| 181 | 3.3 | LOW Local | - | - | MuPDF mutool does not sanitize PDF metadata fields before writing them to terminal output, allowing attackers to inject arbitrary ANSI escape sequences through crafted PDF metadata. Attackers can emb… New | CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences | CVE-2026-40505 | 2026-04-16 11:16 | 2026-04-16 |
| 182 | 9.8 | CRITICAL Network | - | - | Creolabs Gravity before 0.9.6 contains a heap buffer overflow vulnerability in the gravity_vm_exec function that allows attackers to write out-of-bounds memory by crafting scripts with many string li… New | CWE-122 Heap-based Buffer Overflow | CVE-2026-40504 | 2026-04-16 11:16 | 2026-04-16 |
| 183 | 6.4 | MEDIUM Network | - | - | The WP YouTube Lyte plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lyte' shortcode in all versions up to, and including, 1.7.29 due to insufficient input sanitiza… New | CWE-79 Cross-site Scripting | CVE-2026-3299 | 2026-04-16 11:16 | 2026-04-16 |
| 184 | 8.1 | HIGH Local | - | - | Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environment. If at least one mod is listed as secure.trusted_mods or secure.http_mods, then a crafted mod can intercept the re… New | CWE-670 Always-Incorrect Control Flow Implementation | CVE-2026-40960 | 2026-04-16 10:16 | 2026-04-16 |
| 185 | 9.3 | CRITICAL Local | - | - | Luanti 5 before 5.15.2, when LuaJIT is used, allows a Lua sandbox escape via a crafted mod. New | CWE-829 Inclusion of Functionality from Untrusted Control Sphere | CVE-2026-40959 | 2026-04-16 10:16 | 2026-04-16 |
| 186 | 6.5 | MEDIUM Network | - | - | OpenHarness prior to commit dd1d235 contains a path traversal vulnerability that allows remote gateway users with chat access to read arbitrary files by supplying path traversal sequences to the /mem… New | CWE-22 Path Traversal | CVE-2026-40503 | 2026-04-16 10:16 | 2026-04-16 |
| 187 | 8.8 | HIGH Network | - | - | OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient… New | CWE-862 Missing Authorization | CVE-2026-40502 | 2026-04-16 10:16 | 2026-04-16 |
| 188 | - | | - | - | radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in… New | CWE-78 OS Command | CVE-2026-40499 | 2026-04-16 10:16 | 2026-04-15 |
| 189 | 6.3 | MEDIUM Network | geosolutionsgroup | geonode | GeoNode versions 4.4.5 and 5.0.2 (and prior within their respective releases) contain a server-side request forgery vulnerability in the service registration endpoint that allows authenticated attack… New | CWE-918 Server-Side Request Forgery (SSRF) | CVE-2026-39922 | 2026-04-16 10:16 | 2026-04-11 |
| 190 | 6.3 | MEDIUM Network | geosolutionsgroup | geonode | GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbou… New | CWE-918 Server-Side Request Forgery (SSRF) | CVE-2026-39921 | 2026-04-16 10:16 | 2026-04-11 |