CVE-2026-39846
(9.0 CRITICAL)

EPSS: 0.14%

updated 2026-04-08T16:16:27.537000

2 posts

SiYuan is a personal knowledge management system. Prior to 3.6.4, a malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML, creating a stored XSS sink. Because the desktop renderer runs with nodeIntegration enabled and contextIs

CVE-2026-34045
(8.2 HIGH)

EPSS: 0.06%

updated 2026-04-08T16:16:24.043000

1 posts

Podman Desktop is a graphical tool for developing on containers and Kubernetes. Prior to 1.26.2, an unauthenticated HTTP server exposed by Podman Desktop allows any network attacker to remotely trigger denial-of-service conditions and extract sensitive information. By abusing missing connection limits and timeouts, an attacker can exhaust file descriptors and kernel memory, leading to application

CVE-2026-33229
(0 None)

EPSS: 0.00%

updated 2026-04-08T16:16:23.430000

2 posts

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integ

CVE-2026-31790
(7.5 HIGH)

EPSS: 0.01%

updated 2026-04-08T15:16:11.967000

1 posts

Issue summary: Applications using RSASVE key encapsulation to establish a secret encryption key can send contents of an uninitialized memory buffer to a malicious peer. Impact summary: The uninitialized buffer might contain sensitive data from the previous execution of the application process which leads to sensitive data leakage to an attacker. RSA_public_encrypt() returns the number of bytes w

CVE-2026-39847
(9.1 CRITICAL)

EPSS: 0.05%

updated 2026-04-08T11:57:19

2 posts

The RSGI static handler for Emmett's internal assets (`/__emmett__` paths) is vulnerable to path traversal attacks. An attacker can use `../` sequences (eg `/__emmett__/../rsgi/handlers.py`) to read arbitrary files outside the assets directory.

CVE-2026-35039
(9.1 CRITICAL)

EPSS: 0.02%

updated 2026-04-08T11:54:57

2 posts

_NOTE_: While the library exposes a mechanism which could introduce the vulnerability, this issue is created by developer-supplied code and not by the library itself. We will add a warning and some education for users around the possible issues however since the defaults work we will not be updating the library beyond that for this advisory. ## Impact Setting up a custom cacheKeyBuilder method w

CVE-2026-3535
(9.8 CRITICAL)

EPSS: 0.28%

updated 2026-04-08T09:31:42

2 posts

The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the `DSGVOGWPdownloadGoogleFonts()` function in all versions up to, and including, 1.1. The function is exposed via a `wp_ajax_nopriv_` hook, requiring no authentication. It fetches a user-supplied URL as a CSS file, extracts URLs from its content, and downloads those

CVE-2026-25776
(9.8 CRITICAL)

EPSS: 0.05%

updated 2026-04-08T09:16:20.360000

2 posts

Movable Type provided by Six Apart Ltd. contains a code injection vulnerability which may allow an attacker to execute arbitrary Perl script.

CVE-2026-24913
(8.8 HIGH)

EPSS: 0.03%

updated 2026-04-08T06:31:38

1 posts

SQL Injection vulnerability exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, information stored in the database may be obtained or altered by a user who can log in to the product.

CVE-2026-4003
(9.8 CRITICAL)

EPSS: 0.42%

updated 2026-04-08T06:31:38

2 posts

The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the 'userspn_form_save' case. The conditional only blocks unauthenticated users when the user_id is empty, but when a non-empty user_id is su

CVE-2026-1346
(9.4 CRITICAL)

EPSS: 0.01%

updated 2026-04-08T03:32:18

3 posts

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to escalate their privileges to root due to execution with unnecessary privileges than required.

CVE-2026-4788
(8.4 HIGH)

EPSS: 0.01%

updated 2026-04-08T03:32:18

1 posts

IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.37 stores sensitive information in log files that could be read by a local user.

CVE-2026-3499
(8.8 HIGH)

EPSS: 0.02%

updated 2026-04-08T03:32:18

1 posts

The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules,

CVE-2026-5726
(7.8 HIGH)

EPSS: 0.01%

updated 2026-04-08T03:16:07.700000

1 posts

ASDA-Soft Stack-based Buffer Overflow Vulnerability

CVE-2026-3296
(9.8 CRITICAL)

EPSS: 0.02%

updated 2026-04-08T02:16:04.067000

1 posts

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated atta

CVE-2026-3357
(8.8 HIGH)

EPSS: 0.07%

updated 2026-04-08T01:16:41.057000

1 posts

IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.

CVE-2026-39933(CVSS UNKNOWN)

EPSS: 0.05%

updated 2026-04-08T00:30:33

1 posts

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in The Wikimedia Foundation Mediawiki - GlobalWatchlist Extension allows Cross-Site Scripting (XSS).This issue affects non release branches.

CVE-2026-1342
(8.4 HIGH)

EPSS: 0.01%

updated 2026-04-08T00:30:32

2 posts

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to execute malicious scripts from outside of its control sphere.

CVE-2026-5747
(7.5 HIGH)

EPSS: 0.01%

updated 2026-04-08T00:16:05.657000

1 posts

An out-of-bounds write issue in the virtio PCI transport in Amazon Firecracker 1.13.0 through 1.14.3 and 1.15.0 on x86_64 and aarch64 might allow a local guest user with root privileges to crash the Firecracker VMM process or potentially execute arbitrary code on the host via modification of virtio queue configuration registers after device activation. Achieving code execution on the host requires

CVE-2026-39397
(9.4 CRITICAL)

EPSS: 0.04%

updated 2026-04-08T00:15:54

1 posts

### Impact All `/api/puck/*` CRUD endpoint handlers registered by `createPuckPlugin()` called Payload's local API with the default `overrideAccess: true`, bypassing all collection-level access control. The `access` option passed to `createPuckPlugin()` and any `access` rules defined on Puck-registered collections were silently ignored on these endpoints. An unauthenticated remote attacker could:

CVE-2026-39356
(7.5 HIGH)

EPSS: 0.03%

updated 2026-04-08T00:14:59

1 posts

### Summary Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific `escapeName()` implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as `sql.identifier()`, `.as()`

