|
331
|
8.8 |
HIGH
Network
|
-
|
-
|
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attacker can bypass the "old password" verific…
|
CWE-943
Improper Neutralization of Special Elements in Data Query Logic
|
CVE-2026-40352
|
2026-04-18 07:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
332
|
9.8 |
CRITICAL
Network
|
-
|
-
|
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attac…
|
CWE-943
Improper Neutralization of Special Elements in Data Query Logic
|
CVE-2026-40351
|
2026-04-18 07:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
333
|
8.0 |
HIGH
Network
|
-
|
-
|
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could incl…
|
CWE-87
Improper Neutralization of Alternate XSS Syntax
|
CVE-2026-40321
|
2026-04-18 07:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
334
|
- |
|
-
|
-
|
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. All new installations of DNN 10.x.x - 10.2.1 have the same Host GUID. This does not affec…
|
CWE-330
Use of Insufficiently Random Values
|
CVE-2026-40306
|
2026-04-18 07:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
335
|
4.3 |
MEDIUM
Network
|
-
|
-
|
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user cou…
|
CWE-285
Improper Authorization
|
CVE-2026-40305
|
2026-04-18 07:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
336
|
5.3 |
MEDIUM
Network
|
-
|
-
|
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, the unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a …
|
CWE-284
CWE-863
Improper Access Control
Incorrect Authorization
|
CVE-2026-40304
|
2026-04-18 07:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
337
|
9.1 |
CRITICAL
Network
|
-
|
-
|
The Gramps Web API is a Python REST API for the genealogical research software Gramps. Versions 1.6.0 through 3.11.0 have a path traversal vulnerability (Zip Slip) in the media archive import feature…
|
CWE-22
Path Traversal
|
CVE-2026-40258
|
2026-04-18 07:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
338
|
8.8 |
HIGH
Network
|
chamilo
|
chamilo_lms
|
Chamilo LMS is a learning management system. Prior to .0.0-RC.3, the PlatformConfigurationController::decodeSettingArray() method uses PHP's eval() to parse platform settings from the database. An at…
|
CWE-95
Eval Injection
|
CVE-2026-33618
|
2026-04-18 07:03 |
2026-04-11 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
339
|
7.8 |
HIGH
Local
|
-
|
-
|
radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can embed malicious r2 command sequences as DWARF DW_TAG_formal_pa…
|
CWE-78
OS Command
|
CVE-2026-40527
|
2026-04-18 06:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
340
|
7.5 |
HIGH
Network
|
-
|
-
|
zrok is software for sharing web services, files, and network resources. Prior to version 2.0.1, endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, cou…
|
CWE-400
CWE-789
Uncontrolled Resource Consumption
Memory Allocation with Excessive Size Value
|
CVE-2026-40303
|
2026-04-18 06:16 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
