|
681
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Pachno 1.0.6 contains an open redirection vulnerability that allows attackers to redirect users to arbitrary external websites by manipulating the return_to parameter. Attackers can craft malicious l…
|
CWE-305
Authentication Bypass by Primary Weakness
|
CVE-2026-40039
|
2026-04-18 00:28 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
682
|
8.8 |
HIGH
Network
|
-
|
-
|
Pachno 1.0.6 contains an unrestricted file upload vulnerability that allows authenticated users to upload arbitrary file types by bypassing ineffective extension filtering to the /uploadfile endpoint…
|
CWE-434
Unrestricted Upload of File with Dangerous Type
|
CVE-2026-40040
|
2026-04-18 00:28 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
683
|
4.3 |
MEDIUM
Network
|
-
|
-
|
Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-chang…
|
CWE-352
Origin Validation Error
|
CVE-2026-40041
|
2026-04-18 00:28 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
684
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Pachno 1.0.6 contains an XML external entity injection vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting unsafe XML parsing in the TextParser helper. Attackers…
|
CWE-403
Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
|
CVE-2026-40042
|
2026-04-18 00:28 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
685
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser() action that allows authenticated low-privilege users to escalate privileges by manipulating the original_username c…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-40043
|
2026-04-18 00:28 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
686
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Pachno 1.0.6 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary code by injecting malicious serialized objects into cache files. Attackers can write P…
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-40044
|
2026-04-18 00:28 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
687
|
- |
|
-
|
-
|
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users w…
|
CWE-200
CWE-862
Information Exposure
Missing Authorization
|
CVE-2026-32270
|
2026-04-18 00:26 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
688
|
- |
|
-
|
-
|
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, there is an SQL injection vulnerability in the Commerce TotalRevenue widget which allo…
|
CWE-89
SQL Injection
|
CVE-2026-32271
|
2026-04-18 00:26 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
689
|
- |
|
-
|
-
|
Craft Commerce is an ecommerce platform for Craft CMS. In versions 5.0.0 through 5.5.4, an SQL injection vulnerability exists where the ProductQuery::hasVariant and VariantQuery::hasProduct propertie…
|
CWE-89
SQL Injection
|
CVE-2026-32272
|
2026-04-18 00:26 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
690
|
5.3 |
MEDIUM
Network
|
-
|
-
|
ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-189 and 6.9.13-44, when `Magick` parses an XML file it is possible that a single…
|
CWE-122
CWE-191
Heap-based Buffer Overflow
Integer Underflow (Wrap or Wraparound)
|
CVE-2026-33899
|
2026-04-18 00:26 |
2026-04-14 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
