221 | CVE-2025-6024 | CVSS 6.1 MEDIUM | Network | CWE-79 Cross-site Scripting | New | 2026-04-18 00:38 | 2026-04-16
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into t…

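The fix for this class of bug is output encoding chosen per context, not input filtering. Below is an added example (not code from the affected product) that renders the same login error page two ways: the CWE-79 pattern that concatenates the username into HTML, and a version that encodes for the text-node, attribute and URL contexts it lands in. The endpoint, parameter name and template are assumptions for illustration; the probe string is constructed.

```python
"""Context-aware output encoding for a login error page.

Added example, not code from the affected product. The endpoint name,
parameter name and template are assumptions for illustration.
"""
import html
from urllib.parse import quote

# Constructed attacker input: a typical reflected-XSS probe against a
# login form's "username" parameter. It breaks out of a double-quoted
# attribute and then injects a script element.
PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_error_vulnerable(username: str) -> str:
    """The CWE-79 pattern: user input concatenated into HTML unencoded."""
    return (
        f'<p class="error">Login failed for user {username}</p>\n'
        f'<input name="username" value="{username}">'
    )


def render_error_fixed(username: str) -> str:
    """Encode the value for each context it is rendered in.

    html.escape(quote=True) is correct for a text node and for a
    double-quoted attribute value; a URL query component needs
    percent-encoding instead. A JavaScript string context (not shown)
    would need yet another encoder.
    """
    text_ctx = html.escape(username, quote=True)
    attr_ctx = html.escape(username, quote=True)
    url_ctx = quote(username, safe="")
    return (
        f'<p class="error">Login failed for user {text_ctx}</p>\n'
        f'<input name="username" value="{attr_ctx}">\n'
        f'<a href="/forgot?u={url_ctx}">Forgot password?</a>'
    )


def contains_active_script(markup: str) -> bool:
    """Crude check: does an unencoded <script start tag survive?"""
    return "<script" in markup.lower()
```

Run `render_error_vulnerable(PAYLOAD)` and `render_error_fixed(PAYLOAD)` side by side: the first contains a live `<script>` element, the second only `&lt;script&gt;` and `%3Cscript%3E`, which browsers render as text.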
222 | CVE-2025-12624 | CVSS 6.0 MEDIUM | Network | CWE-613 Insufficient Session Expiration | New | 2026-04-18 00:38 | 2026-04-16
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usab…

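An account lock is only meaningful if tokens issued before the lock stop working. The added example below (not WSO2 Identity Server code; the token store, account registry and lock hook are stand-ins for the product's own components) shows the two controls a practitioner wants: the lock operation revokes every live token for the user, and token validation re-checks account state on every use so that a missed revocation still cannot be exploited.

```python
"""Revoke access tokens when an account is locked (CWE-613 fix pattern).

Added example, not WSO2 Identity Server code. TokenService, Account and
TokenRecord are assumptions standing in for the product's own components.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 3600


@dataclass
class Account:
    username: str
    locked: bool = False


@dataclass
class TokenRecord:
    username: str
    expires_at: float
    revoked: bool = False


@dataclass
class TokenService:
    accounts: Dict[str, Account] = field(default_factory=dict)
    # Keyed by SHA-256 of the token so a leaked store does not leak tokens.
    tokens: Dict[str, TokenRecord] = field(default_factory=dict)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        """Issue an opaque bearer token; locked accounts get nothing."""
        acct = self.accounts[username]
        if acct.locked:
            raise PermissionError("account locked")
        token = secrets.token_urlsafe(32)
        self.tokens[self._key(token)] = TokenRecord(
            username, time.time() + TOKEN_TTL_SECONDS
        )
        return token

    def lock_account(self, username: str) -> int:
        """Lock the account AND revoke every live token it owns.

        Returns the number of tokens revoked. The vulnerable behaviour
        described in the advisory is this method without the loop.
        """
        self.accounts[username].locked = True
        revoked = 0
        for rec in self.tokens.values():
            if rec.username == username and not rec.revoked:
                rec.revoked = True
                revoked += 1
        return revoked

    def validate(self, token: str) -> Optional[str]:
        """Return the owning username, or None if the token must be rejected.

        Defence in depth: the account's lock state is consulted on every
        validation, so even a token that escaped revocation cannot act
        for a locked account.
        """
        rec = self.tokens.get(self._key(token))
        if rec is None or rec.revoked or rec.expires_at < time.time():
            return None
        acct = self.accounts.get(rec.username)
        if acct is None or acct.locked:
            return None
        return rec.username


def demo() -> Tuple[bool, bool]:
    """Issue a token, lock the account, show the token is now rejected."""
    svc = TokenService(accounts={"alice": Account("alice")})
    tok = svc.issue("alice")
    valid_before = svc.validate(tok) == "alice"
    svc.lock_account("alice")
    rejected_after = svc.validate(tok) is None
    return valid_before, rejected_after
```

When the resource server validates tokens by introspection rather than locally, the same rule applies: the introspection endpoint must return `active: false` for tokens whose owner is locked, not just for tokens past their expiry.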
223 | CVE-2026-31843 | CVSS 9.8 CRITICAL | Network | CWE-284 Improper Access Control | New | 2026-04-18 00:38 | 2026-04-16
The goodoneuz/pay-uz Laravel package (<= 2.2.24) contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment…

224 | CVE-2026-31987 | CVSS - | CWE-532 Inclusion of Sensitive Information in Log Files | New | 2026-04-18 00:38 | 2026-04-16
JWT tokens used by tasks were exposed in logs. This could allow UI users to act as DAG authors. Users are advised to upgrade to an Airflow version that contains the fix. Users are recommended to upgrade t…

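A token that reaches a log file is readable by everyone who can read logs, which in a scheduler UI is usually a wider group than the token's intended holder. The added example below (not Airflow code, and not Airflow's own secrets masker) shows the generic mitigation: a `logging.Filter` attached to the handler that rewrites JWT-shaped strings in the message and its string arguments before any handler writes them. The log line and the token are constructed.

```python
"""Keep JWTs out of log output (CWE-532 mitigation pattern).

Added example, not Airflow code. The sample token and log line are
constructed; JwtRedactingFilter is a plain logging.Filter, not the
project's own masking component.
"""
import io
import logging
import re

# A JWT is three base64url segments separated by dots. The first segment
# is the base64url of a JSON header starting with '{"' so it always
# begins with "eyJ"; the signature segment may be empty for alg=none.
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

# Constructed token: header {"alg":"HS256","typ":"JWT"}, payload
# {"sub":"task"}, and a dummy signature segment.
SAMPLE_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiJ0YXNrIn0."
    "c2lnbmF0dXJl"
)


def redact_jwt(text: str) -> str:
    """Replace every JWT-shaped substring with a fixed placeholder."""
    return JWT_RE.sub("[REDACTED-JWT]", text)


class JwtRedactingFilter(logging.Filter):
    """Rewrites the record's message and string args before formatting.

    Only str args are touched so %d / %f placeholders keep working.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_jwt(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {
                k: redact_jwt(v) if isinstance(v, str) else v
                for k, v in record.args.items()
            }
        elif record.args:
            record.args = tuple(
                redact_jwt(a) if isinstance(a, str) else a for a in record.args
            )
        return True


def build_logger(name: str, sink: io.StringIO) -> logging.Logger:
    """Logger whose single handler redacts JWTs for every record it sees.

    The filter goes on the handler, not the logger, so records from child
    loggers and third-party libraries are covered as well.
    """
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(sink)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(JwtRedactingFilter())
    logger.addHandler(handler)
    return logger


def demo() -> str:
    """Log a constructed line that carries a bearer token; return the output."""
    sink = io.StringIO()
    log = build_logger("task-runner-example", sink)
    log.info("task %s: calling API with Authorization: Bearer %s",
             "export_42", SAMPLE_JWT)
    log.debug("retry %d with token=%s", 1, SAMPLE_JWT)
    return sink.getvalue()
```

Redaction at the sink is a safety net, not a substitute for not logging credentials at all; the regex will also miss a token that has been split across lines or URL-encoded.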
225 | CVE-2026-30459 | CVSS 7.1 HIGH | Network | CWE-640 Weak Password Recovery Mechanism for Forgotten Password | New | 2026-04-18 00:38 | 2026-04-17
An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-m…

226 | CVE-2026-30656 | CVSS 7.5 HIGH | Network | CWE-476 NULL Pointer Dereference | New | 2026-04-18 00:38 | 2026-04-17
A NULL pointer dereference vulnerability exists in fio (Flexible I/O Tester) v3.41 when parsing job files containing the fdp_pli option. The callback function str_fdp_pli_cb() does not validate the i…

227 | CVE-2026-37100 | CVSS - | CWE - | New | 2026-04-18 00:38 | 2026-04-17
An issue in the Bluetooth Low Energy (BLE) control interface of the Yamaha SR-B30A sound bar firmware 2.40 (Mobile App: Sound Bar Remote / version: 2.40) allows remote attackers within BLE radio rang…

228 | CVE-2026-41080 | CVSS 2.9 LOW | Local | CWE-331 Insufficient Entropy | New | 2026-04-18 00:38 | 2026-04-17
libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

229 | CVE-2026-27820 | CVSS - | CWE-120 Classic Buffer Overflow; CWE-131 Incorrect Calculation of Buffer Size | New | 2026-04-18 00:38 | 2026-04-17
zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The z…

230 | CVE-2026-33082 | CVSS - | CWE-89 SQL Injection | New | 2026-04-18 00:38 | 2026-04-17
DataEase is an open source data visualization analysis tool. Versions 2.10.20 and below contain a SQL injection vulnerability in the dataset export functionality. The expressionTree parameter in POST…

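Export and filter endpoints that accept a JSON expression tree are a recurring SQL injection source because the tree is compiled into a WHERE clause and the compiler trusts field names and values from the request. The added example below is not DataEase code and the tree shape it accepts is an assumption for illustration, not DataEase's real `expressionTree` format; it contrasts a compiler that interpolates values into the query with one that allowlists fields and operators and binds every value as a parameter, executed against a constructed SQLite table so the difference is observable.

```python
"""Compile a JSON filter tree into parameterized SQL (CWE-89 fix pattern).

Added example, not DataEase code. The tree format ({"op": ..., "field":
..., "value": ...} with "and"/"or" nodes holding "children") and the
sales table are assumptions for illustration.
"""
from __future__ import annotations

import sqlite3
from typing import Any, Dict, List, Tuple

# Identifiers never come from the request; they are matched against
# what the dataset actually exposes.
ALLOWED_FIELDS = {"region", "amount", "status"}
BINARY_OPS = {"eq": "=", "ne": "<>", "gt": ">", "lt": "<", "ge": ">=", "le": "<="}


class UnsafeExpression(ValueError):
    """Raised when a tree uses a field, operator or value type not allowed."""


def compile_tree_vulnerable(node: Dict[str, Any]) -> str:
    """The injectable pattern: field and value pasted straight into SQL."""
    op = node["op"]
    if op in ("and", "or"):
        return f" {op.upper()} ".join(
            f"({compile_tree_vulnerable(c)})" for c in node["children"]
        )
    value = node["value"]
    literal = f"'{value}'" if isinstance(value, str) else str(value)
    return f"{node['field']} {BINARY_OPS[op]} {literal}"


def compile_tree(node: Dict[str, Any]) -> Tuple[str, List[Any]]:
    """Return (sql_fragment, params); values only ever travel as params."""
    op = node.get("op")
    if op in ("and", "or"):
        children = node.get("children") or []
        if not children:
            raise UnsafeExpression("empty logical node")
        parts: List[str] = []
        params: List[Any] = []
        for child in children:
            sql, p = compile_tree(child)
            parts.append(f"({sql})")
            params.extend(p)
        return f" {op.upper()} ".join(parts), params
    if op in BINARY_OPS:
        field = node.get("field")
        if field not in ALLOWED_FIELDS:
            raise UnsafeExpression(f"field not allowed: {field!r}")
        value = node.get("value")
        if isinstance(value, bool) or not isinstance(value, (str, int, float)):
            raise UnsafeExpression("value must be a scalar")
        return f'"{field}" {BINARY_OPS[op]} ?', [value]
    raise UnsafeExpression(f"operator not allowed: {op!r}")


def export_rows_vulnerable(conn: sqlite3.Connection, tree: Dict[str, Any]) -> list:
    where = compile_tree_vulnerable(tree)
    return conn.execute(
        f"SELECT region, amount FROM sales WHERE {where} ORDER BY amount"
    ).fetchall()


def export_rows(conn: sqlite3.Connection, tree: Dict[str, Any]) -> list:
    where, params = compile_tree(tree)
    return conn.execute(
        f"SELECT region, amount FROM sales WHERE {where} ORDER BY amount", params
    ).fetchall()


def demo() -> Dict[str, Any]:
    """Run a legitimate tree and two hostile ones through both compilers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(  # constructed sample data
        "CREATE TABLE sales(region TEXT, amount INTEGER, status TEXT);"
        "INSERT INTO sales VALUES ('east', 150, 'paid'), ('east', 50, 'paid'),"
        " ('west', 300, 'refunded');"
    )
    legit = {"op": "and", "children": [
        {"op": "eq", "field": "region", "value": "east"},
        {"op": "gt", "field": "amount", "value": 100}]}
    # Tautology smuggled in a value; must match nothing once bound as a parameter.
    tautology = {"op": "eq", "field": "region", "value": "x' OR '1'='1"}
    # Injection via the identifier position, which parameters cannot protect.
    bad_field = {"op": "eq", "field": "region = 'x' OR 1=1 --", "value": "x"}
    out: Dict[str, Any] = {"legit": export_rows(conn, legit)}
    out["vuln_tautology"] = export_rows_vulnerable(conn, tautology)
    out["safe_tautology"] = export_rows(conn, tautology)
    try:
        export_rows(conn, bad_field)
        out["safe_bad_field"] = "accepted"
    except UnsafeExpression:
        out["safe_bad_field"] = "rejected"
    return out
```

Parameters protect values only; the field allowlist is what closes the identifier position, and `compile_tree` also bounds what a client can do by refusing any operator outside `BINARY_OPS`.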