|
301
|
8.8 |
HIGH
Local
|
-
|
-
|
Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand() is vulnerable to OS command injection because it interpolates temporary file paths into a /b…
|
CWE-78
CWE-116
OS Command
Improper Encoding or Escaping of Output
|
CVE-2026-35582
|
2026-04-18 11:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
302
|
6.1 |
MEDIUM
Network
|
-
|
-
|
The Hostel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode_id' parameter in all versions up to, and including, 1.1.6 due to insufficient input sanitization and…
|
CWE-79
Cross-site Scripting
|
CVE-2026-1838
|
2026-04-18 11:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
303
|
6.4 |
MEDIUM
Network
|
-
|
-
|
The Youzify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'checkin_place_id' parameter in all versions up to, and including, 1.3.6 due to insufficient input sanitization a…
|
CWE-79
Cross-site Scripting
|
CVE-2026-1559
|
2026-04-18 11:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
304
|
9.0 |
CRITICAL
Local
|
-
|
-
|
NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 15 (MemoryMapRange) allows Ring 3 user-mode processes to map arbitrary virtual address …
|
CWE-269
Improper Privilege Management
|
CVE-2026-40572
|
2026-04-18 10:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
305
|
8.8 |
HIGH
Network
|
-
|
-
|
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use t…
|
CWE-863
Incorrect Authorization
|
CVE-2026-40350
|
2026-04-18 10:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
306
|
7.5 |
HIGH
Network
|
-
|
-
|
SecureDrop Client is a desktop app for journalists to securely communicate with sources and handle submissions on the SecureDrop Workstation. In versions 0.17.4 and below, a compromised SecureDrop Se…
|
CWE-36
CWE-73
Absolute Path Traversal
External Control of File Name or Path
|
CVE-2026-35465
|
2026-04-18 10:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
307
|
8.8 |
HIGH
Network
|
-
|
-
|
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=…
|
CWE-862
Missing Authorization
|
CVE-2026-40349
|
2026-04-18 09:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
308
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Python-Multipart is a streaming multipart parser for Python. Versions prior to 0.0.26 have a denial of service vulnerability when parsing crafted `multipart/form-data` requests with large preamble or…
|
CWE-400
CWE-834
Uncontrolled Resource Consumption
Excessive Iteration
|
CVE-2026-40347
|
2026-04-18 09:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
309
|
- |
|
-
|
-
|
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request ac…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-40346
|
2026-04-18 09:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
310
|
3.5 |
LOW
Physics
|
-
|
-
|
libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, an out of bound read in ptp_unpack_EOS_FocusInfoEx could be used to crash libgphoto2 when processing input f…
|
CWE-126
Buffer Over-read
|
CVE-2026-40341
|
2026-04-18 09:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