CVE-2026-39376
(7.5 HIGH)

EPSS: 0.04%

updated 2026-04-08T00:12:27

1 posts

### Summary When `parse()` fetches a URL that returns an HTML page containing a `<meta http-equiv="refresh">` tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinite chain of HTML meta-refresh responses causes unbounded recursion, exhausting the Python call stack an

CVE-2026-39371
(8.1 HIGH)

EPSS: 0.01%

updated 2026-04-08T00:12:07

1 posts

**Summary** Server functions exported from `"use server"` files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send `SameSite=Lax` cookies on top-level GET requests. This affected all server functions -- both `serverAction()` handlers and b

1 repos

https://github.com/zebbernCVE/CVE-2026-39371

CVE-2026-39369
(7.6 HIGH)

EPSS: 0.05%

updated 2026-04-08T00:08:46

1 posts

## Summary `objects/aVideoEncoderReceiveImage.json.php` allowed an authenticated uploader to fetch attacker-controlled same-origin `/videos/...` URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path. The vulnerable GIF branch could be abused to read local files such as `/etc/passwd` or application source files and republish those bytes through a norm

CVE-2026-35533
(7.8 HIGH)

EPSS: 0.01%

updated 2026-04-07T22:16:56

1 posts

### Summary `mise` loads trust-control settings from a local project `.mise.toml` before the trust check runs. An attacker who can place a malicious `.mise.toml` in a repository can make that same file appear trusted and then reach dangerous directives such as `[env] _.source`, templates, hooks, or tasks. The strongest current variant is `trusted_config_paths = ["/"]`. I confirmed on current `v2

CVE-2026-32862
(7.8 HIGH)

EPSS: 0.01%

updated 2026-04-07T21:32:46

1 posts

There is a memory corruption vulnerability due to an out-of-bounds write in ResFileFactory::InitResourceMgr() in NI LabVIEW.  This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions.

CVE-2026-32861
(7.8 HIGH)

EPSS: 0.01%

updated 2026-04-07T21:32:46

1 posts

There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVCLASS file in NI LabVIEW.  This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .lvclass file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions.

CVE-2026-32864
(7.8 HIGH)

EPSS: 0.01%

updated 2026-04-07T21:32:46

1 posts

There is a memory corruption vulnerability due to an out-of-bounds read in mgcore_SH_25_3!aligned_free() in NI LabVIEW.  This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions.

CVE-2026-32863
(7.8 HIGH)

EPSS: 0.01%

updated 2026-04-07T21:32:46

1 posts

There is a memory corruption vulnerability due to an out-of-bounds read in sentry_transaction_context_set_operation() in NI LabVIEW.  This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions.

CVE-2026-29181
(7.5 HIGH)

EPSS: 0.04%

updated 2026-04-07T21:17:16.003000

1 posts

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is

CVE-2026-39361
(7.7 HIGH)

EPSS: 0.03%

updated 2026-04-07T20:16:29.837000

1 posts

OpenObserve is a cloud-native observability platform. In 0.70.3 and earlier, the validate_enrichment_url function in src/handler/http/request/enrichment_table/mod.rs fails to block IPv6 addresses because Rust's url crate returns them with surrounding brackets (e.g. "[::1]" not "::1"). An authenticated attacker can reach internal services blocked from external access. On cloud deployments this enab

CVE-2026-39329
(8.8 HIGH)

EPSS: 0.03%

updated 2026-04-07T20:16:29.047000

1 posts

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was identified in /EventNames.php in ChurchCRM. Authenticated users with AddEvent privileges can inject SQL via the newEvtTypeCntLst parameter during event type creation. The vulnerable flow reaches an ON DUPLICATE KEY UPDATE clause where unescaped user input is interpolated directly. This vulnerab

CVE-2026-39326
(8.8 HIGH)

EPSS: 0.03%

updated 2026-04-07T20:16:28.927000

1 posts

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyTypeEditor.php in ChurchCRM. Authenticated users with the role isMenuOptionsEnabled can inject arbitrary SQL statements through the Name and Description parameters and thus extract and modify information from the database. This vulnerability is fixed in 7.1.0.

CVE-2026-39317
(8.8 HIGH)

EPSS: 0.03%

updated 2026-04-07T20:16:28.580000

1 posts

ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in ChurchCRM's SettingsIndividual.php where user-controlled array keys from the type POST parameter are used directly in SQL queries without sanitization. This allows any authenticated user to extract sensitive data from the database. This vulnerability is fixed in 7.1.0.

CVE-2026-32860
(7.8 HIGH)

EPSS: 0.01%

updated 2026-04-07T20:16:24.040000

1 posts

There is a memory corruption vulnerability due to an out-of-bounds write when loading a corrupted LVLIB file in NI LabVIEW.  This vulnerability may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted .lvlib file. This vulnerability affects NI LabVIEW 2026 Q1 (26.1.0) and prior versions.

CVE-2026-35464
(7.5 HIGH)

EPSS: 0.08%

updated 2026-04-07T20:00:07

1 posts

## Summary The fix for CVE-2026-33509 (GHSA-r7mc-x6x7-cqxx) added an `ADMIN_ONLY_OPTIONS` set to block non-admin users from modifying security-critical config options. The `storage_folder` option is not in this set and passes the existing path restriction because the Flask session directory is outside both PKGDIR and userdir. A user with SETTINGS and ADD permissions can redirect downloads to the

CVE-2026-35463
(8.8 HIGH)

EPSS: 0.26%

updated 2026-04-07T19:59:57

1 posts

### Summary The `ADMIN_ONLY_OPTIONS` protection mechanism restricts security-critical configuration values (reconnect scripts, SSL certs, proxy credentials) to admin-only access. However, this protection is **only applied to core config options**, not to plugin config options. The `AntiVirus` plugin stores an executable path (`avfile`) in its config, which is passed directly to `subprocess.Popen(

CVE-2026-35457
(8.2 HIGH)

EPSS: 0.04%

updated 2026-04-07T19:59:52

1 posts

### Summary The rendezvous server stores pagination cookies without bounds. An unauthenticated peer can repeatedly issue `DISCOVER` requests and force unbounded memory growth. ### Details Pagination state is stored in: ```rs HashMap<Cookie, HashSet<RegistrationId>> ``` On `Message::Discover`: ``` remote peer → DISCOVER → handle_request → registrations.get(...) → new cookie generated → cookie

CVE-2026-5735
(9.8 CRITICAL)

EPSS: 0.04%

updated 2026-04-07T19:16:48.023000

1 posts

Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149.0.2 and Thunderbird < 149.0.2.

