| # | Score | Severity | Vector | Vendor | Product | Description | CWE | CVE | Updated | Published |
|---|---|---|---|---|---|---|---|---|---|---|
| 1421 | 9.1 | CRITICAL | Network | orthanc-server | orthanc | An out-of-bounds read vulnerability exists in the `DecodeLookupTable` function within `DicomImageDecoder.cpp`. The lookup-table decoding logic used for `PALETTE COLOR` images does not validate pixel … | CWE-125 (Out-of-bounds Read) | CVE-2026-5445 | 2026-04-15 05:10 | 2026-04-10 |
| 1422 | 7.8 | HIGH | Local | hdfgroup | hdf5 | HDF5 is software for managing data. In 1.14.1-2 and earlier, a heap-use-after-free was found in the h5dump helper utility. An attacker who can supply a malicious h5 file can trigger a heap use-after-… | CWE-416 (Use After Free) | CVE-2026-34734 | 2026-04-15 05:09 | 2026-04-10 |
| 1423 | 8.2 | HIGH | Network | gitroom | postiz | Postiz is an AI social media scheduling tool. Prior to 2.21.5, the /api/public/stream endpoint is vulnerable to SSRF. Although the application validates the initially supplied URL and blocks direct p… | CWE-918 (Server-Side Request Forgery (SSRF)) | CVE-2026-40168 | 2026-04-15 05:09 | 2026-04-11 |
| 1424 | 9.8 | CRITICAL | Network | goshs | goshs | goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.4, goshs enforces the documented per-folder .goshs ACL/basic-auth mechanism for directory listings and file reads, but it does not enfor… | CWE-862 (Missing Authorization) | CVE-2026-40189 | 2026-04-15 05:08 | 2026-04-11 |
| 1425 | 7.5 | HIGH | Network | softether | softethervpn | SoftEtherVPN is an open-source cross-platform multi-protocol VPN program. In 5.2.5188 and earlier, a pre-authentication denial-of-service vulnerability exists in SoftEther VPN Developer Edition 5.2… | CWE-789 (Memory Allocation with Excessive Size Value) | CVE-2026-39312 | 2026-04-15 05:08 | 2026-04-8 |
| 1426 | 9.1 | CRITICAL | Network | docker | model_runner | Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Prior to version 1.1.25, Docker Model Runner contains an SSRF vulnerability in its OCI registry token exc… | CWE-918 (Server-Side Request Forgery (SSRF)) | CVE-2026-33990 | 2026-04-15 05:08 | 2026-04-2 |
| 1427 | 9.8 | CRITICAL | Network | xwiki | xwiki | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script… | CWE-862 (Missing Authorization) | CVE-2026-33229 | 2026-04-15 05:08 | 2026-04-9 |
| 1428 | 8.6 | HIGH | Network | patrickjuchli | basic-ftp | basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(),… | CWE-93 (CRLF Injection) | CVE-2026-39983 | 2026-04-15 05:07 | 2026-04-10 |
| 1429 | 6.1 | MEDIUM | Network | unjs | unhead | Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe() is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in <head> safe… | CWE-184 (Incomplete Blacklist) | CVE-2026-39315 | 2026-04-15 05:07 | 2026-04-10 |
| 1430 | 7.5 | HIGH | Network | apache | tomcat | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through … | CWE-444 (HTTP Request Smuggling) | CVE-2026-24880 | 2026-04-15 05:02 | 2026-04-10 |