1411 | CVE-2026-40258 | CVSS 9.1 CRITICAL | Network | CWE-22 Path Traversal | 2026-04-21 04:03 | 2026-04-18
The Gramps Web API is a Python REST API for the genealogical research software Gramps. Versions 1.6.0 through 3.11.0 have a path traversal vulnerability (Zip Slip) in the media archive import feature…

1412
|
9.8 |
CRITICAL
Network
|
-
|
-
|
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password-based login endpoint uses TypeScript type assertion without runtime validation, allowing an unauthenticated attac…
|
CWE-943
Improper Neutralization of Special Elements in Data Query Logic
|
CVE-2026-40351
|
2026-04-21 04:03 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1413
|
8.8 |
HIGH
Network
|
-
|
-
|
FastGPT is an AI Agent building platform. In versions prior to 4.14.9.5, the password change endpoint is vulnerable to NoSQL injection. An authenticated attacker can bypass the "old password" verific…
|
CWE-943
Improper Neutralization of Special Elements in Data Query Logic
|
CVE-2026-40352
|
2026-04-21 04:03 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
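The two FastGPT entries above (CVE-2026-40351 and CVE-2026-40352) share one root cause: a TypeScript type assertion such as `req.body as { password: string }` is erased at compile time and emits no check, so a JSON body carrying `{"password": {"$ne": ""}}` reaches the database query as an object, and MongoDB interprets it as an operator rather than a literal. The block below is an added example, not FastGPT code; the in-memory query matcher, the user records and the attacker bodies are constructed for the demo, and the exact FastGPT queries are not shown on this page. It shows the unchecked login and old-password lookups beside versions that validate the field type at runtime.

```javascript
// Added example, not FastGPT code: a MongoDB-style equality lookup that trusts
// the request body's shape (which is all a TypeScript `as { password: string }`
// assertion amounts to at runtime) beside one that validates before querying.
// The in-memory matcher, user records and request bodies are constructed.

// Tiny stand-in for a MongoDB query matcher, supporting the operators an
// attacker typically reaches for. Not a complete implementation.
function fieldMatches(value, condition) {
  if (condition !== null && typeof condition === "object" && !Array.isArray(condition)) {
    return Object.entries(condition).every(([op, arg]) => {
      switch (op) {
        case "$ne": return value !== arg;
        case "$gt": return value > arg;
        case "$regex": return typeof value === "string" && new RegExp(arg).test(value);
        default: throw new Error("operator not modelled: " + op);
      }
    });
  }
  return value === condition;
}

function findOne(collection, query) {
  const hit = collection.find(doc =>
    Object.entries(query).every(([field, cond]) => fieldMatches(doc[field], cond)));
  return hit === undefined ? null : hit;
}

// Constructed users; "password" holds whatever the service compares against.
const USERS = [
  { _id: 1, username: "root", password: "7f9c...root" },
  { _id: 2, username: "alice", password: "3a1e...alice" },
];

// Vulnerable shape: destructure and query. In TypeScript this would read
// `const { username, password } = req.body as { username: string; password: string }`;
// the assertion emits no code, so an object flows straight into the query.
function loginUnchecked(body) {
  const { username, password } = body;
  return findOne(USERS, { username, password });
}

// Runtime validation: only a primitive string may reach the query.
function requireString(value, name) {
  if (typeof value !== "string") throw new TypeError(name + " must be a string");
  return value;
}

function loginChecked(body) {
  const username = requireString(body.username, "username");
  const password = requireString(body.password, "password");
  return findOne(USERS, { username, password });
}

// Same pattern for an authenticated "old password" check: the lookup keys on
// the caller's id plus the supplied old password, so `{ $ne: "" }` matches.
function verifyOldPasswordUnchecked(userId, body) {
  return findOne(USERS, { _id: userId, password: body.oldPassword }) !== null;
}

function verifyOldPasswordChecked(userId, body) {
  const oldPassword = requireString(body.oldPassword, "oldPassword");
  return findOne(USERS, { _id: userId, password: oldPassword }) !== null;
}

// Constructed attacker bodies, as parsed from JSON:
//   {"username":"root","password":{"$ne":""}}  and  {"oldPassword":{"$ne":""}}
const INJECTED_LOGIN = { username: "root", password: { $ne: "" } };
const INJECTED_CHANGE = { oldPassword: { $ne: "" } };
```

`requireString` is the minimum; at an HTTP boundary the same guarantee is normally provided by a schema validator applied to the whole body, which also rejects unexpected keys. Independently of injection, a credential lookup should not be written as a query on the password field at all: fetch the user by identifier, then compare the submitted secret against the stored hash in application code, so the user-controlled value never becomes part of query logic.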
1414
|
- |
|
-
|
-
|
graphql-go is a Go implementation of GraphQL. In versions 15.31.4 and below, the OverlappingFieldsCanBeMerged validation rule performs O(n²) pairwise comparisons of fields sharing the same response n…
|
CWE-407
Inefficient Algorithmic Complexity
|
CVE-2026-40476
|
2026-04-21 04:03 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1415
|
5.4 |
MEDIUM
Network
|
-
|
-
|
Kimai is an open-source time tracking application. In versions 1.16.3 through 2.52.0, the escapeForHtml() function in KimaiEscape.js does not escape double quote or single quote characters. When a us…
|
CWE-79
Cross-site Scripting
|
CVE-2026-40479
|
2026-04-21 04:03 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
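An escaper that handles only `&`, `<` and `>` is sufficient in text-node context but not inside a quoted attribute, where an unescaped `"` closes the value and whatever follows becomes a new attribute. The block below is an added example, not Kimai's KimaiEscape.js: it places the incomplete escaper beside a quote-aware one and shows, with a constructed payload and a simplified attribute tokenizer, how the two render in attribute context.

```javascript
// Added example, not Kimai's KimaiEscape.js: an escaper that stops at &, < and >
// beside one that also escapes both quote characters, checked in the context
// where the difference bites: a user value inside a quoted attribute.

// Escapes only the three characters that matter in text-node context.
function escapeForHtmlIncomplete(value) {
  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Escapes the set needed for both text and quoted-attribute contexts.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeForHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Template the way view code often does: data lands inside a quoted attribute.
function renderTitle(escaper, userValue) {
  return '<span title="' + escaper(userValue) + '">entry</span>';
}

// Lists the attribute names a tokenizer would see on the opening tag
// (simplified: double-quoted values only). Constructed for the demo, not a
// real HTML parser.
function attributeNames(html) {
  const m = /^<\w+((?:\s+[\w-]+="[^"]*")*)\s*>/.exec(html);
  if (m === null) return null;
  return Array.from(m[1].matchAll(/\s+([\w-]+)="/g), x => x[1]);
}

// Constructed payload: closes the title value and opens an event handler.
const PAYLOAD = 'x" onmouseover="alert(document.cookie)';
```

With the incomplete escaper, `attributeNames(renderTitle(escapeForHtmlIncomplete, PAYLOAD))` reports a second attribute, `onmouseover`; with the quote-aware one the whole payload stays inside `title`. Escaping is still context-specific: neither function makes a value safe in an unquoted attribute, a URL, a `style` block or inline script, and where the DOM is available, `setAttribute` and `textContent` avoid string templating altogether.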
1416
|
4.3 |
MEDIUM
Network
|
-
|
-
|
Kimai is an open-source time tracking application. In versions 2.52.0 and below, the User Preferences API endpoint (PATCH /api/users/{id}/preferences) applies submitted preference values without chec…
|
CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
|
CVE-2026-40486
|
2026-04-21 04:03 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1417
|
- |
|
-
|
-
|
SP1 is a zero‑knowledge virtual machine that proves the correct execution of programs compiled for the RISC-V architecture. In versions 6.0.0 through 6.0.2, a soundness vulnerability in the SP1 V6 re…
|
CWE-345 CWE-354
Insufficient Verification of Data Authenticity Improper Validation of Integrity Check Value
|
CVE-2026-40323
|
2026-04-21 04:03 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1418
|
9.1 |
CRITICAL
Network
|
-
|
-
|
Hot Chocolate is an open-source GraphQL server. Prior to versions 12.22.7, 13.9.16, 14.3.1, and 15.1.14, Hot Chocolate's recursive descent parser `Utf8GraphQLParser` has no recursion depth limit. A c…
|
CWE-674
Uncontrolled Recursion
|
CVE-2026-40324
|
2026-04-21 04:03 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
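A recursive-descent parser recurses once per nested selection set, so a request that is nothing but `{ a { a { a ...` drives call depth to whatever the attacker sends, and the process dies with a stack overflow before any validation or authorization runs. The block below is an added example, not Hot Chocolate's `Utf8GraphQLParser`: a toy selection-set parser with no depth limit, beside the same parser behind a linear pre-pass that bounds nesting. The grammar, the `MAX_DEPTH` value and the generated documents are all constructed for the demo.

```javascript
// Added example, not Hot Chocolate's Utf8GraphQLParser: a toy recursive-descent
// parser for GraphQL selection sets with no depth limit, beside the same parser
// behind a linear pre-pass that bounds nesting. The grammar is deliberately
// minimal:  selectionSet := "{" field+ "}" ;  field := NAME selectionSet?
const MAX_DEPTH = 32; // assumed limit for the demo; size it to your schema

class DepthLimitError extends Error {}

function tokenize(src) {
  return src.match(/[{}]|[A-Za-z_]\w*/g) || [];
}

// Naive parser: call depth grows with document nesting, so a hostile document
// drives it into "Maximum call stack size exceeded".
function parseSelectionSet(tokens, pos) {
  if (tokens[pos] !== "{") throw new SyntaxError("expected '{' at token " + pos);
  pos += 1;
  const fields = [];
  while (tokens[pos] !== "}") {
    const name = tokens[pos];
    if (name === undefined) throw new SyntaxError("unexpected end of input");
    if (name === "{") throw new SyntaxError("expected a field name at token " + pos);
    pos += 1;
    let children = null;
    if (tokens[pos] === "{") {
      const sub = parseSelectionSet(tokens, pos); // recursion per nesting level
      children = sub.fields;
      pos = sub.pos;
    }
    fields.push({ name, children });
  }
  return { fields, pos: pos + 1 };
}

function parseNaive(src) {
  return parseSelectionSet(tokenize(src), 0).fields;
}

// Linear pre-pass: deepest brace nesting, returning early once limit is passed.
function maxNesting(tokens, limit) {
  let depth = 0;
  let deepest = 0;
  for (const t of tokens) {
    if (t === "{") {
      depth += 1;
      if (depth > deepest) deepest = depth;
      if (depth > limit) return depth;
    } else if (t === "}") {
      depth -= 1;
    }
  }
  return deepest;
}

// Guarded parser: reject before a single recursive call is made.
function parseGuarded(src, limit = MAX_DEPTH) {
  const tokens = tokenize(src);
  const depth = maxNesting(tokens, limit);
  if (depth > limit) throw new DepthLimitError("nesting " + depth + " exceeds limit " + limit);
  return parseSelectionSet(tokens, 0).fields;
}

// Constructed document nested n+1 selection sets deep: { a { a { ... { b } } } }
function makeDeepQuery(n) {
  return "{ a ".repeat(n) + "{ b }" + " }".repeat(n);
}

// Summarise what each parser does with a document.
function outcome(parse, src) {
  try {
    parse(src);
    return "parsed";
  } catch (e) {
    if (e instanceof DepthLimitError) return "rejected";
    if (e instanceof RangeError) return "stack overflow";
    return "syntax error";
  }
}
```

`outcome(parseNaive, makeDeepQuery(200000))` ends in a stack overflow, while `outcome(parseGuarded, makeDeepQuery(200000))` returns `"rejected"` after a single linear scan that stops at the 33rd brace. The equivalent in-parser fix is a depth counter incremented on entry to the recursive routine and checked against the limit, which avoids the extra pass; either way the bound must be enforced at parse time, because query-complexity or depth rules in the validation stage run only after the document has already been parsed.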
1419
|
5.1 |
MEDIUM
Local
|
-
|
-
|
The Sentry kernel is a high security level micro-kernel implementation made for high security embedded systems. A given task with one of the DEV or IO capability is able to interact with another task…
|
CWE-283
Unverified Ownership
|
CVE-2026-40337
|
2026-04-21 04:03 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1420
|
- |
|
-
|
-
|
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.37, NocoBase's workflow HTTP request plugin and custom request ac…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-40346
|
2026-04-21 04:03 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|