CVE-2026-24146
(7.5 HIGH)

EPSS: 0.04%

updated 2026-04-07T18:31:45

1 posts

NVIDIA Triton Inference Server contains a vulnerability where insufficient input validation and a large number of outputs could cause a server crash. A successful exploit of this vulnerability might lead to denial of service.

CVE-2026-24175
(7.5 HIGH)

EPSS: 0.04%

updated 2026-04-07T18:31:45

1 posts

NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request header to the server. A successful exploit of this vulnerability might lead to denial of service.

CVE-2026-24450
(8.1 HIGH)

EPSS: 0.04%

updated 2026-04-07T18:31:35

1 posts

An integer overflow vulnerability exists in the uncompressed_fp_dng_load_raw functionality of LibRaw Commit 8dc68e2. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2026-39340
(8.1 HIGH)

EPSS: 0.03%

updated 2026-04-07T18:16:46.010000

1 posts

ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration functionality for managing property type categories (People → Person Properties / Family Properties). The vulnerability was introduced when legacyFilterInput() which both strips HTML and escapes SQL — was replaced with sanitizeText(), whic

CVE-2026-39337
(10.0 CRITICAL)

EPSS: 0.27%

updated 2026-04-07T18:16:45.630000

1 posts

ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server compromise. The "$dbPassword" variable is not sanitized. This vulnerability exists due to an incomplete fix

CVE-2026-39333
(8.7 HIGH)

EPSS: 0.03%

updated 2026-04-07T18:16:44.997000

1 posts

ChurchCRM is an open-source church management system. Prior to 7.1.0, he FindFundRaiser.php endpoint reflects user-supplied input (DateStart and DateEnd) into HTML input field attributes without proper output encoding for the HTML attribute context. An authenticated attacker can craft a malicious URL that executes arbitrary JavaScript when visited by another authenticated user. This constitutes a

CVE-2026-39327
(8.8 HIGH)

EPSS: 0.03%

updated 2026-04-07T18:16:43.883000

1 posts

ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /MemberRoleChange.php in ChurchCRM 7.0.5. Authenticated users with the role Manage Groups & Roles (ManageGroups) can inject arbitrary SQL statements through the NewRole parameter and thus extract and modify information from the database. This vulnerability is fixed in 7.1.

CVE-2026-39323
(8.8 HIGH)

EPSS: 0.03%

updated 2026-04-07T18:16:43.240000

1 posts

ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical SQL injection vulnerability exists in ChurchCRM's PropertyTypeEditor.php where the Name and Description POST parameters are sanitized only with strip_tags() before direct concatenation into SQL queries. This allows authenticated users with "Manage Properties" permission to execute arbitrary SQL commands including data

CVE-2026-39319
(8.8 HIGH)

EPSS: 0.03%

updated 2026-04-07T18:16:42.950000

1 posts

ChurchCRM is an open-source church management system. Prior to 7.1.0, a second order SQL injection vulnerability was found in the endpoint /FundRaiserEditor.php in ChurchCRM. A user has to be authenticated but doesn't need any privileges. These users can inject arbitrary SQL statements through the iCurrentFundraiser PHP session parameter and thus extract and modify information from the database. T

CVE-2026-35576
(8.7 HIGH)

EPSS: 0.03%

updated 2026-04-07T18:16:42.273000

1 posts

ChurchCRM is an open-source church management system. Prior to 7.0.0, a stored cross-site scripting (XSS) vulnerability exists in ChurchCRM within the Person Property Management subsystem. This issue persists in versions patched for CVE-2023-38766 and allows an authenticated user to inject arbitrary JavaScript code via dynamically assigned person properties. The malicious payload is persistently s

CVE-2026-35575
(8.0 HIGH)

EPSS: 0.04%

updated 2026-04-07T18:16:42.077000

1 posts

ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel’s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically when an administrator views the page. This enables attackers to steal the administrator’s session cookies, potentially lead

CVE-2026-35573
(9.1 CRITICAL)

EPSS: 0.24%

updated 2026-04-07T18:16:41.760000

1 posts

ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated administrators to upload arbitrary files and achieve remote code execution by overwriting Apache .htaccess configuration files. The vulnerability exists in src/ChurchCRM/Backup/RestoreJob.php. The $rawUploadedFile['name'] parameter is

CVE-2026-24173
(7.5 HIGH)

EPSS: 0.04%

updated 2026-04-07T18:16:39.787000

1 posts

NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request to the server. A successful exploit of this vulnerability might lead to denial of service.

CVE-2026-34148
(7.5 HIGH)

EPSS: 0.04%

updated 2026-04-07T18:04:11

1 posts

### Summary `@fedify/fedify` follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and

CVE-2025-57834
(7.5 HIGH)

EPSS: 0.08%

updated 2026-04-07T17:31:20.270000

1 posts

An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem (Exynos 980, 850, 990, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 1680, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400, and Modem 5410). The absence of proper input validation leads to a Denial of Service.

CVE-2025-54328
(10.0 CRITICAL)

EPSS: 0.05%

updated 2026-04-07T17:28:19.270000

1 posts

An issue was discovered in SMS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. A Stack-based Buffer Overflow occurs while parsing SMS RP-DATA messages.

CVE-2026-35485
(7.5 HIGH)

EPSS: 0.37%

updated 2026-04-07T17:16:31.243000

1 posts

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in load_grammar() allows reading any file on the server filesystem with no extension restriction. Gradio does not server-side validate dropdown values, so an attacker can POST directory traversal payloads (e.g., ../../../etc/passwd) via the API and

CVE-2026-35042
(7.5 HIGH)

EPSS: 0.01%

updated 2026-04-07T17:16:29.590000

2 posts

fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC.

