|
631
|
7.5 |
HIGH
Network
|
-
|
-
|
Incorrect access control in the config.php component of Slah v1.5.0 and below allows unauthenticated attackers to access sensitive information, including active session credentials.
|
CWE-284
Improper Access Control
|
CVE-2026-30994
|
2026-04-18 00:37 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
632
|
8.6 |
HIGH
Network
|
-
|
-
|
Slah CMS v1.5.0 and below was discovered to contain a SQL injection vulnerability via the id parameter in the vereador_ver.php endpoint.
|
CWE-89
SQL Injection
|
CVE-2026-30995
|
2026-04-18 00:37 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
633
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Slah CMS v1.5.0 and below was discovered to contain a remote code execution (RCE) vulnerability in the session() function at config.php. This vulnerability is exploitable via a crafted input.
|
CWE-94
Code Injection
|
CVE-2026-30993
|
2026-04-18 00:37 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
634
|
8.0 |
HIGH
Network
|
-
|
-
|
Totara LMS v19.1.5 and before is vulnerable to HTLM Injection. An attacker can inject malicious HTLM code in a message and send it to all the users in the application, resulting in executing the code…
|
CWE-79
Cross-site Scripting
|
CVE-2026-31281
|
2026-04-18 00:35 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
635
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the log…
|
CWE-284
Improper Access Control
|
CVE-2026-31282
|
2026-04-18 00:35 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
636
|
9.8 |
CRITICAL
Network
|
-
|
-
|
In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used for an Email Bombing attack.
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-31283
|
2026-04-18 00:35 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
637
|
8.8 |
HIGH
Network
|
-
|
-
|
A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `s…
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-1462
|
2026-04-18 00:34 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
638
|
6.2 |
MEDIUM
Local
|
-
|
-
|
A stack overflow in the experimental/tinyobj_loader_opt.h file of tinyobjloader commit d56555b allows attackers to cause a Denial of Service (DoS) via supplying a crafted .mtl file.
|
CWE-121
Stack-based Buffer Overflow
|
CVE-2026-29628
|
2026-04-18 00:34 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
639
|
7.5 |
HIGH
Network
|
-
|
-
|
An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.
|
CWE-125
Out-of-bounds Read
|
CVE-2026-30997
|
2026-04-18 00:34 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
640
|
7.5 |
HIGH
Network
|
-
|
-
|
An improper resource deallocation and closure vulnerability in the tools/zmqsend.c component of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input file.
|
CWE-400
Uncontrolled Resource Consumption
|
CVE-2026-30998
|
2026-04-18 00:34 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
