| # | CVSS | Severity | Vector | Description | Status | CWE | CVE | Updated | Published |
|---|---|---|---|---|---|---|---|---|---|
| 1011 | 6.6 | MEDIUM | Network | October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations wh… | New | CWE-184 Incomplete Blacklist; CWE-863 Incorrect Authorization | CVE-2026-26274 | 2026-04-23 06:08 | 2026-04-22 |
| 1012 | 3.1 | LOW | Network | October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a … | New | CWE-79 Cross-site Scripting | CVE-2026-27937 | 2026-04-23 06:08 | 2026-04-22 |
| 1013 | 3.3 | LOW | Network | October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and … | New | CWE-863 Incorrect Authorization | CVE-2026-29179 | 2026-04-23 06:08 | 2026-04-22 |
| 1014 | 5.4 | MEDIUM | Network | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as `GET /mailbox/oauth-disconnect/{id}/{in_out}/{provider}`.… | New | CWE-352 Cross-Site Request Forgery | CVE-2026-41194 | 2026-04-23 06:08 | 2026-04-22 |
| 1015 | 7.5 | HIGH | Network | Decidim is a participatory democracy framework. Starting in version 0.0.1 and prior to versions 0.30.5 and 0.31.1, the root level `commentable` field in the API allows access to all commentable resou… | New | CWE-862 Missing Authorization | CVE-2026-40870 | 2026-04-23 06:08 | 2026-04-22 |
| 1016 | 9.1 | CRITICAL | Network | Vendure is an open-source headless commerce platform. Starting in version 1.7.4 and prior to versions 2.3.4, 3.5.7, and 3.6.2, an unauthenticated SQL injection vulnerability exists in the Vendure Sho… | New | CWE-89 SQL Injection | CVE-2026-40887 | 2026-04-23 06:08 | 2026-04-22 |
| 1017 | 8.1 | HIGH | Network | LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, a password reset poisoning vulnerability was identified in the application due to improper trust of user-controlled HTTP hea… | New | CWE-601 Open Redirect | CVE-2026-40905 | 2026-04-23 06:08 | 2026-04-22 |
| 1018 | - | - | - | Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document viewer allows any authenticated user to access other … | New | CWE-284 Improper Access Control; CWE-639 Authorization Bypass Through User-Controlled Key | CVE-2026-40865 | 2026-04-23 06:05 | 2026-04-22 |
| 1019 | - | - | - | Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in the employee document upload endpoint allows any authenticated user to over… | New | CWE-284 Improper Access Control; CWE-639 Authorization Bypass Through User-Controlled Key | CVE-2026-40866 | 2026-04-23 06:05 | 2026-04-22 |
| 1020 | - | - | - | Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, a broken access control vulnerability in the helpdesk attachment viewer allows any authenticated user to view atta… | New | CWE-284 Improper Access Control; CWE-639 Authorization Bypass Through User-Controlled Key | CVE-2026-40867 | 2026-04-23 06:05 | 2026-04-22 |
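The FreeScout entry (1014) describes a state-changing action exposed on a plain GET route, which is the textbook precondition for cross-site request forgery: the victim's browser attaches the session cookie to any navigation an attacker page triggers, and no secret the attacker lacks is required. The following is an added example, not FreeScout's code, that models that route as two handlers: the GET-driven one and a hardened one that requires POST plus a session-bound CSRF token. The session store, cookie value, and the concrete path values substituted for the advisory's `{id}/{in_out}/{provider}` placeholders are constructed for the example.

```python
import hmac
import secrets

# Constructed server-side session store: cookie value -> session (hypothetical values).
SESSIONS = {"victim-cookie": {"user": "alice", "csrf_token": secrets.token_hex(16)}}
# Route prefix taken from the path pattern quoted in the advisory text.
DISCONNECT_PREFIX = "/mailbox/oauth-disconnect/"


def new_state() -> dict:
    """Fresh mailbox state so each scenario starts connected."""
    return {"oauth_connected": True}


def disconnect_vulnerable(request: dict, state: dict) -> int:
    """The flawed shape: any authenticated GET to the route disconnects the mailbox."""
    session = SESSIONS.get(request.get("cookie"))
    if session is None:
        return 401
    if not request["path"].startswith(DISCONNECT_PREFIX):
        return 404
    state["oauth_connected"] = False      # state change reachable by a cross-site GET
    return 302


def disconnect_hardened(request: dict, state: dict) -> int:
    """Require POST and a CSRF token bound to the session before mutating state."""
    session = SESSIONS.get(request.get("cookie"))
    if session is None:
        return 401
    if not request["path"].startswith(DISCONNECT_PREFIX):
        return 404
    if request["method"] != "POST":
        return 405                        # GET/HEAD must never change state
    submitted = request.get("form", {}).get("_token", "")
    # Constant-time compare; a forged cross-site POST cannot supply this value.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403
    state["oauth_connected"] = False
    return 302


def forged_request(path: str) -> dict:
    """What an attacker page's <a href> or window.location produces in the victim's
    browser: a GET to the target, victim cookie attached, no form body."""
    return {"method": "GET", "path": path, "cookie": "victim-cookie"}


def legitimate_request(path: str) -> dict:
    """A POST from the application's own form, carrying the session's CSRF token."""
    token = SESSIONS["victim-cookie"]["csrf_token"]
    return {"method": "POST", "path": path, "cookie": "victim-cookie", "form": {"_token": token}}
```

Note that `SameSite=Lax` cookies do not close this hole on their own: Lax still sends the cookie on top-level GET navigations, which is exactly what a link or a `window.location` assignment on the attacker's page performs, so the fix has to be on the server side (non-idempotent method plus token).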
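The LinkAce entry (1017) is a password reset poisoning flaw caused by trusting user-controlled HTTP headers. The added example below, which is not LinkAce's code, shows the generic mechanism: a reset link assembled from `Host` or `X-Forwarded-Host` is emailed to the victim pointing at the attacker's host, so the attacker receives the live token when the link is clicked. The hardened variant builds the link from configuration only, and an allow-list check on `Host` is shown as defence in depth. `APP_URL`, `ALLOWED_HOSTS`, the `/password/reset/` path and the hostnames are assumptions for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed deployment configuration (hypothetical host, not from the advisory).
APP_URL = "https://links.example.org"
ALLOWED_HOSTS = {"links.example.org"}


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Build the emailed reset link from request headers.

    Host and proxy headers such as X-Forwarded-Host are attacker-controlled,
    so a reset requested for the victim's address with a spoofed host lands in
    the victim's inbox pointing at the attacker's server, token included.
    """
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    scheme = headers.get("X-Forwarded-Proto", "https")
    return f"{scheme}://{host}/password/reset/{token}"


def reset_link_hardened(headers: dict, token: str) -> str:
    """Build the link from the configured canonical URL; request headers are ignored."""
    parts = urlsplit(APP_URL)
    return urlunsplit((parts.scheme, parts.netloc, f"/password/reset/{token}", "", ""))


def host_is_allowed(headers: dict) -> bool:
    """Defence in depth: refuse requests whose Host is not a known deployment host."""
    host = headers.get("Host", "").split(":", 1)[0].lower()
    return host in ALLOWED_HOSTS


def token_leaks_to(link: str) -> str:
    """The host that receives the token when the victim follows the emailed link."""
    return urlsplit(link).hostname or ""
```

The `X-Forwarded-*` lookup in the vulnerable builder is deliberate: frameworks that honour proxy headers unconditionally are exploitable even when the reverse proxy pins `Host`, because the attacker supplies the forwarded header directly.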
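The three Horilla entries (1018 to 1020) and the Decidim entry (1015) share one root cause: a record is fetched by a client-supplied key and returned to any authenticated user without checking that the caller may see or modify it (CWE-639 / CWE-862). The added example below is not code from either project; it models an employee document store with a viewer and an upload (overwrite) operation in their vulnerable and hardened forms. The document store, usernames and the `employee.view_document` permission name are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Document:
    id: int
    owner: str
    content: bytes


@dataclass
class User:
    username: str
    perms: set = field(default_factory=set)


class NotFound(Exception):
    """Raised for both missing and forbidden objects so ids cannot be enumerated."""


def make_store() -> dict:
    """Constructed sample data, not from the advisories."""
    return {
        101: Document(101, "alice", b"alice passport scan"),
        102: Document(102, "bob", b"bob contract"),
    }


def view_document_vulnerable(store: dict, user: User, doc_id: int) -> bytes:
    """Lookup by the client-supplied key alone: any authenticated user reads any document."""
    return store[doc_id].content


def can_access(user: User, doc: Document) -> bool:
    """Object-level rule: the owner, or a user holding the HR-wide permission."""
    return doc.owner == user.username or "employee.view_document" in user.perms


def view_document_hardened(store: dict, user: User, doc_id: int) -> bytes:
    doc = store.get(doc_id)
    if doc is None or not can_access(user, doc):
        raise NotFound                      # same answer for missing and forbidden
    return doc.content


def upload_document_hardened(store: dict, user: User, doc_id: int, content: bytes) -> None:
    """Overwrite is gated by the same object-level check as reading."""
    doc = store.get(doc_id)
    if doc is None or not can_access(user, doc):
        raise NotFound
    doc.content = content


def access_allowed(store: dict, user: User, doc_id: int) -> bool:
    """Convenience for tests and audits: True if the hardened viewer would serve the document."""
    try:
        view_document_hardened(store, user, doc_id)
    except NotFound:
        return False
    return True
```

The check lives at the point of object resolution rather than in a route-level "is authenticated" guard, which is the distinction these advisories turn on: authentication proves who the caller is, authorization has to be evaluated per record.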
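The Vendure entry (1016) is an unauthenticated SQL injection in a shop-facing API. The advisory excerpt does not name the affected query, so the added example below is generic and not Vendure's code: a product lookup built by string interpolation beside the same lookup with bound parameters, exercised against an in-memory SQLite database with constructed sample rows. It shows the two consequences a practitioner checks for: bypassing a filter (`enabled = 1`) and pulling rows out of an unrelated table with `UNION`.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample data (not from the advisory)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, code TEXT, enabled INTEGER)")
    con.executemany(
        "INSERT INTO product (code, enabled) VALUES (?, ?)",
        [("TSHIRT-01", 1), ("MUG-02", 1), ("HIDDEN-03", 0)],
    )
    con.execute("CREATE TABLE administrator (email TEXT, password_hash TEXT)")
    con.execute(
        "INSERT INTO administrator VALUES (?, ?)",
        ("admin@example.com", "hash-constructed-value"),
    )
    return con


def search_vulnerable(con: sqlite3.Connection, code: str) -> list:
    """Attacker input is spliced into the statement text (CWE-89)."""
    sql = f"SELECT code FROM product WHERE enabled = 1 AND code = '{code}'"
    return [row[0] for row in con.execute(sql)]


def search_hardened(con: sqlite3.Connection, code: str) -> list:
    """Input travels as a bound parameter; it can only ever be compared as data."""
    sql = "SELECT code FROM product WHERE enabled = 1 AND code = ?"
    return [row[0] for row in con.execute(sql, (code,))]


# Two constructed payloads: filter bypass and cross-table extraction.
BYPASS_PAYLOAD = "x' OR 1=1 --"
UNION_PAYLOAD = "x' UNION SELECT password_hash FROM administrator --"
```

The hardened variant is what an ORM or query builder emits when values are passed as parameters; the bug class reappears whenever a raw-query or string-building escape hatch is used with request data, which is why a review of a shop API greps for interpolated SQL rather than trusting the ORM by default.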