CVE-2026-24660
(8.1 HIGH)

EPSS: 0.04%

updated 2026-04-07T17:16:27.583000

1 posts

A heap-based buffer overflow vulnerability exists in the x3f_load_huffman functionality of LibRaw Commit d20315b. A specially crafted malicious file can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2026-35394
(8.3 HIGH)

EPSS: 0.04%

updated 2026-04-07T16:16:25.893000

1 posts

Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. This vulnerability is fixed in 0.0.50.

CVE-2026-26026
(9.1 CRITICAL)

EPSS: 0.04%

updated 2026-04-07T16:03:34.597000

1 posts

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, template injection by an administrator lead to RCE. This vulnerability is fixed in 11.0.6.

CVE-2026-26263
(8.1 HIGH)

EPSS: 0.03%

updated 2026-04-07T16:02:38.350000

1 posts

GLPI is a free asset and IT management software package. From 11.0.0 to before 11.0.6, an unauthenticated time-based blind SQL injection exists in GLPI's Search engine. This vulnerability is fixed in 11.0.6.

CVE-2026-20432
(8.0 HIGH)

EPSS: 0.05%

updated 2026-04-07T15:31:49

1 posts

In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01406170; Issue ID: MSV-4461.

CVE-2026-5373
(8.1 HIGH)

EPSS: 0.03%

updated 2026-04-07T15:30:58

1 posts

An issue that allowed all-organization administrators to promote accounts to superuser status has been resolved. This is an instance of CWE-269: Improper Privilege Management, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N (8.1 High). This issue was fixed in version 4.0.260202.0 of the runZero Platform.

CVE-2026-22679
(9.8 CRITICAL)

EPSS: 0.31%

updated 2026-04-07T15:30:53

1 posts

Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-executi

CVE-2026-34197
(8.8 HIGH)

EPSS: 0.10%

updated 2026-04-07T15:30:49

2 posts

Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) a

Nuclei template

2 repos

https://github.com/0xBlackash/CVE-2026-34197

https://github.com/dinosn/CVE-2026-34197

CVE-2026-20433
(8.8 HIGH)

EPSS: 0.05%

updated 2026-04-07T15:30:48

1 posts

In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01088681; Issue ID: MSV-4460.

CVE-2026-4740
(8.2 HIGH)

EPSS: 0.01%

updated 2026-04-07T15:17:46.797000

1 posts

A flaw was found in Open Cluster Management (OCM), the technology underlying Red Hat Advanced Cluster Management (ACM). Improper validation of Kubernetes client certificate renewal allows a managed cluster administrator to forge a client certificate that can be approved by the OCM controller. This enables cross-cluster privilege escalation and may allow an attacker to gain control over other manag

CVE-2026-35405
(7.5 HIGH)

EPSS: 0.04%

updated 2026-04-07T15:17:43.367000

1 posts

libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to 0.17.1, libp2p-rendezvous server has no limit on how many namespaces a single peer can register. A malicious peer can just keep registering unique namespaces in a loop and the server happily accepts every single one allocating memory for each registration with no pushback. Keep doing this long enough

CVE-2026-35395
(8.8 HIGH)

EPSS: 0.03%

updated 2026-04-07T15:17:43.230000

1 posts

WeGIA is a Web manager for charitable institutions. Prior to 3.6.9, WeGIA (Web gerenciador para instituições assistenciais) contains a SQL injection vulnerability in dao/memorando/DespachoDAO.php. The id_memorando parameter is extracted from $_REQUEST without validation and directly interpolated into SQL queries, allowing any authenticated user to execute arbitrary SQL commands against the databas

CVE-2026-35043
(7.8 HIGH)

EPSS: 0.07%

updated 2026-04-07T15:17:41.963000

1 posts

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.38, the cloud deployment path in src/bentoml/_internal/cloud/deployment.py was not included in the fix for CVE-2026-33744. Line 1648 interpolates system_packages directly into a shell command using an f-string without any quoting. The generated script is uploaded to BentoCloud as

CVE-2026-35036
(7.5 HIGH)

EPSS: 0.03%

updated 2026-04-07T15:17:41.730000

1 posts

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview (editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body into memo

CVE-2026-34783
(8.1 HIGH)

EPSS: 0.16%

updated 2026-04-07T15:17:40.383000

1 posts

Ferret is a declarative system for working with web data. Prior to 2.0.0-alpha.4, a path traversal vulnerability in Ferret's IO::FS::WRITE standard library function allows a malicious website to write arbitrary files to the filesystem of the machine running Ferret. When an operator scrapes a website that returns filenames containing ../ sequences, and uses those filenames to construct output paths

CVE-2026-35409
(7.7 HIGH)

EPSS: 0.03%

updated 2026-04-07T14:20:08

1 posts

### Summary A Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. ### Details Directus implements an IP deny-list to prevent server-side requests to internal/private network ranges. The validation logic

CVE-2026-35408
(8.7 HIGH)

EPSS: 0.01%

updated 2026-04-07T14:19:50

1 posts

## Summary Directus's Single Sign-On (SSO) login pages lacked a `Cross-Origin-Opener-Policy` (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retains the ability to access and manipulate the `window` object of that page. An attacker can exploit this to intercept and redirect the OAuth authorization flow to an attacker-controlled

CVE-2026-5627
(9.1 CRITICAL)

EPSS: 0.03%

updated 2026-04-07T14:16:24.460000

2 posts

A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the `AgentFlows` component. The vulnerability arises from improper handling of user input in the `loadFlow` and `deleteFlow` methods in `server/utils/agentFlows/index.js`. Specifically, the combination of `path.join` and `normalizePath` allows attackers to bypass directory restrictions an

CVE-2026-23818
(8.8 HIGH)

EPSS: 0.04%

updated 2026-04-07T14:16:20.830000

1 posts

A vulnerability has been identified in the graphical user interface (GUI) of HPE Aruba Networking Private 5G Core On-Prem that could allow an attacker to abuse an open redirect vulnerability in the login flow using a crafted URL. Successful exploitation may redirect an authenticated user to an attacker-controlled server hosting a spoofed login page prompting the unsuspecting victim to give away th

CVE-2026-28797
(8.8 HIGH)

EPSS: 0.07%

updated 2026-04-07T13:20:55.200000

1 posts

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions 0.24.0 and prior, a Server-Side Template Injection (SSTI) vulnerability exists in RAGFlow's Agent workflow Text Processing (StringTransform) and Message components. These components use Python's jinja2.Template (unsandboxed) to render user-supplied templates, allowing any authenticated user to execute arbitrary oper

CVE-2025-47391
(7.8 HIGH)

EPSS: 0.01%

updated 2026-04-07T13:20:35.010000

1 posts

Memory corruption while processing a frame request from user.

