|
271
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Totara LMS v19.1.5 and before is vulnerable to Incorrect Access Control. The login page code can be manipulated to reveal the login form. An attacker can chain that with missing rate-limit on the log…
Update
|
CWE-284
Improper Access Control
|
CVE-2026-31282
|
2026-04-18 00:35 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
272
|
9.8 |
CRITICAL
Network
|
-
|
-
|
In Totara LMS v19.1.5 and before, the forgot password API does not implement rate limiting for the target email address. which can be used for an Email Bombing attack.
Update
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-31283
|
2026-04-18 00:35 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
273
|
8.8 |
HIGH
Network
|
-
|
-
|
A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `s…
Update
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-1462
|
2026-04-18 00:34 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
274
|
6.2 |
MEDIUM
Local
|
-
|
-
|
A stack overflow in the experimental/tinyobj_loader_opt.h file of tinyobjloader commit d56555b allows attackers to cause a Denial of Service (DoS) via supplying a crafted .mtl file.
Update
|
CWE-121
Stack-based Buffer Overflow
|
CVE-2026-29628
|
2026-04-18 00:34 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
275
|
7.5 |
HIGH
Network
|
-
|
-
|
An out-of-bounds read in the read_global_param() function (libavcodec/av1dec.c) of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.
Update
|
CWE-125
Out-of-bounds Read
|
CVE-2026-30997
|
2026-04-18 00:34 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
276
|
7.5 |
HIGH
Network
|
-
|
-
|
An improper resource deallocation and closure vulnerability in the tools/zmqsend.c component of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input file.
Update
|
CWE-400
Uncontrolled Resource Consumption
|
CVE-2026-30998
|
2026-04-18 00:34 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
277
|
- |
|
-
|
-
|
ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, wou…
Update
|
CWE-601
Open Redirect
|
CVE-2026-39940
|
2026-04-18 00:33 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
278
|
8.8 |
HIGH
Network
|
-
|
-
|
In Phpgurukul Online Course Registration v3.1, an arbitrary file upload vulnerability was discovered within the profile picture upload functionality on the /my-profile.php page.
Update
|
CWE-94
Code Injection
|
CVE-2025-51414
|
2026-04-18 00:33 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
279
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Vtiger CRM 8.4.0 contains a reflected cross-site scripting (XSS) vulnerability in the MailManager module. Improper handling of user-controlled input in the _folder parameter allows a specially crafte…
Update
|
CWE-79
Cross-site Scripting
|
CVE-2025-70936
|
2026-04-18 00:33 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
280
|
6.1 |
MEDIUM
Network
|
-
|
-
|
A HTML Injection vulnerability exists in the Dashboard module of Vtiger CRM 8.4.0. The application fails to properly neutralize user-supplied input in the tabid parameter of the DashBoardTab view (ge…
Update
|
CWE-80
Basic XSS
|
CVE-2026-26460
|
2026-04-18 00:33 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
