software Foundation–Apache Tomcat CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue. 2026-04-09 not yet calculated CVE-2026-29145 https://lists.apache.org/thread/yz5fxmhd2j43wgqykssdo7kltws57jfz
 
Apache Software Foundation–Apache Tomcat Padding Oracle vulnerability in Apache Tomcat’s EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 or 9.0.116, which fix the issue. 2026-04-09 not yet calculated CVE-2026-29146 https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w
 
n/a–n/a PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php. 2026-04-10 not yet calculated CVE-2026-29861 https://github.com/amanyadav78/CVE-2026-29861
 
Entechtaiwan[.]com – PowerStrip The pstrip64.sys driver in EnTech Taiwan PowerStrip <=3.90.736 allows local users to escalate privileges to SYSTEM via a crafted IOCTL request enabling unprivileged users to map arbitrary physical memory into their address space and modify critical kernel structures. 2026-04-09 not yet calculated CVE-2026-29923 https://entechtaiwan.com/util/ps.shtm
https://packetstorm.news/files/id/218394/
 
n/a– OpenAirInterface OpenAirInterface Version 2.2.0 has a Buffer Overflow vulnerability in processing an UplinkNASTransport containing an Authentication Response that carries a NAS PDU with an oversize response (for example, 100 bytes). The response is decoded by the AMF and passed to the AUSF component for verification. The AUSF crashes on receiving this oversize response. This can prevent users from further registration and verification and can cause Denial of Service (DoS). 2026-04-08 not yet calculated CVE-2026-30075 https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-ausf/-/issues?show=eyJpaWQiOiI2IiwiZnVsbF9wYXRoIjoib2FpL2NuNWcvb2FpLWNuNWctYXVzZiIsImlkIjo1NDE5fQ%3D%3D
https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-ausf/-/issues/6
 
n/a– OpenAirInterface OpenAirInterface V2.2.0 AMF crashes when it receives an NGAP message with an invalid procedure code or an invalid PDU type, for example when the message specification requires InitiatingMessage but the message is sent as successfulOutcome. 2026-04-06 not yet calculated CVE-2026-30078 https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/74
https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/merge_requests/414
 
n/a– OpenAirInterface In OpenAirInterface V2.2.0 AMF, out-of-sequence messages cause an incorrect state transition during the UE registration procedure. This allows authentication to be bypassed completely. If a SecurityModeComplete message is sent after InitialUERegistration, a registration reject is received followed by a registration accept. This leaves the UE registered without proper authentication. 2026-04-07 not yet calculated CVE-2026-30079 https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/77
 
n/a– OpenAirInterface OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. The configuration supports the integrity algorithms NIA1 and NIA2, but if a UE sends an initial registration request advertising only the security capability IA0, OpenAirInterface accepts it and proceeds. This downgraded security context can open the possibility of a replay attack. 2026-04-08 not yet calculated CVE-2026-30080 https://gitlab.eurecom.fr/oai/cn5g/oai-cn5g-amf/-/issues/78
 
chartbrew–chartbrew Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any IP address validation, enabling Server-Side Request Forgery attacks against internal networks and cloud metadata endpoints. This vulnerability is fixed in 4.8.5. 2026-04-10 not yet calculated CVE-2026-30232 https://github.com/chartbrew/chartbrew/security/advisories/GHSA-p4rg-967r-w4cv
https://github.com/chartbrew/chartbrew/commit/9c4a7e2b02acb25f0782bd4ac1f16407d59c2df1
 
n/a– Daylight Studio FuelCMS Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module. 2026-04-07 not yet calculated CVE-2026-30460 https://github.com/daylightstudio/FUEL-CMS/
http://daylight.com
http://fuelcms.com
https://pentest-tools.com/PTT-2025-027-Improper-Authorization.pdf
 
Ms4w[.]com — GatewayGeo Mapserver A Dynamic-link Library Injection vulnerability in GatewayGeo MapServer for Windows version 5 allows attackers to escalate privileges via a crafted executable. 2026-04-09 not yet calculated CVE-2026-30478 https://ms4w.com
https://github.com/penjaminTester/Research/tree/main/CVE-2026-30478
 
Ms4w[.]com — GatewayGeo Mapserver A Dynamic-link Library Injection vulnerability in OSGeo Project MapServer before v8.0 allows attackers to execute arbitrary code via a crafted executable. 2026-04-09 not yet calculated CVE-2026-30479 https://mapserver.org/index.html
https://github.com/penjaminTester/Research/tree/main/CVE-2026-30479
 
Aziot[.]life — AZIOT 1 Node Smart Switch An information disclosure vulnerability exists in AZIOT 1 Node Smart Switch (16amp)- WiFi/Bluetooth Enabled Software Version: 1.1.9 due to improper access control on the UART debug interface. An attacker with physical access can connect to the UART interface and obtain sensitive information from the serial console without authentication. 2026-04-06 not yet calculated CVE-2026-30613 http://aziot.com
https://github.com/dumbermore/tuya/blob/main/README.md
 
TP-Link Systems Inc.–AX53 v1.0 A stack-based buffer overflow in the tmpServer module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to trigger a segmentation fault and potentially execute arbitrary code via a specially crafted configuration file. Successful exploitation may cause a crash and could allow arbitrary code execution, enabling modification of device state, exposure of sensitive data, or further compromise of device integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. 2026-04-08 not yet calculated CVE-2026-30814 https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
https://talosintelligence.com/vulnerability_reports/
https://www.tp-link.com/us/support/faq/5055/
 
TP-Link Systems Inc.–AX53 v1.0 An OS command injection vulnerability in the OpenVPN module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute system commands when a specially crafted configuration file is processed due to insufficient input validation. Successful exploitation may allow modification of configuration files, disclosure of sensitive information, or further compromise of device integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. 2026-04-08 not yet calculated CVE-2026-30815 https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
https://talosintelligence.com/vulnerability_reports/
https://www.tp-link.com/us/support/faq/5055/
 
TP-Link Systems Inc.–AX53 v1.0 An external control of configuration vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary files when a malicious configuration file is processed. Successful exploitation may allow unauthorized access to arbitrary files on the device, potentially exposing sensitive information. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. 2026-04-08 not yet calculated CVE-2026-30816 https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
https://talosintelligence.com/vulnerability_reports/
https://www.tp-link.com/us/support/faq/5055/
 
TP-Link Systems Inc.–AX53 v1.0 An external configuration control vulnerability in the OpenVPN module of TP-Link AX53 v1.0 allows an authenticated adjacent attacker to read arbitrary files when a malicious configuration file is processed. Successful exploitation may allow unauthorized access to arbitrary files on the device, potentially exposing sensitive information. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. 2026-04-08 not yet calculated CVE-2026-30817 https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
https://talosintelligence.com/vulnerability_reports/
https://www.tp-link.com/us/support/faq/5055/
 
TP-Link Systems Inc.–AX53 v1.0 An OS command injection vulnerability in the dnsmasq module of TP-Link Archer AX53 v1.0 allows an authenticated adjacent attacker to execute arbitrary code when a specially crafted configuration file is processed due to insufficient input validation. Successful exploitation may allow the attacker to modify device configuration, access sensitive information, or further compromise system integrity. This issue affects AX53 v1.0: before 1.7.1 Build 20260213. 2026-04-08 not yet calculated CVE-2026-30818 https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware
https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware
https://talosintelligence.com/vulnerability_reports/
https://www.tp-link.com/us/support/faq/5055/
 
n/a–n/a A Server-Side Request Forgery (SSRF) vulnerability exists in the Print Format functionality of ERPNext v16.0.1 and Frappe Framework v16.1.1, where user-supplied HTML is insufficiently sanitized before being rendered into PDF. When generating PDFs from user-controlled HTML content, the application allows the inclusion of HTML elements such as <iframe> that reference external resources. The PDF rendering engine automatically fetches these resources on the server side. An attacker can abuse this behavior to force the server to make arbitrary HTTP requests to internal services, including cloud metadata endpoints, potentially leading to sensitive information disclosure. 2026-04-08 not yet calculated CVE-2026-31017 http://frappe.com
https://github.com/PhDg1410/CVE/tree/main/CVE-2026-31017
 
n/a–n/a A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution. 2026-04-08 not yet calculated CVE-2026-31040 https://github.com/SepineTam/stata-mcp/issues/20
https://github.com/SepineTam/stata-mcp/pull/21
https://github.com/SepineTam/stata-mcp/commit/52413ce
https://github.com/SepineTam/stata-mcp/releases/tag/v1.13.0
 
n/a–n/a A double free vulnerability exists in librz/bin/format/le/le.c in the function le_load_fixup_record(). When processing malformed or circular LE fixup chains, relocation entries may be freed multiple times during error handling. A specially crafted LE binary can trigger heap corruption and cause the application to crash, resulting in a denial-of-service condition. An attacker with a crafted binary could cause a denial of service when the tool is integrated on a service pipeline. 2026-04-06 not yet calculated CVE-2026-31053 https://github.com/rizinorg/rizin/issues/5753
https://github.com/rizinorg/rizin/pull/5795
 
n/a– Aggressive HiPER Router 1200GW UTT Aggressive HiPER 1200GW v2.5.3-170306 was discovered to contain a buffer overflow in the timeRangeName parameter of the formConfigDnsFilterGlobal function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-04-06 not yet calculated CVE-2026-31058 https://github.com/zxq0408/Vul202601/blob/main/2.md
 
n/a– Aggressive HiPER Router 520W A remote command execution (RCE) vulnerability in the /goform/formDia component of UTT Aggressive HiPER 520W v3v1.7.7-180627 allows attackers to execute arbitrary commands via a crafted string. 2026-04-06 not yet calculated CVE-2026-31059 https://github.com/zxq0408/Vul202601/blob/main/9.md
 
n/a– Aggressive HiPER Router 810G UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer overflow in the notes parameter of the formGroupConfig function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-04-06 not yet calculated CVE-2026-31060 https://github.com/zxq0408/Vul202601/blob/main/5.md
 
n/a– Aggressive HiPER Router 810G UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer overflow in the timestart parameter of the ConfigAdvideo function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-04-06 not yet calculated CVE-2026-31061 https://github.com/zxq0408/Vul202601/blob/main/1.md
 
n/a– Aggressive HiPER Router 510W UTT Aggressive 520W v3v1.7.7-180627 was discovered to contain a buffer overflow in the filename parameter of the formFtpServerDirConfig function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-04-06 not yet calculated CVE-2026-31062 https://github.com/zxq0408/Vul202601/blob/main/7.md
 
n/a– Aggressive HiPER Router 1200GW UTT Aggressive HiPER 1200GW v2.5.3-170306 was discovered to contain a buffer overflow in the pools parameter of the formArpBindConfig function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-04-06 not yet calculated CVE-2026-31063 https://github.com/zxq0408/Vul202601/blob/main/4.md
 
n/a– Aggressive HiPER Router 520W UTT Aggressive 520W v3v1.7.7-180627 was discovered to contain a buffer overflow in the addCommand parameter of the formConfigCliForEngineerOnly function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-04-06 not yet calculated CVE-2026-31065 https://github.com/zxq0408/Vul202601/blob/main/8.md
 
n/a– Aggressive HiPER Router 810G UTT Aggressive HiPER 810G v3v1.7.7-171114 was discovered to contain a buffer overflow in the selDateType parameter of the formTaskEdit function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. 2026-04-06 not yet calculated CVE-2026-31066 https://github.com/zxq0408/Vul202601/blob/main/6.md
 
n/a– UTT Aggressive 520W A remote command execution (RCE) vulnerability in the /goform/formReleaseConnect component of UTT Aggressive 520W v3v1.7.7-180627 allows attackers to execute arbitrary commands via a crafted string. 2026-04-06 not yet calculated CVE-2026-31067 https://github.com/zxq0408/Vul202601/blob/main/10.md
 
n/a– Kaleris YMS Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated attackers with only the shipping/receiving role to view the truck’s dashboard resources. 2026-04-06 not yet calculated CVE-2026-31150 https://kaleris.com/solutions/yard-management/
https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31150
 
n/a– Kaleris YMS An issue in the login mechanism of Kaleris YMS v7.2.2.1 allows attackers to bypass login verification to access the application’s resources. 2026-04-06 not yet calculated CVE-2026-31151 https://kaleris.com/solutions/yard-management/
https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31151
 
Bynder[.]com — Bynder v0.1.394 A stored cross-site scripting (XSS) vulnerability in Bynder v0.1.394 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. 2026-04-06 not yet calculated CVE-2026-31153 https://www.bynder.com/en/
https://github.com/Henkel-CyberVM/CVEs/tree/main/CVE-2026-31153
 
Totolink[.]net — A3300R router An issue was discovered in ToToLink A3300R firmware v17.0.0cu.557_B20221024 allowing attackers to execute arbitrary commands via the stun-pass parameter to /cgi-bin/cstecgi.cgi. 2026-04-09 not yet calculated CVE-2026-31170 https://github.com/Svigo-o/TOTOLINK-Vul/tree/main/totolink-a3300r-stun-pass-cmd-injection
 
Altenar[.]com — Sportsbook Software Platform SB2 v.2.0 Cross Site Scripting vulnerability in Altenar Sportsbook Software Platform (SB2) v.2.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the URL parameter. 2026-04-10 not yet calculated CVE-2026-31262 https://github.com/nikolas-ch/CVEs/tree/main/Altenar_SportsBook_Platform_SB2/ORtoXSS
https://github.com/nikolas-ch/CVEs/blob/main/Altenar_SportsBook_Platform_SB2/ORtoXSS/ORtoXSS.txt
 
n/a–n/a megagao production_ssm v1.0 contains an authorization bypass vulnerability in the user addition functionality. The insert() method in UserController.java lacks authentication checks, allowing unauthenticated attackers to create super administrator accounts by directly accessing the /user/insert endpoint. This leads to complete system compromise. 2026-04-07 not yet calculated CVE-2026-31271 https://github.com/clockw1se0v0/Vul/blob/main/production_ssm/Unauthorized.md
 
n/a–n/a MRCMS 3.1.2 contains an access control vulnerability. The save() method in src/main/java/org/marker/mushroom/controller/UserController.java lacks proper authorization validation, enabling direct addition of super administrator accounts without authentication. 2026-04-07 not yet calculated CVE-2026-31272 https://github.com/clockw1se0v0/Vul/blob/main/MRCMS/Unauthorized.md
 
n/a– Feehi CMS An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Content field. 2026-04-06 not yet calculated CVE-2026-31313 http://feehi.com
https://github.com/liufee/cms/issues/80
 
n/a– Feehi CMS An authenticated stored cross-site scripting (XSS) vulnerability in Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Page Sign parameter. 2026-04-06 not yet calculated CVE-2026-31350 https://github.com/liufee/cms
https://github.com/liufee/cms/issues/82
 
n/a– Feehi CMS An authenticated stored cross-site scripting (XSS) vulnerability in the creation/editing module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title parameter. 2026-04-06 not yet calculated CVE-2026-31351 https://github.com/liufee/cms
https://github.com/liufee/cms/issues/81
 
n/a– Feehi CMS An authenticated stored cross-site scripting (XSS) vulnerability in the Role Management module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Role Name parameter. 2026-04-06 not yet calculated CVE-2026-31352 https://github.com/liufee/cms
https://github.com/liufee/cms/issues/83
 
n/a– Feehi CMS An authenticated stored cross-site scripting (XSS) vulnerability in the Category module of Feehi CMS v2.1.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter. 2026-04-06 not yet calculated CVE-2026-31353 https://github.com/liufee/cms
https://github.com/liufee/cms/issues/84
 
n/a– Feehi CMS Multiple authenticated stored cross-site scripting (XSS) vulnerabilities in the Permissions module of Feehi CMS v2.1.1 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Group, Category or Description parameters. 2026-04-06 not yet calculated CVE-2026-31354 https://github.com/liufee/cms
https://github.com/liufee/cms/issues/85
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: media: dvb-net: fix OOB access in ULE extension header tables The ule_mandatory_ext_handlers[] and ule_optional_ext_handlers[] tables in handle_one_ule_extension() are declared with 255 elements (valid indices 0-254), but the index htype is derived from network-controlled data as (ule_sndu_type & 0x00FF), giving a range of 0-255. When htype equals 255, an out-of-bounds read occurs on the function pointer table, and the OOB value may be called as a function pointer. Add a bounds check on htype against the array size before either table is accessed. Out-of-range values now cause the SNDU to be discarded. 2026-04-06 not yet calculated CVE-2026-31405 https://git.kernel.org/stable/c/29ef43ceb121d67b87f4cbb08439e4e9e732eff8
https://git.kernel.org/stable/c/1a6da3dbb9985d00743073a1cc1f96e59f5abc30
https://git.kernel.org/stable/c/145e50c2c700fa52b840df7bab206043997dd18e
https://git.kernel.org/stable/c/8bde543d2a5f935ba2a6a6325a2e02f8a9256fbe
https://git.kernel.org/stable/c/f2b65dcb78c8990e4c68a906627433be1fe38a92
https://git.kernel.org/stable/c/24d87712727a5017ad142d63940589a36cd25647
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: xfrm: Fix work re-schedule after cancel in xfrm_nat_keepalive_net_fini() After cancel_delayed_work_sync() is called from xfrm_nat_keepalive_net_fini(), xfrm_state_fini() flushes remaining states via __xfrm_state_delete(), which calls xfrm_nat_keepalive_state_updated() to re-schedule nat_keepalive_work. The following is a simple race scenario: cpu0 cpu1 cleanup_net() [Round 1] ops_undo_list() xfrm_net_exit() xfrm_nat_keepalive_net_fini() cancel_delayed_work_sync(nat_keepalive_work); xfrm_state_fini() xfrm_state_flush() xfrm_state_delete(x) __xfrm_state_delete(x) xfrm_nat_keepalive_state_updated(x) schedule_delayed_work(nat_keepalive_work); rcu_barrier(); net_complete_free(); net_passive_dec(net); llist_add(&net->defer_free_list, &defer_free_list); cleanup_net() [Round 2] rcu_barrier(); net_complete_free() kmem_cache_free(net_cachep, net); nat_keepalive_work() // on freed net To prevent this, cancel_delayed_work_sync() is replaced with disable_delayed_work_sync(). 2026-04-06 not yet calculated CVE-2026-31406 https://git.kernel.org/stable/c/32d0f44c2f14d60fe8e920e69a28c11051543ec1
https://git.kernel.org/stable/c/2255ed6adbc3100d2c4a83abd9d0396d04b87792
https://git.kernel.org/stable/c/21f2fc49ca6faa393c31da33b8a4e6c41fc84c13
https://git.kernel.org/stable/c/daf8e3b253aa760ff9e96c7768a464bc1d6b3c90
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: add missing netlink policy validations Hyunwoo Kim reports out-of-bounds access in sctp and ctnetlink. These attributes are used by the kernel without any validation. Extend the netlink policies accordingly. Quoting the reporter: nlattr_to_sctp() assigns the user-supplied CTA_PROTOINFO_SCTP_STATE value directly to ct->proto.sctp.state without checking that it is within the valid range. [..] and: … with exp->dir = 100, the access at ct->master->tuplehash[100] reads 5600 bytes past the start of a 320-byte nf_conn object, causing a slab-out-of-bounds read confirmed by UBSAN. 2026-04-06 not yet calculated CVE-2026-31407 https://git.kernel.org/stable/c/0fbae1e74493d5a160a70c51aeba035d8266ea7d
https://git.kernel.org/stable/c/f900e1d77ee0ef87bfb5ab3fe60f0b3d8ad5ba05
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix use-after-free in sco_recv_frame() due to missing sock_hold sco_recv_frame() reads conn->sk under sco_conn_lock() but immediately releases the lock without holding a reference to the socket. A concurrent close() can free the socket between the lock release and the subsequent sk->sk_state access, resulting in a use-after-free. Other functions in the same file (sco_sock_timeout(), sco_conn_del()) correctly use sco_sock_hold() to safely hold a reference under the lock. Fix by using sco_sock_hold() to take a reference before releasing the lock, and adding sock_put() on all exit paths. 2026-04-06 not yet calculated CVE-2026-31408 https://git.kernel.org/stable/c/b0a7da0e3f7442545f071499beb36374714bb9de
https://git.kernel.org/stable/c/45aaca995e4a7a05b272a58e7ab2fff4f611b8f1
https://git.kernel.org/stable/c/108b81514d8f2535eb16651495cefb2250528db3
https://git.kernel.org/stable/c/7197462e90b8ce15caa1ae15d4bc2bb8cd21b11e
https://git.kernel.org/stable/c/e76e8f0581ef555eacc11dbb095e602fb30a5361
https://git.kernel.org/stable/c/598dbba9919c5e36c54fe1709b557d64120cb94b
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: unset conn->binding on failed binding request When a multichannel SMB2_SESSION_SETUP request with SMB2_SESSION_REQ_FLAG_BINDING fails, ksmbd sets conn->binding = true but never clears it on the error path. This leaves the connection in a binding state where all subsequent ksmbd_session_lookup_all() calls fall back to the global sessions table. Fix this by clearing conn->binding = false in the error path. 2026-04-06 not yet calculated CVE-2026-31409 https://git.kernel.org/stable/c/d073870dab8f6dadced81d13d273ff0b21cb7f4e
https://git.kernel.org/stable/c/6ebef4a220a1ebe345de899ebb9ae394206fe921
https://git.kernel.org/stable/c/89afe5e2dbea6e9d8e5f11324149d06fa3a4efca
https://git.kernel.org/stable/c/9feb2d1bf86d9e5e66b8565f37f8d3a7d281a772
https://git.kernel.org/stable/c/6260fc85ed1298a71d24a75d01f8b2e56d489a60
https://git.kernel.org/stable/c/282343cf8a4a5a3603b1cb0e17a7083e4a593b03
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: ksmbd: use volume UUID in FS_OBJECT_ID_INFORMATION Use sb->s_uuid for a proper volume identifier as the primary choice. For filesystems that do not provide a UUID, fall back to stfs.f_fsid obtained from vfs_statfs(). 2026-04-06 not yet calculated CVE-2026-31410 https://git.kernel.org/stable/c/ce00616bc1df675bfdacc968f2bf7c51f4669227
https://git.kernel.org/stable/c/3d80ebe6d1b7bc9ad20fd9b0c1a0c56d804f8a0a
https://git.kernel.org/stable/c/c283a6ffe6d5d6e5594d991286b9ce15951572e1
https://git.kernel.org/stable/c/3a64125730cabc34fccfbc230c2667c2e14f7308
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: net: atm: fix crash due to unvalidated vcc pointer in sigd_send() Reproducer available at [1]. The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged: int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0); ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon struct msghdr msg = { .msg_iov = &iov, … }; *(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer sendmsg(fd, &msg, 0); // kernel dereferences 0xdeadbeef In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values. Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found. Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used. Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety. [1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3 2026-04-08 not yet calculated CVE-2026-31411 https://git.kernel.org/stable/c/c96549d07dfdd51aadf0722cfb40711574424840
https://git.kernel.org/stable/c/1c8bda3df028d5e54134077dcd09f46ca8cfceb5
https://git.kernel.org/stable/c/3e1a8b00095246a9a2b46b57f6d471c6d3c00ed2
https://git.kernel.org/stable/c/e3f80666c2739296c3b69a127300455c43aa1067
https://git.kernel.org/stable/c/21c303fec138c002f90ed33bce60e807d53072bb
https://git.kernel.org/stable/c/69d3f9ee5489e6e8b66defcfa226e91d82393297
https://git.kernel.org/stable/c/440c9a5fc477a8ee259d8bf669531250b8398651
https://git.kernel.org/stable/c/ae88a5d2f29b69819dc7b04086734439d074a643
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks() The `check_command_size_in_blocks()` function calculates the data size in bytes by left shifting `common->data_size_from_cmnd` by the block size (`common->curlun->blkbits`). However, it does not validate whether this shift operation will cause an integer overflow. Initially, the block size is set up in `fsg_lun_open()`, and `common->data_size_from_cmnd` is set up in `do_scsi_command()`. During initialization, there is no integer overflow check for the interaction between the two variables. So if a malicious USB host sends a SCSI READ or WRITE command requesting a large amount of data (`common->data_size_from_cmnd`), the left shift operation can wrap around. This results in a truncated data size, which can bypass boundary checks and potentially lead to memory corruption or out-of-bounds accesses. Fix this by using the check_shl_overflow() macro to safely perform the shift and catch any overflows. 2026-04-10 not yet calculated CVE-2026-31412 https://git.kernel.org/stable/c/91817ad5452defe69bc7bc0e355f0ed5d01125cc
https://git.kernel.org/stable/c/ce0caaed5940162780c5c223b8ae54968a5f059b
https://git.kernel.org/stable/c/228b37936376143f4b60cc6828663f6eaceb81b5
https://git.kernel.org/stable/c/3428dc5520c811e66622b2f5fa43341bf9a1f8b3
https://git.kernel.org/stable/c/387ebb0453b99d71491419a5dc4ab4bee0cacbac
https://git.kernel.org/stable/c/8479891d1f04a8ce55366fe4ca361ccdb96f02e1
 
Linux–Linux In the Linux kernel, the following vulnerability has been resolved: bpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR maybe_fork_scalars() is called for both BPF_AND and BPF_OR when the source operand is a constant. When dst has signed range [-1, 0], it forks the verifier state: the pushed path gets dst = 0, the current path gets dst = -1. For BPF_AND this is correct: 0 & K == 0. For BPF_OR this is wrong: 0 | K == K, not 0. The pushed path therefore tracks dst as 0 when the runtime value is K, producing an exploitable verifier/runtime divergence that allows out-of-bounds map access. Fix this by passing env->insn_idx (instead of env->insn_idx + 1) to push_stack(), so the pushed path re-executes the ALU instruction with dst = 0 and naturally computes the correct result for any opcode. 2026-04-12 not yet calculated CVE-2026-31413 https://git.kernel.org/stable/c/342aa1ee995ef5bbf876096dc3a5e51218d76fa4
https://git.kernel.org/stable/c/58bd87d0e69204dbd739e4387a1edb0c4b1644e7
https://git.kernel.org/stable/c/d13281ae7ea8902b21d99d10a2c8caf0bdec0455
https://git.kernel.org/stable/c/c845894ebd6fb43226b3118d6b017942550910c5
 
OpenSSL–OpenSSL Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms. Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior. If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow. Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary. 2026-04-07 not yet calculated CVE-2026-31789 OpenSSL Advisory
3.6.2 git commit
3.5.6 git commit
3.4.5 git commit
3.3.7 git commit
3.0.20 git commit
 
OpenSSL–OpenSSL Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker. RSA_public_encrypt() returns the number of bytes written on success and -1 on error. The affected code tests only whether the return value is non-zero. As a result, if RSA encryption fails, encapsulation can still return success to the caller, set the output lengths, and leave the caller to use the contents of the ciphertext buffer as if a valid KEM ciphertext had been produced. If applications use EVP_PKEY_encapsulate() with RSA/RSASVE on an attacker-supplied invalid RSA public key without first validating that key, then this may cause stale or uninitialized contents of the caller-provided ciphertext buffer to be disclosed to the attacker in place of the KEM ciphertext. As a workaround calling EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate() will mitigate the issue. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.1 and 3.0 are affected by this issue. 2026-04-07 not yet calculated CVE-2026-31790 OpenSSL Advisory
3.6.2 git commit
3.5.6 git commit
3.4.5 git commit
3.3.7 git commit
3.0.20 git commit
 
Sonatype–Nexus Repository A vulnerability in the task management component of Sonatype Nexus Repository versions 3.22.1 through 3.90.2 allows an authenticated attacker with task creation permissions to execute arbitrary code, bypassing the nexus.scripts.allowCreation security control. 2026-04-08 not yet calculated CVE-2026-3199 https://help.sonatype.com/en/sonatype-nexus-repository-3-91-0-release-notes.html
https://support.sonatype.com/hc/en-us/articles/50615414548499
 
Erlang–OTP Improper Certificate Validation vulnerability in Erlang OTP public_key (pubkey_ocsp module) allows OCSP designated-responder authorization bypass via missing signature verification. The OCSP response validation in public_key:pkix_ocsp_validate/5 does not verify that a CA-designated responder certificate was cryptographically signed by the issuing CA. Instead, it only checks that the responder certificate’s issuer name matches the CA’s subject name and that the certificate has the OCSPSigning extended key usage. An attacker who can intercept or control OCSP responses can create a self-signed certificate with a matching issuer name and the OCSPSigning EKU, and use it to forge OCSP responses that mark revoked certificates as valid. This affects SSL/TLS clients using OCSP stapling, which may accept connections to servers with revoked certificates, potentially transmitting sensitive data to compromised servers. Applications using the public_key:pkix_ocsp_validate/5 API directly are also affected, with impact depending on usage context. This vulnerability is associated with program files lib/public_key/src/pubkey_ocsp.erl and program routines pubkey_ocsp:is_authorized_responder/3. This issue affects OTP from OTP 27.0 until OTP 28.4.2 and 27.3.4.10 corresponding to public_key from 1.16 until 1.20.3 and 1.17.1.2, and ssl from 11.2 until 11.5.4 and 11.2.12.7. 2026-04-07 not yet calculated CVE-2026-32144 https://github.com/erlang/otp/security/advisories/GHSA-gxrm-pf64-99xm
https://cna.erlef.org/cves/CVE-2026-32144.html
https://osv.dev/vulnerability/EEF-CVE-2026-32144
https://www.erlang.org/doc/system/versions.html#order-of-versions
https://github.com/erlang/otp/commit/ac7ff528be857c5d35eb29c7f24106e3a16d4891
https://github.com/erlang/otp/commit/49033a6d93a5be0ee0dce04e1fb8b4ae7de1e0c0
 
Gleam–Gleam Improper path validation vulnerability in the Gleam compiler’s handling of git dependencies allows arbitrary file system modification during dependency download. Dependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended dependency directory, allowing attacker-controlled paths (via relative traversal such as ../ or absolute paths) to target filesystem locations outside that directory. When resolving git dependencies (e.g. via gleam deps download), the computed path is used for filesystem operations including directory deletion and creation. This vulnerability occurs during the dependency resolution and download phase, which is generally expected to be limited to fetching and preparing dependencies within a confined directory. A malicious direct or transitive git dependency can exploit this issue to delete and overwrite arbitrary directories outside the intended dependency directory, including attacker-chosen absolute paths, potentially causing data loss. In some environments, this may be further leveraged to achieve code execution, for example by overwriting git hooks or shell configuration files. This issue affects Gleam from 1.9.0-rc1 until 1.15.3 and 1.16.0-rc1. 2026-04-11 not yet calculated CVE-2026-32146 https://github.com/gleam-lang/gleam/security/advisories/GHSA-vq5j-55vx-wq8j
https://cna.erlef.org/cves/CVE-2026-32146.html
https://osv.dev/vulnerability/EEF-CVE-2026-32146
https://github.com/gleam-lang/gleam/commit/1aa5d8e594b0aa240bb213fce6ee19c65e6d5bcf
https://github.com/gleam-lang/gleam/commit/55bb36e6d7febfbbc48c4d001e0ae13eb0312d78
 
Go standard library–crypto/x509 During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls. 2026-04-08 not yet calculated CVE-2026-32280 https://go.dev/cl/758320
https://go.dev/issue/78282
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://pkg.go.dev/vuln/GO-2026-4947
 
Go standard library–crypto/x509 Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. 2026-04-08 not yet calculated CVE-2026-32281 https://go.dev/cl/758061
https://go.dev/issue/78281
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://pkg.go.dev/vuln/GO-2026-4946
 
Go standard library–internal/syscall/unix On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root. The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation. 2026-04-08 not yet calculated CVE-2026-32282 https://go.dev/cl/763761
https://go.dev/issue/78293
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://pkg.go.dev/vuln/GO-2026-4864
 
Go standard library–crypto/tls If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service. This only affects TLS 1.3. 2026-04-08 not yet calculated CVE-2026-32283 https://go.dev/cl/763767
https://go.dev/issue/78334
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://pkg.go.dev/vuln/GO-2026-4870
 
Go standard library–archive/tar tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the “old GNU sparse map” format. 2026-04-08 not yet calculated CVE-2026-32288 https://go.dev/cl/763766
https://go.dev/issue/78301
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://pkg.go.dev/vuln/GO-2026-4869
 
Go standard library–html/template Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied. These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities. 2026-04-08 not yet calculated CVE-2026-32289 https://go.dev/cl/763762
https://go.dev/issue/78331
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://pkg.go.dev/vuln/GO-2026-4865
 
Apache Software Foundation–Apache Cassandra Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows an authenticated user to raise query latencies via repeated password changes. Users are recommended to upgrade to version 4.0.20, 4.1.11, or 5.0.7, which fix this issue. 2026-04-07 not yet calculated CVE-2026-32588 https://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc
 
Apache Software Foundation–Apache Tomcat Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue. 2026-04-09 not yet calculated CVE-2026-32990 https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7
 
Apache Software Foundation–Apache OpenMeetings Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings. Any registered user can query the web service with their credentials and get the files/sub-folders of any folder by ID (metadata only, NOT contents). Metadata includes id, type, name and some other fields. The full list of fields can be checked in the FileItemDTO object. This issue affects Apache OpenMeetings: from 3.10 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue. 2026-04-09 not yet calculated CVE-2026-33005 https://openmeetings.apache.org/openmeetings-db/apidocs/org.apache.openmeetings.db/org/apache/openmeetings/db/dto/file/FileItemDTO.html
https://lists.apache.org/thread/pttoprd628g3xr6lpp3bm1z8m3z8t4p7
 
djangoproject–Django An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. `MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. 2026-04-07 not yet calculated CVE-2026-33033 Django security archive
Django releases announcements
Django security releases issued: 6.0.4, 5.2.13, and 4.2.30
 
djangoproject–Django An issue was discovered in 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30. ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading `HttpRequest.body`, allowing remote attackers to load an unbounded request body into memory. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Superior for reporting this issue. 2026-04-07 not yet calculated CVE-2026-33034 Django security archive
Django releases announcements
Django security releases issued: 6.0.4, 5.2.13, and 4.2.30
 
Six Apart Ltd.–Movable Type Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement. 2026-04-08 not yet calculated CVE-2026-33088 https://movabletype.org/news/2026/04/mt-907-released.html
https://www.sixapart.jp/movabletype/news/2026/04/08-1100.html
https://jvn.jp/en/jp/JVN66473735/
 
Acronis–Acronis True Image OEM Local privilege escalation due to improper handling of environment variables. The following products are affected: Acronis True Image OEM (macOS) before build 42571, Acronis True Image (macOS) before build 42902. 2026-04-10 not yet calculated CVE-2026-33092 SEC-9407
 
Apache Software Foundation–Apache ActiveMQ Client Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ. In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided “key” value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit. This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3. 2026-04-07 not yet calculated CVE-2026-33227 https://activemq.apache.org/security-advisories.data/CVE-2026-33227-announcement.txt
 
xwiki–xwiki-platform XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don’t recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1. 2026-04-08 not yet calculated CVE-2026-33229 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9
https://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63
https://jira.xwiki.org/browse/XWIKI-23698
https://jira.xwiki.org/browse/XWIKI-23702
 
Apache Software Foundation–Apache OpenMeetings Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to a default value in openmeetings.properties and is not auto-rotated. If the OM admin hasn’t changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can obtain full user credentials. This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue. 2026-04-09 not yet calculated CVE-2026-33266 https://lists.apache.org/thread/b05jnp9563v49zq494lox9kjbhhf2w66
 
ICZ Corporation–MATCHA INVOICE Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the product. As a result, arbitrary code may be executed on the server. 2026-04-08 not yet calculated CVE-2026-33273 https://oss.icz.co.jp/news/?p=1386
https://jvn.jp/en/jp/JVN33581068/
 
OpenIdentityPlatform–OpenAM Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter after CVE-2021-35464. An unauthenticated attacker can achieve arbitrary command execution on the server by sending a crafted serialized Java object as the jato.clientSession GET/POST parameter to any JATO ViewBean endpoint whose JSP contains <jato:form> tags (e.g., the Password Reset pages). This vulnerability is fixed in 16.0.6. 2026-04-07 not yet calculated CVE-2026-33439 https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-2cqq-rpvq-g5qj
 
Checkmk GmbH–Checkmk Livestatus injection in the monitoring quicksearch in Checkmk <2.5.0b4 allows an authenticated attacker to inject livestatus commands via the search query due to insufficient input sanitization in search filter plugins. 2026-04-10 not yet calculated CVE-2026-33455 https://checkmk.com/werk/17988
 
Checkmk GmbH–Checkmk Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via a crafted service description. 2026-04-10 not yet calculated CVE-2026-33456 https://checkmk.com/werk/17989
 
Checkmk GmbH–Checkmk Livestatus injection in the prediction graph page in Checkmk <2.5.0b4, <2.4.0p26, and <2.3.0p47 allows an authenticated user to inject arbitrary Livestatus commands via a crafted service name parameter due to insufficient sanitization of the service description value. 2026-04-10 not yet calculated CVE-2026-33457 https://checkmk.com/werk/17990
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code from the main/install/ directory and allow an unauthenticated attacker to modify existing files or create new files where allowed by system permissions. This only affects portals with the main/install/ directory still present and read-accessible. This vulnerability is fixed in 1.11.38. 2026-04-10 not yet calculated CVE-2026-33698 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-557g-2w66-gpmf
https://github.com/chamilo/chamilo-lms/commit/d3355d7873c7e5b907c5fa84cbd5d9b62ed33e51
 
chamilo–chamilo-lms Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by modifying the userId parameter. This results in mass disclosure of sensitive user information and credentials, enabling a full platform data breach. This vulnerability is fixed in 2.0.0-RC.3. 2026-04-10 not yet calculated CVE-2026-33703 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-27x6-c5c7-gpf5
 
Go standard library–crypto/x509 When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool. 2026-04-08 not yet calculated CVE-2026-33810 https://go.dev/cl/763763
https://go.dev/issue/78332
https://groups.google.com/g/golang-announce/c/0uYbvbPZRWU
https://pkg.go.dev/vuln/GO-2026-4866
 
github.com/jackc/pgx/v5–github.com/jackc/pgx/v5/pgproto3 Memory-safety vulnerability in github.com/jackc/pgx/v5. 2026-04-07 not yet calculated CVE-2026-33815 https://pkg.go.dev/vuln/GO-2026-4771
 
github.com/jackc/pgx/v5–github.com/jackc/pgx/v5/pgproto3 Memory-safety vulnerability in github.com/jackc/pgx/v5. 2026-04-07 not yet calculated CVE-2026-33816 https://pkg.go.dev/vuln/GO-2026-4772
 
Mlflow–Mlflow MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim. This issue affects MLflow versions through 3.10.1. 2026-04-07 not yet calculated CVE-2026-33865 https://github.com/mlflow/mlflow/pull/21435
https://cert.pl/en/posts/2026/04/CVE-2026-33865/
https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors
 
Mlflow–Mlflow MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access-control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to access. This issue affects MLflow versions through 3.10.1. 2026-04-07 not yet calculated CVE-2026-33866 https://github.com/mlflow/mlflow/pull/21708
https://cert.pl/en/posts/2026/04/CVE-2026-33865/
https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors
 
Apache Software Foundation–Apache OpenMeetings Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The REST login endpoint uses the HTTP GET method with username and password passed as query parameters. Please check the references regarding possible impact. This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue. 2026-04-09 not yet calculated CVE-2026-34020 https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url
https://lists.apache.org/thread/2h3h9do5tp17xldr0nps1yjmkx4vs3db
 
flatpak–flatpak Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the Flatpak portal accepts paths in the sandbox-expose options which can be app-controlled symlinks pointing at arbitrary paths. Flatpak run mounts the resolved host path in the sandbox. This gives apps access to all host files and can be used as a primitive to gain code execution in the host context. This vulnerability is fixed in 1.16.4. 2026-04-07 not yet calculated CVE-2026-34078 https://github.com/flatpak/flatpak/security/advisories/GHSA-cc2q-qc34-jprg
 
flatpak–flatpak Flatpak is a Linux application sandboxing and distribution framework. Prior to 1.16.4, the caching for ld.so removes outdated cache files without properly checking that the app controlled path to the outdated cache is in the cache directory. This allows Flatpak apps to delete arbitrary files on the host. This vulnerability is fixed in 1.16.4. 2026-04-07 not yet calculated CVE-2026-34079 https://github.com/flatpak/flatpak/security/advisories/GHSA-p29x-r292-46pp
 
flatpak–xdg-dbus-proxy xdg-dbus-proxy is a filtering proxy for D-Bus connections. Prior to 0.1.7, a policy parser vulnerability allows bypassing eavesdrop restrictions. The proxy checks for eavesdrop=true in policy rules but fails to handle eavesdrop ='true' (with a space before the equals sign) and similar cases. Clients can intercept D-Bus messages they should not have access to. This vulnerability is fixed in 0.1.7. 2026-04-07 not yet calculated CVE-2026-34080 https://github.com/flatpak/xdg-dbus-proxy/security/advisories/GHSA-vjp5-hjfm-7677
 
Hydrosystem–Control System Hydrosystem Control System does not enforce authorization for some directories. This allows an unauthorized attacker to read all files in these directories and even execute some of them. Critically, the attacker could run PHP scripts directly on the connected database. This issue was fixed in Hydrosystem Control System version 9.8.5. 2026-04-09 not yet calculated CVE-2026-34184 https://cert.pl/posts/2026/04/CVE-2026-4901/
https://www.hydrosystem.poznan.pl/
 
Hydrosystem–Control System Hydrosystem Control System is vulnerable to SQL Injection across most scripts and input parameters. Because no protections are in place, an authenticated attacker can inject arbitrary SQL commands, potentially gaining full control over the database. This issue was fixed in Hydrosystem Control System version 9.8.5. 2026-04-09 not yet calculated CVE-2026-34185 https://cert.pl/posts/2026/04/CVE-2026-4901/
https://www.hydrosystem.poznan.pl/
 
Apache Software Foundation–Apache ActiveMQ Broker Improper Input Validation, Improper Control of Generation of Code (‘Code Injection’) vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport’s brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring’s ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker’s JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. 2026-04-07 not yet calculated CVE-2026-34197 https://activemq.apache.org/security-advisories.data/CVE-2026-34197-announcement.txt
 
nyariv–SandboxJS SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions (e.g., ~2000 nested parentheses), causing a RangeError: Maximum call stack size exceeded that terminates the process. This vulnerability is fixed in 0.8.36. 2026-04-06 not yet calculated CVE-2026-34211 https://github.com/nyariv/SandboxJS/security/advisories/GHSA-8pfc-jjgw-6g26
 
nyariv–SandboxJS SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability exists in @nyariv/sandboxjs. The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to untrusted code, which is unexpected and undesired behaviour. While this could allow modifying scopes inside the sandbox, code evaluation remains sandboxed and prototypes remain protected throughout the execution. This vulnerability is fixed in 0.8.36. 2026-04-06 not yet calculated CVE-2026-34217 https://github.com/nyariv/SandboxJS/security/advisories/GHSA-hg73-4w7g-q96w
 
zammad–zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, customers in shared organizations (meaning they can see each other’s tickets) could see fields which are not intended for customers – including fields not intended for them at all (e.g. priority, custom ticket attributes for internal purposes). This was the case when a customer opened a ticket from another user of the same shared organization. They are not able to modify these fields. This vulnerability is fixed in 7.0.1. 2026-04-08 not yet calculated CVE-2026-34248 https://github.com/zammad/zammad/security/advisories/GHSA-prww-84vh-w978
 
Sonatype–Nexus Repository A reflected cross-site scripting vulnerability exists in Sonatype Nexus Repository versions 3.0.0 through 3.90.2 that allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim’s browser through a specially crafted URL. Exploitation requires user interaction. 2026-04-08 not yet calculated CVE-2026-3438 https://help.sonatype.com/en/sonatype-nexus-repository-3-91-0-release-notes.html
https://support.sonatype.com/hc/en-us/articles/50609137161363
 
scoder–lupa Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attribute_filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitrary code execution. 2026-04-06 not yet calculated CVE-2026-34444 https://github.com/scoder/lupa/security/advisories/GHSA-69v7-xpr6-6gjm
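
Added example (not lupa's code; the attribute_filter name and signature are only modelled after the hook the advisory names): a miniature expression sandbox that consults an attribute filter on every a.b node, the way a runtime bridge hooks its index path, while handing the host's own getattr and setattr to the untrusted code unchanged. The second builtins table routes those two functions through the same filter, which is the fix shape. The Account class and its token are constructed. Once an unfiltered getattr reaches __class__, the usual chain through __mro__ and __subclasses__ leads to arbitrary code execution, which is why the filter must sit on every path to an attribute rather than only on attribute syntax.

```python
import ast


def attribute_filter(obj, attr_name: str, is_setting: bool) -> str:
    """Illustrative policy hook (assumed name and signature, not lupa's API):
    deny every underscore-prefixed attribute, which covers __class__, __dict__,
    __globals__ and the other introspection hooks that lead from an object
    back to the interpreter."""
    if attr_name.startswith("_"):
        raise AttributeError(f"access to {attr_name!r} denied by filter")
    return attr_name


class MiniSandbox:
    """Evaluates a tiny expression language (names, constants, attribute access,
    calls). The filter is consulted on every  a.b  node and nowhere else."""

    def __init__(self, env: dict, builtins_table: dict):
        self.env = env
        self.builtins = builtins_table

    def run(self, source: str):
        return self._eval(ast.parse(source, mode="eval").body)

    def _eval(self, node):
        if isinstance(node, ast.Constant):
            return node.value
        if isinstance(node, ast.Name):
            if node.id in self.env:
                return self.env[node.id]
            if node.id in self.builtins:
                return self.builtins[node.id]
            raise NameError(node.id)
        if isinstance(node, ast.Attribute):
            obj = self._eval(node.value)
            return getattr(obj, attribute_filter(obj, node.attr, False))
        if isinstance(node, ast.Call):
            fn = self._eval(node.func)
            return fn(*[self._eval(arg) for arg in node.args])
        raise SyntaxError(f"{type(node).__name__} is not allowed in the sandbox")


class Account:
    """Constructed host object handed to untrusted code."""
    display_name = "guest"

    def __init__(self):
        self._api_token = "tok-constructed-0001"


# Leaky table: the host's getattr/setattr are exposed unchanged, so they read and
# write attributes without the filter ever running (the bug shape in the advisory).
LEAKY_BUILTINS = {"getattr": getattr, "setattr": setattr}


def filtered_getattr(obj, name, *default):
    return getattr(obj, attribute_filter(obj, name, False), *default)


def filtered_setattr(obj, name, value):
    setattr(obj, attribute_filter(obj, name, True), value)


# Hardened table: every builtin that can reach an attribute goes through the filter.
HARDENED_BUILTINS = {"getattr": filtered_getattr, "setattr": filtered_setattr}


def probe(builtins_table: dict, source: str):
    """Run one untrusted expression; report ('ok', value) or ('denied', reason)."""
    sandbox = MiniSandbox({"acct": Account()}, builtins_table)
    try:
        return ("ok", sandbox.run(source))
    except AttributeError as exc:
        return ("denied", str(exc))
```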
 
Python Software Foundation–CPython When calling base64.b64decode() or related functions, the decoding process would stop after encountering the first padded quad regardless of whether there was more data to be processed. This can lead to data being accepted which may be processed differently by other implementations. Use “validate=True” to enable stricter processing of base64 data. 2026-04-10 not yet calculated CVE-2026-3446 https://github.com/python/cpython/pull/145267
https://github.com/python/cpython/issues/145264
https://mail.python.org/archives/list/security-announce@python.org/thread/F5ZT5ICGJ6CKXVUJ34YBVY7WOZ5SHG53/
https://github.com/python/cpython/commit/1f9958f909c1b41a4ffc0b613ef8ec8fa5e7c474
https://github.com/python/cpython/commit/4561f6418a691b3e89aef0901f53fe0dfb7f7c0e
https://github.com/python/cpython/commit/e31c55121620189a0d1a07b689762d8ca9c1b7fa
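
Added example (not from CPython's patch or its tests): the lenient decoder the entry describes next to a strict wrapper. validate=True rejects non-alphabet bytes and data after padding, but it does not check that the discarded trailing bits are zero, so the wrapper also re-encodes the result and requires the round trip to reproduce the input exactly; only the unique canonical encoding of a byte string passes. The probe strings are constructed; the one with data after a padded quad is the case from the entry, and what the lenient call returns for it depends on whether the running interpreter carries the fix, so only the strict verdicts are asserted.

```python
import base64
import binascii


def lenient_decode(data: bytes) -> bytes:
    """Default CPython path: non-alphabet bytes are skipped and, as the entry
    describes, decoding may stop at the first padded quad and ignore the rest."""
    return base64.b64decode(data)


def strict_decode(data: bytes) -> bytes:
    """Accept only the unique canonical encoding of some byte string.
    validate=True rejects non-alphabet bytes and data after padding; the
    re-encode comparison additionally rejects non-zero trailing bits and wrong
    padding, which the validate flag alone does not check."""
    try:
        raw = base64.b64decode(data, validate=True)
    except binascii.Error as exc:           # binascii.Error is a ValueError subclass
        raise ValueError(f"malformed base64: {exc}") from None
    if base64.b64encode(raw) != data:
        raise ValueError("non-canonical base64 (trailing bits or padding differ)")
    return raw


def is_canonical(data: bytes) -> bool:
    try:
        strict_decode(data)
        return True
    except ValueError:
        return False


def compare(data: bytes) -> dict:
    """Side-by-side view: the lenient result (or its error) next to the strict
    verdict, for inspecting inputs that different implementations disagree on."""
    try:
        lenient = lenient_decode(data)
    except ValueError as exc:
        lenient = f"error: {exc}"
    return {"input": data, "lenient": lenient, "strict_ok": is_canonical(data)}


# Constructed probes (not from the advisory or CPython's test suite):
PROBES = [
    b"QUJD",        # canonical "ABC"
    b"QUI=",        # canonical "AB"
    b"QUI=QUJD",    # padded quad followed by more data: the case in the entry
    b"QUJ=",        # decodes to "AB" but carries non-zero discarded bits
    b"QU JD",       # embedded whitespace, skipped by the lenient decoder
]

if __name__ == "__main__":
    for probe in PROBES:
        print(compare(probe))
```

The round-trip check matters wherever the base64 text itself is the thing being compared or signed (tokens, signatures, cached keys): two distinct inputs that decode to the same bytes under one implementation and to different bytes, or an error, under another are exactly the ambiguity the entry warns about.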
 
Apache Software Foundation–Apache Log4j Core The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property, but not when configured through the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName attribute of the <Ssl> element. Although the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value. A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met: * An SMTP, Socket, or Syslog appender is in use. * TLS is configured via a nested <Ssl> element. * The attacker can present a certificate issued by a CA trusted by the appender’s configured trust store, or by the default Java trust store if none is configured. This issue does not affect users of the HTTP appender, which uses a separate verifyHostname https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName attribute that was not subject to this bug and verifies host names by default. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue. 2026-04-10 not yet calculated CVE-2026-34477 https://github.com/apache/logging-log4j2/pull/4075
https://logging.apache.org/security.html#CVE-2026-34477
https://logging.apache.org/cyclonedx/vdr.xml
https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName
https://lists.apache.org/thread/lkx8cl46t2bvkcwfcb2pd43ygc097lq4
 
Apache Software Foundation–Apache Log4j Core Apache Log4j Core’s Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly: * The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output. * The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping. Users of the SyslogAppender are not affected, as its configuration attributes were not modified. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue. 2026-04-10 not yet calculated CVE-2026-34478 https://github.com/apache/logging-log4j2/pull/4074
https://logging.apache.org/security.html#CVE-2026-34478
https://logging.apache.org/cyclonedx/vdr.xml
https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout
https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt
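
Added example (not Log4j code; the header, the injected text and the escape string are constructed for illustration): what the two framings named in the entry do with a message that carries an attacker-supplied newline, seen from the receiver's side. Under RFC 6587 non-transparent framing the record ends at LF, so an unescaped newline followed by a forged header yields two syslog records, one of them fabricated; with newline escaping the same input stays one record. Octet-counting framing (RFC 6587, and the framing RFC 5425 uses over TLS) prefixes each message with its length, so the newline cannot split the record at the transport layer.

```python
from __future__ import annotations

# Constructed RFC 5424 header; PRI 14 = facility user, severity info.
HEADER = "<14>1 2026-04-10T00:00:00Z host1 app - - - "

# Constructed attacker-controlled field: a newline followed by a forged header line.
INJECTED = ("login failed for bob\n"
            "<14>1 2026-04-10T00:00:01Z host1 app - - - login ok for admin")


def escape_newlines(msg: str, replacement: str = "\\n") -> str:
    """Replace CR and LF in the message body (an illustrative escape string,
    not the one Log4j uses)."""
    return msg.replace("\r", replacement).replace("\n", replacement)


def frame_non_transparent(msg: str) -> bytes:
    """RFC 6587 non-transparent framing: the record ends at LF."""
    return msg.encode("utf-8") + b"\n"


def frame_octet_counting(msg: str) -> bytes:
    """RFC 6587 octet-counting: MSG-LEN SP MSG. RFC 5425 uses the same frame."""
    body = msg.encode("utf-8")
    return str(len(body)).encode("ascii") + b" " + body


def split_non_transparent(stream: bytes) -> list[bytes]:
    """Receiver for non-transparent framing: every LF ends a record."""
    return [rec for rec in stream.split(b"\n") if rec]


def split_octet_counting(stream: bytes) -> list[bytes]:
    """Receiver for octet-counting framing: read the length, take that many bytes."""
    records = []
    pos = 0
    while pos < len(stream):
        space = stream.index(b" ", pos)
        length = int(stream[pos:space])
        start = space + 1
        records.append(stream[start:start + length])
        pos = start + length
    return records


def record_count(message: str, framing: str, escape: bool) -> int:
    """How many syslog records the receiver sees for one logged message."""
    body = escape_newlines(message) if escape else message
    msg = HEADER + body
    if framing == "non-transparent":
        return len(split_non_transparent(frame_non_transparent(msg)))
    if framing == "octet-counting":
        return len(split_octet_counting(frame_octet_counting(msg)))
    raise ValueError(f"unknown framing {framing!r}")
```

The silently-renamed attributes in the entry turn the escape=True configuration into the escape=False row here without any change to the configuration file, which is why the fix is an upgrade rather than a setting. Octet-counting is only framing-safe: a downstream consumer that splits the delivered payload on newlines again will still see the forged line, so escaping remains worthwhile even on RFC 5425 transports.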
 
Apache Software Foundation–Apache Log4j 1 to Log4j 2 bridge The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records. Two groups of users are affected: * Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file. * Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class. Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue. Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge. 2026-04-10 not yet calculated CVE-2026-34479 https://github.com/apache/logging-log4j2/pull/4078
https://logging.apache.org/security.html#CVE-2026-34479
https://logging.apache.org/cyclonedx/vdr.xml
https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html
https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on
 
Apache Software Foundation–Apache Log4j Core Apache Log4j Core’s XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters. The impact depends on the StAX implementation in use: * JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records. * Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j’s internal status logger. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output. 2026-04-10 not yet calculated CVE-2026-34480 https://github.com/apache/logging-log4j2/pull/4077
https://logging.apache.org/security.html#CVE-2026-34480
https://logging.apache.org/cyclonedx/vdr.xml
https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout
https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb
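
Added example serving the two XML layout entries above (Log4j1XmlLayout and XmlLayout); it is not Log4j code and the event shape and sample values are constructed. It implements the XML 1.0 Char production the entries refer to, a sanitizer that replaces everything outside it, and a serializer in the style of an XML layout (message as text, context map as attributes). Python's ElementTree escapes the markup characters but writes control characters through unchanged, which mirrors the JRE StAX case in the entry, and the parser check shows a conforming consumer rejecting the record with a fatal error. Numeric character references such as &#1; are not an escape route, since XML 1.0 forbids references to non-Char values as well.

```python
import xml.etree.ElementTree as ET


def is_xml_char(cp: int) -> bool:
    """XML 1.0 'Char' production (section 2.2):
    #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]."""
    return (cp in (0x9, 0xA, 0xD)
            or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD
            or 0x10000 <= cp <= 0x10FFFF)


def sanitize_xml_text(text: str, replacement: str = "\uFFFD") -> str:
    """Replace every code point outside Char with U+FFFD (or drop it with '')."""
    return "".join(ch if is_xml_char(ord(ch)) else replacement for ch in text)


def render_event(message: str, mdc: dict, sanitize: bool) -> str:
    """Serialise one log event the way an XML layout would: message as text,
    context-map entries as attributes. ElementTree escapes &, < and > but
    writes control characters through unchanged."""
    clean = sanitize_xml_text if sanitize else (lambda s: s)
    event = ET.Element("event")
    ET.SubElement(event, "message").text = clean(message)
    context = ET.SubElement(event, "context")
    for key, value in mdc.items():
        ET.SubElement(context, "entry", {"key": clean(key), "value": clean(value)})
    return ET.tostring(event, encoding="unicode")


def parses(document: str) -> bool:
    """What a conforming consumer does with the record: accept, or fatal error."""
    try:
        ET.fromstring(document)
        return True
    except ET.ParseError:
        return False


# Constructed event: the message carries U+0001 and an MDC value carries U+FFFE,
# both outside Char.
SAMPLE_MESSAGE = "user lookup failed: name=\x01bob"
SAMPLE_MDC = {"request_id": "r-42", "path": "/api\ufffe/x"}
```

Whether to replace with U+FFFD or drop the character is a policy choice; replacing keeps the evidence that something was there, which is usually what an investigator wants from a log line that an attacker tried to corrupt.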
 
Apache Software Foundation–Apache Log4j JSON Template Layout Apache Log4j’s JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. * The application logs a MapMessage containing an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue. 2026-04-10 not yet calculated CVE-2026-34481 https://github.com/apache/logging-log4j2/pull/4080
https://logging.apache.org/security.html#CVE-2026-34481
https://logging.apache.org/cyclonedx/vdr.xml
https://logging.apache.org/log4j/2.x/manual/json-template-layout.html
https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv
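
Added example (not Log4j code; the event and field names are constructed): Python's json module has the same two behaviours the entry describes. By default it emits the bare tokens NaN, Infinity and -Infinity, which RFC 8259 does not allow, and with allow_nan=False it raises instead, which would lose the log event the way the Woodstox case in the previous entry does. The sanitizer below walks a MapMessage-like structure and replaces non-finite floats before serialisation so the record is both valid and delivered, and the validator applies the strict reading a downstream consumer is likely to use (json.loads accepts the tokens by default as a Python extension, so parse_constant is used to reject them).

```python
import json
import math


def _reject_constant(token: str):
    """parse_constant hook: json.loads calls it for NaN, Infinity and -Infinity."""
    raise ValueError(f"non-finite token {token!r} is not valid JSON (RFC 8259)")


def is_rfc8259_json(text: str) -> bool:
    """Strict parse: any non-finite token makes the document invalid."""
    try:
        json.loads(text, parse_constant=_reject_constant)
        return True
    except ValueError:
        return False


def sanitize_non_finite(value, replace_with=None):
    """Walk a MapMessage-like structure and replace NaN/+Inf/-Inf floats with
    replace_with (null by default, or a string such as "NaN" if the field must
    survive). bool needs no special case: it subclasses int, not float."""
    if isinstance(value, float) and not math.isfinite(value):
        return replace_with
    if isinstance(value, dict):
        return {k: sanitize_non_finite(v, replace_with) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [sanitize_non_finite(v, replace_with) for v in value]
    return value


def dumps_permissive(event: dict) -> str:
    """Python default: emits the bare tokens NaN / Infinity / -Infinity."""
    return json.dumps(event)


def raises_on_non_finite(event: dict) -> bool:
    """allow_nan=False alone: the logging call fails and the event is lost."""
    try:
        json.dumps(event, allow_nan=False)
        return False
    except ValueError:
        return True


def dumps_strict(event: dict) -> str:
    """Sanitise first, then serialise with allow_nan=False as a backstop."""
    return json.dumps(sanitize_non_finite(event), allow_nan=False)


# Constructed event with attacker-influenced measurement fields.
SAMPLE_EVENT = {"level": "INFO", "latency_ms": float("nan"), "ratio": float("inf"), "ok": True}
```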
 
Apache Software Foundation–Apache Tomcat Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue. 2026-04-09 not yet calculated CVE-2026-34483 https://lists.apache.org/thread/j1w7304yonlr8vo1tkb5nfs7od1y228b
 
Apache Software Foundation–Apache Tomcat Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue. 2026-04-09 not yet calculated CVE-2026-34486 https://lists.apache.org/thread/9510k5p5zdvt9pkkgtyp85mvwxo2qrly
 
Apache Software Foundation–Apache Tomcat Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue. 2026-04-09 not yet calculated CVE-2026-34487 https://lists.apache.org/thread/4xpkwolpkrj8v5xzp5nyovtlqp3y850h
 
Apache Software Foundation–Apache Tomcat CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue. 2026-04-09 not yet calculated CVE-2026-34500 https://lists.apache.org/thread/7rcl4zdxryc8hy3htyfyxkbqpxjtfdl2
 
Apache Software Foundation–Apache Airflow In Apache Airflow versions 3.0.0 through 3.1.8, the DagRun wait endpoint returns XCom result values even to users who only have DAG Run read permissions, such as the Viewer role. This behavior conflicts with the FAB RBAC model, which treats XCom as a separate protected resource, and with the security model documentation that defines the Viewer role as read-only. Airflow uses the FAB Auth Manager to manage access control on a per-resource basis. The Viewer role is intended to be read-only by default, and the security model documentation defines Viewer users as those who can inspect DAGs without accessing sensitive execution results. Users are recommended to upgrade to Apache Airflow 3.2.0, which resolves this issue. 2026-04-09 not yet calculated CVE-2026-34538 https://github.com/apache/airflow/pull/64415
https://lists.apache.org/thread/9mq3msqhmgjwdzbr6bgthj4brb3oz9fl
 
randombit–botan Botan is a C++ cryptography library. In 3.11.0, the function Certificate_Store::certificate_known had a misleading name: it returned true if any certificate in the store had a DN (and subject key identifier, if set) matching that of the argument, without checking that the certificate it found and the certificate it was passed were actually the same certificate. In 3.11.0 an extension of the path validation logic was made which assumed that certificate_known only returned true if the certificates were in fact identical. The impact is that if an end entity certificate is presented and its DN (and subject key identifier, if set) match that of any trusted root, the end entity certificate is accepted immediately as if it itself were a trusted root. This vulnerability is fixed in 3.11.1. 2026-04-07 not yet calculated CVE-2026-34580 https://github.com/randombit/botan/security/advisories/GHSA-v782-6fq4-q827
 
randombit–botan Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can be bypassed by a client which entirely omits Certificate, CertificateVerify, and the Finished message and instead sends application data records. This vulnerability is fixed in 3.11.1. 2026-04-07 not yet calculated CVE-2026-34582 https://github.com/randombit/botan/security/advisories/GHSA-pxcj-9ppx-g86g
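
Added example (not Botan's code): a simplified model of the server-side TLS 1.3 handshake state machine after the server has sent its own Finished and a CertificateRequest, with record protection, key derivation and the actual signature and MAC checks left out. The strict flag is the only difference between the two behaviours: with it off, application data is handed to the application before the client's Finished has arrived, which is the bypass the entry describes; with it on, the server answers an unexpected_message alert, and a client that sends Finished without first presenting and proving a certificate gets certificate_required. The flights and payloads are constructed placeholders, not TLS records.

```python
from enum import Enum, auto


class Msg(Enum):
    CERTIFICATE = auto()
    CERTIFICATE_VERIFY = auto()
    FINISHED = auto()
    APPLICATION_DATA = auto()


class ProtocolError(Exception):
    """Carries the name of the TLS alert the server would send."""


class ServerHandshake:
    """Server view while waiting for the client's flight: Certificate,
    CertificateVerify, Finished, and only then application data."""

    def __init__(self, require_client_cert: bool, strict: bool):
        self.require_client_cert = require_client_cert
        self.strict = strict            # False reproduces the behaviour in the entry
        self.got_cert = False
        self.got_verify = False
        self.finished = False
        self.app_data = []

    @property
    def client_authenticated(self) -> bool:
        return self.finished and (not self.require_client_cert or self.got_verify)

    def receive(self, msg: Msg, payload: bytes = b"") -> None:
        if msg is Msg.APPLICATION_DATA:
            if self.strict and not self.finished:
                raise ProtocolError("unexpected_message")
            # Lenient path: the record reaches the application although the
            # client has proven nothing yet.
            self.app_data.append(payload)
            return
        if self.finished:
            raise ProtocolError("unexpected_message")   # no handshake messages after Finished
        if msg is Msg.CERTIFICATE:
            self.got_cert = True
        elif msg is Msg.CERTIFICATE_VERIFY:
            if not self.got_cert:
                raise ProtocolError("unexpected_message")
            self.got_verify = True      # transcript signature check omitted here
        elif msg is Msg.FINISHED:
            if self.require_client_cert and not self.got_verify:
                raise ProtocolError("certificate_required")
            self.finished = True        # transcript MAC check omitted here


def run_client_flight(require_client_cert: bool, strict: bool, flight):
    """Feed one client flight; return (app records accepted, client authenticated, alert)."""
    server = ServerHandshake(require_client_cert, strict)
    alert = None
    for msg, payload in flight:
        try:
            server.receive(msg, payload)
        except ProtocolError as exc:
            alert = str(exc)
            break
    return (len(server.app_data), server.client_authenticated, alert)


# Constructed flights; payloads are placeholders, not real TLS records.
HONEST_FLIGHT = [
    (Msg.CERTIFICATE, b"client-cert"),
    (Msg.CERTIFICATE_VERIFY, b"signature"),
    (Msg.FINISHED, b"verify_data"),
    (Msg.APPLICATION_DATA, b"GET /admin"),
]
ROGUE_FLIGHT = [(Msg.APPLICATION_DATA, b"GET /admin")]                      # the bypass in the entry
SKIP_CERT_FLIGHT = [(Msg.FINISHED, b"verify_data"), (Msg.APPLICATION_DATA, b"GET /admin")]
```

The general rule the model enforces is that authentication state is a property of a completed handshake, so nothing above the record layer may consume data until the peer's Finished has been verified; an application that asks "was the client authenticated?" only after reading the request has already acted on it.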
 
AcademySoftwareFoundation–openexr OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.1.0 to before 3.2.7, 3.3.9, and 3.4.9, internal_exr_undo_piz() advances the working wavelet pointer with signed 32-bit arithmetic. Because nx, ny, and wcount are int, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. 2026-04-06 not yet calculated CVE-2026-34588 https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-588r-cr5c-w6hf
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9
 
AcademySoftwareFoundation–openexr OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. From 3.2.0 to before 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated rowBlock backing store. This vulnerability is fixed in 3.2.7, 3.3.9, and 3.4.9. 2026-04-06 not yet calculated CVE-2026-34589 https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-p8xc-w3q4-h64x
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9
https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9
 
Checkmk GmbH–Checkmk Insufficient sanitization of dashboard dashlet title links in Checkmk 2.2.0 (EOL), Checkmk 2.3.0 before 2.3.0p46, Checkmk 2.4.0 before 2.4.0p25, and Checkmk 2.5.0 (beta) before 2.5.0b3 allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks by tricking a victim into clicking a crafted dashlet title link on a shared dashboard. 2026-04-07 not yet calculated CVE-2026-3466 https://checkmk.com/werk/19033
https://www.vulncheck.com/advisories/checkmk-stored-cross-site-scripting-in-dashlet-title
 
zammad–zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the HTML sanitizer for ticket articles was missing proper sanitization of data: … URI schemes, resulting in such malicious content being stored in the database of the Zammad instance. The Zammad GUI renders this content; because of the applied CSP rules, no harm was done by, for example, clicking such a link. This vulnerability is fixed in 7.0.1 and 6.5.4. 2026-04-08 not yet calculated CVE-2026-34718 https://github.com/zammad/zammad/security/advisories/GHSA-c2cf-9fc7-jhf3
 
zammad–zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the webhook model was missing proper validation for loopback addresses and link-local addresses; only the URL scheme (HTTP/HTTPS) and the hostname were checked. This could allow retrieval of confidential metadata of cloud/hosting providers. The existing check is now extended and is applied when configuring webhooks as well as when triggering webhook jobs. This vulnerability is fixed in 7.0.1 and 6.5.4. 2026-04-08 not yet calculated CVE-2026-34719 https://github.com/zammad/zammad/security/advisories/GHSA-2vgc-vfh2-rw75
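
Added example (not Zammad's code; the function names and the resolver table are assumptions): a webhook URL check of the kind the entry describes, going beyond scheme and hostname. It resolves the host, requires every returned address to be globally routable, unwraps IPv4-mapped IPv6 addresses so ::ffff:10.0.0.5 is judged by the IPv4 rules, and treats a literal IP in the URL the same way. It returns the vetted addresses so the caller can connect to one of them directly instead of resolving the name a second time, which closes the DNS-rebinding window between the check and the request. The resolver is injectable; the fake table below is constructed so the example runs offline.

```python
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_with_dns(host: str) -> list[str]:
    """Real resolver: every A/AAAA answer, not just the first one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses. Loopback, link-local
    (including 169.254.169.254), private, unspecified, multicast and reserved
    ranges are all rejected; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not (ip.is_multicast or ip.is_reserved)


def vet_webhook_url(url: str, resolve=resolve_with_dns) -> list[str]:
    """Validate scheme and host, resolve the host, require every address to be
    public, and return the vetted addresses for the caller to connect to."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IP: nothing to resolve
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise ValueError(f"{host!r} does not resolve")
    for addr in addrs:
        if not is_public_address(addr):
            raise ValueError(f"{host!r} maps to non-public address {addr}")
    return addrs


def webhook_allowed(url: str, resolve=resolve_with_dns) -> bool:
    try:
        vet_webhook_url(url, resolve)
        return True
    except ValueError:
        return False


# Constructed resolver table for offline use; the addresses are illustrative.
FAKE_DNS = {
    "hooks.example.com": ["8.8.8.8"],
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
    "split.example": ["8.8.8.8", "10.0.0.5"],   # one public and one private answer
    "mapped.example": ["::ffff:10.0.0.5"],
}


def fake_resolve(host: str) -> list[str]:
    return FAKE_DNS.get(host, [])
```

Running the same check when the webhook job fires, not only when the webhook is saved, is the second half of the fix the entry describes: a hostname that was public at configuration time can be repointed at 169.254.169.254 later. Redirects need the same treatment, since a public host can answer with a 302 to an internal address; either disable redirect following for webhook requests or re-vet each hop.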
 
zammad–zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the SSO mechanism in Zammad was not verifying that the header originates from a trusted SSO proxy/gateway before applying further actions on it. This vulnerability is fixed in 7.0.1 and 6.5.4. 2026-04-08 not yet calculated CVE-2026-34720 https://github.com/zammad/zammad/security/advisories/GHSA-hcv6-w4h9-p2p7
 
zammad–zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4. 2026-04-08 not yet calculated CVE-2026-34721 https://github.com/zammad/zammad/security/advisories/GHSA-mfwp-hx66-626c
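
Added example (not Zammad's code; endpoint paths, client id and the session layout are assumptions): the state parameter the entry says the callbacks did not validate, implemented as a per-session, single-use, expiring nonce that is issued when the authorization URL is built and checked in constant time when the callback arrives. The simulation shows why it matters for an account-linking callback: an attacker completes the provider flow for their own external account, obtains a code, and lures the victim's browser to the callback URL carrying it; without the state check, the attacker's external identity is bound to the victim's account. The code exchange with the provider is omitted and the code string stands in for the external identity.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit


class OAuthStateGuard:
    """Issues a per-session, single-use, expiring state on the way out and
    checks it on the way back. The session is any server-side dict bound to
    the browser's cookie."""

    def __init__(self, ttl_seconds: int = 600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock

    def begin(self, session: dict) -> str:
        state = secrets.token_urlsafe(32)
        session["oauth_state"] = state
        session["oauth_state_issued"] = self.clock()
        return state

    def finish(self, session: dict, returned_state) -> bool:
        expected = session.pop("oauth_state", None)        # single use, success or not
        issued = session.pop("oauth_state_issued", 0.0)
        if expected is None or not returned_state:
            return False
        if self.clock() - issued > self.ttl:
            return False
        return hmac.compare_digest(expected.encode(), str(returned_state).encode())


def build_authorize_url(endpoint: str, client_id: str, redirect_uri: str, state: str) -> str:
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{endpoint}?{query}"


def callback_params(callback_url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}


def handle_callback(session: dict, callback_url: str, guard: OAuthStateGuard,
                    linked_accounts: dict, user: str, check_state: bool) -> bool:
    """Bind the external identity behind `code` to `user`. With check_state=False
    (the behaviour in the entry) any code arriving at the callback is accepted."""
    params = callback_params(callback_url)
    if check_state and not guard.finish(session, params.get("state")):
        return False
    if "code" not in params:
        return False
    linked_accounts[user] = params["code"]   # provider exchange omitted; code stands in for the identity
    return True


CALLBACK = "https://helpdesk.example/auth/microsoft/callback"


def simulate_legit_flow() -> bool:
    """Alice starts the flow, the provider redirects back with her state."""
    guard, linked, session = OAuthStateGuard(), {}, {}
    state = guard.begin(session)
    authorize = build_authorize_url("https://login.example/oauth2/authorize", "client-1", CALLBACK, state)
    returned = callback_params(authorize)["state"]
    handle_callback(session, f"{CALLBACK}?code=code-alice&state={returned}", guard, linked, "alice", True)
    return linked.get("alice") == "code-alice"


def simulate_login_csrf(check_state: bool) -> bool:
    """Attacker obtains code-attacker for their own external account and lures
    the victim's browser to the callback. True means the attacker's identity
    got linked to the victim's account."""
    guard, linked, victim_session = OAuthStateGuard(), {}, {}
    guard.begin(victim_session)                       # victim's own, unrelated state
    lure = f"{CALLBACK}?code=code-attacker&state=state-attacker"
    handle_callback(victim_session, lure, guard, linked, "victim", check_state)
    return linked.get("victim") == "code-attacker"
```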
 
zammad–zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the used endpoint for ticket creation was missing authorization if the related parameter for adding links is used. This vulnerability is fixed in 7.0.1 and 6.5.4. 2026-04-08 not yet calculated CVE-2026-34722 https://github.com/zammad/zammad/security/advisories/GHSA-28m3-wwgv-ppw8
 
zammad–zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, unauthenticated remote attackers were able to access the getting started endpoint to get access to sensitive internal entity data, even after the system setup was completed. This vulnerability is fixed in 7.0.1 and 6.5.4. 2026-04-08 not yet calculated CVE-2026-34723 https://github.com/zammad/zammad/security/advisories/GHSA-hcm9-ch62-5727
 
zammad–zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, a server-side template injection vulnerability which leads to RCE via AI Agent exists. Impact is limited to environments where an attacker can control or influence type_enrichment_data (typically high-privilege administrative configuration). This vulnerability is fixed in 7.0.1. 2026-04-08 not yet calculated CVE-2026-34724 https://github.com/zammad/zammad/security/advisories/GHSA-fg9w-jg8f-4j94
 
zammad–zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id was not checking if a user is privileged to use the text tool, resulting in being able to use it in all situations. This vulnerability is fixed in 7.0.1 and 6.5.4. 2026-04-08 not yet calculated CVE-2026-34782 https://github.com/zammad/zammad/security/advisories/GHSA-96r7-29c8-2j7q
 
zammad–zammad Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id contains an authorization failure. Context data (e.g., a group or organization) supplied for use in the AI prompt was not checked for accessibility by the current user, so data the user was not authorized to see could be included in the AI prompt. A user needs to have ticket.agent permission to be able to use the provided context data. This vulnerability is fixed in 7.0.1. 2026-04-08 not yet calculated CVE-2026-34837 https://github.com/zammad/zammad/security/advisories/GHSA-89vv-6639-wcv8
 