CVE-2025-47392
(8.8 HIGH)

EPSS: 0.01%

updated 2026-04-07T13:20:35.010000

1 posts

Memory corruption when decoding corrupted satellite data files with invalid signature offsets.

CVE-2026-21373
(7.8 HIGH)

EPSS: 0.01%

updated 2026-04-07T13:20:35.010000

1 posts

Memory Corruption when accessing an output buffer without validating its size during IOCTL processing.

CVE-2026-21376
(7.8 HIGH)

EPSS: 0.01%

updated 2026-04-07T13:20:35.010000

2 posts

Memory Corruption when accessing an output buffer without validating its size during IOCTL processing in a camera sensor driver.

CVE-2026-21380
(7.8 HIGH)

EPSS: 0.01%

updated 2026-04-07T13:20:35.010000

1 posts

Memory Corruption when using deprecated DMABUF IOCTL calls to manage video memory.

CVE-2026-21378
(7.8 HIGH)

EPSS: 0.01%

updated 2026-04-07T13:20:35.010000

1 posts

Memory Corruption when accessing an output buffer without validating its size during IOCTL processing in a camera sensor driver.

CVE-2026-21375
(7.8 HIGH)

EPSS: 0.01%

updated 2026-04-07T13:20:35.010000

1 posts

Memory Corruption when accessing an output buffer without validating its size during IOCTL processing.

CVE-2026-33540
(7.5 HIGH)

EPSS: 0.03%

updated 2026-04-07T13:20:35.010000

2 posts

Distribution is a toolkit to pack, ship, store, and deliver container content. Prior to 3.1.0, in pull-through cache mode, distribution discovers token auth endpoints by parsing WWW-Authenticate challenges returned by the configured upstream registry. The realm URL from a bearer challenge is used without validating that it matches the upstream registry host. As a result, an attacker-controlled ups

CVE-2026-5612
(8.8 HIGH)

EPSS: 0.04%

updated 2026-04-07T13:20:35.010000

1 posts

A vulnerability was determined in Belkin F9K1015 1.00.10. This vulnerability affects the function formWlEncrypt of the file /goform/formWlEncrypt. Executing a manipulation of the argument webpage can lead to stack-based buffer overflow. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not

CVE-2026-5628
(8.8 HIGH)

EPSS: 0.04%

updated 2026-04-07T13:20:35.010000

2 posts

A security vulnerability has been detected in Belkin F9K1015 1.00.10. Impacted is the function formSetSystemSettings of the file /goform/formSetSystemSettings of the component Setting Handler. The manipulation of the argument webpage leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted

CVE-2026-5629
(8.8 HIGH)

EPSS: 0.04%

updated 2026-04-07T13:20:35.010000

2 posts

A vulnerability was detected in Belkin F9K1015 1.00.10. The affected element is the function formSetFirewall of the file /goform/formSetFirewall. The manipulation of the argument webpage results in stack-based buffer overflow. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-0740
(9.8 CRITICAL)

EPSS: 0.08%

updated 2026-04-07T13:20:11.643000

4 posts

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note:

1 repos

https://github.com/xShadow-Here/CVE-2026-0740

CVE-2026-31842
(7.5 HIGH)

EPSS: 0.05%

updated 2026-04-07T13:20:11.643000

1 posts

Tinyproxy through 1.11.3 is vulnerable to HTTP request parsing desynchronization due to a case-sensitive comparison of the Transfer-Encoding header in src/reqs.c. The is_chunked_transfer() function uses strcmp() to compare the header value against "chunked", even though RFC 7230 specifies that transfer-coding names are case-insensitive. By sending a request with Transfer-Encoding: Chunked, an unau

CVE-2026-34896
(7.5 HIGH)

EPSS: 0.02%

updated 2026-04-07T13:20:11.643000

1 posts

Cross-Site Request Forgery (CSRF) vulnerability in Analytify Under Construction, Coming Soon & Maintenance Mode allows Cross Site Request Forgery.This issue affects Under Construction, Coming Soon & Maintenance Mode: from n/a through 2.1.1.

CVE-2026-35471
(9.8 CRITICAL)

EPSS: 0.07%

updated 2026-04-07T13:20:11.643000

3 posts

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.3, tdeleteFile() missing return after path traversal check. This vulnerability is fixed in 2.0.0-beta.3.

CVE-2026-5465
(8.8 HIGH)

EPSS: 0.05%

updated 2026-04-07T13:20:11.643000

1 posts

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the `UpdateProviderCommandHandler` failing to validate changes to the `externalId` field when a Provider (Employee) user updates their own profile. The `externalId` maps directly to a WordPress user ID and is pa

1 repos

https://github.com/kaleth4/CVE-2026-5465

CVE-2026-35171
(9.8 CRITICAL)

EPSS: 0.30%

updated 2026-04-07T13:20:11.643000

2 posts

Kedro is a toolbox for production-ready data science. Prior to 1.3.0, Kedro allows the logging configuration file path to be set via the KEDRO_LOGGING_CONFIG environment variable and loads it without validation. The logging configuration schema supports the special () key, which enables arbitrary callable instantiation. An attacker can exploit this to execute arbitrary system commands during appli

CVE-2026-35021
(7.8 HIGH)

