|
1811
|
9.9 |
CRITICAL
Network
|
-
|
-
|
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field …
|
CWE-20
CWE-22
CWE-187
Improper Input Validation
Path Traversal
Partial String Comparison
|
CVE-2026-35031
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1812
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Stored cross-site scripting vulnerability exists in GROWI v7.4.6 and earlier. If this vulnerability is exploited, an arbitrary script may be executed in a user's web browser.
|
CWE-79
Cross-site Scripting
|
CVE-2026-26291
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1813
|
7.5 |
HIGH
Network
|
-
|
-
|
Deadwood in MaraDNS 3.5.0036 allows attackers to exhaust connection slots via a zone whose authoritative nameserver address cannot be resolved.
|
CWE-670
Always-Incorrect Control Flow Implementation
|
CVE-2026-40719
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1814
|
7.5 |
HIGH
Network
|
-
|
-
|
Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts.
The _make_salt and _make_salt_bcrypt methods will attept to load Crypt::URandom and then Bytes::…
|
CWE-338
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
|
CVE-2026-5088
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1815
|
- |
|
-
|
-
|
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not val…
|
CWE-73
CWE-918
External Control of File Name or Path
Server-Side Request Forgery (SSRF)
|
CVE-2026-35032
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1816
|
- |
|
-
|
-
|
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions que…
|
CWE-88
CWE-862
Argument Injection
Missing Authorization
|
CVE-2026-35033
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1817
|
8.0 |
HIGH
Network
|
-
|
-
|
nanobot is a personal AI assistant. Versions prior to 0.1.5 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability exists in the bridge's WebSocket server in bridge/src/server.ts, resulting f…
|
CWE-1385
Missing Origin Validation in WebSockets
|
CVE-2026-35589
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1818
|
7.2 |
HIGH
Network
|
-
|
-
|
BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites and blogs, using JSON as its database. Versions prior to 2.1.3 are vulnerable to a critical Local File Inclusion (LFI) …
|
CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
|
CVE-2026-39387
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1819
|
9.6 |
CRITICAL
Network
|
-
|
-
|
NuGet Gallery is a package repository that powers nuget.org. A security vulnerability exists in the NuGetGallery backend job’s handling of .nuspec files within NuGet packages. An attacker can supply …
|
CWE-20
CWE-22
Improper Input Validation
Path Traversal
|
CVE-2026-39399
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1820
|
8.1 |
HIGH
Network
|
-
|
-
|
An access control vulnerability was discovered in the Threat Intelligence functionality due to a specific access restriction not being properly enforced for users with view-only privileges. An authen…
|
CWE-863
Incorrect Authorization
|
CVE-2025-40897
|
2026-04-18 00:38 |
2026-04-15 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
