| 341 | 6.1 | MEDIUM Network | - | - | zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/… | New | CWE-79 (Cross-site Scripting), CWE-116 (Improper Encoding or Escaping of Output) | CVE-2026-40302 | 2026-04-18 06:16 | 2026-04-18 |
| 342 | 4.7 | MEDIUM Network | - | - | DOMSanitizer is a DOM/SVG/MathML Sanitizer for PHP 7.3+. Prior to version 1.0.10, DOMSanitizer::sanitize() allows <style> elements in SVG content but never inspects their text content. CSS url() refe… | New | CWE-79 (Cross-site Scripting) | CVE-2026-40301 | 2026-04-18 06:16 | 2026-04-18 |
| 343 | - | | - | - | next-intl provides internationalization for Next.js. Applications using the `next-intl` middleware prior to version 4.9.1 with `localePrefix: 'as-needed'` could construct URLs where path handling and … | New | CWE-601 (Open Redirect) | CVE-2026-40299 | 2026-04-18 06:16 | 2026-04-18 |
| 344 | 6.5 | MEDIUM Network | - | - | OpenFGA is an authorization/permission engine built for developers. In versions 0.1.4 through 1.13.1, when OpenFGA is configured to use preshared-key authentication with the built-in playground enabl… | New | CWE-200 (Information Exposure) | CVE-2026-40293 | 2026-04-18 06:16 | 2026-04-18 |
| 345 | 7.5 | HIGH Network | - | - | WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the 'Member Registration' (Cadastrar Sócio) functi… | New | CWE-79 (Cross-site Scripting) | CVE-2026-40286 | 2026-04-18 06:16 | 2026-04-18 |
| 346 | 6.8 | MEDIUM Network | - | - | WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the … | New | CWE-79 (Cross-site Scripting) | CVE-2026-40284 | 2026-04-18 06:16 | 2026-04-18 |
| 347 | - | | - | - | WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript into the… | New | CWE-79 (Cross-site Scripting) | CVE-2026-40282 | 2026-04-18 06:16 | 2026-04-18 |
| 348 | 8.1 | HIGH Network | - | - | HomeBox is a home inventory and organization system. Versions prior to 0.25.0 contain a vulnerability where the defaultGroup ID remained permanently assigned to a user after being invited to a group,… | New | CWE-708 (Incorrect Ownership Assignment) | CVE-2026-40196 | 2026-04-18 06:16 | 2026-04-18 |
| 349 | 5.4 | MEDIUM Network | - | - | The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In versions 4.12.0 through 4.17.1, simultaneous requests that trigger a nonce retry may cause the prox… | New | CWE-362 (Race Condition), CWE-863 (Incorrect Authorization) | CVE-2026-40155 | 2026-04-18 06:16 | 2026-04-18 |
| 350 | - | | - | - | Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without va… | New | CWE-426 (Untrusted Search Path) | CVE-2026-35603 | 2026-04-18 06:16 | 2026-04-18 |