# | CVE | CVSS score, severity, attack vector | vendor / product | CWE | status | dates (updated / published)

781 | CVE-2026-40935 | 5.3 MEDIUM, Network | wwbn / avideo | CWE-804 Guessable CAPTCHA | New | 2026-04-24 00:50 / 2026-04-22
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/getCaptcha.php` accepts the CAPTCHA length (`ql`) directly from the query string with no clamping or sanitization, l…

782 | CVE-2026-40931 | 7.8 HIGH, Local | node-modules / compressing | CWE-59 Link Following | New | 2026-04-24 00:49 / 2026-04-22
Compressing is a compressing and uncompressing library for Node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility…

783 | CVE-2026-40928 | 5.4 MEDIUM, Network | wwbn / avideo | CWE-352 Cross-Site Request Forgery (CSRF) | New | 2026-04-24 00:49 / 2026-04-22
WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under `objects/` accept state-changing requests via `$_REQUEST`/`$_GET` and persist changes ti…

784 | CVE-2026-40929 | 5.4 MEDIUM, Network | wwbn / avideo | CWE-352 Cross-Site Request Forgery (CSRF) | New | 2026-04-24 00:48 / 2026-04-22
WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/commentDelete.json.php` is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It …

785 | CVE-2026-40926 | 7.1 HIGH, Network | wwbn / avideo | CWE-352 Cross-Site Request Forgery (CSRF) | New | 2026-04-24 00:48 / 2026-04-22
WWBN AVideo is an open source video platform. In versions 29.0 and prior, three admin-only JSON endpoints, `objects/categoryAddNew.json.php`, `objects/categoryDelete.json.php`, and `objects/pluginRu…

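The three AVideo CSRF entries above (CVE-2026-40928, CVE-2026-40929, CVE-2026-40926) share one flaw class: a state-changing JSON endpoint that reads its parameters from the merged query string and body and never checks that the request was deliberately issued by the logged-in user. The following is an added example, not AVideo's code, that puts a `$_REQUEST`-style handler next to a hardened one using a session-bound synchronizer token. The parameter name `comment_id`, the header name `X-CSRF-Token`, and the request dictionaries are all constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Assumed server-side secret for binding tokens to sessions; in a real deployment it
# comes from configuration, not from a fresh os.urandom() call at import time.
SECRET = os.urandom(32)

STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: random nonce plus an HMAC that ties the nonce to the session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token) -> bool:
    """Constant-time check that the token was issued for this session."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


def delete_comment_vulnerable(request: dict, comments: dict) -> int:
    """Flaw class from the advisories: any HTTP method, parameters merged from the query
    string and the body (like PHP's $_REQUEST), and no CSRF token at all.
    The parameter name `comment_id` is assumed for illustration."""
    params = {**request.get("query", {}), **request.get("body", {})}
    comment_id = params.get("comment_id")
    if comment_id not in comments:
        return 404
    del comments[comment_id]
    return 200


def delete_comment_hardened(request: dict, comments: dict) -> int:
    """Hardened: refuse state changes over GET/HEAD, read parameters only from the body,
    and require a token bound to the caller's session."""
    if request["method"] not in STATE_CHANGING_METHODS:
        return 405
    body = request.get("body", {})
    token = request.get("headers", {}).get("X-CSRF-Token") or body.get("csrf_token")
    if not verify_csrf_token(request["session_id"], token):
        return 403
    comment_id = body.get("comment_id")
    if comment_id not in comments:
        return 404
    del comments[comment_id]
    return 200


def demo() -> dict:
    """Replays a forged cross-site GET (e.g. an <img src=...> on the attacker's page, which
    the browser sends with the victim's session cookie), a forged cross-site POST, a POST
    carrying a token issued to a different session, and a legitimate POST."""
    victim = "session-victim"
    forged_get = {"method": "GET", "session_id": victim, "headers": {},
                  "query": {"comment_id": "42"}, "body": {}}
    forged_post = {"method": "POST", "session_id": victim, "headers": {},
                   "query": {}, "body": {"comment_id": "42"}}
    other_session_post = {"method": "POST", "session_id": victim, "headers": {},
                          "query": {}, "body": {"comment_id": "42",
                                                "csrf_token": issue_csrf_token("session-attacker")}}
    legit_post = {"method": "POST", "session_id": victim, "headers": {},
                  "query": {}, "body": {"comment_id": "42",
                                        "csrf_token": issue_csrf_token(victim)}}
    return {
        "vulnerable_forged_get": delete_comment_vulnerable(forged_get, {"42": "text"}),
        "hardened_forged_get": delete_comment_hardened(forged_get, {"42": "text"}),
        "hardened_forged_post": delete_comment_hardened(forged_post, {"42": "text"}),
        "hardened_other_session_token": delete_comment_hardened(other_session_post, {"42": "text"}),
        "hardened_legit_post": delete_comment_hardened(legit_post, {"42": "text"}),
    }
```

The method check matters on its own: even with a token, letting GET mutate state means a token leaked into a URL (referrer, proxy log, browser history) is enough to replay the action. Binding the token to the session ID, rather than issuing one global token, is what stops the attacker from minting a token in their own session and submitting it with the victim's cookie.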
786 | CVE-2026-40933 | 9.9 CRITICAL, Network | flowiseai / flowise | CWE-78 OS Command Injection | New | 2026-04-24 00:40 / 2026-04-22
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker ca…

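The Flowise entry names the mechanism (a stdio server command serialized unsafely) without showing it. Below is an added example, not Flowise's code, of that flaw class in Python: a user-supplied `{"command": ..., "args": [...]}` object is flattened into one string and handed to a shell, versus launched as an argv list. The config shape follows the common MCP stdio convention but is an assumption here, as is the allowlist of launchers.

```python
import shlex
import subprocess

# Constructed MCP-style stdio server config. The {"command": ..., "args": [...]} layout
# is assumed (it is the usual MCP stdio shape); the attacker controls the `args` value.
UNTRUSTED_CONFIG = {
    "command": "echo",
    "args": ["hello; echo INJECTED"],
}

# Allowlist of launchers an operator might permit; assumed for illustration.
ALLOWED_COMMANDS = {"echo", "node", "npx", "python3", "uvx"}


def validate_config(config: dict) -> list:
    """Defense in depth: allowlist the executable, require args to be plain strings,
    and keep them as a list rather than a joined string."""
    command = config.get("command")
    if not isinstance(command, str) or command not in ALLOWED_COMMANDS:
        raise ValueError(f"command not allowed: {command!r}")
    args = config.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        raise ValueError("args must be a list of strings")
    return [command, *args]


def run_via_shell_string(config: dict) -> str:
    """Flaw class: flatten command + args into one string and hand it to a shell.
    Metacharacters inside an argument become shell syntax."""
    cmdline = " ".join([config["command"], *config["args"]])
    proc = subprocess.run(["sh", "-c", cmdline], capture_output=True, text=True, timeout=10)
    return proc.stdout


def run_as_argv(config: dict) -> str:
    """Hardened: exec with an argv list and no shell; every arg reaches the child verbatim."""
    argv = validate_config(config)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return proc.stdout


def run_via_quoted_shell_string(config: dict) -> str:
    """If a shell string is unavoidable (it must be stored or logged as text), quote each
    element with shlex.quote so the metacharacters stay literal."""
    cmdline = " ".join(shlex.quote(p) for p in validate_config(config))
    proc = subprocess.run(["sh", "-c", cmdline], capture_output=True, text=True, timeout=10)
    return proc.stdout


if __name__ == "__main__":
    print("shell string :", repr(run_via_shell_string(UNTRUSTED_CONFIG)))
    print("argv         :", repr(run_as_argv(UNTRUSTED_CONFIG)))
    print("quoted string:", repr(run_via_quoted_shell_string(UNTRUSTED_CONFIG)))
```

The payload is deliberately harmless (`echo`), but the shell-string path runs it as two commands while the argv path passes the whole string as one argument. The allowlist is the second layer: with argv alone an authenticated user could still set `command` to any binary on the host, which for a flow builder that reaches the filesystem and network is already full compromise.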
787 | CVE-2026-39973 | 7.1 HIGH, Local | apktool / apktool | CWE-22 Path Traversal | New | 2026-04-24 00:39 / 2026-04-21
Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 and 3.0.1, a path traversal vulnerability in `brut/androlib/res/decoder/ResFileDecoder.java` allows a maliciously crafte…

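Two entries on this page are archive-extraction escapes with different roots: the apktool entry (CVE-2026-39973) is the classic `..` traversal in a resource name, and the compressing entry (CVE-2026-40931) is a symlink escape that survives a check done purely on path strings. The following is an added example, not code from either project, that builds a constructed archive containing both attacks and extracts it three ways: with no check, with a normalized-string prefix check, and with the parent directory and symlink target resolved through the filesystem. A tar archive is used only because Python can construct one with a symlink in a few lines; the same entries could appear in a zip/APK.

```python
import io
import os
import tarfile
import tempfile


def within(root: str, path: str) -> bool:
    """True if `path` is `root` or sits beneath it (both already normalized/real)."""
    return path == root or path.startswith(root + os.sep)


def build_malicious_archive(outside_dir: str) -> bytes:
    """Constructed sample: a benign file, a `..` traversal entry, and a symlink followed
    by a file whose path runs through that symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("res/ok.txt", b"benign")
        add_file("../escape.txt", b"written outside via ..")            # CWE-22 style
        link = tarfile.TarInfo("res/link")
        link.type = tarfile.SYMTYPE
        link.linkname = outside_dir
        tar.addfile(link)
        add_file("res/link/evil.txt", b"written outside via symlink")   # CWE-59 style
    return buf.getvalue()


def extract(archive: bytes, dest: str, mode: str) -> list:
    """mode "none": no check at all.
    mode "lexical": normalized-string prefix check only (catches `..`, misses symlinks).
    mode "real": reject `..` and absolute names, then resolve the parent directory and
    any symlink target through the filesystem before writing."""
    dest = os.path.realpath(dest)
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:") as tar:
        for m in tar:
            path = os.path.join(dest, m.name)
            parent = os.path.dirname(path)
            if mode == "lexical" and not within(dest, os.path.normpath(path)):
                continue
            if mode == "real":
                if os.path.isabs(m.name) or ".." in m.name.split("/"):
                    continue
                if not within(dest, os.path.realpath(parent)):
                    continue
                if m.issym() and not within(dest, os.path.realpath(os.path.join(parent, m.linkname))):
                    continue
            os.makedirs(parent, exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, path)
            elif m.isfile():
                with open(path, "wb") as f:
                    f.write(tar.extractfile(m).read())
            written.append(m.name)
    return written


def demo() -> dict:
    """Runs all three extractors on the constructed archive inside a temp directory and
    reports whether anything landed outside the destination."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        outside = os.path.join(tmp, "outside")
        os.makedirs(outside)
        archive = build_malicious_archive(outside)
        for mode in ("none", "lexical", "real"):
            dest = os.path.join(tmp, "dest_" + mode)
            os.makedirs(dest)
            extract(archive, dest, mode)
            via_dotdot = os.path.join(tmp, "escape.txt")
            via_link = os.path.join(outside, "evil.txt")
            results[mode] = {
                "traversal_escaped": os.path.exists(via_dotdot),
                "symlink_escaped": os.path.exists(via_link),
            }
            for p in (via_dotdot, via_link):   # reset between modes
                if os.path.exists(p):
                    os.remove(p)
    return results
```

The "lexical" mode is the shape of check the compressing advisory describes: `res/link/evil.txt` normalizes to a string under the destination, so it passes, yet the write goes through the symlink created one entry earlier. Resolving the parent with `realpath` only works because the check runs per entry, after earlier entries have been written; a check over the member list done up front would see no symlink on disk yet and pass everything.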
788 | CVE-2026-41167 | 9.1 CRITICAL, Network | - / - | CWE-89 SQL Injection | New | 2026-04-24 00:37 / 2026-04-23
Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields direct…

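The Jellystat entry describes request-body fields interpolated straight into SQL text. As an added example, not the project's code, the block below shows that pattern against an in-memory SQLite database with a constructed schema, the parameterized form that defeats the same payload, and the allowlist approach needed for the one thing parameters cannot bind: identifiers such as a sort column. The table and field names (`playback_activity`, `api_keys`, `userid`, `sort`) are assumptions made for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema and rows; they only stand in for the kind of tables a
    Jellyfin statistics app keeps, not Jellystat's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE playback_activity (id INTEGER PRIMARY KEY, user_name TEXT, item_name TEXT);
        CREATE TABLE api_keys (id INTEGER PRIMARY KEY, name TEXT, key TEXT);
        INSERT INTO playback_activity (user_name, item_name)
            VALUES ('alice', 'Movie A'), ('bob', 'Movie B');
        INSERT INTO api_keys (name, key) VALUES ('admin', 'SECRET-KEY-123');
    """)
    return conn


# Constructed request body an attacker would POST; `userid` is an assumed field name.
# The UNION pulls a row from an unrelated table through the same result set.
INJECTION_BODY = {"userid": "x' UNION SELECT name, key FROM api_keys --"}


def activity_vulnerable(conn: sqlite3.Connection, body: dict) -> list:
    """Flaw class: the request-body field is spliced into the SQL text."""
    sql = ("SELECT user_name, item_name FROM playback_activity "
           f"WHERE user_name = '{body['userid']}'")
    return conn.execute(sql).fetchall()


def activity_hardened(conn: sqlite3.Connection, body: dict) -> list:
    """Bound parameter: the driver passes the value separately; it cannot alter the query."""
    return conn.execute(
        "SELECT user_name, item_name FROM playback_activity WHERE user_name = ?",
        (body["userid"],),
    ).fetchall()


ALLOWED_SORT_COLUMNS = {"id", "user_name", "item_name"}


def activity_sorted(conn: sqlite3.Connection, body: dict) -> list:
    """Identifiers (column names, ASC/DESC) cannot be bound as parameters, so they are
    checked against an allowlist before being placed in the query text."""
    column = body.get("sort", "id")
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unknown sort column: {column!r}")
    direction = "DESC" if body.get("desc") else "ASC"
    return conn.execute(
        f"SELECT user_name, item_name FROM playback_activity ORDER BY {column} {direction}"
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", activity_vulnerable(db, INJECTION_BODY))
    print("hardened  :", activity_hardened(db, INJECTION_BODY))
    print("sorted    :", activity_sorted(db, {"sort": "user_name", "desc": True}))
```

The payload is chosen to match the two-column shape of the original SELECT; against a stacked-query capable driver the same interpolation point would also accept `; DROP TABLE ...`. Binding fixes every value position in one move, but the sort/filter parameters common in statistics APIs are exactly the identifier positions that still need an allowlist.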
789 | CVE-2026-33656 | 9.1 CRITICAL, Network | - / - | CWE-22 Path Traversal | New | 2026-04-24 00:37 / 2026-04-23
EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allows updating an attachment's sourceId, thus allowing an au…

790 | CVE-2026-5928 | 7.5 HIGH, Network | gnu / glibc | CWE-127 Buffer Under-read | New | 2026-04-24 00:33 / 2026-04-21
Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library versio…