|
561
|
5.0 |
MEDIUM
Network
|
-
|
-
|
Weblate is a web based localization tool. In versions prior to 5.17, a user with the project.edit permission (granted by the per-project "Administration" role) can configure machine translation servi…
|
CWE-200
CWE-918
Information Exposure
Server-Side Request Forgery (SSRF)
|
CVE-2026-34244
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
562
|
8.8 |
HIGH
Network
|
-
|
-
|
Weblate is a web based localization tool. In versions prior to 5.17, the user patching API endpoint didn't properly limit the scope of edits. This issue has been fixed in version 5.17.
|
CWE-269
Improper Privilege Management
|
CVE-2026-34393
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
563
|
4.1 |
MEDIUM
Network
|
-
|
-
|
Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable …
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-39845
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
564
|
5.0 |
MEDIUM
Network
|
-
|
-
|
Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses s…
|
CWE-22
Path Traversal
|
CVE-2026-40256
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
565
|
7.8 |
HIGH
Local
|
-
|
-
|
Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on th…
|
CWE-732
Incorrect Permission Assignment for Critical Resource
|
CVE-2026-22676
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
566
|
9.4 |
CRITICAL
Network
|
-
|
-
|
Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered o…
|
CWE-200
CWE-215
Information Exposure
Insertion of Sensitive Information Into Debugging Code
|
CVE-2026-40173
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
567
|
7.8 |
HIGH
Local
|
-
|
-
|
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs she…
|
CWE-20
CWE-78
Improper Input Validation
OS Command
|
CVE-2026-40176
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
568
|
6.1 |
MEDIUM
Network
|
-
|
-
|
ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1 of the ApostropheCMS-maintained sanitize-html package bypasse…
|
CWE-79
Cross-site Scripting
|
CVE-2026-40186
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
569
|
8.8 |
HIGH
Network
|
-
|
-
|
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $source…
|
CWE-20
CWE-78
Improper Input Validation
OS Command
|
CVE-2026-40261
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
570
|
- |
|
-
|
-
|
Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.
|
CWE-80
Basic XSS
|
CVE-2026-1564
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