EPSS: 0.03%

updated 2026-04-07T13:20:11.643000

1 posts

Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the prompt editor invocation utility that allows attackers to execute arbitrary commands by crafting malicious file paths. Attackers can inject shell metacharacters such as $() or backtick expressions into file paths that are interpolated into shell commands executed via execSync. Although the file path

CVE-2026-35203
(7.5 HIGH)

EPSS: 0.04%

updated 2026-04-07T13:20:11.643000

1 posts

ZLMediaKit is a streaming media service framework. the VP9 RTP payload parser in ext-codec/VP9Rtp.cpp reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that sufficient data exists in the buffer. A crafted VP9 RTP packet with a 1-byte payload (0xFF, all flags set) causes the parser to read past the end of the allocated buffer, resulting in a heap-buf

CVE-2026-35442
(8.1 HIGH)

EPSS: 0.04%

updated 2026-04-07T13:20:11.643000

1 posts

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, including static

CVE-2026-5686
(8.8 HIGH)

EPSS: 0.02%

updated 2026-04-07T13:20:11.643000

1 posts

A security flaw has been discovered in Tenda CX12L 16.03.53.12. This vulnerability affects the function fromRouteStatic of the file /goform/RouteStatic. The manipulation of the argument page results in stack-based buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.

CVE-2026-5709
(8.8 HIGH)

EPSS: 0.07%

updated 2026-04-07T13:20:11.643000

1 posts

Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding mitigat

CVE-2026-5687
(8.8 HIGH)

EPSS: 0.05%

updated 2026-04-07T13:20:11.643000

1 posts

A weakness has been identified in Tenda CX12L 16.03.53.12. This issue affects the function fromNatStaticSetting of the file /goform/NatStaticSetting. This manipulation of the argument page causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks.

CVE-2026-35050
(9.1 CRITICAL)

EPSS: 0.06%

updated 2026-04-07T13:20:11.643000

1 posts

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.1.1, users can save extention settings in "py" format and in the app root directory. This allows to overwrite python files, for instance the "download-model.py" file could be overwritten. Then, this python file can be triggered to get executed from "Model" menu when requesting to download a new mode

CVE-2026-35045
(8.1 HIGH)

EPSS: 0.03%

updated 2026-04-07T13:20:11.643000

1 posts

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, the PUT /api/recipe/batch_update/ endpoint in Tandoor Recipes allows any authenticated user within a Space to modify any recipe in that Space, including recipes marked as private by other users. This bypasses all object-level authorization checks enforced on standard single-recipe e

1 repos

https://github.com/FilipeGaudard/CVE-2026-35045-PoC

CVE-2026-34975
(8.5 HIGH)

EPSS: 0.03%

updated 2026-04-07T13:20:11.643000

2 posts

Plunk is an open-source email platform built on top of AWS SES. Prior to 0.8.0, a CRLF header injection vulnerability was discovered in SESService.ts, where user-supplied values for from.name, subject, custom header keys/values, and attachment filenames were interpolated directly into raw MIME messages without sanitization. An authenticated API user could inject arbitrary email headers (e.g. Bcc,

CVE-2026-34208
(10.0 CRITICAL)

EPSS: 0.06%

updated 2026-04-07T13:20:11.643000

1 posts

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker

CVE-2026-34950
(9.1 CRITICAL)

EPSS: 0.02%

updated 2026-04-07T13:20:11.643000

2 posts

fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, the publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ anchor that is defeated by any leading whitespace in the key string, re-enabling the exact same JWT algorithm confusion attack that CVE-2023-48223 patched.

CVE-2026-33752
(8.6 HIGH)

EPSS: 0.01%

updated 2026-04-07T13:20:11.643000

1 posts

curl_cffi is the a Python binding for curl. Prior to 0.15.0, curl_cffi does not restrict requests to internal IP ranges, and follows redirects automatically via the underlying libcurl. Because of this, an attacker-controlled URL can redirect requests to internal services such as cloud metadata endpoints. In addition, curl_cffi’s TLS impersonation feature can make these requests appear as legitimat

1 repos

https://github.com/redyank/CVE-2026-33752

CVE-2026-34402
(8.1 HIGH)

EPSS: 0.02%

updated 2026-04-07T13:20:11.643000

1 posts

ChurchCRM is an open-source church management system. Prior to 7.1.0, authenticated users with Edit Records or Manage Groups permissions can exploit a time-based blind SQL injection vulnerability in the PropertyAssign.php endpoint to exfiltrate or modify any database content, including user credentials, personal identifiable information (PII), and configuration secrets. This vulnerability is fixed

CVE-2026-34904
(7.5 HIGH)

EPSS: 0.02%

updated 2026-04-07T09:31:28

1 posts

Cross-Site Request Forgery (CSRF) vulnerability in Analytify Simple Social Media Share Buttons allows Cross Site Request Forgery.This issue affects Simple Social Media Share Buttons: from n/a through 6.2.0.

CVE-2026-1114
(9.8 CRITICAL)

EPSS: 0.04%

updated 2026-04-07T09:31:22

2 posts

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and

CVE-2025-65115
(8.8 HIGH)

EPSS: 0.07%

updated 2026-04-07T06:30:28

1 posts

Remote Code Execution Vulnerability in JP1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management 2 - Operations Director on Windows, Job Management Partner 1/IT Desktop Management 2 - Manager on Windows, JP1/IT Desktop Management - Manager on Windows, Job Management Partner 1/IT Desktop Management - Manager on Windows, JP1/NETM/DM Manager on Windows, JP1/NETM/DM Client on Windows

CVE-2026-5708
(8.8 HIGH)

EPSS: 0.12%

updated 2026-04-07T00:30:28

1 posts

Unsanitized control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) prior to version 2026.03 could allow an authenticated remote user to escalate privileges, assume the virtual desktop host instance profile permissions, and interact with AWS resources and services via a crafted API request. To remediate this issue, users are advised to

CVE-2026-5707
(8.8 HIGH)

EPSS: 0.21%

updated 2026-04-07T00:30:28

1 posts

Unsanitized input in an OS command in the virtual desktop session name handling in AWS Research and Engineering Studio (RES) version 2025.03 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host via a crafted session name. To remediate this issue, users are advised to upgrade to RES version 2026.03 or apply the corresponding

CVE-2026-5685
(8.8 HIGH)

EPSS: 0.05%

updated 2026-04-07T00:30:27

1 posts

A vulnerability was identified in Tenda CX12L 16.03.53.12. This affects the function fromAddressNat of the file /goform/addressNat. The manipulation of the argument page leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit is publicly available and might be used.

