| # | CVSS | Severity | Vector | Description | Status | CWE | CWE name | CVE | Updated | Published |
|---|---|---|---|---|---|---|---|---|---|---|
| 251 | - | - | - | My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied argument… | New | CWE-639 | Authorization Bypass Through User-Controlled Key | CVE-2026-40308 | 2026-04-18 00:38 | 2026-04-17 |
| 252 | 8.1 | HIGH | Network | sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c. | New | CWE-78 | OS Command Injection | CVE-2026-41113 | 2026-04-18 00:38 | 2026-04-17 |
| 253 | 4.3 | MEDIUM | Network | Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id. | New | CWE-425 | Direct Request ('Forced Browsing') | CVE-2024-58343 | 2026-04-18 00:38 | 2026-04-17 |
| 254 | 8.5 | HIGH | Network | SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id pa… | New | CWE-24 | Path Traversal: '../filedir' | CVE-2026-40318 | 2026-04-18 00:38 | 2026-04-17 |
| 255 | 8.6 | HIGH | Network | Cloud Foundry UAA is vulnerable to a bypass that allows an attacker to obtain a token for any user and gain access to UAA-protected systems. This vulnerability exists when SAML 2.0 bearer assertions … | New | CWE-290 | Authentication Bypass by Spoofing | CVE-2026-22734 | 2026-04-18 00:38 | 2026-04-17 |
| 256 | - | - | - | pypdf is a free and open-source pure-python PDF library. In versions prior to 6.10.0, manipulated XMP metadata entity declarations can exhaust RAM. An attacker who exploits this vulnerability can cra… | New | CWE-776 | XML Entity Expansion | CVE-2026-40260 | 2026-04-18 00:38 | 2026-04-17 |
| 257 | 6.8 | MEDIUM | Local | openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. In versions 3.26.0 and below, the BER/DER decoding functions in the shared common library (asn1.c) accept a raw pointer but n… | New | CWE-125 | Out-of-bounds Read | CVE-2026-40253 | 2026-04-18 00:38 | 2026-04-17 |
| 258 | 6.1 | MEDIUM | Network | AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. In @adonisjs/http-server versions prior to 7.8.1 and 8.0.0-next.0 through 8.1.3, and @adonisjs/core versions pr… | New | CWE-601 | Open Redirect | CVE-2026-40255 | 2026-04-18 00:38 | 2026-04-17 |
| 259 | 8.1 | HIGH | Network | SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts pub… | New | CWE-285 | Improper Authorization | CVE-2026-40259 | 2026-04-18 00:38 | 2026-04-17 |
| 260 | 9.0 | CRITICAL | Network | SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, Mermaid diagrams are rendered with securityLevel set to "loose", and the resulting SVG is injected into the… | New | CWE-79, CWE-94 | Cross-site Scripting; Code Injection | CVE-2026-40322 | 2026-04-18 00:38 | 2026-04-17 |