|
321
|
7.5 |
HIGH
Network
|
-
|
-
|
The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the `/wp-json/wp/v2/eablocks/ea_appointments/` REST API en…
|
CWE-200
Information Exposure
|
CVE-2026-2262
|
2026-04-18 09:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
322
|
- |
|
-
|
-
|
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
|
-
|
CVE-2026-5250
|
2026-04-18 08:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
323
|
4.3 |
MEDIUM
Network
|
-
|
-
|
Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies submitted preference values without chec…
|
CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
|
CVE-2026-40486
|
2026-04-18 08:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
324
|
- |
|
-
|
-
|
monetr is a budgeting application for recurring expenses. In versions 1.12.3 and below, the public Stripe webhook endpoint buffers the entire request body into memory before validating the Stripe sig…
|
CWE-400
Uncontrolled Resource Consumption
|
CVE-2026-40481
|
2026-04-18 08:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
325
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote characters. When a us…
|
CWE-79
Cross-site Scripting
|
CVE-2026-40479
|
2026-04-18 08:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
326
|
6.4 |
MEDIUM
Network
|
-
|
-
|
The Pz-LinkCard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blogcard' shortcode attributes in all versions up to, and including, 2.5.8.1 due to insufficient input sanit…
|
CWE-79
Cross-site Scripting
|
CVE-2026-2434
|
2026-04-18 08:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
327
|
9.0 |
CRITICAL
Network
|
-
|
-
|
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanism…
|
CWE-917
CWE-1336
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Improper Neutralization of Special Elements Used in a Template Engine
|
CVE-2026-40478
|
2026-04-18 07:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
328
|
9.0 |
CRITICAL
Network
|
-
|
-
|
Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the expression execution mechanisms. A…
|
CWE-917
CWE-1336
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Improper Neutralization of Special Elements Used in a Template Engine
|
CVE-2026-40477
|
2026-04-18 07:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
329
|
- |
|
-
|
-
|
graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same response n…
|
CWE-407
Inefficient Algorithmic Complexity
|
CVE-2026-40476
|
2026-04-18 07:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
330
|
7.6 |
HIGH
Network
|
-
|
-
|
wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead…
|
CWE-284
CWE-862
Improper Access Control
Missing Authorization
|
CVE-2026-40474
|
2026-04-18 07:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
