| 1421 | 8.8 | HIGH Network | - | - | Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=… | CWE-862 Missing Authorization | CVE-2026-40349 | 2026-04-21 04:03 | 2026-04-18 |
| 1422 | 8.8 | HIGH Network | - | - | Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use t… | CWE-863 Incorrect Authorization | CVE-2026-40350 | 2026-04-21 04:03 | 2026-04-18 |
| 1423 | 9.0 | CRITICAL Local | - | - | NovumOS is a custom 32-bit operating system written in Zig and x86 Assembly. In versions prior to 0.24, Syscall 15 (MemoryMapRange) allows Ring 3 user-mode processes to map arbitrary virtual address … | CWE-269 Improper Privilege Management | CVE-2026-40572 | 2026-04-21 04:03 | 2026-04-18 |
| 1424 | 6.5 | MEDIUM Network | - | - | gdown is a Google Drive public file/folder downloader. Versions prior to 5.2.2 are vulnerable to a Path Traversal attack within the extractall functionality. When extracting a maliciously crafted ZIP… | CWE-22 Path Traversal | CVE-2026-40491 | 2026-04-21 04:03 | 2026-04-18 |
| 1425 | - | | - | - | WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript into the… | CWE-79 Cross-site Scripting | CVE-2026-40282 | 2026-04-21 04:02 | 2026-04-18 |
| 1426 | 6.8 | MEDIUM Network | - | - | WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the … | CWE-79 Cross-site Scripting | CVE-2026-40284 | 2026-04-21 04:02 | 2026-04-18 |
| 1427 | 7.5 | HIGH Network | - | - | WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the 'Member Registration' (Cadastrar Sócio) functi… | CWE-79 Cross-site Scripting | CVE-2026-40286 | 2026-04-21 04:02 | 2026-04-18 |
| 1428 | 6.1 | MEDIUM Physical | - | - | libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded… | CWE-125 Out-of-bounds Read | CVE-2026-40333 | 2026-04-21 04:00 | 2026-04-18 |
| 1429 | 3.5 | LOW Physical | - | - | libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, a missing null terminator exists in ptp_unpack_Canon_FE() in camlibs/ptp2/ptp-pack.c (line 1377). The functi… | CWE-170 Improper Null Termination | CVE-2026-40334 | 2026-04-21 04:00 | 2026-04-18 |
| 1430 | 5.2 | MEDIUM Physical | - | - | libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in `ptp_unpack_DPV()` in `camlibs/ptp2/ptp-pack.c` (lines 622–629). The UINT128 and I… | CWE-125 Out-of-bounds Read | CVE-2026-40335 | 2026-04-21 04:00 | 2026-04-18 |