|
341
|
5.0 |
MEDIUM
Network
|
-
|
-
|
Weblate is a web based localization tool. In versions prior to 5.17, repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses s…
Update
|
CWE-22
Path Traversal
|
CVE-2026-40256
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
342
|
7.8 |
HIGH
Local
|
-
|
-
|
Barracuda RMM versions prior to 2025.2.2 contain a privilege escalation vulnerability that allows local attackers to gain SYSTEM-level privileges by exploiting overly permissive filesystem ACLs on th…
Update
|
CWE-732
Incorrect Permission Assignment for Critical Resource
|
CVE-2026-22676
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
343
|
9.4 |
CRITICAL
Network
|
-
|
-
|
Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered o…
Update
|
CWE-200
CWE-215
Information Exposure
Insertion of Sensitive Information Into Debugging Code
|
CVE-2026-40173
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
344
|
- |
|
-
|
-
|
Pega Platform versions 8.1.0 through 25.1.1 are affected by an HTML Injection vulnerability in a user interface component. Requires a high privileged user with a developer role.
Update
|
CWE-80
Basic XSS
|
CVE-2026-1564
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
345
|
- |
|
-
|
-
|
Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-Site Scripting vulnerability in a user interface component. Requires a high privileged user with a developer role.
Update
|
CWE-79
Cross-site Scripting
|
CVE-2026-1711
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
346
|
6.8 |
MEDIUM
Network
|
-
|
-
|
ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arb…
Update
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-40500
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
347
|
9.1 |
CRITICAL
Network
|
-
|
-
|
A flaw was found in ArgoCD Image Updater. This vulnerability allows an attacker, with permissions to create or modify an ImageUpdater resource in a multi-tenant environment, to bypass namespace bound…
Update
|
CWE-1220
Insufficient Granularity of Access Control
|
CVE-2026-6388
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
348
|
7.8 |
HIGH
Local
|
-
|
-
|
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs she…
Update
|
CWE-20
CWE-78
Improper Input Validation
OS Command
|
CVE-2026-40176
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
349
|
6.1 |
MEDIUM
Network
|
-
|
-
|
ApostropheCMS is an open-source Node.js content management system. A regression introduced in commit 49d0bb7, included in versions 2.17.1 of the ApostropheCMS-maintained sanitize-html package bypasse…
Update
|
CWE-79
Cross-site Scripting
|
CVE-2026-40186
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
350
|
8.8 |
HIGH
Network
|
-
|
-
|
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $source…
Update
|
CWE-20
CWE-78
Improper Input Validation
OS Command
|
CVE-2026-40261
|
2026-04-18 00:38 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
