| # | CVSS | Severity | Vector | Description | CWE | CVE | Updated | Published |
|---|---|---|---|---|---|---|---|---|
| 171 | 5.0 | MEDIUM | Network | Weblate is a web based localization tool. In versions prior to 5.17, the ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects. This issue has… | CWE-918 (Server-Side Request Forgery (SSRF)) | CVE-2026-33440 | 2026-04-18 00:38 | 2026-04-16 |
| 172 | 7.4 | HIGH | Network | OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting,… | CWE-307 (Improper Restriction of Excessive Authentication Attempts) | CVE-2026-33667 | 2026-04-18 00:38 | 2026-04-16 |
| 173 | 7.7 | HIGH | Network | Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has be… | CWE-22 (Path Traversal), CWE-59 (Link Following), CWE-200 (Information Exposure) | CVE-2026-34242 | 2026-04-18 00:38 | 2026-04-16 |
| 174 | 8.8 | HIGH | Network | Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17. | CWE-269 (Improper Privilege Management) | CVE-2026-34393 | 2026-04-18 00:38 | 2026-04-16 |
| 175 | 4.1 | MEDIUM | Network | Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable … | CWE-918 (Server-Side Request Forgery (SSRF)) | CVE-2026-39845 | 2026-04-18 00:38 | 2026-04-16 |
| 176 | 5.0 | MEDIUM | Network | Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses s… | CWE-22 (Path Traversal) | CVE-2026-40256 | 2026-04-18 00:38 | 2026-04-16 |
| 177 | 5.0 | MEDIUM | Network | Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation servi… | CWE-200 (Information Exposure), CWE-918 (Server-Side Request Forgery (SSRF)) | CVE-2026-34244 | 2026-04-18 00:38 | 2026-04-16 |
| 178 | 7.8 | HIGH | Local | Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on th… | CWE-732 (Incorrect Permission Assignment for Critical Resource) | CVE-2026-22676 | 2026-04-18 00:38 | 2026-04-16 |
| 179 | - | - | - | Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role. | CWE-80 (Basic XSS) | CVE-2026-1564 | 2026-04-18 00:38 | 2026-04-16 |
| 180 | - | - | - | Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role. | CWE-79 (Cross-site Scripting) | CVE-2026-1711 | 2026-04-18 00:38 | 2026-04-16 |