CVE-2026-5684
(8.0 HIGH)

EPSS: 0.03%

updated 2026-04-07T00:30:27

1 posts

A vulnerability was determined in Tenda CX12L 16.03.53.12. Affected by this issue is the function fromwebExcptypemanFilter of the file /goform/webExcptypemanFilter. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack requires access to the local network. The exploit has been publicly disclosed and may be utilized.

CVE-2026-35393
(9.8 CRITICAL)

EPSS: 0.07%

updated 2026-04-06T23:43:51

3 posts

### Summary * POST multipart upload directory not sanitized | `httpserver/updown.go:71-174` This finding affect the default configuration, no flags or authentication required. ### Details **File:** `httpserver/updown.go:71-174` **Trigger:** `POST /<path>/upload` (server.go:49-51 checks `HasSuffix(r.URL.Path, "/upload")`) The filename is sanitized (slashes stripped, line 105-106), but the targe

CVE-2026-35392
(9.8 CRITICAL)

EPSS: 0.07%

updated 2026-04-06T23:43:46

2 posts

### Summary * PUT upload has no path sanitization | `httpserver/updown.go:20-69` This finding affects the default configuration, no flags or authentication required. ### Details **File:** `httpserver/updown.go:20-69` **Trigger:** `PUT /<path>` (server.go:57-59 routes directly to `put()`) The handler uses `req.URL.Path` raw to build the save path. No `filepath.Clean`, no `..` check, no webroot

CVE-2026-35187
(7.7 HIGH)

EPSS: 0.03%

updated 2026-04-06T23:43:26

1 posts

## Vulnerability Details **CWE-918**: Server-Side Request Forgery (SSRF) The `parse_urls` API function in `src/pyload/core/api/__init__.py` (line 556) fetches arbitrary URLs server-side via `get_url(url)` (pycurl) without any URL validation, protocol restriction, or IP blacklist. An authenticated user with ADD permission can: - Make HTTP/HTTPS requests to internal network resources and cloud me

CVE-2026-35209
(7.5 HIGH)

EPSS: 0.03%

updated 2026-04-06T23:42:30

1 posts

### Impact Applications that pass unsanitized user input (e.g. parsed JSON request bodies, database records, or config files from untrusted sources) as the first argument to `defu()` are vulnerable to prototype pollution. A crafted payload containing a `__proto__` key can override intended default values in the merged result: ```js import { defu } from 'defu' const userInput = JSON.parse('{"__

CVE-2026-35044
(8.8 HIGH)

EPSS: 0.04%

updated 2026-04-06T23:42:10

1 posts

## Summary The Dockerfile generation function `generate_containerfile()` in `src/bentoml/_internal/container/generate.py` uses an unsandboxed `jinja2.Environment` with the `jinja2.ext.do` extension to render user-provided `dockerfile_template` files. When a victim imports a malicious bento archive and runs `bentoml containerize`, attacker-controlled Jinja2 template code executes arbitrary Python

CVE-2026-34841
(9.8 CRITICAL)

EPSS: 0.02%

updated 2026-04-06T23:41:04

1 posts

### **Impact** This is a **supply chain attack** involving compromised versions of the `axios` npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of **@usebruno/cli** who ran `npm install` between **00:21 UTC and ~03:30 UTC on March 31, 2026** may have been impacted. Potential impact includes: * Execution of a malicious `postinstall`

CVE-2026-34989(CVSS UNKNOWN)

EPSS: 0.05%

updated 2026-04-06T23:40:25

1 posts

## Summary ### **Vulnerability 1: Stored DOM XSS via Profile Name Update (Persistent Payload Injection)** - Stored Cross-Site Scripting via Unsanitized User Name in Profile Management ### Description The application fails to properly sanitize user-controlled input when users update their profile name (e.g., full name / username). An attacker can inject a malicious JavaScript payload into their pr

CVE-2026-34976
(10.0 CRITICAL)

EPSS: 0.03%

updated 2026-04-06T23:26:04

2 posts

The `restoreTenant` admin mutation is missing from the authorization middleware config (`admin.go:499-522`), making it completely unauthenticated. Unlike the similar `restore` mutation which requires Guardian-of-Galaxy authentication, `restoreTenant` executes with zero middleware. This mutation accepts attacker-controlled backup source URLs (including `file://` for local filesystem access), S3/Mi

CVE-2026-33579
(9.9 CRITICAL)

EPSS: 0.02%

updated 2026-04-06T23:16:26.987000

2 posts

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for broader scopes including admin access by exploiting the missing scope validation in extensions/device-pair/index.ts and

1 repos

https://github.com/atalovesyou/openclaw-security-checker

CVE-2026-35172
(7.5 HIGH)

EPSS: 0.03%

updated 2026-04-06T23:14:52

1 posts

## summary: distribution can restore read access in `repo a` after an explicit delete when `storage.cache.blobdescriptor: redis` and `storage.delete.enabled: true` are both enabled. the delete path clears the shared digest descriptor but leaves stale repo-scoped membership behind, so a later `Stat` or `Get` from `repo b` repopulates the shared descriptor and makes the deleted blob readable from `r

CVE-2026-34986
(7.5 HIGH)

EPSS: 0.01%

updated 2026-04-06T23:11:46

1 posts

### Impact Decrypting a JSON Web Encryption (JWE) object will panic if the `alg` field indicates a key wrapping algorithm ([one ending in `KW`](https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants), with the exception of `A128GCMKW`, `A192GCMKW`, and `A256GCMKW`) and the `encrypted_key` field is empty. The panic happens when `cipher.KeyUnwrap()` in `key_wrap.go` attempts to allocate a s

