|
301
|
9.9 |
CRITICAL
Network
|
-
|
-
|
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field …
Update
|
CWE-20
CWE-22
CWE-187
Improper Input Validation
Path Traversal
Partial String Comparison
|
CVE-2026-35031
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
302
|
- |
|
-
|
-
|
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not val…
Update
|
CWE-73
CWE-918
External Control of File Name or Path
Server-Side Request Forgery (SSRF)
|
CVE-2026-35032
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
303
|
- |
|
-
|
-
|
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions que…
Update
|
CWE-88
CWE-862
Argument Injection
Missing Authorization
|
CVE-2026-35033
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
304
|
- |
|
-
|
-
|
radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in…
Update
|
CWE-78
OS Command
|
CVE-2026-40499
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
305
|
- |
|
-
|
-
|
Improper input validation, Improper verification of cryptographic signature vulnerability in XQUIC Project XQUIC xquic on Linux (QUIC protocol implementation, packet processing module, STREAM frame h…
Update
|
CWE-20
CWE-347
Improper Input Validation
Improper Verification of Cryptographic Signature
|
CVE-2026-6328
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
306
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in a user's web browser.
Update
|
CWE-79
Cross-site Scripting
|
CVE-2026-26291
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
307
|
7.5 |
HIGH
Network
|
-
|
-
|
Deadwood in MaraDNS 3.5.0036 allows attackers to exhaust connection slots via a zone whose authoritative nameserver address cannot be resolved.
Update
|
CWE-670
Always-Incorrect Control Flow Implementation
|
CVE-2026-40719
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
308
|
7.5 |
HIGH
Network
|
-
|
-
|
Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts.
The _make_salt and _make_salt_bcrypt methods will attept to load Crypt::URandom and then Bytes::…
Update
|
CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
|
CVE-2026-5088
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
309
|
8.0 |
HIGH
Network
|
-
|
-
|
nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in the bridge's WebSocket server in bridge/src/server.ts, resulting f…
Update
|
CWE-1385
Missing Origin Validation in WebSockets
|
CVE-2026-35589
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
310
|
7.2 |
HIGH
Network
|
-
|
-
|
BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites and blogs, using JSON as its database. Versions prior to 2.1.3 are vulnerable to a critical Local File Inclusion (LFI) …
Update
|
CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
|
CVE-2026-39387
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
