|
321
|
7.7 |
HIGH
Network
|
-
|
-
|
Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has be…
New
|
CWE-22
CWE-59
CWE-200
Path Traversal
Link Following
Information Exposure
|
CVE-2026-34242
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
322
|
5.0 |
MEDIUM
Network
|
-
|
-
|
Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation servi…
New
|
CWE-200
CWE-918
Information Exposure
Server-Side Request Forgery (SSRF)
|
CVE-2026-34244
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
323
|
8.8 |
HIGH
Network
|
-
|
-
|
Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17.
New
|
CWE-269
Improper Privilege Management
|
CVE-2026-34393
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
324
|
4.1 |
MEDIUM
Network
|
-
|
-
|
Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable …
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-39845
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
325
|
5.0 |
MEDIUM
Network
|
-
|
-
|
Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses s…
New
|
CWE-22
Path Traversal
|
CVE-2026-40256
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
326
|
7.8 |
HIGH
Local
|
-
|
-
|
Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on th…
New
|
CWE-732
Incorrect Permission Assignment for Critical Resource
|
CVE-2026-22676
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
327
|
9.4 |
CRITICAL
Network
|
-
|
-
|
Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered o…
New
|
CWE-200
CWE-215
Information Exposure
Insertion of Sensitive Information Into Debugging Code
|
CVE-2026-40173
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
328
|
- |
|
-
|
-
|
Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.
New
|
CWE-80
Basic XSS
|
CVE-2026-1564
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
329
|
- |
|
-
|
-
|
Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-1711
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
330
|
6.8 |
MEDIUM
Network
|
-
|
-
|
ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arb…
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-40500
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
