|
241
|
9.8 |
CRITICAL
Network
|
-
|
-
|
An issue in the <code>pickle</code> protocol of Pyro v3.x allows attackers to execute arbitrary code via supplying a crafted pickled string message.
Update
|
CWE-94
Code Injection
|
CVE-2026-31048
|
2026-04-18 00:38 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
242
|
7.5 |
HIGH
Network
|
-
|
-
|
nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, an untrusted peer could crash a validator by …
Update
|
CWE-125
CWE-193
Out-of-bounds Read
Off-by-one Error
|
CVE-2026-32605
|
2026-04-18 00:38 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
243
|
4.3 |
MEDIUM
Network
|
-
|
-
|
EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have an authenticated Server-Side Request Forgery (SSRF) vulnerability that allows bypassing the inter…
Update
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-33534
|
2026-04-18 00:38 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
244
|
4.6 |
MEDIUM
Network
|
-
|
-
|
EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard (non-admin…
Update
|
CWE-80
CWE-116
Basic XSS
Improper Encoding or Escaping of Output
|
CVE-2026-33657
|
2026-04-18 00:38 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
245
|
8.8 |
HIGH
Network
|
-
|
-
|
A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a fu…
Update
|
CWE-269
CWE-639
Improper Privilege Management
Authorization Bypass Through User-Controlled Key
|
CVE-2026-38529
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
246
|
8.1 |
HIGH
Network
|
-
|
-
|
A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently…
Update
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-38530
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
247
|
8.1 |
HIGH
Network
|
-
|
-
|
A Broken Object-Level Authorization (BOLA) in the /Contact/Persons/PersonController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanentl…
Update
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-38532
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
248
|
6.5 |
MEDIUM
Network
|
-
|
-
|
An improper authorization vulnerability in the /api/v1/users/{id} endpoint of Snipe-IT v8.4.0 allows authenticated attackers with the users.edit permission to modify sensitive authentication and acco…
Update
|
CWE-285
Improper Authorization
|
CVE-2026-38533
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
249
|
4.9 |
MEDIUM
Network
|
-
|
-
|
October is a Content Management System (CMS) and web platform. Versions prior to 3.7.13 and versions 4.0.0 through 4.1.4 contain a sandbox bypass vulnerability in the optional Twig safe mode feature …
Update
|
CWE-284
CWE-693
Improper Access Control
Protection Mechanism Failure
|
CVE-2026-22692
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
250
|
9.8 |
CRITICAL
Network
|
-
|
-
|
An issue pertaining to CWE-843: Access of Resource Using Incompatible Type was discovered in transloadit uppy v0.25.6.
Update
|
CWE-843
Type Confusion
|
CVE-2025-70023
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
