| # | CVSS | Severity | Vector | Description | CWE | CVE | Timestamp | Date |
|---|---|---|---|---|---|---|---|---|
| 1501 | 5.4 | MEDIUM | Network | The Keycloak authentication manager in `apache-airflow-providers-keycloak` did not generate or validate the OAuth 2.0 `state` parameter on the login / login-callback flow, and did not use PKCE. An at… | CWE-352 (Origin Validation Error) | CVE-2026-40948 | 2026-04-21 02:16 | 2026-04-18 |
| 1502 | 7.7 | HIGH | Network | Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side requests to arbitrary internal targets throu… | CWE-918 (Server-Side Request Forgery (SSRF)) | CVE-2026-40348 | 2026-04-21 02:16 | 2026-04-18 |
| 1503 | 8.8 | HIGH | Network | WeGIA is a web manager for charitable institutions. Versions prior to 3.6.10 contain a SQL injection vulnerability in dao/memorando/UsuarioDAO.php. The cpf_usuario POST parameter overwrites the sessi… | CWE-89 (SQL Injection); CWE-302 (Authentication Bypass by Assumed-Immutable Data); CWE-473 (PHP External Variable Modification) | CVE-2026-40285 | 2026-04-21 02:16 | 2026-04-18 |
| 1504 | - | - | - | pip handles concatenated tar and ZIP files as ZIP files regardless of filename or whether a file is both a tar and ZIP file. This behavior could result in confusing installation behavior, such as ins… | CWE-434 (Unrestricted Upload of File with Dangerous Type) | CVE-2026-3219 | 2026-04-21 02:16 | 2026-04-21 |
| 1505 | 6.3 | MEDIUM | Local | Dell PowerProtect Data Domain appliances, versions 7.7.1.0 through 8.7.0.0, LTS2025 release versions 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an improper … | CWE-269 (Improper Privilege Management) | CVE-2026-35154 | 2026-04-21 02:16 | 2026-04-21 |
| 1506 | 3.1 | LOW | Network | Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. In versions prior to 2.0.0, file upload endpoints render user-supplied filenames directly into HTML … | CWE-20 (Improper Input Validation); CWE-79 (Cross-site Scripting); CWE-116 (Improper Encoding or Escaping of Output) | CVE-2026-33436 | 2026-04-21 02:16 | 2026-04-18 |
| 1507 | - | - | - | Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update their own account role to a non-admin privileged role via /platform/user/{username}. The `role` field is a… | - | CVE-2026-30269 | 2026-04-21 02:16 | 2026-04-21 |
| 1508 | - | - | - | libcoap contains out-of-bounds read vulnerabilities in OSCORE Appendix B.2 CBOR unwrap handling where get_byte_inc() in src/oscore/oscore_cbor.c relies solely on assert() for bounds checking, which i… | CWE-125 (Out-of-bounds Read) | CVE-2026-29013 | 2026-04-21 02:16 | 2026-04-18 |
| 1509 | 6.7 | MEDIUM | Local | Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain a stack-based buffer overflo… | CWE-121 (Stack-based Buffer Overflow) | CVE-2026-26951 | 2026-04-21 02:16 | 2026-04-21 |
| 1510 | 7.2 | HIGH | Network | Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain an OS command injection vuln… | CWE-78 (OS Command Injection) | CVE-2026-26943 | 2026-04-21 02:16 | 2026-04-21 |