|
331
|
8.8 |
HIGH
Network
|
-
|
-
|
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attacker can bypass the "old password" verific…
New
|
CWE-943
Improper Neutralization of Special Elements in Data Query Logic
|
CVE-2026-40352
|
2026-04-18 07:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
332
|
9.8 |
CRITICAL
Network
|
-
|
-
|
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attac…
New
|
CWE-943
Improper Neutralization of Special Elements in Data Query Logic
|
CVE-2026-40351
|
2026-04-18 07:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
333
|
8.0 |
HIGH
Network
|
-
|
-
|
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could incl…
New
|
CWE-87
Improper Neutralization of Alternate XSS Syntax
|
CVE-2026-40321
|
2026-04-18 07:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
334
|
- |
|
-
|
-
|
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. All new installations of DNN 10.x.x - 10.2.1 have the same Host GUID. This does not affec…
New
|
CWE-330
Use of Insufficiently Random Values
|
CVE-2026-40306
|
2026-04-18 07:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
335
|
4.3 |
MEDIUM
Network
|
-
|
-
|
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user cou…
New
|
CWE-285
Improper Authorization
|
CVE-2026-40305
|
2026-04-18 07:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
336
|
5.3 |
MEDIUM
Network
|
-
|
-
|
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a …
New
|
CWE-284
CWE-863
Improper Access Control
Incorrect Authorization
|
CVE-2026-40304
|
2026-04-18 07:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
337
|
9.1 |
CRITICAL
Network
|
-
|
-
|
The Gramps Web API is a Python REST API for the genealogical research software Gramps. Versions 1.6.0 through 3.11.0 have a path traversal vulnerability (Zip Slip) in the media archive import feature…
New
|
CWE-22
Path Traversal
|
CVE-2026-40258
|
2026-04-18 07:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
338
|
8.8 |
HIGH
Network
|
chamilo
|
chamilo_lms
|
Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An at…
Update
|
CWE-95
Eval Injection
|
CVE-2026-33618
|
2026-04-18 07:03 |
2026-04-11 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
339
|
7.8 |
HIGH
Local
|
-
|
-
|
radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can embed malicious r2 command sequences as DWARF DW_TAG_formal_pa…
New
|
CWE-78
OS Command
|
CVE-2026-40527
|
2026-04-18 06:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
340
|
7.5 |
HIGH
Network
|
-
|
-
|
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, cou…
New
|
CWE-400
CWE-789
Uncontrolled Resource Consumption
Memory Allocation with Excessive Size Value
|
CVE-2026-40303
|
2026-04-18 06:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
