|
131
|
5.4 |
MEDIUM
Network
|
b3log
|
siyuan
|
SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering (incomplete fix for CVE-2026-33066) enabled the Lute HTM…
|
CWE-79
Cross-site Scripting
|
CVE-2026-40922
|
2026-04-21 01:16 |
2026-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
132
|
- |
|
-
|
-
|
radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in…
|
CWE-78
OS Command
|
CVE-2026-40499
|
2026-04-21 01:16 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
133
|
8.9 |
HIGH
Network
|
-
|
-
|
Postiz is an AI social media scheduling tool. Prior to version 2.21.6, a file upload validation bypass allows any authenticated user to upload arbitrary HTML, SVG, or other executable file types to t…
|
CWE-79
CWE-345
CWE-434
Cross-site Scripting
Insufficient Verification of Data Authenticity
Unrestricted Upload of File with Dangerous Type
|
CVE-2026-40487
|
2026-04-21 01:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
134
|
9.3 |
CRITICAL
Local
|
-
|
-
|
NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 12 (JumpToUser) accepts an arbitrary entry point address from user-space registers with…
|
CWE-20
CWE-269
Improper Input Validation
Improper Privilege Management
|
CVE-2026-40317
|
2026-04-21 01:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
135
|
- |
|
-
|
-
|
free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for creating or updating Traffic Influence Subscriptions checks whether th…
|
CWE-285
CWE-636
Improper Authorization
Not Failing Securely ('Failing Open')
|
CVE-2026-40248
|
2026-04-21 01:16 |
2026-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
136
|
7.5 |
HIGH
Network
|
-
|
-
|
ngtcp2 is a C implementation of the IETF QUIC protocol. In versions prior to 1.22.1, ngtcp2_qlog_parameters_set_transport_params() serializes peer transport parameters into a fixed 1024-byte stack bu…
|
CWE-121
Stack-based Buffer Overflow
|
CVE-2026-40170
|
2026-04-21 01:16 |
2026-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
137
|
5.3 |
MEDIUM
Network
|
-
|
-
|
Information exposure vulnerability has been identified in Apache Kafka.
The NetworkClient component will output entire requests and responses information in the DEBUG log level in the logs. By defau…
|
CWE-533
|
CVE-2026-33558
|
2026-04-21 01:16 |
2026-04-20 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
138
|
9.1 |
CRITICAL
Network
|
-
|
-
|
A possible security vulnerability has been identified in Apache Kafka.
By default, the broker property `sasl.oauthbearer.jwt.validator.class` is set to `org.apache.kafka.common.security.oauthbearer.…
|
CWE-1285
Improper Validation of Specified Index, Position, or Offset in Input
|
CVE-2026-33557
|
2026-04-21 01:16 |
2026-04-20 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
139
|
4.8 |
MEDIUM
Network
|
-
|
-
|
Cryptomator is an open-source client-side encryption application for cloud storage. Version 1.19.1 contains a logic flaw in CheckHostTrustController.getAuthority() that allows an attacker to bypass t…
|
CWE-305
CWE-319
Authentication Bypass by Primary Weakness
Cleartext Transmission of Sensitive Information
|
CVE-2026-33472
|
2026-04-21 01:16 |
2026-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
140
|
7.5 |
HIGH
Network
|
-
|
-
|
UI / API User with asset materialize permission could trigger dags they had no access to.
Users are advised to migrate to Airflow version 3.2.0 that fixes the issue.
|
CWE-863
Incorrect Authorization
|
CVE-2026-32228
|
2026-04-21 01:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
