|
531
|
- |
|
-
|
-
|
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions que…
Update
|
CWE-88
CWE-862
Argument Injection
Missing Authorization
|
CVE-2026-35033
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
532
|
8.0 |
HIGH
Network
|
-
|
-
|
nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in the bridge's WebSocket server in bridge/src/server.ts, resulting f…
Update
|
CWE-1385
Missing Origin Validation in WebSockets
|
CVE-2026-35589
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
533
|
7.2 |
HIGH
Network
|
-
|
-
|
BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites and blogs, using JSON as its database. Versions prior to 2.1.3 are vulnerable to a critical Local File Inclusion (LFI) …
Update
|
CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
|
CVE-2026-39387
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
534
|
9.6 |
CRITICAL
Network
|
-
|
-
|
NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job’s handling of .nuspec files within NuGet packages. An attacker can supply …
Update
|
CWE-20
CWE-22
Improper Input Validation
Path Traversal
|
CVE-2026-39399
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
535
|
8.1 |
HIGH
Network
|
-
|
-
|
An access control vulnerability was discovered in the Threat Intelligence functionality due to a specific access restriction not being properly enforced for users with view-only privileges. An authen…
Update
|
CWE-863
Incorrect Authorization
|
CVE-2025-40897
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
536
|
8.9 |
HIGH
Network
|
-
|
-
|
A Stored Cross-Site Scripting vulnerability was discovered in the Assets and Nodes functionality due to improper validation of an input parameter. An authenticated user with custom fields privileges …
Update
|
CWE-79
Cross-site Scripting
|
CVE-2025-40899
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
537
|
9.9 |
CRITICAL
Network
|
-
|
-
|
OpenRemote is an open-source IoT platform. Versions 1.21.0 and below contain two interrelated expression injection vulnerabilities in the rules engine that allow arbitrary code execution on the serve…
Update
|
CWE-94
CWE-917
Code Injection
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
|
CVE-2026-39842
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
538
|
8.3 |
HIGH
Network
|
-
|
-
|
mcp-server-kubernetes is a Model Context Protocol server for Kubernetes cluster management. Versions 3.4.0 and prior contain an argument injection vulnerability in the port_forward tool in src/tools/…
Update
|
CWE-88
Argument Injection
|
CVE-2026-39884
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
539
|
6.9 |
MEDIUM
Network
|
-
|
-
|
Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the serendipity_setCookie() function in include/functions_config.inc.php uses $_SERVER['HTTP_HOST'] without validation as…
Update
|
CWE-565
Reliance on Cookies without Validation and Integrity Checking
|
CVE-2026-39963
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
540
|
7.2 |
HIGH
Network
|
-
|
-
|
Serendipity is a PHP-powered weblog engine. In versions 2.6-beta2 and below, the email sending functionality in include/functions.inc.php inserts $_SERVER['HTTP_HOST'] directly into the Message-ID SM…
Update
|
CWE-113
HTTP Response Splitting
|
CVE-2026-39971
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
