|
1
|
7.2 |
HIGH
Network
|
-
|
-
|
A out-of-bounds write vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow attacker to execute unauthorized code or commands v…
New
|
CWE-787
Out-of-bounds Write
|
CVE-2026-40688
|
2026-04-15 08:16 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2
|
9.6 |
CRITICAL
Network
|
-
|
-
|
NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job’s handling of .nuspec files within NuGet packages. An attacker can supply …
New
|
CWE-20
CWE-22
Improper Input Validation
Path Traversal
|
CVE-2026-39399
|
2026-04-15 08:16 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3
|
7.2 |
HIGH
Network
|
-
|
-
|
BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites and blogs, using JSON as its database. Versions prior to 2.1.3 are vulnerable to a critical Local File Inclusion (LFI) …
New
|
CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
|
CVE-2026-39387
|
2026-04-15 08:16 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
4
|
8.0 |
HIGH
Network
|
-
|
-
|
nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in the bridge's WebSocket server in bridge/src/server.ts, resulting f…
New
|
CWE-1385
Missing Origin Validation in WebSockets
|
CVE-2026-35589
|
2026-04-15 08:16 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a denial of service vulnerability in the SyncPlay group creation endpoint (POST /SyncPlay/New), where an authent…
New
|
CWE-400
Uncontrolled Resource Consumption
|
CVE-2026-35034
|
2026-04-15 08:16 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
6
|
- |
|
-
|
-
|
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions que…
New
|
CWE-88
CWE-862
Argument Injection
Missing Authorization
|
CVE-2026-35033
|
2026-04-15 08:16 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
7
|
- |
|
-
|
-
|
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not val…
New
|
CWE-73
CWE-918
External Control of File Name or Path
Server-Side Request Forgery (SSRF)
|
CVE-2026-35032
|
2026-04-15 08:16 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
8
|
9.9 |
CRITICAL
Network
|
-
|
-
|
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field …
New
|
CWE-20
CWE-22
CWE-187
Improper Input Validation
Path Traversal
Partial String Comparison
|
CVE-2026-35031
|
2026-04-15 08:16 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
9
|
9.1 |
CRITICAL
Network
|
-
|
-
|
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. Versions prior to 7.15.2 contain a configuration-dependent authentication bypass in deployments where OAuth2 Proxy…
New
|
CWE-290
Authentication Bypass by Spoofing
|
CVE-2026-34457
|
2026-04-15 08:16 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
10
|
3.5 |
LOW
Physics
|
-
|
-
|
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-i…
New
|
CWE-384
CWE-613
Session Fixation
Insufficient Session Expiration
|
CVE-2026-34454
|
2026-04-15 08:16 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
