| 1131 | 6.5 | MEDIUM | Network | chamilo | chamilo_lms | Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of… | CWE-862 Missing Authorization | CVE-2026-33708 | 2026-04-17 03:25 | 2026-04-11 |
| 1132 | 7.5 | HIGH | Network | chamilo | chamilo_lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, REST API keys are generated using md5(time() + (user_id * 5) - rand(10000, 10000)). The rand(10000, 10000) call always re… | CWE-330 Use of Insufficiently Random Values | CVE-2026-33710 | 2026-04-17 03:24 | 2026-04-11 |
| 1133 | 6.5 | MEDIUM | Network | chamilo | chamilo_lms | Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can enumerate all platform users and access personal information (email, phone, roles… | CWE-639 Authorization Bypass Through User-Controlled Key | CVE-2026-33736 | 2026-04-17 03:23 | 2026-04-11 |
| 1134 | 6.5 | MEDIUM | Network | chamilo | chamilo_lms | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, multiple files use simplexml_load_string() without XXE protection. With LIBXML_NOENT flag, arbitrary server files can be … | CWE-611 XXE | CVE-2026-33737 | 2026-04-17 03:22 | 2026-04-11 |
| 1135 | 6.8 | MEDIUM | Physical | samsung | android | Improper input validation in data related to network restrictions prior to SMR Apr-2026 Release 1 allows physical attackers to bypass the restrictions. | NVD-CWE-noinfo | CVE-2026-21003 | 2026-04-17 02:25 | 2026-04-13 |
| 1136 | 5.5 | MEDIUM | Local | samsung | galaxy_wearable | Incorrect default permission in Galaxy Wearable prior to version 2.2.68.26 allows local attackers to access sensitive information. | CWE-276 Incorrect Default Permissions | CVE-2026-21013 | 2026-04-17 02:24 | 2026-04-13 |
| 1137 | 2.8 | LOW | Local | samsung | camera | Improper access control in Samsung Camera prior to version 16.5.00.28 allows local attacker to access location data. User interaction is required for triggering this vulnerability. | NVD-CWE-noinfo | CVE-2026-21014 | 2026-04-17 02:23 | 2026-04-13 |
| 1138 | 8.5 | HIGH | Network | gitlab | gitlab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.9.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user to invoke u… | CWE-749 Exposed Dangerous Method or Function | CVE-2026-5173 | 2026-04-17 01:44 | 2026-04-9 |
| 1139 | 8.8 | HIGH | Network | google | chrome | Use after free in Media in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) | CWE-416 Use After Free | CVE-2026-5883 | 2026-04-17 01:36 | 2026-04-9 |
| 1140 | 5.3 | MEDIUM | Network | google | chrome | Race in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severit… | CWE-362 Race Condition | CVE-2026-5890 | 2026-04-17 01:35 | 2026-04-9 |