|
21
|
- |
|
-
|
-
|
An example of BashOperator in Airflow documentation suggested a way of passing dag_run.conf in the way that could cause unsanitized user input to be used to escalate privileges of UI user to allow ex…
New
|
CWE-77
Command Injection
|
CVE-2026-30898
|
2026-04-18 16:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
22
|
- |
|
-
|
-
|
Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly tr…
New
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-25917
|
2026-04-18 16:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
23
|
6.9 |
MEDIUM
Local
|
-
|
-
|
In iTerm2 through 3.6.9, displaying a .txt file can cause code execution via DCS 2000p and OSC 135 data, if the working directory contains a malicious file whose name is valid output from the conduct…
New
|
CWE-829
Inclusion of Functionality from Untrusted Control Sphere
|
CVE-2026-41253
|
2026-04-18 15:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
24
|
8.8 |
HIGH
Network
|
-
|
-
|
The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the `c…
New
|
CWE-434
Unrestricted Upload of File with Dangerous Type
|
CVE-2026-6518
|
2026-04-18 14:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
25
|
6.4 |
MEDIUM
Network
|
-
|
-
|
The Flipbox Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Flipbox widget's button URL `custom_attributes` field in all versions up to, and including, 2…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-6048
|
2026-04-18 14:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
26
|
6.4 |
MEDIUM
Network
|
-
|
-
|
The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via external iCal feed data in all versions up to, and including, 3.1.16 due to insuffic…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-4801
|
2026-04-18 14:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
27
|
7.5 |
HIGH
Network
|
-
|
-
|
Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remot…
New
|
CWE-321
CWE-502
Use of Hard-coded Cryptographic Key
Deserialization of Untrusted Data
|
CVE-2026-5426
|
2026-04-18 13:16 |
2026-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
28
|
7.5 |
HIGH
Network
|
-
|
-
|
libexpat before 2.7.6 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.
New
|
CWE-331
Insufficient Entropy
|
CVE-2026-41080
|
2026-04-18 13:16 |
2026-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
29
|
6.5 |
MEDIUM
Adjacent
|
-
|
-
|
An issue in the Bluetooth Low Energy (BLE) control interface of the Yamaha SR-B30A sound bar firmware 2.40 (Mobile App: Sound Bar Remote / version: 2.40) allows remote attackers within BLE radio rang…
New
|
CWE-284
Improper Access Control
|
CVE-2026-37100
|
2026-04-18 13:16 |
2026-04-17 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
30
|
7.5 |
HIGH
Network
|
-
|
-
|
JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors.
Users are advised to upgrade to Airflow version that contains fix.
Users are recommended to upgrade t…
New
|
CWE-532
Inclusion of Sensitive Information in Log Files
|
CVE-2026-31987
|
2026-04-18 13:16 |
2026-04-16 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