CVE-2026-35020
(8.4 HIGH)

EPSS: 0.06%

updated 2026-04-06T21:31:41

1 posts

Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the command lookup helper and deep-link terminal launcher that allows local attackers to execute arbitrary commands by manipulating the TERMINAL environment variable. Attackers can inject shell metacharacters into the TERMINAL variable which are interpreted by /bin/sh when the command lookup helper cons

CVE-2026-35022
(9.8 CRITICAL)

EPSS: 0.25%

updated 2026-04-06T21:31:41

2 posts

Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in authentication helper execution where helper configuration values are executed using shell=true without input validation. Attackers who can influence authentication settings can inject shell metacharacters through parameters like apiKeyHelper, awsAuthRefresh, awsCredentialExport, and gcpAuthRefresh to e

CVE-2025-47390
(7.8 HIGH)

EPSS: 0.01%

updated 2026-04-06T18:33:15

1 posts

Memory corruption while preprocessing IOCTL request in JPEG driver.

CVE-2026-21372
(7.8 HIGH)

EPSS: 0.01%

updated 2026-04-06T18:33:15

1 posts

Memory Corruption when sending IOCTL requests with invalid buffer sizes during memcpy operations.

CVE-2026-21367
(7.7 HIGH)

EPSS: 0.04%

updated 2026-04-06T18:33:15

1 posts

Transient DOS when processing nonstandard FILS Discovery Frames with out-of-range action sizes during initial scans.

CVE-2026-21382
(7.8 HIGH)

EPSS: 0.01%

updated 2026-04-06T18:33:15

2 posts

Memory Corruption when handling power management requests with improperly sized input/output buffers.

CVE-2026-21381
(7.7 HIGH)

EPSS: 0.04%

updated 2026-04-06T18:33:15

1 posts

Transient DOS when receiving a service data frame with excessive length during device matching over a neighborhood awareness network protocol connection.

CVE-2026-21374
(7.8 HIGH)

EPSS: 0.01%

updated 2026-04-06T18:33:07

2 posts

Memory Corruption when processing auxiliary sensor input/output control commands with insufficient buffer size validation.

CVE-2026-21371
(7.8 HIGH)

EPSS: 0.01%

updated 2026-04-06T18:33:06

1 posts

Memory Corruption when retrieving output buffer with insufficient size validation.

CVE-2025-47389
(7.8 HIGH)

EPSS: 0.01%

updated 2026-04-06T18:33:05

1 posts

Memory corruption when buffer copy operation fails due to integer overflow during attestation report generation.

CVE-2026-35616
(9.8 CRITICAL)

EPSS: 5.95%

updated 2026-04-06T18:12:57.863000

11 posts

A improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.

5 repos

https://github.com/BishopFox/CVE-2026-35616-check

https://github.com/0xBlackash/CVE-2026-35616

https://github.com/fevar54/CVE-2026-35616-detector.py

https://github.com/z3r0h3ro/CVE-2026-35616-poc

https://github.com/fevar54/forticlient_ems_cve_2026_35616_poc.py

CVE-2026-30078
(7.5 HIGH)

EPSS: 0.06%

updated 2026-04-06T15:31:34

2 posts

OpenAirInterface V2.2.0 AMF crashes when it receives an NGAP message with invalid procedure code or invalid PDU-type. For example when the message specification requires InitiatingMessage but sent with successfulOutcome.

CVE-2026-34885
(8.5 HIGH)

EPSS: 0.03%

updated 2026-04-06T15:31:34

1 posts

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant allows SQL Injection.This issue affects Media LIbrary Assistant: from n/a through 3.34.

Nuclei template

CVE-2026-3524
(8.8 HIGH)

EPSS: 0.01%

updated 2026-04-06T15:31:34

1 posts

Mattermost Plugin Legal Hold versions <=1.1.4 fail to halt request processing after a failed authorization check in ServeHTTP which allows an authenticated attacker to access, create, download, and delete legal hold data via crafted API requests to the plugin's endpoints. Mattermost Advisory ID: MMSA-2026-00621

CVE-2026-35470
(8.8 HIGH)

EPSS: 0.03%

updated 2026-04-03T21:57:08

2 posts

## Description Six `confronta_righe.php` files across different modules in OpenSTAManager <= 2.10.1 contain an SQL Injection vulnerability. The `righe` parameter received via `$_GET['righe']` is directly concatenated into an SQL query without any sanitization, parameterization or validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database

CVE-2026-32186
(6.5 MEDIUM)

EPSS: 0.09%

updated 2026-04-03T21:32:44

1 posts

Microsoft Bing Elevation of Privilege Vulnerability

CVE-2026-3184
(3.7 LOW)

EPSS: 0.08%

updated 2026-04-03T21:31:49

1 posts

A flaw was found in util-linux. Improper hostname canonicalization in the `login(1)` utility, when invoked with the `-h` option, can modify the supplied remote hostname before setting `PAM_RHOST`. A remote attacker could exploit this by providing a specially crafted hostname, potentially bypassing host-based Pluggable Authentication Modules (PAM) access control rules that rely on fully qualified d

1 repos

https://github.com/Mothra-1/CVE-2026-31844

CVE-2026-34040
(8.8 HIGH)

EPSS: 0.01%

updated 2026-04-03T16:51:28.670000

1 posts

Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.

CVE-2026-1668
(9.8 CRITICAL)

EPSS: 0.37%

updated 2026-04-02T15:03:02.430000

1 posts

The web interface on multiple Omada switches does not adequately validate certain external inputs, which may lead to out-of-bound memory access when processing crafted requests. Under specific conditions, this flaw may result in unintended command execution.<br>An unauthenticated attacker with network access to the affected interface may cause memory corruption, service instability, or informatio

1 repos

https://github.com/tangrs/cve-2026-1668-poc

CVE-2026-33744
(7.8 HIGH)

EPSS: 0.01%

updated 2026-04-01T15:00:48.743000

1 posts

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.37, the `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages` is semantically a list of OS package names (data), users do not expect values to be int