|
41
|
6.8 |
MEDIUM
Network
|
-
|
-
|
The AsyncHttpClient (AHC) library allows Java applications to easily execute HTTP requests and asynchronously process HTTP responses. When redirect following is enabled (followRedirect(true)), versio…
New
|
CWE-200
Information Exposure
|
CVE-2026-40490
|
2026-04-18 11:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
42
|
- |
|
-
|
-
|
editorconfig-core-c is an EditorConfig core library for use by plugins supporting EditorConfig parsing. Versions up to and including 0.12.10 have a stack-based buffer overflow in ec_glob() that allo…
New
|
CWE-121
CWE-787
Stack-based Buffer Overflow
Out-of-bounds Write
|
CVE-2026-40489
|
2026-04-18 11:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
43
|
8.9 |
HIGH
Network
|
-
|
-
|
Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to t…
New
|
CWE-79
CWE-345
CWE-434
Cross-site Scripting
Insufficient Verification of Data Authenticity
Unrestricted Upload of File with Dangerous Type
|
CVE-2026-40487
|
2026-04-18 11:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
44
|
8.8 |
HIGH
Local
|
-
|
-
|
Emissary is a P2P based data-driven workflow engine. In versions 8.42.0 and below, Executrix.getCommand() is vulnerable to OS command injection because it interpolates temporary file paths into a /b…
New
|
CWE-78
CWE-116
OS Command
Improper Encoding or Escaping of Output
|
CVE-2026-35582
|
2026-04-18 11:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
45
|
6.1 |
MEDIUM
Network
|
-
|
-
|
The Hostel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode_id' parameter in all versions up to, and including, 1.1.6 due to insufficient input sanitization and…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-1838
|
2026-04-18 11:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
46
|
6.4 |
MEDIUM
Network
|
-
|
-
|
The Youzify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'checkin_place_id' parameter in all versions up to, and including, 1.3.6 due to insufficient input sanitization a…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-1559
|
2026-04-18 11:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
47
|
9.0 |
CRITICAL
Local
|
-
|
-
|
NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 15 (MemoryMapRange) allows Ring 3 user-mode processes to map arbitrary virtual address …
New
|
CWE-269
Improper Privilege Management
|
CVE-2026-40572
|
2026-04-18 10:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
48
|
8.8 |
HIGH
Network
|
-
|
-
|
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use t…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-40350
|
2026-04-18 10:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
49
|
9.3 |
CRITICAL
Local
|
-
|
-
|
NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 12 (JumpToUser) accepts an arbitrary entry point address from user-space registers with…
New
|
CWE-20
CWE-269
Improper Input Validation
Improper Privilege Management
|
CVE-2026-40317
|
2026-04-18 10:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
50
|
7.5 |
HIGH
Network
|
-
|
-
|
SecureDrop Client is a desktop app for journalists to securely communicate with sources and handle submissions on the SecureDrop Workstation. In versions 0.17.4 and below, a compromised SecureDrop Se…
New
|
CWE-36
CWE-73
Absolute Path Traversal
External Control of File Name or Path
|
CVE-2026-35465
|
2026-04-18 10:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
