| # | CVSS | Severity | Attack vector | Description | CWE | CVE | Published | Updated | Status |
|---|---|---|---|---|---|---|---|---|---|
| 111 | 3.1 | LOW | Network | Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. In versions prior to 2.0.0, file upload endpoints render user-supplied filenames directly into HTML … | CWE-20 (Improper Input Validation), CWE-79 (Cross-site Scripting), CWE-116 (Improper Encoding or Escaping of Output) | CVE-2026-33436 | 2026-04-18 06:16 | 2026-04-18 | New |
| 112 | 6.3 | MEDIUM | Network | xrdp is an open source RDP server. Versions through 0.10.5 allow an authenticated remote user to execute arbitrary commands on the server due to unsafe handling of the AlternateShell parameter in xrd… | CWE-78 (OS Command) | CVE-2026-33145 | 2026-04-18 06:16 | 2026-04-18 | New |
| 113 | - | - | - | Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. In versions prior to 23.0.0, the ODT to PDF conversion process in odf.php concatenates … | CWE-78 (OS Command) | CVE-2026-23500 | 2026-04-18 06:16 | 2026-04-18 | New |
| 114 | 7.5 | HIGH | Network | Anviz CX2 Lite and CX7 are vulnerable to unauthenticated POST requests that modify debug settings (e.g., enabling SSH), allowing unauthorized state changes that can facilitate later compromise. | CWE-306 (Missing Authentication for Critical Function) | CVE-2026-40461 | 2026-04-18 05:16 | 2026-04-18 | New |
| 115 | 8.1 | HIGH | Adjacent | Anviz CrossChex Standard lacks source verification in the client/server channel, enabling TCP packet injection by an attacker on the same network to alter or disrupt application traffic. | CWE-940 (Improper Verification of Source of a Communication Channel) | CVE-2026-40434 | 2026-04-18 05:16 | 2026-04-18 | New |
| 116 | 9.9 | CRITICAL | Network | Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, the external engine plugin loader concatenates a user-supplied engine name into a files… | CWE-22 (Path Traversal), CWE-73 (External Control of File Name or Path), CWE-94 (Code Injection), CWE-427 (Uncontrolled Search Path Element) | CVE-2026-40342 | 2026-04-18 05:16 | 2026-04-18 | New |
| 117 | 6.8 | MEDIUM | Network | WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the … | CWE-79 (Cross-site Scripting) | CVE-2026-40283 | 2026-04-18 05:16 | 2026-04-18 | New |
| 118 | 8.8 | HIGH | Network | Anviz CX2 Lite and CX7 are vulnerable to unverified update packages that can be uploaded. The device unpacks and executes a script resulting in unauthenticated remote code execution. | CWE-494 (Download of Code Without Integrity Check) | CVE-2026-40066 | 2026-04-18 05:16 | 2026-04-18 | New |
| 119 | 8.8 | HIGH | Network | Anviz CX2 Lite is vulnerable to an authenticated command injection via a filename parameter that enables arbitrary command execution (e.g., starting telnetd), resulting in root-level access. | CWE-77 (Command Injection) | CVE-2026-35682 | 2026-04-18 05:16 | 2026-04-18 | New |
| 120 | 9.8 | CRITICAL | Network | Anviz CX2 Lite and CX7 are vulnerable to unauthenticated firmware uploads. This causes crafted archives to be accepted, enabling attackers to plant and execute code and obtain a reverse shell. | CWE-306 (Missing Authentication for Critical Function) | CVE-2026-35546 | 2026-04-18 05:16 | 2026-04-18 | New |