|
3531
|
9.8 |
CRITICAL
Network
|
-
|
-
|
KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authe…
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-26210
|
2026-04-24 23:50 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3532
|
- |
|
-
|
-
|
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the GraphCypherQAChain node forwards user-provided input directly into the Cypher query execut…
|
CWE-943
Improper Neutralization of Special Elements in Data Query Logic
|
CVE-2026-41274
|
2026-04-24 23:50 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3533
|
5.3 |
MEDIUM
Network
|
-
|
-
|
go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can causes an slice out of bounds panic, which can crash a…
|
CWE-190
Integer Overflow or Wraparound
|
CVE-2026-32952
|
2026-04-24 23:50 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3534
|
7.6 |
HIGH
Network
|
wger
|
wger
|
wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the GymConfigUpdateView declares permission_required = 'config.change_gymconfig' but inherits WgerFormMixin instead…
|
CWE-284
CWE-862
Improper Access Control
Missing Authorization
|
CVE-2026-40474
|
2026-04-24 23:46 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3535
|
5.4 |
MEDIUM
Network
|
wger
|
wger
|
wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attribution_link property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled lic…
|
CWE-79
Cross-site Scripting
|
CVE-2026-40353
|
2026-04-24 23:46 |
2026-04-18 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3536
|
- |
|
-
|
-
|
Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the `RestoreController.PostRestoreJob` endpoint allows an administrator to supply an …
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-41170
|
2026-04-24 23:45 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3537
|
- |
|
-
|
-
|
Squidex is an open source headless content management system and content management hub. Versions prior to 7.23.0 have a Server-Side Request Forgery (SSRF) vulnerability due to missing SSRF protectio…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-41171
|
2026-04-24 23:45 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3538
|
- |
|
-
|
-
|
Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, an SSRF vulnerability allows a user with asset upload permission to force the server …
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-41172
|
2026-04-24 23:45 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3539
|
5.5 |
MEDIUM
Network
|
-
|
-
|
Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the Squidex Restore API is vulnerable to Blind Server-Side Request Forgery (SSRF). Th…
|
CWE-73
CWE-918
External Control of File Name or Path
Server-Side Request Forgery (SSRF)
|
CVE-2026-41177
|
2026-04-24 23:45 |
2026-04-23 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
3540
|
9.8 |
CRITICAL
Network
|
-
|
-
|
An issue in Ntfy ntfy.sh before v.2.21 allows a remote attacker to execute arbitrary code via the parseActions function
|
CWE-94
Code Injection
|
CVE-2026-39087
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
