|
681
|
5.4 |
MEDIUM
Network
|
wwbn
|
avideo
|
WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/` accept state-changing requests via `$_REQUEST`/`$_GET` and persist changes ti…
New
|
CWE-352
Origin Validation Error
|
CVE-2026-40928
|
2026-04-24 00:49 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
682
|
5.4 |
MEDIUM
Network
|
wwbn
|
avideo
|
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It …
New
|
CWE-352
Origin Validation Error
|
CVE-2026-40929
|
2026-04-24 00:48 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
683
|
7.1 |
HIGH
Network
|
wwbn
|
avideo
|
WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints — `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRu…
New
|
CWE-352
Origin Validation Error
|
CVE-2026-40926
|
2026-04-24 00:48 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
684
|
9.9 |
CRITICAL
Network
|
flowiseai
|
flowise
|
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker ca…
New
|
CWE-78
OS Command
|
CVE-2026-40933
|
2026-04-24 00:40 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
685
|
7.1 |
HIGH
Local
|
apktool
|
apktool
|
Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 and 3.0.1, a path traversal vulnerability in `brut/androlib/res/decoder/ResFileDecoder.java` allows a maliciously crafte…
New
|
CWE-22
Path Traversal
|
CVE-2026-39973
|
2026-04-24 00:39 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
686
|
9.1 |
CRITICAL
Network
|
-
|
-
|
Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields direct…
New
|
CWE-89
SQL Injection
|
CVE-2026-41167
|
2026-04-24 00:37 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
687
|
9.1 |
CRITICAL
Network
|
-
|
-
|
EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an au…
New
|
CWE-22
Path Traversal
|
CVE-2026-33656
|
2026-04-24 00:37 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
688
|
7.5 |
HIGH
Network
|
gnu
|
glibc
|
Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library versio…
New
|
CWE-127
Buffer Under-read
|
CVE-2026-5928
|
2026-04-24 00:33 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
689
|
9.8 |
CRITICAL
Network
|
gnu
|
glibc
|
Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 cou…
New
|
CWE-122
CWE-787
Heap-based Buffer Overflow
Out-of-bounds Write
|
CVE-2026-5450
|
2026-04-24 00:33 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
690
|
9.0 |
CRITICAL
Network
|
gitroom
|
postiz
|
Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to t…
Update
|
CWE-79
CWE-345
CWE-434
Cross-site Scripting
Insufficient Verification of Data Authenticity
Unrestricted Upload of File with Dangerous Type
|
CVE-2026-40487
|
2026-04-24 00:27 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
