|
391
|
4.9 |
MEDIUM
Network
|
-
|
-
|
Valtimo is an open-source business process automation platform. In versions 13.0.0 through 13.21.0, the InboxHandlingService logs the full content of every incoming inbox message at INFO level. Inbox…
New
|
CWE-532
Inclusion of Sensitive Information in Log Files
|
CVE-2026-34164
|
2026-04-18 00:38 |
2026-04-17 |
|
392
|
- |
|
-
|
-
|
spdystream is a Go library for multiplexing streams over SPDY connections. In versions 0.5.0 and below, the SPDY/3 frame parser does not validate attacker-controlled counts and lengths before allocat…
New
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-35469
|
2026-04-18 00:38 |
2026-04-17 |
|
393
|
7.5 |
HIGH
Network
|
-
|
-
|
ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack bu…
New
|
CWE-121
Stack-based Buffer Overflow
|
CVE-2026-40170
|
2026-04-18 00:38 |
2026-04-17 |
|
394
|
- |
|
-
|
-
|
free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for creating or updating Traffic Influence Subscriptions checks whether th…
New
|
CWE-285 CWE-636
Improper Authorization; Not Failing Securely ('Failing Open')
|
CVE-2026-40248
|
2026-04-18 00:38 |
2026-04-17 |
|
395
|
8.1 |
HIGH
Network
|
-
|
-
|
sagredo qmail before 2026.04.07 allows tls_quit remote code execution because of popen in notlshosts_auto in qmail-remote.c.
New
|
CWE-78
OS Command
|
CVE-2026-41113
|
2026-04-18 00:38 |
2026-04-17 |
|
396
|
4.3 |
MEDIUM
Network
|
-
|
-
|
Vision Helpdesk before 5.7.0 (patched in 5.6.10) allows attackers to read user profiles via modified serialized cookie data to vis_client_id.
New
|
CWE-425
Direct Request ('Forced Browsing')
|
CVE-2024-58343
|
2026-04-18 00:38 |
2026-04-17 |
|
397
|
8.5 |
HIGH
Network
|
-
|
-
|
SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id pa…
New
|
CWE-24
Path Traversal: '../filedir'
|
CVE-2026-40318
|
2026-04-18 00:38 |
2026-04-17 |
|
398
|
8.6 |
HIGH
Network
|
-
|
-
|
Cloud Foundry UAA is vulnerable to a bypass that allows an attacker to obtain a token for any user and gain access to UAA-protected systems. This vulnerability exists when SAML 2.0 bearer assertions …
New
|
CWE-290
Authentication Bypass by Spoofing
|
CVE-2026-22734
|
2026-04-18 00:38 |
2026-04-17 |
|
399
|
- |
|
-
|
-
|
free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the PUT handler for updating Policy Data notification subscriptions at /nudr-dr/v2/pol…
New
|
CWE-636 CWE-754
Not Failing Securely ('Failing Open'); Improper Check for Unusual or Exceptional Conditions
|
CVE-2026-40249
|
2026-04-18 00:38 |
2026-04-17 |
|
400
|
- |
|
-
|
-
|
My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied argument…
New
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-40308
|
2026-04-18 00:38 |
2026-04-17 |