| # | CVSS | Severity | Vector | Vendor | Product | Description | Status | CWE | CVE | Updated | Published |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 661 | 8.3 | HIGH | Network | - | - | WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privile… | New | CWE-862 Missing Authorization | CVE-2026-41454 | 2026-04-24 01:27 | 2026-04-23 |
| 662 | 8.5 | HIGH | Network | - | - | WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination va… | New | CWE-918 Server-Side Request Forgery (SSRF) | CVE-2026-41455 | 2026-04-24 01:27 | 2026-04-23 |
| 663 | 8.8 | HIGH | Network | freepbx | api | FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess() function where GraphQL mutation input fields are passed directly to shell_exec() w… | New | CWE-78 OS Command | CVE-2026-40520 | 2026-04-24 01:27 | 2026-04-21 |
| 664 | 6.1 | MEDIUM | Network | dovestones | ad_phonebook | Dovestones Softwares ADPhonebook <4.0.1.1 has a reflected cross-site scripting (XSS) vulnerability in the search parameter of the /ADPhonebook?Department=HR endpoint. User-supplied input is reflected… | New | CWE-79 Cross-site Scripting | CVE-2026-31013 | 2026-04-24 01:24 | 2026-04-22 |
| 665 | 4.7 | MEDIUM | Network | - | - | CMS ALAYA provided by KANATA Limited contains an SQL injection vulnerability. Information stored in the database may be obtained or altered by an attacker with access to the administrative interface. | New | CWE-89 SQL Injection | CVE-2026-40529 | 2026-04-24 01:23 | 2026-04-23 |
| 666 | 6.3 | MEDIUM | Network | dovestones | ad_self_update | Dovestones Softwares AD Self Update <4.0.0.5 is vulnerable to Cross Site Request Forgery (CSRF). The affected endpoint processes state-changing requests without requiring a CSRF token or equivalent p… | New | CWE-352 Origin Validation Error | CVE-2026-31014 | 2026-04-24 01:21 | 2026-04-22 |
| 667 | 6.8 | MEDIUM | Network | - | - | DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Starting in version 1.0.10 and prior to version 3.4.0, `SAFE_FOR_TEMPLATES` strips `{{...}}` expressions from untrust… | New | CWE-79 Cross-site Scripting; CWE-1289 Improper Validation of Unsafe Equivalence in Input | CVE-2026-41239 | 2026-04-24 01:18 | 2026-04-24 |
| 668 | - | | | - | - | In the Linux kernel, the following vulnerability has been resolved: net: skb: fix cross-cache free of KFENCE-allocated skb head. SKB_SMALL_HEAD_CACHE_SIZE is intentionally set to a non-power-of-2 va… | Update | - | CVE-2026-31429 | 2026-04-24 01:17 | 2026-04-20 |
| 669 | - | | | - | - | In the Linux kernel, the following vulnerability has been resolved: X.509: Fix out-of-bounds access when parsing extensions. Leo reports an out-of-bounds access when parsing a certificate with empty… | Update | - | CVE-2026-31430 | 2026-04-24 01:17 | 2026-04-20 |
| 670 | - | | | - | - | In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place. This mostly reverts commit 72548b093ee3 except for the copying of the assoc… | New | - | CVE-2026-31431 | 2026-04-24 01:17 | 2026-04-22 |